Keywords

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

1 Introduction

Multilinear Maps. For the past couple of years, cryptographic multilinear maps have found numerous applications in the design of cryptographic protocols, the most salient example of which is probably the construction of indistinguishability obfuscation (iO) [GGH+13b]. The first multilinear maps candidate (GGH13) was described by Garg, Gentry and Halevi [GGH13a] from ideal lattices. It was then followed by another candidate (aka, CLT13) due to Coron, Lepoint and Tibouchi [CLT13] using the same techniques but over the integers, and later by a third candidate (GGH15) by Gentry, Gorbunov and Halevi [GGH15], related to the homomorphic encryption scheme from [GSW13].

Unfortunately, these candidates do not rely on well-established hardness assumptions, and recent months have witnessed a number of attacks (including [CHL+15, CGH+15, HJ16, BGH+15, PS15, CFL+16]) showing that they fail to meet a number of desirable security requirements, and that they cannot be used to securely instantiate such and such protocols. Some attempts to protect against these attacks have also known a similar fate [CLT15, BGH+15]. The security of the constructions based on these multilinear maps is currently unclear to the community [Hal15]. While two recent works [CGH+15, MSZ16] have shown polynomial-time attacks against some obfuscation candidates, many iO candidates remain unaffected by the attacks proposed so far. The same cannot be said for the more immediate application of multilinear maps that is one-round multipartite key agreement.

One-Round Multipartite Key-Agreement Protocol. Since its discovery in 1976, the Diffie–Hellman protocol [DH76] is one of the most widely used cryptographic protocol to create a common secret between two parties. A generalization of this one-round protocol to three parties was proposed in 2000 by Joux [Jou00] using cryptographic bilinear maps; it was later extended to \(k\ge 4\) parties assuming the existence of a cryptographic \((k-1)\)-linear map by Boneh and Silverberg [BS02]. In a nutshell, the protocol works as follows: assuming some public parameters are shared by all the parties, each party broadcasts some data and keeps some data secret, and then by combining their secret data with the other parties’ published values using the multilinear map, they can derive a shared common secret key.

The first candidates for a k-partite Diffie–Hellman key-agreement protocol for arbitrary k were described in [GGH13a, CLT13] using respectively the GGH13 and CLT13 multilinear maps candidates. Unfortunately, the protocols were later shown to be insecure in [HJ16, CHL+15]: using the public parameters and the broadcast data, an eavesdropper can recover the shared common secret key in polynomial time.

The GGH15 Key-Agreement Protocol. Since the third proposed multilinear maps scheme, GGH15, does not fit the same graded encoding framework as the earlier candidates, one needs new constructions to use it to instantiate cryptographic protocols. And the first such application was again a Diffie–Hellman key-agreement protocol [GGH15, Sect. 5.1]. To avoid similar attacks as the one that targeted GGH13 and CLT13, based on encodings of zero, the protocol was designed in such a way that the adversary is never given encodings of the same element that could be subtracted without doing the full key-agreement computation. Namely, each party i has a directed path of matrices \({{\varvec{A}}_{i,1}}, \ldots , {{\varvec{A}}_{i, k+1}}\) all sharing the same end-point \({{\varvec{A}}_{i, k+1}} = {{\varvec{A}}_0}\), and has a secret value \(s_i\). She can then publish encodings of \(s_i\) on the chains of the other parties in a “round robin” fashion, i.e. \(s_i\) is encoded on the j-th edge of the chain of the party \(i'=j-i+1\), with index arithmetic modulo k. The graph for 3 parties is illustrated in Fig. 1.

Fig. 1.
figure 1

Graph for a 3-partite key-agreement protocol with GGH15 multilinear maps.

Full size image

On the i-th chain, Party i will then be able to multiply these encodings (the one he kept secret and the ones published by the other parties) to get an encoding of \(\prod _j s_j\) relative to the path \({{\varvec{A}}_{i,1}}\leadsto {{\varvec{A}}_0}\). Now, since the encodings of \(s_i\) cannot be mixed before the end-point \({{\varvec{A}}_0}\), it seems difficult to obtain an encoding of 0 on an edge in the middle of the graph to mount “zeroizing attacks” [GGH15].

Halevi’s Candidate Key-Agreement Protocols. As no attack was known on GGH15 multilinear maps and in an attempt to reinstate a key-agreement protocol for GGH13, Halevi recently proposed, on the Cryptology ePrint Archive, two variants of GGH13 supporting a similar key-agreement protocol [Hal15].Footnote 1 The first variant uses the “asymmetric” GGH13 scheme to handle the graph structure [Hal15, Sect. 7]. Namely, in basic GGH13 each encoding is multiplicatively masked by a power \(z^i\) of a secret mask z; in asymmetric GGH13, the encodings can be masked by powers of multiple \(z_j\)’s. Therefore, in this new key-agreement protocol candidate, the public encodings are now associated with independent masks \(z_{i,j}\)’s such that their product yields the same value Z, i.e. \(\prod _{j} z_{i,j} = Z\) for all i (so that the final encoding shall extract to the same shared key). The graph for 3 parties is illustrated in Fig. 2.

Fig. 2.
figure 2

Multipartite key agreement from asymmetric GGH13, with 3 parties, from [Hal15, Sect. 7].

Full size image

Once again, the fact that the encodings of the same value \(s_i\) are multiplied with different masks gives hope that no encoding of 0 multiplied by a value other than Z can be obtained, and therefore that zeroizing attacks are impossible [GGH13a, CGH+15].

A second variant of GGH13, which we refer to as Graph-GGH13, mimics the structure of GGH15 encodings more closely and is described in [Hal15, Sect. 6]. An encoding \(c \in \alpha +gR\) relative to a path \(u\leadsto v\) is now a matrix \(\tilde{{\varvec{C}}} = {{\varvec{P}}_u^{-1}}\cdot {{\varvec{C}}}\cdot {{\varvec{P}}_v}\), where \({{\varvec{C}}} \in {\mathbb Z}_q^{n \times n}\) is the multiply-by-c matrix, and the \({{\varvec{P}}_w}\)’s are secret random matrices. In the key-agreement protocol, each party i has a directed path of matrices \({{\varvec{P}}_{i,1}}, \ldots , {{\varvec{P}}_{i, k+1}}\) all sharing the same end-point \({{\varvec{P}}_{i, k+1}}={{\varvec{P}}_0}\) and the same start-point \({{\varvec{P}}_{i,1}} = {{\varvec{P}}_1}\), and has a secret value \(s_i\). She can then publish encodings of \(s_i\) on the chains of the other parties in a “round robin” fashion. The graph for 3 parties is illustrated in Fig. 3.

Fig. 3.
figure 3

Multipartite key agreement from GGH13 with graph constraints, with 3 parties, from [Hal15, Sect. 6].

Full size image

And here again, the fact that the encodings corresponding to the same \(s_i\) are multiplied on the left and on the right by completely random matrices \({{\varvec{P}}_{i, j}}\) makes it difficult to cancel them out and obtain an encoding of 0 without evaluating the full “chains” (that is, the operations of the key agreement itself).

Finally, in order to capture the intuition of what it means for an attacker to break the scheme, Halevi defined, for both schemes, the “core computational task” of an adversary as recovering any basis of the (hidden) plaintext space [Hal15, Sect. 2.2].

Our Contributions. Our main contribution is to describe a cryptanalysis of the Diffie–Hellman key-agreement protocol when instantiated with GGH15 multilinear maps. Our attack makes it possible to generate an equivalent user private key in polynomial time, which in turn allows to recover the shared session key. Our attack proceeds in two steps: in the first step, we express the secret exponent of one user as a linear combination of some other secret exponents corresponding to public encodings, using a variant of the Cheon et al. attack [CHL+15]. This does not immediately break the protocol because the coefficients of the linear combination can be large. In the second step, we use the previous linear combination to derive an encoding equivalent to the user private encoding, by correcting the error resulting from the large coefficients of the linear combination. Our attack also applies to GGH15 with safeguards; we extend the basic attack by using another linear relation to estimate the error incurred from the large coefficients, thus enabling to recover the shared session key.

In the full version of this paper [CLLT15], we also describe attacks that break both variants of GGH13 proposed by Halevi in [Hal15]. Our attacks apply some variant of the Cheon et al. attack [CHL+15] to recover a basis of the secret plaintext space R / gR in polynomial time. This was considered as the “core computational task of an attacker” in [Hal15].

Source Code. A proof-of-concept implementation of our cryptanalysis of GGH15, using the Sage [Dev16] mathematics software system, is available at: http://pastebin.com/7kZHnTXY

2 The GGH15 Multilinear Map Scheme

We briefly recall the GGH15 multilinear map scheme; we refer to [GGH15] for a full description. In the following we only consider the commutative variant from [GGH15, Sect. 3.2], as only that commutative variant can be used in the multipartite key-agreement protocol from [GGH15, Sect. 5.1].

2.1 GGH15 Multilinear Maps

The construction works over polynomial rings \(R={\mathbb Z}[x]/(f(x))\) and \(R_q=R/qR\) for some degree n irreducible integer polynomial \(f(x) \in {\mathbb Z}[x]\) and an integer q. The construction is parametrized by a directed acyclic graph \(G=(V,E)\). To each node \(u \in V\) a random row vector \({{\varvec{A}}_u} \in R_q^m\) is assigned, where m is a parameter. An encoding of a small plaintext element \(s \in R\) relative to path \(u \leadsto v\) is a matrix with small coefficients \({{\varvec{D}}} \in R^{m \times m}\) such that:

$$ {{\varvec{A}}_u} \cdot {{\varvec{D}}}=s \cdot {{\varvec{A}}_v} + {{\varvec{E}}} \pmod {q}$$

where \({{\varvec{E}}}\) is a small error vector of dimension m with components in R; we refer to [GGH15] for how such encoding \({{\varvec{D}}}\) can be generated, based on a trapdoor sampling procedure from [MP12]. Only small plaintext elements \(s \in R\) are encoded. As in [Hal15] we use the row vector notation for \({{\varvec{A}}_u}\), rather than the column vector notation used in [GGH15].Footnote 2 It is easy to see that two encodings \({{\varvec{D}}_1}\) and \({{\varvec{D}}_2}\) relative to the same path \(u \leadsto v\) can be added; namely from:

$$\begin{aligned} {{\varvec{A}}_u} \cdot {{\varvec{D}}_1}=&s_1 \cdot {{\varvec{A}}_v} + {{\varvec{E}}_1} \pmod {q} \\ {{\varvec{A}}_u} \cdot {{\varvec{D}}_2}=&s_2 \cdot {{\varvec{A}}_v} + {{\varvec{E}}_2} \pmod {q} \end{aligned}$$

we obtain:

$$ {{\varvec{A}}_u} \cdot \left( {{\varvec{D}}_1} + {{\varvec{D}}_2} \right) =(s_1+s_2) \cdot {{\varvec{A}}_v} + {{\varvec{E}}_1} + {{\varvec{E}}_2} \pmod {q}. $$

Moreover two encodings \({{\varvec{D}}_1}\) and \({{\varvec{D}}_2}\) relative to path \(u \leadsto v\) and \(v \leadsto w\) can be multiplied to get an encoding relative to path \(u \leadsto w\). Namely given:

$$\begin{aligned} {{\varvec{A}}_u} \cdot {{\varvec{D}}_1}&=s_1 \cdot {{\varvec{A}}_v} + {{\varvec{E}}_1} \pmod {q} \\ {{\varvec{A}}_v} \cdot {{\varvec{D}}_2}&=s_2 \cdot {{\varvec{A}}_w} + {{\varvec{E}}_2} \pmod {q} \end{aligned}$$

we obtain by multiplying the matrix encodings \({{\varvec{D}}_1}\) and \({{\varvec{D}}_2}\):

$$\begin{aligned} {{\varvec{A}}_u} \cdot {{\varvec{D}}_1} \cdot {{\varvec{D}}}_2&= (s_1 \cdot {{\varvec{A}}}_v + {{\varvec{E}}}_1) \cdot {{\varvec{D}}}_2 \pmod {q} \\&=s_1 \cdot s_2 \cdot {{\varvec{A}}}_w + s_1 \cdot {{\varvec{E}}}_2 +{{\varvec{E}}}_1 \cdot {{\varvec{D}}}_2 \pmod {q}\\&=s_1 \cdot s_2 \cdot {{\varvec{A}}}_w + {{\varvec{E}}}' \pmod {q} \end{aligned}$$

for some new error vector \({{\varvec{E}}}'\). Since \(s_1\), \({{\varvec{E}}}_1\), \({{\varvec{E}}}_2\) and \({{\varvec{D}}}_2\) have small coefficients, \({{\varvec{E'}}}\) still has small coefficients (compared to q), and therefore the product \({{\varvec{D}}}_1 \cdot {{\varvec{D}}}_2\) is an encoding of \(s_1 \cdot s_2\) for the path \(u \leadsto w\).

Finally, given an encoding \({{\varvec{D}}}\) relative to path \(u \leadsto w\) and the vector \({{\varvec{A}}}_u\), extraction works by computing the high-order bits of \({{\varvec{A}}}_u \cdot {{\varvec{D}}}\). Namely we have:

$$ {{\varvec{A}}}_u \cdot {{\varvec{D}}}=s \cdot {{\varvec{A}}}_w + {{\varvec{E}}} \pmod {q}$$

for some small \({{\varvec{E}}}\), and therefore the high-order bits of \({{\varvec{A}}}_u \cdot {{\varvec{D}}}\) only depend on the secret exponent s.

Remark 1

As emphasized in [GGH15], only the plaintext space of the \(s_i\)’s is commutative, not the space of the encoding matrices \({{\varvec{D}}}_i\). The ability to multiply the plaintext elements \(s_i\) in arbitrary order will be used in the multipartite key-agreement protocol below.

2.2 The GGH15 Multipartite Key-Agreement Protocol

We briefly recall the multipartite key-agreement protocol from [GGH15, Sect. 5.1]. We consider the protocol with k users. As illustrated in Fig. 4 for \(k=3\) users, each user i for \(1 \le i \le k\) has a directed path of vectors \({{\varvec{A}}}_{i,1},\ldots ,{{\varvec{A}}}_{i,k+1}\), all sharing the same end-point \({{\varvec{A}}}_0={{\varvec{A}}}_{i,k+1}\). The i-th user will use the resulting chain to extract the session key. Each user i has a secret exponent \(s_i\). Each secret exponent \(s_i\) will be encoded in each of the k chains; the encoding of \(s_i\) on the j-th chain for \(j \ne i\) will be published, while the encoding of \(s_i\) on the i-th chain will be kept private by user i. Therefore on the i-th chain only user i will be able to compute the session key. The exponents \(s_i\) are encoded in a “round robin” fashion; namely the i-th secret \(s_i\) is encoded on the chain of user j at edge \(\ell =i+j-1\), with index arithmetic modulo k. Only the vectors \({{\varvec{A}}}_{i,1}\) for \(1 \le i \le k\) are made public to enable extraction of the session-key; the others are kept private. We recall the formal description of the protocol in the full version of this paper [CLLT15].

Fig. 4.
figure 4

Graph of a key agreement between 3 parties for GGH15. The vertices contain random vectors \({{\varvec{A}}}_{ij}\), and encodings are represented on the edges. Each party is represented by a different color, keeps the encoding in parenthesis secret and publishes the two other encodings.

Full size image

We illustrate the protocol for \(k=3\) users. For the chain corresponding to User 1, we have the following encodings:

$$\begin{aligned} {{\varvec{A}}}_{1,1} \cdot {{\varvec{D}}}_{1,1}&= s_{1} \cdot {{\varvec{A}}}_{1,2} + {{\varvec{F}}}_{1,1} \pmod {q}\\ {{\varvec{A}}}_{1,2} \cdot {{\varvec{D}}}_{1,2}&= s_{2} \cdot {{\varvec{A}}}_{1,3} + {{\varvec{F}}}_{1,2} \pmod {q}\\ {{\varvec{A}}}_{1,3} \cdot {{\varvec{D}}}_{1,3}&= s_{3} \cdot {{\varvec{A}}}_{0} + {{\varvec{F}}}_{1,3} \pmod {q} \end{aligned}$$

where \({{\varvec{D}}}_{1,2}\) and \({{\varvec{D}}}_{1,3}\) are public while \({{\varvec{D}}}_{1,1}\) is kept private by User 1. Therefore User 1 can compute modulo q:

$$\begin{aligned} {{\varvec{A}}}_{1,1} \cdot {{\varvec{D}}}_{1,1} \cdot {{\varvec{D}}}_{1,2} \cdot {{\varvec{D}}}_{1,3}&=(s_1 \cdot {{\varvec{A}}}_{1,2} + {{\varvec{F}}}_{1,1}) \cdot {{\varvec{D}}}_{1,2} \cdot {{\varvec{D}}}_{1,3} \pmod {q}\\&= (s_1 \cdot s_2 \cdot {{\varvec{A}}}_{1,3} +s_1 \cdot {{\varvec{F}}}_{1,2}~\\&\quad + {{\varvec{F}}}_{1,1} \cdot {{\varvec{D}}}_{1,2} ) \cdot {{\varvec{D}}}_{1,3} \pmod {q}. \end{aligned}$$

Letting \({{\hat{{\varvec{F}}}}}_{1,2} :=s_1 \cdot {{\varvec{F}}}_{1,2} + {{\varvec{F}}}_{1,1} \cdot {{\varvec{D}}}_{1,2}\), we obtain:

$$\begin{aligned} {{\varvec{A}}}_{1,1} \cdot {{\varvec{D}}}_{1,1} \cdot {{\varvec{D}}}_{1,2} \cdot {{\varvec{D}}}_{1,3}&= \left( s_1 \cdot s_2 \cdot {{\varvec{A}}}_{1,3} +{{\hat{{\varvec{F}}}}}_{1,2} \right) \cdot {{\varvec{D}}}_{1,3} \pmod {q} \\&= s_1 \cdot s_2 \cdot s_3 \cdot {{\varvec{A}}}_{0} + s_1 \cdot s_2 \cdot {{\varvec{F}}}_{1,3} + {{\hat{{\varvec{F}}}}}_{1,2} \cdot {{\varvec{D}}}_{1,3} \!\!\! \pmod {q}. \end{aligned}$$

Since \(s_1\), \(s_2\) and \(s_3\) are small and \({{\varvec{F}}}_{1,3}\), \({{\hat{{\varvec{F}}}}}_{1,2}\) and \({{\varvec{D}}}_{1,3}\) have small components, User 1 can extract the most significant bits corresponding to \(s_1 \cdot s_2 \cdot s_3 \cdot {{\varvec{A}}}_{0}\). Similarly User 2 will compute the session key using the following chain, where \({{\varvec{D}}}_{2,1}\) and \({{\varvec{D}}}_{2,2}\) are public while \({{\varvec{D}}}_{2,3}\) is private to User 2:

$$\begin{aligned} {{\varvec{A}}}_{2,1} \cdot {{\varvec{D}}}_{2,1}&= s_{3} \cdot {{\varvec{A}}}_{2,2} + {{\varvec{F}}}_{2,1} \pmod {q}\\ {{\varvec{A}}}_{2,2} \cdot {{\varvec{D}}}_{2,2}&= s_{1} \cdot {{\varvec{A}}}_{2,3} + {{\varvec{F}}}_{2,2} \pmod {q}\\ {{\varvec{A}}}_{2,3} \cdot {{\varvec{D}}}_{2,3}&= s_{2} \cdot {{\varvec{A}}}_{0} + {{\varvec{F}}}_{2,3} \pmod {q}. \end{aligned}$$

Namely User 2 can compute:

$$\begin{aligned} {{\varvec{A}}}_{2,1} \cdot {{\varvec{D}}}_{2,1} \cdot {{\varvec{D}}}_{2,2} \cdot {{\varvec{D}}}_{2,3}&= (s_3 \cdot s_1 \cdot {{\varvec{A}}}_{2,3} + s_3 \cdot {{\varvec{F}}}_{2,2} ~\\&\quad + {{\varvec{F}}}_{2,1} \cdot {{\varvec{D}}}_{2,2}) \cdot {{\varvec{D}}}_{2,3} \pmod {q} \\&= s_3 \cdot s_1 \cdot s_2 \cdot {{\varvec{A}}}_0 + {{\varvec{F}}} \pmod {q} \end{aligned}$$

for some small vector \({{\varvec{F}}}\), and extract the same most significant bits corresponding to \(s_1 \cdot s_2 \cdot s_3 \cdot {{\varvec{A}}}_{0}\); the same holds for User 3.

The previous encodings are generated by random linear combination of public encodings, corresponding to secret exponents \(t_{i,\ell }\) for \(1 \le \ell \le N\), for large enough N. More precisely, for each \(1 \le i \le k\) one generates random small plaintext elements \(t_{i,\ell }\) for \(1 \le \ell \le N\), which are then encoded on all chains j at edge \(i'=i+j-1\) (with index modulo k), by \({{\varvec{C}}}_{j,i',\ell }\). This means that for \(k=3\) users, we have the following encodings corresponding to User 1:

$$\begin{aligned} {{\varvec{A}}}_{1,1} \cdot {{\varvec{C}}}_{1,1,\ell }&= t_{1,\ell } \cdot {{\varvec{A}}}_{1,2} + {{\varvec{E}}}_{1,1,\ell } \pmod {q}\\ {{\varvec{A}}}_{2,2} \cdot {{\varvec{C}}}_{2,2,\ell }&= t_{1,\ell } \cdot {{\varvec{A}}}_{2,3} + {{\varvec{E}}}_{2,2,\ell } \pmod {q} \\ {{\varvec{A}}}_{3,3} \cdot {{\varvec{C}}}_{3,3,\ell }&= t_{1,\ell } \cdot {{\varvec{A}}}_{0} + {{\varvec{E}}}_{3,3,\ell } \pmod {q} \end{aligned}$$

and the tuple \(({{\varvec{D}}}_{1,1},{{\varvec{D}}}_{2,2},{{\varvec{D}}}_{3,3})\) is generated by linear combination of the tuple \(({{\varvec{C}}}_{1,1,\ell },{{\varvec{C}}}_{2,2,\ell },{{\varvec{C}}}_{3,3,\ell })\), so that the matrices \({{\varvec{D}}}_{1,1}\), \({{\varvec{D}}}_{2,2}\) and \({{\varvec{D}}}_{3,3}\) encode the same secret exponent \(s_1\); the same holds for users 2 and 3. We refer to the full version of this paper [CLLT15] for the formal description of the protocol.

3 Cryptanalysis of GGH15 Without Safeguards

In the following we describe a cryptanalysis of the multipartite key-agreement protocol based on GGH15 multilinear maps recalled in the previous section. Heuristically our attack recovers the session-key from public element in polynomial-time. Our attack proceeds in two steps.

  1. 1.

    In the first step, we are able to express one secret exponent \(s_1\) as a linear combination of the other secret exponents \(t_{1,\ell }\), using a variant of the Cheon et al. attack [CHL+15]. However this does not immediately break the protocol, because the coefficients are not small.

  2. 2.

    In the second step, we compute an equivalent of the private encoding of User 1 from the previous linear combination, by correcting the error due to the large coefficients. This breaks the key-exchange protocol.

3.1 Description with 3 Users

For simplicity we first consider the protocol with only 3 users; the extension to \(k \ge 3\) users is relatively straightforward and described in the full version of this paper [CLLT15]. Therefore we consider the following 3 rows corresponding to the 3 users:

figure a

where all encodings \({{\varvec{C}}}_{i,j,\ell }\) and \({{\varvec{D}}}_{i,j}\) are public, except \({{\varvec{D}}}_{1,1}\) which is private on Row 1, \({{\varvec{D}}}_{2,3}\) is private on Row 2, and \({{\varvec{D}}}_{3,2}\) is private on Row 3. The corresponding graph is illustrated in Fig. 4. Note that on each row we have used the same index \(\ell \) for \(t_{1,\ell }\), \(t_{2,\ell }\) and \(t_{3,\ell }\), but on a given row one can obviously compute product of encodings for different indices.

First Step: Linear Relations. In the first step of the attack, we show that we can express \(s_1\) as a linear combinations of the \(t_{1,\ell }\)’s. For this we consider the rows 2 and 3, for which the encodings \({{\varvec{D}}}_{2,2}\) and \({{\varvec{D}}}_{3,3}\) corresponding to \(s_1\) are public. In the remaining of the attack, we always consider a fixed index \(\ell =1\) for the encodings corresponding to \(t_{3,\ell }\), and for simplicity we write \(t_3:=t_{3,1}\), \({{\varvec{C}}}_{1,3}:={{\varvec{C}}}_{1,3,1}\), \({{\varvec{C}}}_{2,1}:={{\varvec{C}}}_{2,1,1}\) and \({{\varvec{C}}}_{3,2}:={{\varvec{C}}}_{3,2,1}\).

Since we always work with the same \(t_3\), on Row 2 we define the product encodings \({\hat{{\varvec{C}}}}_{2,2,\ell }:={{\varvec{C}}}_{2,1} \cdot {{\varvec{C}}}_{2,2,\ell }\), and on Row 3 we define the product encodings \({\hat{{\varvec{C}}}}_{3,2,\ell }:={{\varvec{C}}}_{3,1,\ell } \cdot {{\varvec{C}}}_{3,2}\); recall that we use a fixed index for \(t_3\). Therefore we can write:

$$\begin{aligned} {{\varvec{A}}}_{2,1} \cdot {\hat{{\varvec{C}}}}_{2,2,\ell }&= t_{1,\ell } \cdot t_3 \cdot {{\varvec{A}}}_{2,3} + {\hat{{\varvec{E}}}}_{2,2,\ell } \pmod {q}\\ \nonumber {{\varvec{A}}}_{2,3} \cdot {{\varvec{C}}}_{2,3,\ell }&= t_{2,\ell } \cdot {{\varvec{A}}}_{0} + {{\varvec{E}}}_{2,3,\ell } \pmod {q} \\ \nonumber {{\varvec{A}}}_{3,1} \cdot {\hat{{\varvec{C}}}}_{3,2,\ell }&= t_{2,\ell } \cdot t_3 \cdot \nonumber {{\varvec{A}}}_{3,3} + {\hat{{\varvec{E}}}}_{3,2,\ell } \pmod {q} \\ \nonumber {{\varvec{A}}}_{3,3} \cdot {{\varvec{C}}}_{3,3,\ell }&= t_{1,\ell } \cdot {{\varvec{A}}}_{0} + {{\varvec{E}}}_{3,3,\ell } \pmod {q} \end{aligned}$$
(1)

for some small error vectors \({\hat{{\varvec{E}}}}_{2,2,\ell }\) and \({\hat{{\varvec{E}}}}_{3,2,\ell }\).

For simplicity of notations, we first consider a fixed index i for the encodings corresponding to \(t_{1,i}\), and we write \(t_1:=t_{1,i}\), \({\hat{{\varvec{C}}}}_{2,2}:={\hat{{\varvec{C}}}}_{2,2,i}\) and \({{\varvec{C}}}_{3,3}:={{\varvec{C}}}_{3,3,i}\). Similarly we consider a fixed index j for the encodings corresponding to \(t_{2,j}\) and we write \(t_2:=t_{2,j}\), \({{\varvec{C}}}_{2,3}:={{\varvec{C}}}_{2,3,j}\) and \({\hat{{\varvec{C}}}}_{3,2}:={\hat{{\varvec{C}}}}_{3,2,j}\). We use similar notations for the corresponding error vectors.

All previous equations hold modulo q only. To get a result over R instead of only modulo q, we compute the difference between two rows, for the same product of secret exponents. More precisely, we compute:

$$\begin{aligned} \mathbf {\omega }&= {{\varvec{A}}}_{2,1} \cdot {\hat{{\varvec{C}}}}_{2,2} \cdot {{\varvec{C}}}_{2,3}-{{\varvec{A}}}_{3,1} \cdot {\hat{{\varvec{C}}}}_{3,2} \cdot {{\varvec{C}}}_{3,3} \\ \nonumber&=t_{1} \cdot t_3 \cdot t_{2} \cdot {{\varvec{A}}}_0 + t_{1} \cdot t_3 \cdot {{\varvec{E}}}_{2,3} +{\hat{{\varvec{E}}}}_{2,2} \cdot {{\varvec{C}}}_{2,3} \\ \nonumber&\quad -t_{2} \cdot t_3 \cdot t_{1} \cdot {{\varvec{A}}}_0 - t_{2} \cdot t_3 \cdot {{\varvec{E}}}_{3,3} - {\hat{{\varvec{E}}}}_{3,2} \cdot {{\varvec{C}}}_{3,3} \end{aligned}$$
(2)
$$\begin{aligned} \nonumber \\&=t_{1} \cdot t_3 \cdot {{\varvec{E}}}_{2,3} +{\hat{{\varvec{E}}}}_{2,2} \cdot {{\varvec{C}}}_{2,3} - t_{2} \cdot t_3 \cdot {{\varvec{E}}}_{3,3} - {\hat{{\varvec{E}}}}_{3,2} \cdot {{\varvec{C}}}_{3,3}. \end{aligned}$$
(3)

Namely the latter equation holds over R (and not only modulo q) because all the terms in (3) have small coefficients; namely the only term \(t_{1} \cdot t_2 \cdot t_{3} \cdot {{\varvec{A}}}_0\) with large coefficients modulo q is canceled when doing the subtraction.

We have that \(\mathbf {\omega }\) is a vector of dimension m. Now an important step is to restrict ourselves to the first component of \(\mathbf {\omega }\). Namely in order to apply the same technique as in the Cheon et al. attack, we would like to express \(\mathbf {\omega }\) as the product of two vectors, where the left vector corresponds to User 1 and the right vector corresponds to User 2. However due to the “round-robin” fashion of exponent encodings, for this we would need to swap the product \({\hat{{\varvec{E}}}}_{3,2} \cdot {{\varvec{C}}}_{3,3}\) appearing in (3), since \({\hat{{\varvec{E}}}}_{3,2}\) corresponds to User 2 while \({{\varvec{C}}}_{3,3}\) corresponds to User 1; this cannot be done if we consider the full vector \(\mathbf {\omega }\). By restricting ourselves to the first component of \(\mathbf {\omega }\), the product \({\hat{{\varvec{E}}}}_{3,2} \cdot {{\varvec{C}}}_{3,3}\) becomes a simple scalar product that can be swapped; namely the scalar product of \({\hat{{\varvec{E}}}}_{3,2}\) by the first column vector \({{\varvec{C}}}'_{3,3}\) of the matrix \({{\varvec{C}}}_{3,3}\). We obtain the scalar:

$$\omega = t_1 \cdot t_3 \cdot E_{2,3} +{\hat{{\varvec{E}}}}_{2,2} \cdot {{\varvec{C}}}'_{2,3} - t_{2} \cdot t_3 \cdot E_{3,3}- {{\varvec{C}}}'_{3,3} \cdot {\hat{{\varvec{E}}}}_{3,2} $$

where \({{\varvec{C}}}'_{2,3}\) and \({{\varvec{C}}}'_{3,3}\) are the first column vectors of \({{\varvec{C}}}_{2,3}\) and \({{\varvec{C}}}_{3,3}\) respectively, both of dimension m; similarly \(E_{2,3}\) and \(E_{3,3}\) are the first components of \({{\varvec{E}}}_{2,3}\) and \({{\varvec{E}}}_{3,3}\) respectively.

We can now write \(\omega \) as the scalar product of 2 vectors, the left one corresponding only to User 1, and the right one corresponding only to User 2:

$$\begin{aligned} \omega&= \begin{bmatrix} t_1~&{\hat{{\varvec{E}}}}_{2,2}~&E_{3,3}~&{{\varvec{C}}}'_{3,3} \end{bmatrix} \cdot \begin{bmatrix} t_3 \cdot E_{2,3} \\ {{\varvec{C}}}'_{2,3} \\ -t_2 \cdot t_3 \\ -{\hat{{\varvec{E}}}}_{3,2} \end{bmatrix}. \end{aligned}$$

Note that the two vectors in the product have dimension \(2m+2\).

As in the Cheon et al. attack [CHL+15], we can now extend \(\omega \) to a matrix by considering many left row vectors and many right column vectors. However instead of a square matrix as in the Cheon et al. attack, we consider a rectangular matrix with \(2m+3\) rows and \(2m+2\) columns. In Eq. (2), this is done by considering \(2m+3\) public encodings \({\hat{{\varvec{C}}}}_{2,2,i}\) and \({{\varvec{C}}}_{3,3,i}\) corresponding to User 1, and similarly \(2m+2\) encodings \({{\varvec{C}}}_{2,3,j}\) and \({\hat{{\varvec{C}}}}_{3,2,j}\) corresponding to User 2, for \(1 \le i \le 2m+3\) and \(1 \le j \le 2m+2\). More precisely we compute as previously over R the following matrix elements, restricting ourselves to the first component:

$$\begin{aligned} ({{\varvec{W}}})_{ij} = {{\varvec{A}}}_{2,1} \cdot {\hat{{\varvec{C}}}}_{2,2,i} \cdot {{\varvec{C}}}'_{2,3,j}-{{\varvec{A}}}_{3,1} \cdot {\hat{{\varvec{C}}}}_{3,2,j} \cdot {{\varvec{C}}}'_{3,3,i} \end{aligned}$$
(4)

and as previously we can write:

$$ ({{\varvec{W}}})_{ij} = \begin{bmatrix} t_{1,i}~&{\hat{{\varvec{E}}}}_{2,2,i}~&E_{3,3,i}~&{{\varvec{C}}}'_{3,3,i} \end{bmatrix} \cdot \begin{bmatrix} t_3 \cdot E_{2,3,j} \\ {{\varvec{C}}}'_{2,3,j} \\ -t_{2,j} \cdot t_3 \\ -{\hat{{\varvec{E}}}}_{3,2,j} \end{bmatrix}. $$

We obtain a \((2m+3) \times (2m+2)\) matrix \({{\varvec{W}}}\) with:

where the matrix \({{\varvec{A}}}\) has \(2m+3\) rows vectors, each of dimension \(2m+2\), and the matrix \({{\varvec{B}}}\) has \(2m+2\) column vectors, each of dimension \(2m+2\); hence \({{\varvec{B}}}\) is a square matrix.

By doing linear algebra, we can find a vector \({{\varvec{u}}}\) over R of dimension \(2m+3\) such that \({{\varvec{u}}} \cdot {{\varvec{W}}}=0\), which gives:

$$ ({{\varvec{u}}} \cdot {{\varvec{A}}}) \cdot {{\varvec{B}}}=0.$$

Heuristically with good probability the matrix \({{\varvec{B}}}\) is invertible, which implies:

$$ {{\varvec{u}}}\cdot {{\varvec{A}}}=0.$$

Since the first column of the matrix \({{\varvec{A}}}\) is the column vector given by the \(t_{1,i}\)’s, such vector \({{\varvec{u}}}\) gives a linear relation among the secret exponents \(t_{1,i}\).

Moreover, since the encodings \({{\varvec{D}}}_{2,2}\) and \({{\varvec{D}}}_{3,3}\) corresponding to \(s_1\) are public, we can express \(s_1\) as a linear combination of the \(t_{1,i}\)’s, over R. Namely we can define as previously the product encoding \({\hat{{\varvec{D}}}}_{2,2}:={{\varvec{C}}}_{2,1} \cdot {{\varvec{D}}}_{2,2}\), with:

$$ {{\varvec{A}}}_{2,1} \cdot {\hat{{\varvec{D}}}}_{2,2} = s_{1} \cdot t_3 \cdot {{\varvec{A}}}_{2,3} + {{\hat{{\varvec{F}}}}}_{2,2} \pmod {q} $$

for some small error vector \({{\hat{{\varvec{F}}}}}_{2,2} \), and we can now compute the same \(({{\varvec{W}}})_{ij}\) as in (4) but with \({\hat{{\varvec{D}}}}_{2,2}\) and \({{\varvec{D}}}'_{3,3}\) instead of \({\hat{{\varvec{C}}}}_{2,2,i}\) and \({{\varvec{C}}}'_{3,3,i}\), where \({{\varvec{D}}}'_{3,3}\) is the first column of \({{\varvec{D}}}_{3,3}\). More precisely, we compute for all \(1 \le j \le 2m+2\):

$$ \omega _j={{\varvec{A}}}_{2,1} \cdot {\hat{{\varvec{D}}}}_{2,2} \cdot {{\varvec{C}}}'_{2,3,j}-{{\varvec{A}}}_{3,1} \cdot {\hat{{\varvec{C}}}}_{3,2,j} \cdot {{\varvec{D}}}'_{3,3}$$

which gives as previously:

$$\omega _j=\begin{bmatrix} s_1~&{{\hat{{\varvec{F}}}}}_{2,2}~&F_{3,3}~&{{\varvec{D}}}'_{3,3} \end{bmatrix} \cdot \begin{bmatrix} t_3 \cdot E_{2,3,j} \\ {{\varvec{C}}}'_{2,3,j} \\ -t_{2,j} \cdot t_3 \\ -{\hat{{\varvec{E}}}}_{3,2,j} \end{bmatrix}. $$

This implies that we can replace any row vector \([t_{1,i}~{\hat{{\varvec{E}}}}_{2,2,i}~E_{3,3,i}~{{\varvec{C}}}'_{3,3,i}]\) in the matrix \({{\varvec{A}}}\) by the row vector:

$$\begin{aligned}{}[s_1 ~~ {{\hat{{\varvec{F}}}}}_{2,2} ~~ F_{3,3} ~~ {{\varvec{D}}}'_{3,3}] \end{aligned}$$
(5)

where \({{\varvec{D}}}'_{3,3}\) is the first column of \({{\varvec{D}}}_{3,3}\), and \(F_{3,3}\) is the first component of \({{\varvec{F}}}_{3,3}\). Using the previous technique, we can therefore obtain a linear relation between \(s_1\) and the \(t_{1,i}\)’s over R. More precisely, with overwhelming probability, such a relation can be put in the form:

$$\begin{aligned} \mu \cdot s_1 = \sum _{i=1}^{2m+2} \lambda _i \cdot t_{1,i} \end{aligned}$$
(6)

with \(\mu \in {\mathbb {Z}}\) and \(\lambda _1,\dots ,\lambda _{2m+2}\in R\). Indeed, we obtain such a relation by computing the kernel of the matrix analogous to \({{\varvec{W}}}\) above in echelon form over the fraction field of R, which gives the kernel of the corresponding matrix \({{\varvec{A}}}\) (assuming that \({{\varvec{B}}}\) is invertible). Unless a minor of that matrix vanishes, which happens with only negligible probability, this gives a relation where the coefficient of \(s_1\) is 1 and the other coefficients are in the fraction field \(R\otimes _{\mathbb {Z}}{\mathbb Q}\) of R. By clearing denominators, we get an expression of the form (6).

Then, by considering exactly one additional \(t_{1,i}\) (say \(t_{1,2m+3}\)) and carrying out the same computations with indices \(i=2,\dots ,2m+3\) instead of \(i=1,\dots ,2m+2\), we get a second relation:

$$\begin{aligned} \nu \cdot s_1 = \sum _{i=2}^{2m+3} \lambda '_i \cdot t_{1,i}. \end{aligned}$$

If the integers \(\mu \) and \(\nu \) are relatively prime, which happens with significant probabilityFootnote 3, we can apply Bézout’s identity to obtain a linear relation in R where the coefficient of \(s_1\) is 1:

$$\begin{aligned} s_1=\sum \limits _{i=1}^{2m+3} \alpha _{i} \cdot t_{1,i}. \end{aligned}$$
(7)

Note that we have the same linear relations for the other components of the vector (5) corresponding to \(s_1\), namely:

$$\begin{aligned} {{\hat{{\varvec{F}}}}}_{2,2}=\sum \limits _{i=1}^{2m+3} \alpha _{i} \cdot {\hat{{\varvec{E}}}}_{2,2,i},\quad F_{3,3}=\sum \limits _{i=1}^{2m+3} \alpha _{i} \cdot E_{3,3,i},\quad {{\varvec{D}}}'_{3,3}=\sum \limits _{i=1}^{2m+3} \alpha _{i} \cdot {{\varvec{C}}}'_{3,3,i}. \end{aligned}$$
(8)

Second Step: Equivalent Private-Key. In this second step, we show how to publicly compute an encoding equivalent to \({{\varvec{D}}}_{1,1}\), which is private to User 1; this will break the key-agreement protocol. In the first step, we had considered rows 2 and 3 to derive the linear relations (7) and (8); we now consider Row 1. On Row 1, the encodings \({{\varvec{D}}}_{1,2}\) and \({{\varvec{D}}}_{1,3}\) are public, so we can define as previously the product encoding \({\hat{{\varvec{D}}}}_{1,3}={{\varvec{D}}}_{1,2} \cdot {{\varvec{D}}}_{1,3}\), which gives:

$${{\varvec{A}}}_{1,2} \cdot {\hat{{\varvec{D}}}}_{1,3} = s_{2} \cdot s_3 \cdot {{\varvec{A}}}_{0} + {{\hat{{\varvec{F}}}}}_{1,3} \pmod {q} $$

for some small error vector \({{\hat{{\varvec{F}}}}}_{1,3}\). Recall that the encoding \({{\varvec{D}}}_{1,1}\) is private to User 1, with:

$$\begin{aligned} {{\varvec{A}}}_{1,1} \cdot {{\varvec{D}}}_{1,1} = s_{1} \cdot {{\varvec{A}}}_{1,2} + {{\varvec{F}}}_{1,1} \pmod {q}. \end{aligned}$$
(9)

Therefore only User 1 can privately compute:

$$\begin{aligned} {{\varvec{A}}}_{1,1} \cdot {{\varvec{D}}}_{1,1} \cdot {\hat{{\varvec{D}}}}_{1,3}=s_{1}\cdot s_2 \cdot s_3 \cdot {{\varvec{A}}}_{0} + s_1 \cdot {{\hat{{\varvec{F}}}}}_{1,3}+ {{\varvec{F}}}_{1,1} \cdot {\hat{{\varvec{D}}}}_{1,3} \pmod {q} \end{aligned}$$
(10)

and extract the high order bits of \(s_{1} \cdot s_2 \cdot s_3 \cdot {{\varvec{A}}}_{0} \bmod q\) to generate the session key.

We cannot compute the previous equation since \({{\varvec{D}}}_{1,1}\) is private. However since we know a linear relation (7) between \(s_1\) and the \(t_{1,i}\)’s, and the encodings \({{\varvec{C}}}_{1,1,i}\) corresponding to \(t_{1,i}\) are public, with:

$${{\varvec{A}}}_{1,1} \cdot {{\varvec{C}}}_{1,1,i} = t_{1,i} \cdot {{\varvec{A}}}_{1,2} + {{\varvec{E}}}_{1,1,i} \pmod {q}$$

it is then natural to compute:

$$ {\tilde{{\varvec{D}}}}_{1,1}= \sum \limits _{i=1}^{2m+3} \alpha _i \cdot {{\varvec{C}}}_{1,1,i}, $$

which gives:

$$\begin{aligned} {{\varvec{A}}}_{1,1} \cdot {\tilde{{\varvec{D}}}}_{1,1} =s_1 \cdot {{\varvec{A}}}_{1,2} + \sum \limits _{i=1}^{2m+3} \alpha _i \cdot {{\varvec{E}}}_{1,1,i} \pmod {q}. \end{aligned}$$
(11)

The difference with (9) is that the error term \(\sum _{i=1}^{2m+3} \alpha _i \cdot {{\varvec{E}}}_{1,1,i}\) is not necessarily small since the coefficients \(\alpha _i\) can be large. Therefore if we compute:

$$\begin{aligned} {{\varvec{A}}}_{1,1} \cdot {\tilde{{\varvec{D}}}}_{1,1} \cdot {\hat{{\varvec{D}}}}_{1,3} =s_1 \cdot s_2 \cdot s_3 \cdot {{\varvec{A}}}_0 + s_1 \cdot {{\hat{{\varvec{F}}}}}_{1,3} + \left( \sum \limits _{i=1}^{2m+3} \alpha _i \cdot {{\varvec{E}}}_{1,1,i} \right) \cdot {\hat{{\varvec{D}}}}_{1,3} \pmod {q} \end{aligned}$$
(12)

then as opposed to (10) this does not reveal the high-order bits of \(s_1 \cdot s_2 \cdot s_3 \cdot {{\varvec{A}}}_0 \bmod q\). In the following, we show how to derive an approximation of \(\sum _{i=1}^{2m+3} \alpha _i \cdot {{\varvec{E}}}_{1,1,i}\) over R, in order to correct the error in (11) and break the protocol. This is the second part of our attack.

As in the first step of the attack, to get equations over R and not only modulo q, we consider the difference between two rows, this time the difference between rows 1 and 3 (instead of rows 2 and 3). We have the public encodings:

$$\begin{aligned} {{\varvec{A}}}_{1,1} \cdot {{\varvec{C}}}_{1,1,\ell }&= t_{1,\ell } \cdot {{\varvec{A}}}_{1,2} + {{\varvec{E}}}_{1,1,\ell } \pmod {q} \\ {{\varvec{A}}}_{1,2} \cdot {\hat{{\varvec{C}}}}_{1,3,\ell }&= t_{2,\ell } \cdot t_3 \cdot {{\varvec{A}}}_0 + {\hat{{\varvec{E}}}}_{1,3,\ell } \pmod {q} \\ {{\varvec{A}}}_{3,1} \cdot {\hat{{\varvec{C}}}}_{3,2,\ell }&= t_{2,\ell } \cdot t_3 \cdot {{\varvec{A}}}_{3,3} + {\hat{{\varvec{E}}}}_{3,2,\ell } \pmod {q} \\ {{\varvec{A}}}_{3,3} \cdot {{\varvec{C}}}_{3,3,\ell }&= t_{1,\ell } \cdot {{\varvec{A}}}_{0} + {{\varvec{E}}}_{3,3,\ell } \pmod {q} \end{aligned}$$

where we let \({\hat{{\varvec{C}}}}_{1,3,\ell }:={{\varvec{C}}}_{1,2,\ell } \cdot {{\varvec{C}}}_{1,3}\), for some small error vector \({\hat{{\varvec{E}}}}_{1,3,\ell }\). As previously we can compute over R, restricting ourselves to the first component, where \({\hat{{\varvec{C}}}}'_{1,3,j}\) and \({{\varvec{C}}}'_{3,3,i}\) are the first columns of \({\hat{{\varvec{C}}}}_{1,3,j}\) and \({{\varvec{C}}}_{3,3,i}\) respectively:

$$\begin{aligned} \omega _{ij}&={{\varvec{A}}}_{1,1} \cdot {{\varvec{C}}}_{1,1,i} \cdot {\hat{{\varvec{C}}}}'_{1,3,j}- {{\varvec{A}}}_{3,1} \cdot {\hat{{\varvec{C}}}}_{3,2,j} \cdot {{\varvec{C}}}'_{3,3,i} \\&= t_{1,i} \cdot \hat{E}_{1,3,j} + {{\varvec{E}}}_{1,1,i} \cdot {\hat{{\varvec{C}}}}'_{1,3,j} - t_{2,j} \cdot t_3 \cdot E_{3,3,i} - {\hat{{\varvec{E}}}}_{3,2,j} \cdot {{\varvec{C}}}'_{3,3,i}. \end{aligned}$$

We can therefore compute over R, using the coefficients \(\alpha _i\) from the linear relation (7):

$$\begin{aligned} \varOmega _j&= \sum \limits _{i=1}^{2m+3} \alpha _i \cdot \left( {{\varvec{A}}}_{1,1} \cdot {{\varvec{C}}}_{1,1,i} \cdot {\hat{{\varvec{C}}}}'_{1,3,j}- {{\varvec{A}}}_{3,1} \cdot {\hat{{\varvec{C}}}}_{3,2,j} \cdot {{\varvec{C}}}'_{3,3,i} \right) \\ \nonumber&= \sum \limits _{i=1}^{2m+3} \alpha _i \cdot \left( t_{1,i} \cdot \hat{E}_{1,3,j} + {{\varvec{E}}}_{1,1,i} \cdot {\hat{{\varvec{C}}}}'_{1,3,j} - t_{2,j} \cdot t_3 \cdot E_{3,3,i} - {\hat{{\varvec{E}}}}_{3,2,j} \cdot {{\varvec{C}}}'_{3,3,i} \right) . \end{aligned}$$
(13)

Using the linear relations (7) and (8), we obtain:

$$ \varOmega _j=s_1 \cdot \hat{E}_{1,3,j} - t_{2,j} \cdot t_3 \cdot F_{3,3} - {\hat{{\varvec{E}}}}_{3,2,j} \cdot {{\varvec{D}}}'_{3,3}+ \left( \sum \limits _{i=1}^{2m+3} \alpha _i \cdot {{\varvec{E}}}_{1,1,i} \right) \cdot {\hat{{\varvec{C}}}}'_{1,3,j} $$

which gives:

$$\begin{aligned} \varOmega _j = u_j + \left( \sum \limits _{i=1}^{2m+3} \alpha _i \cdot {{\varvec{E}}}_{1,1,i} \right) \cdot {\hat{{\varvec{C}}}}'_{1,3,j} \end{aligned}$$
(14)

for some small \(u_j\) in R. In summary we obtain a large scalar \(\varOmega _j\) because the coefficients \(\alpha _i\) in (13) are large, but eventually what makes \(\varOmega _j\) large is only the contribution from \((\sum _{i=1}^{2m+3} \alpha _i \cdot {{\varvec{E}}}_{1,1,i}) \cdot {\hat{{\varvec{C}}}}'_{1,3,j}\); namely because of the linear relations (7) and (8) the other terms remain small.

We can now write (14) in vectorial form, where we let \({\hat{{\varvec{C}}}}''_{1,3}\) be the square matrix whose columns are the column vectors \({\hat{{\varvec{C}}}}'_{1,3,j}\) for \(1 \le j \le m\); recall that the \({\hat{{\varvec{C}}}}'_{1,3,j}\) are the first column vectors of the matrix encodings \({\hat{{\varvec{C}}}}_{1,3,j}\). We obtain a row vector \(\mathbf {\varOmega }\) of dimension m, where:

$$\begin{aligned} \mathbf {\varOmega } = {{\varvec{u}}} + \left( \sum \limits _{i=1}^{2m+3} \alpha _i \cdot {{\varvec{E}}}_{1,1,i} \right) \cdot {\hat{{\varvec{C}}}}''_{1,3} \end{aligned}$$
(15)

where \({\hat{{\varvec{C}}}}''_{1,3}\) is a public square matrix of dimension m.

Now the crucial observation is that because the vector \({{\varvec{u}}}\) has small components, we can get an approximation of the vector \(\sum _{i=1}^{2m+3} \alpha _i \cdot {{\varvec{E}}}_{1,1,i}\) by reducing the vector \(\mathbf {\varOmega }\) modulo the matrix \({\hat{{\varvec{C}}}}''_{1,3}\), assuming that \({\hat{{\varvec{C}}}}''_{1,3}\) is an invertible matrix, which heuristically holds with good probability. This can be done by solving over the fraction field of R the linear system \(\mathbf {\varOmega }={{\varvec{y}}} \cdot {\hat{{\varvec{C}}}}''_{1,3}\) and then rounding to R the coefficients of \({{\varvec{y}}}\). Heuristically the vector \({{\varvec{E}}} =\lfloor {{\varvec{y}}} \rceil \) should be a good approximation of \(\sum _{i=1}^{2m+3} \alpha _i \cdot {{\varvec{E}}}_{1,1,i}\); namely letting:

$$\begin{aligned} {{\varvec{E}}}' =\sum \limits _{i=1}^{2m+3} \alpha _i \cdot {{\varvec{E}}}_{1,1,i} -{{\varvec{E}}} \end{aligned}$$
(16)

we get using \({{\varvec{y}}} = \mathbf {\varOmega } \cdot {\hat{{\varvec{C}}}}''^{-1}_{1,3}\):

$$\begin{aligned} {{\varvec{E}}}'&=\left( \mathbf {\varOmega }-{{\varvec{u}}} \right) \cdot {\hat{{\varvec{C}}}}''^{-1}_{1,3}-{{\varvec{E}}} \\&= {{\varvec{y}}}-{{\varvec{E}}} - {{\varvec{u}}} \cdot {\hat{{\varvec{C}}}}''^{-1}_{1,3} \end{aligned}$$

and therefore since \({{\varvec{y}}}-{{\varvec{E}}}\) and \({{\varvec{u}}}\) are small, the difference vector \({{\varvec{E'}}}\) should be small if the norm of the transpose of the matrix \({\hat{{\varvec{C}}}}''^{-1}_{1,3}\) remains small. We know that such a bound holds with probability close to 1 if we model \({\hat{{\varvec{C}}}}''_{1,3}\) as a random matrix (e.g. Rudelson [Rud08] provides a bound of the form \(O(m^{3/2})\)), and so we expect \({{\varvec{E'}}}\) to be small (compared to q) for randomly generated encodings, since in the GGH15 parameter selection one takes \(m=\Theta (\log q)\).

Combining (11) and (16), we get:

$$ {{\varvec{A}}}_{1,1} \cdot {\tilde{{\varvec{D}}}}_{1,1}-{{\varvec{E}}}=s_1 \cdot {{\varvec{A}}}_{1,2} +{{\varvec{E}}}' \pmod {q}$$

for a small vector \({{\varvec{E}}}'\). Note that the previous equation is very similar to the original equation for the private encoding \({{\varvec{D}}}_{1,1}\):

$$ {{\varvec{A}}}_{1,1} \cdot {{\varvec{D}}}_{1,1}=s_1 \cdot {{\varvec{A}}}_{1,2} +{{\varvec{F}}}_{1,1} \pmod {q}$$

the only difference being the publicly computed correction vector \({{\varvec{E}}}\). Therefore the pair \(({\tilde{{\varvec{D}}}}_{1,1},{{\varvec{E}}})\) gives us an equivalent of the private encoding \({{\varvec{D}}}_{1,1}\), which breaks the protocol. More precisely we can eventually compute from public parameters:

$$\begin{aligned} \left( {{\varvec{A}}}_{1,1} \cdot {\tilde{{\varvec{D}}}}_{1,1}-{{\varvec{E}}}\right) \cdot {{\varvec{D}}}_{1,2} \cdot {{\varvec{D}}}_{1,3}&=\left( s_1 \cdot {{\varvec{A}}}_{1,2} +{{\varvec{E}}}' \right) \cdot {\hat{{\varvec{D}}}}_{1,3} \pmod {q}\\&= s_1 \cdot s_2 \cdot s_3 \cdot {{\varvec{A}}}_0\\&\quad + s_1 \cdot {{\hat{{\varvec{F}}}}}_{1,3}+{{\varvec{E}}}' \cdot {\hat{{\varvec{D}}}}_{1,3} \pmod {q}. \end{aligned}$$

Since all the error terms are small, this enables to extract the high-order bits of \(s_1 \cdot s_2 \cdot s_3 \cdot {{\varvec{A}}}_0 \bmod q\), and breaks the protocol.

3.2 Extension to \(k \ge 3\) Users

The extension of our attack to \(k \ge 3\) users is relatively straightforward and described in the full version of this paper [CLLT15].

4 Cryptanalysis of GGH15 with Safeguards

In [GGH15, Sect. 5.1] two safeguards for multipartite key agreement based on GGH15 multilinear maps are described:

  1. 1.

    Kilian-style randomization of the encodings, where \({{\varvec{C}}}\) is replaced by \({\bar{{\varvec{C}}}} :={{\varvec{R}}}^{-1} \cdot {{\varvec{C}}} \cdot {{\varvec{R}}}'\) using the randomizer matrices \({{\varvec{R}}}\), \({{\varvec{R'}}}\) belonging to two adjacent nodes.

  2. 2.

    Choosing the first encoding matrix in each chain to have large entries.

In the following, we show how to extend our previous attack when those two safeguards are used.

4.1 First Safeguard: Kilian-Style Randomization of the Encodings

The following safeguard for GGH15 multilinear maps is described in [GGH15], using Kilian-type randomization [Kil88]. For each internal node v in the graph one can choose a random invertible \(m \times m\) matrix \({{\varvec{R}}}_v\) modulo q, and for the sinks and sources we set \({{\varvec{R}}}_v={{\varvec{I}}}\). Then each encoding \({{\varvec{C}}}\) relative to path \(u\leadsto v\) is replaced by a masked encoding \({\bar{{\varvec{C}}}}:= {{\varvec{R}}}_u^{-1} \cdot {{\varvec{C}}} \cdot {{\varvec{R}}}_v\). Concretely, in the GGH15 key-agreement protocol, instead of publishing encodings \({{\varvec{C}}}_{i,j}\) with:

$$ {{\varvec{A}}}_{i,j} \cdot {{\varvec{C}}}_{i,j,\ell }=t_{1+(j-i\;\bmod \; k),\ell } \cdot {{\varvec{A}}}_{i,j+1} + {{\varvec{E}}}_{i,j,\ell } \pmod {q} $$

one would only publish the masked encodings modulo q:

$$\begin{aligned} {\bar{{\varvec{C}}}}_{i,j,\ell }:= {{\varvec{R}}}_{i,j}^{-1} \cdot {{\varvec{C}}}_{i,j,\ell } \cdot {{\varvec{R}}}_{i,j+1} \end{aligned}$$
(17)

with \({{\varvec{R}}}_{i,1}={{\varvec{R}}}_{i,k+1}={{\varvec{I}}}\) for all i; the same masking is applied to the encodings \({{\varvec{D}}}_{i,j}\). Since the product of encoding on any source-to-sink path remains the same, the same value is eventually extracted. Namely for all i we have:

$$ \prod \limits _{j=1}^k {\bar{{\varvec{C}}}}_{i,j} =\prod \limits _{j=1}^k {{\varvec{C}}}_{i,j}$$

and therefore exactly the same session-key as before is computed by all users.

4.2 Second Safeguard: First Encodings with Large Entries

The second safeguard described in [GGH15, Sect. 5.1] consists in choosing the first encodings \({{\varvec{C}}}_{i,1}\) in each chain to have large entries modulo q, instead of small entries. Namely the first encoding \({{\varvec{C}}}_{i,1}\) does not contribute in the error term when computing the session-key, so it can have large entries.

4.3 Cryptanalysis of GGH15 with both Safeguards

In this section we show how to extend our attack from Sect. 3 when both safeguards are used. Note the first step of our attack still applies, since in the first step we are only using product of encodings from source to sink. Namely in Eq. (4) exactly the same value \(({{\varvec{W}}})_{ij}\) is obtained when using masked encodings. Therefore we can still derive the same linear relation between secret exponents as in (7) and (8).

However the second step of our attack does not apply directly, since our second step requires the knowledge of the matrix \({\hat{{\varvec{C}}}}''_{1,3}\) in (15), which is obtained from the first columns of the encodings \({\hat{{\varvec{C}}}}_{1,3,j}={{\varvec{C}}}_{1,2,j} \cdot {{\varvec{C}}}_{1,3}\). Since these are partial products only, such partial products would be masked by the unknown randomization matrix \({{\varvec{R}}}_{1,2}^{-1}\) modulo q, hence the matrix \({\hat{{\varvec{C}}}}''_{1,3}\) is unknown.

We can however adapt our second step as follows. For simplicity we keep the same notations as previously, that is we describe our extended attack in term of the original encodings \({{\varvec{C}}}_{i,j,\ell }\), instead of the masked encodings \({\bar{{\varvec{C}}}}_{i,j,\ell }\) from (17); in that case we are only allowed to use products of encodings from source to sink. We first start with a slightly different equation from (15):

$$\begin{aligned} \mathbf {\varOmega } = {{\varvec{u}}} + \left( \sum \limits _{i=1}^{2m+3} \alpha _i \cdot {{\varvec{E}}}_{1,1,i} \right) \cdot {\hat{{\varvec{G}}}}''_{1,3} \end{aligned}$$
(18)

where \({\hat{{\varvec{G}}}}''_{1,3}\) is a matrix whose columns are the first column vectors of \({{\varvec{D}}}_{1,2} \cdot {{\varvec{C}}}_{1,3,j}\) for \(1 \le j \le 2m+2\). Note that in (12) the error term that we must estimate to recover the session key is:

$$\begin{aligned} {{\varvec{E}}}=\left( \sum \limits _{i=1}^{2m+3} \alpha _i \cdot {{\varvec{E}}}_{1,1,i} \right) \cdot {\hat{{\varvec{D}}}}_{1,3} \end{aligned}$$
(19)

Using a similar approach as in the attack first step, our approach consists in finding a vector \({{\varvec{x}}}\) with coefficients in the fraction field \(R\otimes _{\mathbb {Z}}{\mathbb Q}\) of R such that:

$$ {\hat{{\varvec{D}}}}'_{1,3}={\hat{{\varvec{G}}}}''_{1,3} \cdot {{\varvec{x}}}$$

where \({\hat{{\varvec{D}}}}'_{1,3}\) is the first column vector of \({\hat{{\varvec{D}}}}_{1,3}\). Applying the vector \({{\varvec{x}}}\) on (18) and rounding in R, we obtain:

$$ \left\lfloor \mathbf {\varOmega } \cdot {{\varvec{x}}} \right\rceil =\left\lfloor {{\varvec{u}}} \cdot {{\varvec{x}}} \right\rceil + \left( \sum \limits _{i=1}^{2m+3} \alpha _i \cdot {{\varvec{E}}}_{1,1,i} \right) \cdot {\hat{{\varvec{D}}}}'_{1,3} $$

Since the components of \({{\varvec{u}}}\) (over R) are small, and moreover the coefficients of \({{\varvec{x}}}\) (over \(R\otimes _{\mathbb {Z}}{\mathbb Q}\)) are heuristically also small, the scalar \( \lfloor {{\varvec{u}}} \cdot {{\varvec{x}}} \rceil \) in R is small compared to q, and therefore we obtain a good estimate of the first component of the error vector \({{\varvec{E}}}\) from (19), which enables to recover the first component of the session key and breaks the scheme.Footnote 4

4.4 Detailed Description

First Step: Linear Relations in \({\varvec{R}}\) . The first step of our attack is exactly the same as previously. Namely as mentioned previously the first step of our previous attack still applies, since in the first step we are only using product of encodings from source to sink. More precisely in Eq. (4) exactly the same value \(({{\varvec{W}}})_{ij}\) is obtained when using masked encodings, and therefore we can still derive the same linear relations as in (7) and (8):

$$\begin{aligned} s_1=\sum \limits _{i=1}^{2m+3} \alpha _{i} \cdot t_{1,i},\quad {{\hat{{\varvec{F}}}}}_{2,2}=\sum \limits _{i=1}^{2m+3} \alpha _{i} \cdot {\hat{{\varvec{E}}}}_{2,2,i},\nonumber \\ F_{3,3}=\sum \limits _{i=1}^{2m+3} \alpha _{i} \cdot E_{3,3,i},\quad {{\varvec{D}}}'_{3,3}=\sum \limits _{i=1}^{2m+3} \alpha _{i} \cdot {{\varvec{C}}}'_{3,3,i}. \end{aligned}$$
(20)

Note that as opposed to Sect. 3 we don’t know the value of the encodings \({{\varvec{D}}}'_{3,3}\) and \({{\varvec{C}}}'_{3,3,i}\), since they are masked by the \({{\varvec{R}}}_{ij}\) matrices; we only recover the coefficients \(\alpha _i\) in R.

Second Step: Another Linear Relation. In the second step, our goal is to find a vector \({{\varvec{x}}}\) with coefficients in the fraction field \(R\otimes _{\mathbb {Z}}{\mathbb Q}\) of R such that:

$$ {{{\varvec{D}}}'_{1,3}} = {\sum \limits _{i=1}^{2m+2}} x_i \cdot {{\varvec{C}}}'_{1,3,i} $$

where \({{\varvec{D}}}'_{1,3}\) and \({{\varvec{C}}}'_{1,3,i}\) are the first column vectors of \({{\varvec{D}}}_{1,3}\) and \({{\varvec{C}}}_{1,3,i}\) respectively. We show that this can be done using the same approach as in the attack first step.

Namely letting \({\hat{{\varvec{C}}}}_{1,2,\ell }:={{\varvec{C}}}_{1,1,\ell } \cdot {{\varvec{C}}}_{1,2}\) where we let \({{\varvec{C}}}_{1,2}:={{\varvec{C}}}_{1,2,1}\) corresponding to \(t_2:=t_{2,1}\), we obtain:

$$\begin{aligned} {{\varvec{A}}}_{1,1} \cdot {\hat{{\varvec{C}}}}_{1,2,\ell }&= t_{1,\ell } \cdot t_2 \cdot {{\varvec{A}}}_{1,3}+ {\hat{{\varvec{E}}}}_{1,2,\ell } \pmod {q}\\ {{\varvec{A}}}_{1,3} \cdot {{\varvec{C}}}_{1,3,\ell }&= t_{3,\ell } \cdot {{\varvec{A}}}_0 + {{\varvec{E}}}_{1,3,\ell } \pmod {q} \end{aligned}$$

Similarly letting \({\hat{{\varvec{C}}}}_{2,3,\ell }:={{\varvec{C}}}_{2,2,\ell } \cdot {{\varvec{C}}}_{2,3}\) where \({{\varvec{C}}}_{2,3}:={{\varvec{C}}}_{2,3,1}\), we get:

$$\begin{aligned} {{\varvec{A}}}_{2,1} \cdot {{\varvec{C}}}_{2,1,\ell }&= t_{3,\ell } \cdot {{\varvec{A}}}_{2,2}+ {{\varvec{E}}}_{2,1,\ell } \pmod {q}\\ {{\varvec{A}}}_{2,2} \cdot {\hat{{\varvec{C}}}}_{2,3,\ell }&= t_1 \cdot t_{2,\ell } \cdot {{\varvec{A}}}_0 + {\hat{{\varvec{E}}}}_{2,3,\ell } \pmod {q} \end{aligned}$$

We can therefore compute the following matrix elements in R, restricting ourselves as previously to the first component of the vectors:

$$\begin{aligned} ({{\varvec{W}}})_{ij}&={{\varvec{A}}}_{1,1} \cdot {\hat{{\varvec{C}}}}_{1,2,i} \cdot {{\varvec{C}}}'_{1,3,j} - {{\varvec{A}}}_{2,1} \cdot {{\varvec{C}}}_{2,1,j} \cdot {\hat{{\varvec{C}}}}'_{2,3,i} \\&= t_{1,i} \cdot t_2 \cdot E_{1,3,j}+{\hat{{\varvec{E}}}}_{1,2,i} \cdot {{\varvec{C}}}'_{1,3,j} - t_{3,j} \cdot {\hat{E}}_{2,3,i}- {{\varvec{E}}}_{2,1,j} \cdot {\hat{{\varvec{C}}}}'_{2,3,i} \end{aligned}$$

for all \(1 \le i \le 2m+2\) and \(1 \le j \le 2m+2\), where \({{\varvec{C}}}'_{1,3,j}\) and \({\hat{{\varvec{C}}}}'_{2,3,i}\) are the first column vectors of \({{\varvec{C}}}_{1,3,j}\) and \({\hat{{\varvec{C}}}}_{2,3,i}\) respectively. This gives:

$$ ({{\varvec{W}}})_{ij} = \begin{bmatrix} t_{1,i}\, t_2~&{\hat{{\varvec{E}}}}_{1,2,i}~&\hat{E}_{2,3,i}~&{\hat{{\varvec{C}}}}'_{2,3,i} \end{bmatrix} \cdot \begin{bmatrix} E_{1,3,j} \\ {{\varvec{C}}}'_{1,3,j} \\ -t_{3,j} \\ -{{\varvec{E}}}_{2,1,j} \end{bmatrix}. $$

Moreover, since the encodings \({{\varvec{D}}}_{1,3}\) and \({{\varvec{D}}}_{2,1}\) corresponding to \(s_3\) on rows 1 and 2 are public, we can additionally compute the corresponding vector:

$$\begin{aligned} ({{\varvec{V}}})_{i}&={{\varvec{A}}}_{1,1} \cdot {\hat{{\varvec{C}}}}_{1,2,i} \cdot {{\varvec{D}}}'_{1,3} - {{\varvec{A}}}_{2,1} \cdot {{\varvec{D}}}_{2,1} \cdot {\hat{{\varvec{C}}}}'_{2,3,i} \\&= \begin{bmatrix} t_{1,i}\, t_2~&{\hat{{\varvec{E}}}}_{1,2,i}~&\hat{E}_{2,3,i}~&{\hat{{\varvec{C}}}}'_{2,3,i} \end{bmatrix} \cdot \begin{bmatrix} F_{1,3} \\ {{\varvec{D}}}'_{1,3} \\ -s_{3} \\ -{{\varvec{F}}}_{2,1} \end{bmatrix}. \end{aligned}$$

where \({{\varvec{D}}}'_{1,3}\) is the first column vector of \({{\varvec{D}}}_{1,3}\). Therefore assuming that the matrix \({{\varvec{W}}}\) is invertible, we can find \({{\varvec{x}}}\) in \(R\otimes _{\mathbb {Z}}{\mathbb Q}\) such that:

$$ {{\varvec{W}}} \cdot {{\varvec{x}}}={{\varvec{V}}}$$

which gives as required:

$$\begin{aligned} {{{\varvec{D}}}'_{1,3}} = {\sum \limits _{i=1}^{2m+2}} x_i \cdot {{\varvec{C}}}'_{1,3,i} \end{aligned}$$
(21)

Note that the only difference with the linear relations from Step 1 is that we don’t require the \(x_i\)’s to be in R, only in the fraction field \(R\otimes _{\mathbb {Z}}{\mathbb Q}\) of R; this implies that heuristically such coefficients should remain small in absolute value.

Third Step: Estimating the Error Term. In the third step our goal is to estimate the error term when computing the session-key, as in the second step of the basic attack. We first start with a slightly different equation from (15):

$$\begin{aligned} \mathbf {\varOmega } = {{\varvec{u}}} + \left( \sum \limits _{i=1}^{2m+3} \alpha _i \cdot {{\varvec{E}}}_{1,1,i} \right) \cdot {\hat{{\varvec{G}}}}''_{1,3} \end{aligned}$$
(22)

where \({\hat{{\varvec{G}}}}''_{1,3}\) is a matrix whose columns are the first column vectors of \({{\varvec{D}}}_{1,2} \cdot {{\varvec{C}}}_{1,3,j}\) for \(1 \le j \le 2m+2\). Therefore the only difference with (15) is that we use the matrix \({\hat{{\varvec{G}}}}''_{1,3}\) instead of \({\hat{{\varvec{C}}}}''_{1,3}\).

To obtain (22) we proceed as follows. Instead of letting \({\hat{{\varvec{C}}}}_{1,3,\ell }={{\varvec{C}}}_{1,2,\ell } \cdot {{\varvec{C}}}_{1,3}\) as in the basic attack, we let \({\hat{{\varvec{C}}}}_{1,3,\ell }={{\varvec{D}}}_{1,2} \cdot {{\varvec{C}}}_{1,3,\ell }\). Similarly we let \({\hat{{\varvec{C}}}}_{3,2,\ell }:={{\varvec{D}}}_{3,1} \cdot {{\varvec{C}}}_{3,2,\ell }\). This is possible because on rows 1 and 3 the encodings \({{\varvec{D}}}_{1,2}\) and \({{\varvec{D}}}_{3,1}\) corresponding to \(s_2\) are public. We obtain:

$$\begin{aligned} {{\varvec{A}}}_{1,1} \cdot {{\varvec{C}}}_{1,1,\ell }&= t_{1,\ell } \cdot {{\varvec{A}}}_{1,2} + {{\varvec{E}}}_{1,1,\ell } \pmod {q} \\ {{\varvec{A}}}_{1,2} \cdot {\hat{{\varvec{C}}}}_{1,3,\ell }&= s_{2} \cdot t_{3,\ell } \cdot {{\varvec{A}}}_0 + {\hat{{\varvec{E}}}}_{1,3,\ell } \pmod {q} \\ {{\varvec{A}}}_{3,1} \cdot {\hat{{\varvec{C}}}}_{3,2,\ell }&= s_{2} \cdot t_{3,\ell } \cdot {{\varvec{A}}}_{3,3} + {\hat{{\varvec{E}}}}_{3,2,\ell } \pmod {q} \\ {{\varvec{A}}}_{3,3} \cdot {{\varvec{C}}}_{3,3,\ell }&= t_{1,\ell } \cdot {{\varvec{A}}}_{0} + {{\varvec{E}}}_{3,3,\ell } \pmod {q} \end{aligned}$$

As previously we can compute over R, restricting ourselves to the first component, where \({\hat{{\varvec{C}}}}'_{1,3,j}\) and \({{\varvec{C}}}'_{3,3,i}\) are the first columns of \({\hat{{\varvec{C}}}}_{1,3,j}\) and \({{\varvec{C}}}_{3,3,i}\) respectively:

$$\begin{aligned} \omega _{ij}&={{\varvec{A}}}_{1,1} \cdot {{\varvec{C}}}_{1,1,i} \cdot {\hat{{\varvec{C}}}}'_{1,3,j}- {{\varvec{A}}}_{3,1} \cdot {\hat{{\varvec{C}}}}_{3,2,j} \cdot {{\varvec{C}}}'_{3,3,i} \\&= t_{1,i} \cdot \hat{E}_{1,3,j} + {{\varvec{E}}}_{1,1,i} \cdot {\hat{{\varvec{C}}}}'_{1,3,j} - s_{2} \cdot t_{3,j} \cdot E_{3,3,i} - {\hat{{\varvec{E}}}}_{3,2,j} \cdot {{\varvec{C}}}'_{3,3,i}. \end{aligned}$$

We can therefore compute over R, using the coefficients \(\alpha _i\) from the linear relations (20):

$$\begin{aligned} \varOmega _j= & {} \sum \limits _{i=1}^{2m+3} \alpha _i \cdot \omega _{ij} \\= & {} \sum \limits _{i=1}^{2m+3} \alpha _i \cdot \left( t_{1,i} \cdot \hat{E}_{1,3,j} + {{\varvec{E}}}_{1,1,i} \cdot {\hat{{\varvec{C}}}}'_{1,3,j} - s_{2} \cdot t_{3,j} \cdot E_{3,3,i} - {\hat{{\varvec{E}}}}_{3,2,j} \cdot {{\varvec{C}}}'_{3,3,i} \right) \end{aligned}$$

Using the linear relations in (20), we obtain:

$$ \varOmega _j=s_1 \cdot \hat{E}_{1,3,j} - s_{2} \cdot t_{3,j} \cdot F_{3,3} - {\hat{{\varvec{E}}}}_{3,2,j} \cdot {{\varvec{D}}}'_{3,3}+ \left( \sum \limits _{i=1}^{2m+3} \alpha _i \cdot {{\varvec{E}}}_{1,1,i} \right) \cdot {\hat{{\varvec{C}}}}'_{1,3,j} $$

where \({{\varvec{D}}}'_{3,3}\) is the first column vector of \({{\varvec{D}}}_{3,3}\). This gives:

$$ \varOmega _j = u_j + \left( \sum \limits _{i=1}^{2m+3} \alpha _i \cdot {{\varvec{E}}}_{1,1,i} \right) \cdot {\hat{{\varvec{C}}}}'_{1,3,j} $$

for some small \(u_j\) in R. Since we have let \({\hat{{\varvec{C}}}}_{1,3,j}={{\varvec{D}}}_{1,2} \cdot {{\varvec{C}}}_{1,3,j}\) for \(1 \le j \le 2m+2\), in vectorial form we obtain (22) as required, where \({\hat{{\varvec{G}}}}''_{1,3}\) is the matrix whose columns are the first column vectors of \({{\varvec{D}}}_{1,2} \cdot {{\varvec{C}}}_{1,3,j}\) for \(1 \le j \le 2m+2\).

Recall that in (12) the error term that we must estimate to recover the session key is:

$$\begin{aligned} {{\varvec{E}}}=\left( \sum \limits _{i=1}^{2m+3} \alpha _i \cdot {{\varvec{E}}}_{1,1,i} \right) \cdot {\hat{{\varvec{D}}}}_{1,3} \end{aligned}$$
(23)

where \({\hat{{\varvec{D}}}}_{1,3}={{\varvec{D}}}_{1,2} \cdot {{\varvec{D}}}_{1,3}\). In the following we will only estimate the first component, so we let \({\hat{{\varvec{D}}}}'_{1,3}={{\varvec{D}}}_{1,2} \cdot {{\varvec{D}}}'_{1,3}\), where \({\hat{{\varvec{D}}}}'_{1,3}\) and \({{\varvec{D}}}'_{1,3}\) are the first column vectors of \({\hat{{\varvec{D}}}}_{1,3}\) and \({{\varvec{D}}}_{1,3}\) respectively.

We now use the vector \({{\varvec{x}}}\) computed in the second step. In matrix notation, Eq. (21) gives:

$$ {{\varvec{D}}}'_{1,3}={{\varvec{C}}}''_{1,3} \cdot {{\varvec{x}}}$$

where \({{\varvec{C}}}''_{1,3}\) is the matrix whose columns are the first column vectors of \({{\varvec{C}}}_{1,3,i}\) for \(1 \le i \le 2m+2\). Using \({\hat{{\varvec{G}}}}''_{1,3}={{\varvec{D}}}_{1,2} \cdot {{\varvec{C}}}''_{1,3}\), this gives:

$$ {\hat{{\varvec{D}}}}'_{1,3}={{\varvec{D}}}_{1,2} \cdot {{\varvec{D}}}'_{1,3}= {{\varvec{D}}}_{1,2} \cdot {{\varvec{C}}}''_{1,3} \cdot {{\varvec{x}}}= {{\varvec{G}}}''_{1,3} \cdot {{\varvec{x}}}$$

where \({\hat{{\varvec{D}}}}'_{1,3}\) is the first column vector of \({\hat{{\varvec{D}}}}_{1,3}\). Applying the vector \({{\varvec{x}}}\) on (22), we therefore get:

$$ \mathbf {\varOmega } \cdot {{\varvec{x}}} = {{\varvec{u}}} \cdot {{\varvec{x}}} + \left( \sum \limits _{i=1}^{2m+3} \alpha _i \cdot {{\varvec{E}}}_{1,1,i} \right) \cdot {\hat{{\varvec{D}}}}'_{1,3} $$

We claim that this provides a good estimate of the first component of the error vector \({{\varvec{E}}}\) from (23). Recall that the components of \({{\varvec{x}}}\) are in \(R\otimes _{\mathbb {Z}}{\mathbb Q}\), so by rounding to the nearest integer we can get the following value in R:

$$\begin{aligned} E'=\lfloor {\varvec{\varOmega }} \cdot {{\varvec{x}}}\rceil = \lfloor {{\varvec{u}}} \cdot {{\varvec{x}}} \rceil + \left( {\sum \limits _{i=1}^{2m+3}} \alpha _i \cdot {{\varvec{E}}}_{1,1,i} \right) \cdot {\hat{{\varvec{D}}}}'_{1,3} \end{aligned}$$
(24)

Since the components of \({{\varvec{u}}}\) (over R) are small, and moreover the coefficients of \({{\varvec{x}}}\) (over \(R\otimes _{\mathbb {Z}}{\mathbb Q}\)) are also small (heuristically), the scalar \( \lfloor {{\varvec{u}}} \cdot {{\varvec{x}}} \rceil \) in R is small.

Finally, letting as previously:

$$ {\tilde{{\varvec{D}}}}_{1,1}= \sum \limits _{i=1}^{2m+3} \alpha _i \cdot {{\varvec{C}}}_{1,1,i}, $$

we obtain:

$$ {{\varvec{A}}}_{1,1} \cdot {\tilde{{\varvec{D}}}}_{1,1} =s_1 \cdot {{\varvec{A}}}_{1,2} + \sum \limits _{i=1}^{2m+3} \alpha _i \cdot {{\varvec{E}}}_{1,1,i} \pmod {q}. $$

which gives as previously:

$$ {{\varvec{A}}}_{1,1} \cdot {\tilde{{\varvec{D}}}}_{1,1} \cdot {\hat{{\varvec{D}}}}'_{1,3} =s_1 \cdot s_2 \cdot s_3 \cdot A_0 + s_1 \cdot \hat{F}_{1,3} + \left( \sum \limits _{i=1}^{2m+3} \alpha _i \cdot {{\varvec{E}}}_{1,1,i} \right) \cdot {\hat{{\varvec{D}}}}'_{1,3} \pmod {q} $$

Therefore combining with (24) we can compute from public parameters:

$$ {{\varvec{A}}}_{1,1} \cdot {\tilde{{\varvec{D}}}}_{1,1} \cdot {\hat{{\varvec{D}}}}'_{1,3}-E' =s_1 \cdot s_2 \cdot s_3 \cdot A_0 + s_1 \cdot \hat{F}'_{1,3} -\lfloor {{\varvec{u}}} \cdot {{\varvec{x}}} \rceil \pmod {q}$$

Since the terms \(s_1 \cdot \hat{F}'_{1,3} \) and \(\lfloor {{\varvec{u}}} \cdot {{\varvec{x}}} \rceil \) are small, this reveals the first component of the secret vector \(s_1 \cdot s_2 \cdot s_3 \cdot {{\varvec{A}}}_0\), which breaks the scheme.