Post-Quantum Cryptography (PQC): Generalized ElGamal Cipher over GF(251^8)

Abstract— Post-Quantum Cryptography (PQC) attempts to find cryptographic protocols resistant to attacks such as Shor's polynomial-time algorithm for numeric-field problems like integer factorization (IFP) or the discrete logarithm (DLP). Other aspects are the backdoors discovered in deterministic random generators and recent advances in solving some instances of DLP. The use of alternative algebraic structures like non-commutative or non-associative partial groupoids, magmas, monoids, semigroups, quasigroups or groups is a valid choice for these new kinds of protocols. In this paper we focus on an asymmetric cipher based on a generalized ElGamal non-arbitrated protocol using a non-commutative general linear group. The developed protocol forces a hard subgroup membership search problem into a non-commutative structure. The protocol involves at first a generalized Diffie-Hellman key exchange; afterwards the private and public parameters are recursively updated each time a new cipher session is launched. Security is based on a hard variation of the Generalized Symmetric Decomposition Problem (GSDP). Working with GF(251^8), 64-bit security is achieved, and if GF(251^16) is chosen the security rises to 127 bits. An appealing feature is that there is no need for big-number libraries, as all arithmetic is performed in ℤ_251; therefore the new protocol is particularly useful for computational platforms with very limited capabilities like smartphones or smartcards.

Keywords – Post-Quantum Cryptography, Non-Commutative Cryptography, Finite Fields, Asymmetric Cryptography, Generalized ElGamal Protocol

Pedro Hecht: Maestría en Seguridad Informática, FCE-FCEyN-FI (Universidad de Bs Aires), [email protected]

1. INTRODUCTION
Post-Quantum Cryptography (PQC) is a relatively new cryptologic trend that recently acquired an official NIST status [1, 2] and which aims to be resistant to quantum-computer attacks (like Shor's algorithm). But PQC does not only cover that menace: it also works as a response to side-channel attacks [3], to the increasing concern about pseudo-random generator backdoor attacks (e.g. the NSA's Dual_EC_DRBG [4]) and to the development of quasi-polynomial discrete logarithm attacks [5], which impact severely the current de facto standards [6] of asymmetric cryptography, whose security rests on integer factorization (IFP) and the discrete logarithm (DLP) over numeric fields. Moreover, sub-exponential time-complexity attacks on many instances have appeared [5][6]. Shor's algorithm [7] opened a quantum-computing way to break current asymmetric protocols. As a response, there is a rising interest in some simple solutions like lattice-based, pairing-based, multivariate quadratic, code-based, hash-based, non-commutative and non-associative algebraic cryptography [1, 2, 8 to 13]. A whole branch of new protocols was developed which do not rely on extended-precision arithmetic and instead exploit the internal asymmetry of abstract algebraic structures like partial groupoids, categories, magmas, monoids, quasigroups, groups, rings, loops or neofields [9 to 24]. The newly developed one-way trapdoor functions (OWTF) include conjugator search (CSP), decomposition (DP), commutative subgroup search (CSSP), symmetric decomposition (SDP) and generalized symmetric decomposition (GSDP) [9, 15, 17, 25, 26]. This paper focuses on a simple solution using the general linear multiplicative group over the prime field F_p, represented as GL(d, F_p), where d is the square matrix order. All arithmetic operations take place in ℤ_251. The prime characteristic 251 is the biggest one fitting into a byte. As an advantage, no big-number libraries are involved, memory requirements are reduced and fast computation is expected. As a necessary condition for asymmetric cryptography, a hidden commutative subgroup is developed inside. PQC studies were purposely followed by the author in his past research [27 to 32].

2. ALGEBRAIC CONCEPTS
Let p be a prime, d any integer > 1, q = p^d and F_p[x] the polynomial ring over the prime field F_p. The number of square matrices of order d with values in F_p is p^(d^2), and of those p^(d^2−d) are nilpotent [33 to 36]. The number of elements in the general linear group of non-singular square matrices of order d is:

|GL(d, F_p)| = ∏_{k=0}^{d−1} (p^d − p^k)   (1)

A non-singular matrix of order d whose monic characteristic polynomial is irreducible in F_p generates a cyclic (thus commutative) subgroup P_d of M_d = GL(d, F_p). Each irreducible polynomial f(x) of degree d in F_p[x] has a square companion matrix of order d which acts as a generator of the multiplicative cyclic subgroup P_d, and each member of this subgroup corresponds to a unique monic polynomial of degree at most d−1 [ ]. The number N_tot of non-trivial (excluding the null and the unit) monic polynomials f(x) of degree d over F_p is:

N_tot = p^d − 2   (2)

Using the Möbius function μ, the number N_p(d) of monic irreducible polynomials of degree d over F_p[x] is:

N_p(d) = (1/d) ∑_{k | d} μ(k) p^(d/k) ≈ p^d / d   (3)

To generate a random monic irreducible polynomial of degree d over F_p[x], we use the probabilistic Algorithm 4.70 of [6], whose complexity is O(m (lg m)(lg p)) and requires approximately d trials. Once found, it is translated into its companion matrix [33]. It is then of interest to find its order, because that is the number of elements of the commutative subgroup P_d of the matrix group M_d. Whatever this value is, it must be a divisor of the multiplicative subfield order (= p^d − 1), and if it is maximal the irreducible polynomial is a primitive one. To calculate polynomial orders, a modified version of Algorithm 4.77 of [6] can be used. Clearly, using an irreducible polynomial of an extension field is one method of generating a commutative subgroup P_d of the non-singular modular square matrices, but there is another way to achieve the same goal. For matrices, the necessary and sufficient condition for two symmetric (diagonalizable) matrices to commute is that they share the same orthonormal basis, that is, the same eigenvector matrix P [34, 35]. If we start from two different diagonal matrices D_A, D_B, then the transformed A (= P D_A P^{-1}) and B (= P D_B P^{-1}) commute (AB = BA). The latter approach is computationally faster than the first one, so it will be followed in our protocol.

3. CRYPTOGRAPHIC ASPECTS
The security of an asymmetric cipher protocol always relies on a hard OWTF [6]. Here we propose a generalized ElGamal cipher, selecting GSDP as the one-way trapdoor function. If the algebraic structure and the OWTF are well selected, a provably secure protocol could be developed [9, 15]. This sounds good, but it is not easy to prove such a claim [37], so caution in use is strongly advised. In our case, the GSDP can be stated as follows:

Let G be a non-commutative group and S a commutative subgroup; given y, a ∈ G and (m, n) ∈ ℤ, find x ∈ S such that y = x^m a x^n   (4)

This structure resembles a generalized discrete logarithm problem (GDLP) or a conjugation search problem (CSP). GSDP is harder than the former, since no numeric field is directly involved and because of the vectorial structure of the elements involved. GSDP is clearly a generalization of CSP, so a harder solution must be expected. GSDP is supposed to be one of the hardest challenges in group theory [9, 14, 15, 16, 17]. As no cryptanalytic quantum algorithm is in sight and probably none exists, the present protocol belongs to the PQC set. Of course, this statement should be proven, a question beyond the purpose of this paper. In our protocol we use a harder variety of GSDP, with less known information. We call it the blind general symmetric decomposition problem (BGSDP), and it is stated as:

Let G be a non-commutative group and S a commutative subgroup; given y ∈ G but unknown [a ∈ G, (m, n) ∈ ℤ], find x ∈ S such that y = x^m a x^n   (5)

Not only is this kind of generalized discrete logarithm problem at least as difficult as GSDP; in our case we also change all hidden parameters each time a new cipher session is started. We accomplish this with an iterated update of those parameters.

4. CIPHER PROTOCOL
In our version we work with two entities (Alice and Bob), but this could easily be generalized to any number of participants. All arithmetic operations are assumed to take place in the field F_251. The setup steps (Table II) involve a generalized Diffie-Hellman key exchange. Table I explains the common symbols used throughout this protocol.

TABLE I. SYMBOLS AND DEFINITIONS
∈ – belongs to
∈_R – randomly selected element in
∀≠ – all different elements
M_8 ≡ GL(8, F_251) – non-commutative group
P_8 ∈ M_8 – commutative subgroup
D_A, D_B – diagonal matrices
K_{8,1}↗ – left upward first non-zero term of the secondary diagonal
K_{1,8}↙ – right downward first non-zero term of the secondary diagonal
K_{1,1}↘ – left downward first non-zero term of the principal diagonal
K_{8,8}↖ – right upward first non-zero term of the principal diagonal
⟹ – send publicly to the other entity
validation – greyed consistency proof

TABLE II. SETUP STEPS
Any entity begins:
  P ∈_R M_8 ⟹
  G ∈_R M_8 ⟹
ALICE generates private elements:
  k_1, k_2 ∈_R ℤ_251^*
  ∀≠ a_1 … a_8 ∈_R ℤ_251^*
  D_A = diag(a_1 … a_8)
  A = P D_A P^{-1} ∈ P_8
BOB generates private elements:
  r_1, r_2 ∈_R ℤ_251^*
  ∀≠ b_1 … b_8 ∈_R ℤ_251^*
  D_B = diag(b_1 … b_8)
  B = P D_B P^{-1} ∈ P_8
Interchange tokens:
  ALICE: A′ = A^{k_1} G A^{k_2} ⟹
  BOB: B′ = B^{r_1} G B^{r_2} ⟹
First common key (K) is obtained:
  ALICE: K = A^{k_1} B′ A^{k_2}
  BOB: K = B^{r_1} A′ B^{r_2}
  both: m = K_{8,1}↗ · K_{1,8}↙ ; n = K_{1,1}↘ · K_{8,8}↖
Validation: K = A^{k_1} B′ A^{k_2} = A^{k_1} (B^{r_1} G B^{r_2}) A^{k_2} = B^{r_1} (A^{k_1} G A^{k_2}) B^{r_2} = B^{r_1} A′ B^{r_2} = K

TABLE III. NEW SESSION
ALICE starts a new cipher session, updating the parameters recursively:
  K = K^{m·n}
  m = K_{8,1}↗ · K_{1,8}↙ ; n = K_{1,1}↘ · K_{8,8}↖
  P = K^m P K^n
  G = K^m G K^n
  A = P D_A P^{-1}
  A′ = A^m G A^n ⟹

TABLE IV. BOB UPDATES PARAMETERS UPON ACKNOWLEDGMENT
BOB acknowledges and updates the parameters:
  K = K^{m·n}
  m = K_{8,1}↗ · K_{1,8}↙ ; n = K_{1,1}↘ · K_{8,8}↖
  P = K^m P K^n
  G = K^m G K^n
  B = P D_B P^{-1}
  B′ = B^m G B^n ⟹

TABLE V. ALICE CIPHERS AN H MESSAGE TO BOB
  H ∈ M_8
  J ∈_R P_8
  C = (C_1, C_2) ⟹
  C_1 = J^m G J^n
  C_2 = H (J^m B′ J^n)

TABLE VI. BOB DECIPHERS THE H MESSAGE
  H = C_2 (B^m C_1 B^n)^{-1}
Validation: H = C_2 (B^m C_1 B^n)^{-1} = H (J^m B′ J^n)(B^m C_1 B^n)^{-1} = H (J^m B^m) G (B^n J^n)(B^m C_1 B^n)^{-1} = H (B^m (J^m G J^n) B^n)(B^m C_1 B^n)^{-1} = H (B^m C_1 B^n)(B^m C_1 B^n)^{-1} = H

Suppose that this protocol is intended to be used among an n-entity community; then some caution should be taken. The key point is that each pair of interacting entities should store the last interchanged session key until the next session is opened. That is not a big inconvenience and the protocol remains non-arbitrated. Another feature could be the incorporation of authentication to block man-in-the-middle attacks. That could be done in a chained mode if each entity begins a session by exchanging HMAC codes [6] involving the last public key, a timestamp and eventually the last HMAC exchanged.

5. STEP-BY-STEP SAMPLE
All symbols used here refer to the previous section. Any interested reader should be able to reconstruct this sequence, as no values are hidden in this description.

Figure 1. Cipher setup. Any entity defines P and sends it to the other.
Figure 2. Cipher setup. Any entity defines G and sends it to the other. It would also be possible that one defines P and the other answers with G.
Figure 3. Alice defines her initial private keys. She has also randomly selected k_1 = 77 and k_2 = 184.
Figure 4. Bob defines his initial private keys. He has also randomly selected r_1 = 42 and r_2 = 229.
Figure 5. Alice and Bob define tokens and exchange them.
Figure 6. Both obtain the first common session key and the first power parameters using diagonal values (m = 41, n = 178, m·n = 19).
Figure 7. Alice starts a new cipher session. Both update the session key using the current power parameters and calculate new power parameters (m = 139, n = 203).
Figure 8. Now both independently update the auxiliary matrices.
Figure 9. Alice updates her private and public session keys. Note that, for increased security, each new session uses recursively updated keys.
Figure 10. Bob updates his private and public session keys.
Figure 11. Alice chooses the H message to cipher. This modular matrix is a general one; the only restriction is that it be non-singular.
Figure 12. Alice uses a random diagonal matrix to generate a session matrix J. It is mandatory to change J at each cipher session, the same as the k parameter in an ElGamal numeric-field cipher. Note that the updated auxiliary matrix P is used to obtain J.
Figure 13. Alice ciphers the H matrix.
Figure 14. Bob recovers the H message.
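The whole round trip of Tables II to VI (setup, token exchange, first common key, recursive session update, ciphering and deciphering of an H matrix), as an added worked example in Python. This is not the paper's Mathematica code. It assumes the P·diag·P^{-1} construction of Section 2 for the commutative subgroup P_8, reduces the exponent m·n modulo 251 as Figure 6 does (m·n = 19 for m = 41, n = 178), retries any random matrix whose determinant is zero (the singularity check of Section 7), and falls back to the value 1 when a diagonal has no non-zero term (my choice; the paper does not say). The sample values come from a seeded generator, not from the paper's figures.

```python
"""Generalized ElGamal over GL(8, F_251): added example, not the paper's own code."""
import random

P_MOD = 251   # field characteristic: the biggest prime fitting in a byte
D = 8         # matrix order, i.e. the GF(251^8) setting of the paper


def mat_mul(X, Y):
    return [[sum(X[i][k] * Y[k][j] for k in range(D)) % P_MOD for j in range(D)] for i in range(D)]


def mat_pow(X, e):
    """Square-and-multiply; X^0 is the identity."""
    R = [[int(i == j) for j in range(D)] for i in range(D)]
    while e:
        if e & 1:
            R = mat_mul(R, X)
        X, e = mat_mul(X, X), e >> 1
    return R


def mat_inv(X):
    """Gauss-Jordan inverse mod 251; returns None when X is singular (det = 0)."""
    A = [row[:] + [int(i == j) for j in range(D)] for i, row in enumerate(X)]
    for c in range(D):
        piv = next((r for r in range(c, D) if A[r][c]), None)
        if piv is None:
            return None
        A[c], A[piv] = A[piv], A[c]
        inv = pow(A[c][c], -1, P_MOD)
        A[c] = [v * inv % P_MOD for v in A[c]]
        for r in range(D):
            if r != c and A[r][c]:
                f = A[r][c]
                A[r] = [(a - f * b) % P_MOD for a, b in zip(A[r], A[c])]
    return [row[D:] for row in A]


def random_invertible(rng):
    """Section 7: a random matrix is singular with probability ~0.004, so check and retry."""
    while True:
        X = [[rng.randrange(P_MOD) for _ in range(D)] for _ in range(D)]
        if mat_inv(X) is not None:
            return X


def conjugated_diag(P, diag):
    """P diag(d) P^-1: matrices built with the same P share eigenvectors and commute (Sec. 2)."""
    Dg = [[diag[i] if i == j else 0 for j in range(D)] for i in range(D)]
    return mat_mul(mat_mul(P, Dg), mat_inv(P))


def sandwich(X, e1, M, e2):
    """X^e1 · M · X^e2, the GSDP shape y = x^m a x^n of eq. (4)."""
    return mat_mul(mat_mul(mat_pow(X, e1), M), mat_pow(X, e2))


def first_nonzero(K, cells):
    return next((K[i][j] for i, j in cells if K[i][j]), 1)   # fallback 1 is my assumption


def power_params(K):
    """m and n of Table I from the first non-zero entries of the two diagonals of K."""
    k81 = first_nonzero(K, [(D - 1 - t, t) for t in range(D)])          # K_{8,1} going up-right
    k18 = first_nonzero(K, [(t, D - 1 - t) for t in range(D)])          # K_{1,8} going down-left
    k11 = first_nonzero(K, [(t, t) for t in range(D)])                  # K_{1,1} going down-right
    k88 = first_nonzero(K, [(D - 1 - t, D - 1 - t) for t in range(D)])  # K_{8,8} going up-left
    return k81 * k18 % P_MOD, k11 * k88 % P_MOD


class Party:
    def __init__(self, P, G, rng):
        self.P, self.G = P, G
        self.e1, self.e2 = rng.randrange(1, P_MOD), rng.randrange(1, P_MOD)  # k1,k2 or r1,r2
        self.diag = rng.sample(range(1, P_MOD), D)   # all-different non-zero diagonal (Table II)
        self.X = conjugated_diag(self.P, self.diag)  # A or B, an element of P_8

    def token(self):                     # Table II: A' = A^k1 G A^k2 (sent publicly)
        return sandwich(self.X, self.e1, self.G, self.e2)

    def first_key(self, other_token):    # Table II: K = A^k1 B' A^k2, then m and n
        self.K = sandwich(self.X, self.e1, other_token, self.e2)
        self.m, self.n = power_params(self.K)

    def new_session(self):               # Tables III / IV: recursive update, returns new token
        self.K = mat_pow(self.K, self.m * self.n % P_MOD)
        self.m, self.n = power_params(self.K)
        self.P = sandwich(self.K, self.m, self.P, self.n)
        self.G = sandwich(self.K, self.m, self.G, self.n)
        self.X = conjugated_diag(self.P, self.diag)
        return sandwich(self.X, self.m, self.G, self.n)

    def encrypt(self, H, peer_token, rng):   # Table V, with a fresh J per session (Figure 12)
        J = conjugated_diag(self.P, rng.sample(range(1, P_MOD), D))
        C1 = sandwich(J, self.m, self.G, self.n)
        C2 = mat_mul(H, sandwich(J, self.m, peer_token, self.n))
        return C1, C2

    def decrypt(self, C1, C2):               # Table VI: H = C2 (B^m C1 B^n)^-1
        return mat_mul(C2, mat_inv(sandwich(self.X, self.m, C1, self.n)))


def run_protocol(seed=1):
    """Returns (both parties derived the same K, Bob recovered H exactly)."""
    rng = random.Random(seed)
    P, G = random_invertible(rng), random_invertible(rng)        # public setup (Figures 1-2)
    alice, bob = Party(P, G, rng), Party(P, G, rng)
    a_tok, b_tok = alice.token(), bob.token()                    # Figure 5
    alice.first_key(b_tok); bob.first_key(a_tok)                 # Figure 6
    same_key = alice.K == bob.K
    alice.new_session(); b_tok2 = bob.new_session()              # Figures 7-10
    H = random_invertible(rng)                                   # Figure 11: any non-singular H
    C1, C2 = alice.encrypt(H, b_tok2, rng)                       # Figure 13
    return same_key, bob.decrypt(C1, C2) == H                    # Figure 14


if __name__ == "__main__":
    print(run_protocol())
```

The two equalities returned by `run_protocol` are exactly the two validation rows of Tables II and VI: they hold because A, B and J are all conjugates of diagonal matrices by the same P, so they commute, which is the only algebraic fact the protocol needs.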
6. BENCHMARKING
To estimate the performance of the protocol we used a simple textbook interpreted program written in the Mathematica 8+ language. This could be one of the worst scenarios to test, but it also provides a kind of lower bound for the timing. The computational platform was an Intel(R) Core(TM) i5-5200U CPU @ 2.20GHz, 2 Core(s), 4 Logical Processor(s), 64-bit Windows 10 Home, version 10.0.14393, 8 GB physical RAM, in a Dell XPS 13 9343. The Mathematica notebooks used here are freely available upon request. In this simulation sample, instantaneous transfers between entities are assumed, so only computational steps are considered. At the same time, no simultaneous or parallel computations are performed: Alice and Bob sum their timed calculations sequentially. All results reported refer to the mean run time of 1000 random iterations.

(a) At setup, the definition of P and G took 0.12 ms.
(b) From P and G already defined until the first session key K and the new power parameters were obtained took 29.56 ms.
(c) New session updating took 52.94 ms.
(d) The enciphering–deciphering cycle took 32.36 ms.

As observed, a full session of an approximately 64-byte message (an H matrix) secured transmission took 85 ms in our environment. Of course, a lot of optimization should be accomplished before a real-life application is planned.

7. PROTOCOL SECURITY
The group of order-8 modular integer matrices M(8, ℤ_251) has cardinality 251^64 ≈ 10^153.6. The invertible Hill matrices subgroup M_8 = GL(8, ℤ_251) has a slightly lower order [36]:

|GL(8, ℤ_251)| = 251^64 · (1 − 1/251)(1 − 1/251^2)(1 − 1/251^3)(1 − 1/251^4)(1 − 1/251^5)(1 − 1/251^6)(1 − 1/251^7)(1 − 1/251^8) ≈ 10^153.6   (6)

Comparing both numbers, the probability of selecting a singular matrix in M(8, ℤ_251) is p ≈ 0.004, a low but not negligible value. Each time a new random modular matrix is obtained, it must be checked that its determinant is not null. Supposing no other weaknesses are available, cracking a private key depends on an order-eight diagonal matrix, so a brute-force search of the commutative subgroup P_8 of M_8 involves the cardinality

|P_8| = 249·248·247·246·245·244·243·242 = 13190481178699144320 ≈ 1.3·10^19 ≈ 2^63.5   (7)

Currently it is impossible to make a systematic search of that space, and if greater security is pursued it would suffice to expand the commutative subgroup to P_16, which implies a 127-bit level. It is recommended to adopt a compromise between the desire to obtain greater security and the concomitant use of more resources, which are always costly and limited. A second way to attack the present protocol would be to find a polynomial-time algorithm to solve the algebraic generalized symmetric decomposition. As some simpler OWTFs based on algebraic conjugation were successfully cryptanalyzed [38, 39], it was mandatory to find very hard functions. We presented earlier (see definition (5)) a stronger version, the blind general symmetric decomposition problem (BGSDP). As posed, it could be conjectured that this kind of algebraic challenge belongs to an NP time-complexity class and is at the same time resilient to quantum-computer attacks. As said, this statement is currently unproved and it seems not easy to settle. Perhaps there exists a completely different way to attack the present protocol, but at the current time the author is unaware of it. As a consequence, we assume 64-bit security for the protocol as it is stated.
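The counting formulas of Section 2 (eq. (1) and the Möbius count (3)) and the key-space arithmetic of this section (eqs. (6) and (7), the singular-matrix probability and the resulting security level for P_8 and P_16), carried through in Python as an added example; this is not the paper's code. The exact-fraction evaluation of eq. (6) and the use of (p−2)(p−3)…(p−d−1) as the generalization of the product in eq. (7) are my reading of the paper's formulas.

```python
"""Parameter-size arithmetic for GL(d, F_p) and its commutative subgroup P_d: added example."""
from fractions import Fraction
from math import log2, log10, prod


def gl_order(d, p):
    """Eq. (1): |GL(d, F_p)| = prod_{k=0}^{d-1} (p^d - p^k)."""
    return prod(p ** d - p ** k for k in range(d))


def gl_order_eq6(d, p):
    """Eq. (6) form: p^(d^2) * prod_{i=1}^{d} (1 - 1/p^i), evaluated exactly."""
    value = Fraction(p ** (d * d)) * prod(1 - Fraction(1, p ** i) for i in range(1, d + 1))
    assert value.denominator == 1
    return int(value)


def mobius(n):
    """Möbius function by trial division: 0 if n has a squared factor, else (-1)^(#prime factors)."""
    result, k = 1, 2
    while k * k <= n:
        if n % k == 0:
            n //= k
            if n % k == 0:
                return 0
            result = -result
        k += 1
    return -result if n > 1 else result


def irreducible_count(p, d):
    """Eq. (3): N_p(d) = (1/d) * sum_{k | d} mu(k) p^(d/k); the sum is always divisible by d."""
    return sum(mobius(k) * p ** (d // k) for k in range(1, d + 1) if d % k == 0) // d


def singular_probability(d, p):
    """Fraction of d x d matrices over F_p that are singular: 1 - |GL| / p^(d^2)."""
    return float(1 - Fraction(gl_order(d, p), p ** (d * d)))


def commutative_subgroup_size(d, p):
    """Eq. (7) generalized: (p-2)(p-3)...(p-d-1); for d = 8, p = 251 this is 249*248*...*242."""
    return prod(p - 2 - i for i in range(d))


def security_bits(d, p):
    """log2 of the brute-force space over P_d, the figure the paper quotes as '64-bit'."""
    return log2(commutative_subgroup_size(d, p))


def summary(d=8, p=251):
    return {
        "log10_all_matrices": d * d * log10(p),
        "log10_gl": log10(gl_order(d, p)),
        "singular_probability": singular_probability(d, p),
        "irreducible_polynomials": irreducible_count(p, d),
        "subgroup_size": commutative_subgroup_size(d, p),
        "security_bits": security_bits(d, p),
    }


if __name__ == "__main__":
    for d in (8, 16):
        print(d, summary(d))
```

For d = 8 the singular probability comes out just under 1/251, which is the 0.004 quoted above, and the subgroup size reproduces the 20-digit value of eq. (7); for d = 16 the same function gives the 127-bit level the paper cites for GF(251^16).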
8. CONCLUSIONS
We developed a non-arbitrated and compact algebraic post-quantum cipher protocol, which could easily be adapted to other purposes such as key exchange, key transport and ZKP authentication [9, 30]. By compact, we mean that no big-number library is required, as only ℤ_251 field operations are involved. This feature would enable its use in environments with low computational resources like smartphones, smartcards, etc.

9. REFERENCES
[1] L. Chen et al, NISTIR 8105, Report on Post-Quantum Cryptography, NIST, 2006. http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.8105.pdf (consulted February 10, 2017)
[2] D. Moody, Update on the NIST Post-Quantum Cryptography Project, 2016. http://csrc.nist.gov/groups/SMA/ispab/ (consulted February 10, 2017)
[3] Y.B. Zhou, Side-Channel Attacks: Ten Years After Its Publication and the Impacts on Cryptographic Module Security Testing, State Key Laboratory of Information Security, Institute of Software, Chinese Academy of Sciences, 2006.
[6] A. Menezes, P. van Oorschot and S. Vanstone, "Handbook of Applied Cryptography", CRC Press, 1997.
[7] P. Shor, "Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer", SIAM J. Comput., no. 5, pp. 1484-1509, 1997.
[8] P. Barreto, "Introdução à criptografia pós-quântica", Minicursos do XIII Simpósio Brasileiro em Segurança da Informação e de Sistemas Computacionais, SBSeg 2013, Cap 2, 2013.
[9] L. Gerritzen et al (Editors), Algebraic Methods in Cryptography, Contemporary Mathematics, AMS, Vol. 418, 2006.
[10] B. Tsaban, Polynomial time solutions of computational problems in non-commutative algebraic crypto, 2012. http://arxiv.org/abs/1210.8114v2 (consulted February 10, 2017)
[11] A. Kalka, Non-associative public-key cryptography, 2012. arXiv:1210.8270 [cs.CR] (consulted February 10, 2017)
[12] C. Koscielny, Generating quasigroups for cryptographic applications, Int. J. Appl. Math. Comput. Sci., 12:4, 559–569, 2002.
[13] S. Markovski, Quasigroups and Related Systems 23, 41–90, 2015.
[14] D. Grigoriev and I. Ponomarenko, "Constructions in public-key cryptography over matrix groups", Preprint arXiv/math, no. 0506180v1, 2005. (consulted February 10, 2017)
[15] Z. Cao, D. Xiaolei and L. Wang, "New public-key cryptosystems using polynomials over non-commutative rings", Preprint arXiv/cr, eprint.iacr.org/2007/009.pdf, 2007. (consulted February 10, 2017)
[16] S. Paeng, D. Kwon, K. Ha and J. Kim, "Improved public-key cryptosystem using finite non-abelian groups", Cryptology ePrint Archive, Report 2001/066, 2001. (consulted February 10, 2017)
[17] J. Birget, S. Magliveras and M. Sramka, "On public-key cryptosystems based on combinatorial group theory", Cryptology ePrint Archive, Report 2005/070, 2005.
[18] M. González Vasco, C. Martinez and R. Steinwandt, "Towards a uniform description of several group based cryptographic primitives", Designs, Codes and Cryptography, no. 33, pp. 215-226, 2004.
[19] V. Shpilrain, A. Ushakov, "Thompson's group and public-key cryptography", Preprint arXiv/math.gr, no. 0505487, 2005. (consulted February 10, 2017)
[20] E. Lee, "Braid groups in cryptography", IEICE Trans. Fund., vol. E87-A, no. 5, pp. 986-992, 2004.
[22] B. Eick and D. Kahrobaei, "Polycyclic groups: a new platform for cryptography", Preprint arXiv/math.gr, no. 0411077, 2004. (consulted February 10, 2017)
[23] A. Mahalanobis, "The Diffie-Hellman key exchange protocol and non-abelian nilpotent groups", Preprint arXiv/math.gr, no. 0602282v3, 2007. (consulted February 10, 2017)
[24] V.A. Shcherbacov, Quasigroups in cryptology, Computer Science Journal of Moldova, 17:2, 50, 2009.
[25] S. Magliveras, D. Stinson and T. van Trung, "New approaches to designing public key cryptosystems using one-way functions and trapdoors in finite groups", Technical Report CORR, pp. 2000-2049, 2000.
[26] V. Shpilrain and G. Zapata, "Combinatorial group theory and public-key cryptography", Preprint arXiv/math.gr, no. 0410068, 2004. (consulted February 10, 2017)
[27] P. Hecht, Un modelo compacto de criptografía asimétrica empleando anillos no conmutativos, Actas del V Congreso Iberoamericano de Seguridad Informática CIBSI'09, 188-201, 2009.
[28] P. Hecht, A Zero-Knowledge authentication protocol using non commutative groups, Actas del VI Congreso Iberoamericano de Seguridad Informática CIBSI'11, 96-102, 2011.
[29] P. Hecht, Criptografía no conmutativa usando un grupo general lineal de orden primo de Mersenne, Actas del VII Congreso Iberoamericano de Seguridad Informática CIBSI'13, 147-153, 2013.
[30] P. Hecht, A Post-Quantum Set of Compact Asymmetric Protocols using a General Linear Group, Actas del VIII Congreso Iberoamericano de Seguridad Informática CIBSI'15, 96-101, 2015.
[31] P. Hecht, Zero-Knowledge Proof Authentication using Left Self Distributive Systems: a Post-Quantum Approach, Actas del VIII Congreso Iberoamericano de Seguridad Informática CIBSI'15, 113-116, 2015.
[32] J. Kamlofsky, P. Hecht, O. A. Hidalgo Izzi, S. Abdel Masih, A Diffie-Hellman Compact Model over Non-Commutative Rings Using Quaternions, Actas del VIII Congreso Iberoamericano de Seguridad Informática CIBSI'15, 218-222, 2015.
[33] R. Lidl and H. Niederreiter, Finite Fields, Cambridge University Press, Cambridge, 1997.
[34] T. Beth et al, "Encyclopedia of Mathematics and its Applications", Vol 69: "Design Theory", 2nd Ed., Cambridge University Press, 1999.
[35] R. Horn, C. Johnson, "Matrix Analysis", Cambridge University Press, 1985.
[36] J. Overbey, W. Traves and J. Wojdylo, "On the key space of the Hill Cipher", Cryptologia, vol. 29, no. 1, pp. 59–72, 2005.
[37] A.W. Dent, Fundamental problems in provable security and cryptography, Phil Trans R Soc, 364, 3215-3230, 2006.
[38] A. D. Myasnikov, A. Ushakov, Cryptanalysis of matrix conjugation schemes, https://eprint.iacr.org/2012/694.pdf, 2012. (consulted February 10, 2017)
[39] A. A. Kamal, A. M. Youssef, Cryptanalysis of Alvarez et al. Key Exchange Scheme, Information Sciences, 223, 317-321, 2013.