CRYPTANALYSIS OF THE DHDP AND EGDP PROTOCOLS OVER $E_p^{(m)}$

KARAN KHATHURIA, GIACOMO MICHELI, AND VIOLETTA WEGER

Abstract. In this paper we break the protocols based on the Diffie-Hellman Decomposition problem and the ElGamal Decomposition problem over the matrix ring $E_p^{(m)}$. Our attack terminates in a provable running time of $O(m^{10})$.

1. Introduction

Public key cryptosystems are often based on number-theoretic problems, such as integer factorization as in RSA [1] or the discrete logarithm problem over finite fields or over elliptic curves. The latter is the basis for well-known protocols such as the ElGamal protocol [2] or the Diffie-Hellman key exchange protocol [3]. Increasing computing power threatens these classical cryptographic schemes, and new ambient spaces are in demand, for example ones involving noncommutative structures (see [4, 5, 6, 7, 8]). In nonabelian groups there are two main problems which give rise to cryptographic schemes: the semigroup action problem (SAP) [9] and the decomposition problem (DP). For an overview see [10, 11]. These two problems are very similar. In the SAP one is given a finite semigroup $S$ acting on a finite set $A$ and $x, y \in A$ such that there exists an $s \in S$ with $y = sx$; one wants to find $t \in S$ such that $y = tx$. In the DP one is given a nonabelian group $G$, $(x, y) \in G \times G$ and $S \subseteq G$; one wants to find $z_1, z_2 \in S$ such that $y = z_1 x z_2$. Based on these two problems, J.J. Climent and J.A. López-Ramos proposed three protocols in [12] over a special ring of matrices involving operations modulo different powers of the same prime, called $E_p^{(m)}$. Similar cryptosystems can be found in [13, Example 4.3.c]. This ring is a generalization of the ring $E_p$ that Climent, Navarro and Tortosa introduced in [14]. The first cryptographic scheme based on $E_p$ [15] was broken in [16]. This attack can be prevented by admitting only few invertible elements, as is the case in the ring $E_p^{(m)}$ [17, Corollary 1].
In addition, another nice property of such rings is that they do not admit embeddings into matrix rings over a field (see [18]), which is often the main weakness of cryptographic schemes over matrix rings (see for example [19]), and this prevents a reduction to small extensions of finite fields as in [20]. The first protocol proposed in [12], based on the semigroup action problem over the ring $E_p^{(m)}$, was broken by Micheli and Weger in [21] using a solution sieve argument. In this paper we break the remaining two protocols proposed by Climent and López-Ramos in [12]; both are based on the decomposition problem over $E_p^{(m)}$ and happen to be equivalent. They will be denoted by the Diffie-Hellman Decomposition Problem

Key words and phrases. Finite Fields; Cryptography.

The second author is thankful to Swiss National Science Foundation grant number 171248.

arXiv:1810.02964v1 [cs.CR] 6 Oct 2018
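The two search problems defined in the introduction, as an added worked example that is not part of the paper: toy SAP and DP instances over $GL_2(\mathbb{Z}_5)$. The ring $E_p^{(m)}$ is not defined on this page, so invertible $2 \times 2$ matrices modulo a small prime stand in for the nonabelian group $G$; the subset $S$, the elements $x$ and $v$, and the modulus are constructed here and are unrelated to the parameters of the protocols in [12]. The exhaustive solvers only make precise what a solution to each problem is (and that it need not be unique); they have nothing to do with the paper's $O(m^{10})$ attack.

```python
"""Toy instances of the semigroup action problem (SAP) and the decomposition
problem (DP), as defined in the introduction.

Constructed stand-in: the ring E_p^(m) is not defined on this page, so the
nonabelian group G here is GL_2(Z_p) for a small prime p.  Matrices are
tuples of row tuples; vectors are tuples of length 2.
"""
from itertools import product

P = 5  # small constructed modulus; real parameters would be far larger


def mat_mul(a, b, p=P):
    """Product of two 2x2 matrices over Z_p."""
    return tuple(
        tuple(sum(a[i][k] * b[k][j] for k in range(2)) % p for j in range(2))
        for i in range(2)
    )


def mat_vec(a, v, p=P):
    """Left action of a 2x2 matrix on a column vector over Z_p."""
    return tuple(sum(a[i][k] * v[k] for k in range(2)) % p for i in range(2))


def all_invertible(p=P):
    """Enumerate GL_2(Z_p) in a fixed order: 2x2 matrices with det != 0 mod p."""
    return [
        ((a, b), (c, d))
        for a, b, c, d in product(range(p), repeat=4)
        if (a * d - b * c) % p != 0
    ]


def solve_sap(S, x, y, p=P):
    """SAP: S acts on vectors by left multiplication; given x, y with y = s.x
    for some s in S, return every t in S with t.x = y (any one suffices)."""
    return [t for t in S if mat_vec(t, x, p) == y]


def solve_dp(S, x, y, p=P):
    """DP: given x, y in G and S a subset of G, return every pair (z1, z2) in
    S x S with y = z1 * x * z2.  Exhaustive search costs |S|^2 products."""
    return [
        (z1, z2)
        for z1 in S
        for z2 in S
        if mat_mul(mat_mul(z1, x, p), z2, p) == y
    ]


def verify_dp(x, y, z1, z2, p=P):
    """Check a claimed DP solution: two multiplications, no search."""
    return mat_mul(mat_mul(z1, x, p), z2, p) == y


def demo():
    """Plant a DP and an SAP instance in a constructed subset S and solve both."""
    S = all_invertible()[::11][:30]        # constructed subset S of G (30 elements)
    x = ((1, 2), (3, 4))                    # constructed public element x in G
    z1, z2 = S[2], S[17]                    # constructed secret decomposition
    y = mat_mul(mat_mul(z1, x), z2)         # public y = z1 x z2
    dp_solutions = solve_dp(S, x, y)

    v = (1, 0)                              # constructed base point in A = Z_p^2
    s = S[5]                                # constructed secret semigroup element
    w = mat_vec(s, v)                       # public w = s.v
    sap_solutions = solve_sap(S, v, w)

    # Noncommutativity is what makes two-sided decomposition meaningful:
    # with t = [[1,1],[0,1]], x*t and t*x differ.
    t = ((1, 1), (0, 1))

    return {
        "planted_pair_found": (z1, z2) in dp_solutions,
        "all_dp_solutions_valid": all(verify_dp(x, y, a, b) for a, b in dp_solutions),
        "dp_solution_count": len(dp_solutions),
        "planted_s_found": s in sap_solutions,
        "sap_solution_count": len(sap_solutions),
        "x_times_t": mat_mul(x, t),
        "t_times_x": mat_mul(t, x),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows that the planted pair is always among the DP solutions, that every pair the solver returns passes `verify_dp`, and that the SAP instance may have several valid `t` besides the planted `s`; the solution counts depend only on the constructed `S`, `x` and `v`.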