Cryptanalysis of Cryptosystems Based on Noncommutative Skew Polynomials.

We describe an attack on the family of Diffie-Hellman and El-Gamal like cryptosystems recently presented at PQ Crypto 2010. We show that the reference hard problem is not hard. 1 Description of the Cryptosystems Skew polynomials are polynomials with a particular noncommutative inner product. Let Fq denote the finite field with q elements, and p be the characteristic of the field. Automorphisms of Fq are the so-called Frobenius maps which are powering to a power of p. Let θ be such an automorphism. We denote by ? the inner product of skew polynomials. It is defined inductively for all a ∈ Fq by X ? a = θ(a)X. The ring of skew polynomials is still a left and right Euclidean domain, that is, there are both a left and a right Euclidean division algorithm. Using the Euclidean algorithms we can thus compute left and right greatest common divisors. However, due to the noncommutativity of the inner product, skew polynomials admit many factorizations instead of a single one. The cardinality of the number of possible factorizations is expected to be exponential in the degree of the polynomial. Based on this property, the authors of [1] designed public key cryptosystems where the trapdoor information is knowing one particular factorization of a skew polynomial. However, for the purpose of the cryptosystem, both the public skew polynomial and its secret factorization must be of particular nature. At this point, it is not useful to describe the proposed cryptosystems. Instead, we simply show that the instance of the factoring problem arising in their cryptosystems is easy. This problem is the following. Let S be a randomly generated subset of skew polynomials whose elements commute with each others. This set is public information. Let Q be a randomly chosen polynomial with many factors of small degree which do not commute with the elements of S. This polynomial is also public information. In the Diffie-Hellman like protocol of [1], any participant randomly chooses two polynomials L and R which are generated from elements of S, and outputs P = L ? Q ? R. The cryptosystem relies on the intractability of extracting L and R from P . The rationale of the cryptosystem is that this particular factorization is lost among the exponentially numerous other ones.