8

Given is a square matrix $M$ over a field $F$, we have a key exchange with the following conditions:

  1. Person $X$ sends a message to Person $Y$: $C_{1}=AM$, where $A$ is a randomly chosen square matrix.
  2. Person $Y$ sends a message to Person $X$: $C_{2}=MB$, where $B$ is a randomly chosen square matrix.
  3. Both can compute the secret key $K=AMB$.

The question is how to find $K$ in polynomial time in the size of the matrix ring without knowing $M$, or alternatively to prove the security of the given protocol.

Can anybody help me with this problem? I am really stuck with it and don't see a way to solve it.

CryptoBeginner

2 Answers

7

One observation is that if we modify the problem so that $M, A, B$ are random invertible matrices, then it is easy to prove the security of the system. In fact, we can prove that the system is informationally secure; that is, for any observed $C_1, C_2$ pair, for any possible value of $K$, there is a unique set of values of $A, B, M$ that yield that $K$ (and hence the attacker gains no information from the $C_1, C_2$ pair about which values of $K$ are more likely). Of course, if that specific value of $M$ is reused in any other context, you lose this informational security.

Now, the original problem is about random matrices selected without regard to their invertibility. I'll leave this for you to solve: if $M, A$ or $B$ are noninvertible, to what extent can the attacker exploit that to recover $K$ (or, rather, limit the possible values that $K$ might be able to take on)?

poncho
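A concrete check of the claim in the first paragraph, as an added example that is not part of either answer: it runs the exchange from the question over GF(p) and, for small p and n, enumerates every invertible $M'$ consistent with an observed $(C_1, C_2)$ pair to confirm that each candidate $K$ arises from exactly one $(A, B, M)$ triple. The pure-Python matrix helpers and the choice of GF(3) with $2 \times 2$ matrices are mine, not the question's.

```python
import itertools

def matmul(X, Y, p):
    """Product of two n x n matrices (tuples of tuples) modulo the prime p."""
    n = len(X)
    return tuple(tuple(sum(X[i][k] * Y[k][j] for k in range(n)) % p
                       for j in range(n)) for i in range(n))

def inverse(X, p):
    """Inverse over GF(p) by Gauss-Jordan elimination; None if X is singular."""
    n = len(X)
    aug = [[x % p for x in X[i]] + [int(i == j) for j in range(n)] for i in range(n)]
    for col in range(n):
        piv = next((r for r in range(col, n) if aug[r][col]), None)
        if piv is None:
            return None                      # no pivot in this column: rank-deficient
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], -1, p)      # field inverse of the pivot
        aug[col] = [x * inv % p for x in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(a - f * b) % p for a, b in zip(aug[r], aug[col])]
    return tuple(tuple(row[n:]) for row in aug)

def all_invertible(p, n):
    """Every invertible n x n matrix over GF(p); for p=3, n=2 there are 48."""
    cells = itertools.product(range(p), repeat=n * n)
    mats = (tuple(tuple(c[i * n:(i + 1) * n]) for i in range(n)) for c in cells)
    return [X for X in mats if inverse(X, p) is not None]

def key_exchange(M, A, B, p):
    """The protocol in the question: returns (C1, C2, K as X computes it, K as Y computes it)."""
    C1 = matmul(A, M, p)                     # step 1, X -> Y
    C2 = matmul(M, B, p)                     # step 2, Y -> X
    return C1, C2, matmul(A, C2, p), matmul(C1, B, p)

def consistent_keys(C1, C2, p, n):
    """Attacker's view of the transcript: each invertible M' fixes A' = C1 M'^-1 and
    B' = M'^-1 C2, hence a key A'M'B'.  Returns {key: [M', ...]}; informational
    security means every key is reachable from exactly one M' (list length 1)."""
    table = {}
    for Mp in all_invertible(p, n):
        Minv = inverse(Mp, p)
        Ap, Bp = matmul(C1, Minv, p), matmul(Minv, C2, p)
        table.setdefault(matmul(matmul(Ap, Mp, p), Bp, p), []).append(Mp)
    return table
```

For any transcript produced by `key_exchange` with invertible $M, A, B$ over GF(3), `consistent_keys` returns all 48 invertible matrices as equally consistent candidate keys, each backed by exactly one $(A', B', M')$ triple, which is the uniqueness the answer describes.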
0

C1 must send M using the public channel to C2 so that he is able to compute MB. So, M is publicly known, making it trivial to compute A from AM.