1. Introduction
In recent years, intense research has been made in cryptography, especially in relation to new public key protocols. In August 2015, the USA’s National Security Agency (NSA) announced plans to upgrade security standards. Improvements in quantum computation make it necessary to replace current protocols with secure quantum ones. In a NIST report [
1], there are six proposals to be quantum safe: lattice-based, code-based, multivariate-based, hash-based, isogeny-based, and group-based cryptographic schemes.
In this work, we make a proposal for a quantum-safe public key protocol. In the context of group-based proposals, it is believed that problems such as the conjugate search problem (CSP) are not solvable using quantum computers. We propose the so-called decomposition problem (DP), which is a generalization of the CSP, and the multiplicative monoid of a twisted group ring as a setting in our aim to find a quantum-safe key exchange in the context of group-based cryptography.
Decomposition Problem. Given and , the problem is to find such that .
Note that the CSP is a special case of this problem where , and that for the DP we do not need invertible elements.
The idea is that even in asymmetric cryptography (more usually called public key cryptography), characterized by having both a secret and public key to encrypt and decrypt (in contrast with symmetric cryptography, which uses the same key for both procedures), the first and last steps in the algorithm use the same key, which is the secret key, i.e., both generation of the public key and computation of the shared key. In terms of Diffie–Hellman key exchange generalization using semigroup actions [
2], this would be the following.
Let S be a finite set, G be an abelian semigroup, and a G-action on S, and a public element . The extended Diffie–Hellman key exchange in is the following protocol:
Alice chooses and computes . Alice’s private key is a, and her public key is .
Bob chooses and computes . Bob’s private key is b, and his public key is .
Their common secret key is then
So we can see that both Alice and Bob use their secret key in the first and last steps of the algorithm. In contrast, our purpose would work as follows.
Let S be a finite set, G be a non-abelian semigroup, and a G-action on S, and a public element . The extended Diffie–Hellman key exchange in is the following protocol:
Alice chooses and computes . Alice’s private key is a, and her public key is .
Bob chooses and computes . Bob’s private key is b, and his public key is .
Their common secret key is then
where
depend on
and also on the algebraic setting, in our case, in the cocycle of the twisted group ring. In this way, the symmetry that we found using the secret key twice during the key exchange does not occur, and we can show that this is an advantage, for example, when facing attacks like the decomposition attack [
3].
The rest of this paper is organized as follows: In
Section 2, we give an algebraic setting of twisted group rings. In
Section 3, we provide our proposed key exchange and a security analysis of this protocol.
Section 4 shows a computationally equivalent cryptosystem. In
Section 5, we extend our proposal for
n users, where we can observe clearly that there is a lack of symmetry concerning the action of every user. Finally, conclusions are presented in
Section 6.
2. Algebraic Setting
In this section, twisted group rings are defined, and we also show some properties that make the key exchange possible. Firstly, we recall the definition of 2-cocycles, which will allow us to define the twisted multiplication.
Definition 1. Let G be a group and A be an abelian group. An applicationis a 2-cocycle if - 1.
, for all
- 2.
, for all .
Now we define twisted group rings as follows.
Definition 2. Let K be a ring, G be a multiplicative group, and α be a cocycle in . The group ring is defined to be the set of all finite sums of the formwhere and all but a finite number of are zero. The sum of two elements in
is given by
And multiplication, which is twisted by a cocycle, is given by
When the cocycle is trivial, is the classical group ring .
As an example, consider the field
K, its primitive root of unity
t, and the dihedral group of
elements,
. The group ring
, where
is
with
and
, is a twisted group ring.
This example is our concrete proposal for the key exchange, the twisted dihedral group ring , where K is a finite field of characteristic p such that . This is required in order to R is not a semisimple ring, which has its consequence in the security analysis.
Once we have defined our setting, we establish some useful properties that will allow us to make our key exchange possible.
Definition 3. Let , where t is the primitive root of unity that generates K and α is the cocycle defined above. Given ,where and . We define :where and . Note that
can be written as
where
and
, and
is a cyclic group of order
m. In this context, we can define
as
Proposition 1. Given ,
If , then ;
If , then , and ;
If , then .
3. Twisted Key Exchange Protocol
In this section, we explain the key exchange proposed, over the twisted group ring , and discuss the security and complexity of the protocol.
Let be a random public element. The key exchange between Alice and Bob is as follows:
Alice selects a secret pair , where .
Bob selects a secret pair , where .
Alice sends Bob , and Bob sends Alice .
Alice computes , and Bob computes , and they get the same secret shared key.
We can easily check that they get the same shared key, computing
since we had
and
by Proposition 1.
Security Analysis of the Protocol
Security of the protocol described above is based on the assumption that the following problem is computationally hard:
Given , , and the public elements , and the map , find , such that .
The stronger decisional version of this assumption would be:
Given , , and the public elements , and the map , it is hard to distinguish , such that from a random element of the form , where and .
Now we discuss the security of our protocol against various types of attacks in the literature. The first attack given by [
4] takes advantage of the algebraic setting; the second one, from [
3], involves the underlying computational problem; the third attack is a variation on our case, and finally, we check the brute force attack.
- 1.
Attacks using decomposition of group rings. Our proposed protocol over is not susceptible to this kind of attack because in our case, , so our group ring is never semisimple.
- 2.
Decomposition attack (Roman’kov). This attack by Roman’kov cannot be applied directly since secret keys in our case are not selected in that way. But we propose the necessary changes for it to be applicable (mainly, where the secret key belongs). Our proposal is robust against this attack, as can be observed in the following example.
Example 1. Let , the public element , and the secret keysThen Alice and Bob obtain their public keysand the shared key A passive eavesdropper, Eve, might obtain a basis B of ,So she can see aswhereandif she applies the attack, obtains We can see that this attack would not work since our shared key K cannot be expressed in terms of the basis B.
- 3.
Decomposition as 1-side multiplication. This decomposition is not always possible, and if that is the case, it does not necessarily imply breaking our protocol. We show it by using the following example.
Example 2. Let us consider as in the preceding example. A passive eavesdropper, Eve, would try to recover K from and . Let us assume that she can find γ such that In this case, Eve finds . But applying this γ to is helpless, - 4.
Brute force attack. The complexity of our algorithm is for a k-bits long key.
Complexity can be obtained by computing the number of possible keys. Given
h public, we have that the set of private keys is
and the set of shared keys is
. Recall that
,
, and
. In both cases, we have
so an eavesdropper would have to try
for an
-bits long key, i.e.,
possibilities for a
k-bits long key. In the example proposed in
Appendix B,
, for a 128-bits long key, we obtain a security of
.
In terms of complexity, we could say that our protocol is not as good as other protocols in group rings, such as the key exchange proposed in [
5] (in our case, the key should be larger for the same security against a brute force attack), but it is still competitive, and it is resistant against attacks such as [
4], which breaks the proposal in [
5].
Finally, note that we have studied passive attacks, but in case of an active attack, such as a man-in-the-middle attack, we would need extra security in our protocol. It could be solved by using an authenticated channel, with digital signatures.
4. A Public Key Cryptosystem
In this section, we show a computationally equivalent cryptosystem.
Let
be a twisted group ring by the 2-cocycle
, and recall
. We consider the following Elgamal-type cryptosystem for encryption and decryption. Suppose Bob wants to send a message to Alice. We have
R, and a random element
, both public. Alice establishes her public key as follows: she selects
and
, and computes
.
Encryption. To encrypt a message, Bob executes the following steps:
- 1.
Bob selects two secret elements and and computes .
- 2.
Bob represents the message as an element .
- 3.
Bob computes and sends to Alice.
Decryption. Alice decrypts the message m by calculatinggiven that and by Proposition 1. Proposition 2. Breaking the cryptosystem above is equivalent to breaking the key exchange proposed.
Proof. Assume that an eavesdropper, Eve, can solve the key exchange, and she wants to get
m from the pair
Since she is able to break the key exchange, knowing Alice’s public key
and Bob’s
allows her to get
(the shared key). So she can recover the message
Now, assume that Eve can solve the cryptosystem. Then she can obtain any message
m if she knows
. Eve encrypts a message
m using
, obtaining
Since she can break the cryptosystem, she recovers
m,
and obtains the shared key by computing
□
5. Group Key Management
In this section, we present a key exchange protocol for n users. As stated before, we observe very clearly the lack of symmetry concerning the action of every user. We also discuss the rekeying process.
Let , described above. For , user has a secret pair , where and . Let , 2-sided multiplication. We will denote .
For
, user
sends to user
the message
where
,
and
for even, , when , , ,
for odd, , when , , .
User computes if n is odd and if n is even.
User computes if n is odd or if n is even, and gets the shared key.
Proposition 3. After this protocol, users agree on a common key.
Proof. Users agree on a common key. Now we prove it for an even or odd n number of users.
Firstly, we consider
n odd. Let us show that users
get the same key and that this is equal to
key. To do so, we will prove by induction that
for
,
. And this also equals
key,
. For
,
using the commutativity rules given by Proposition 1,
Moreover, .
Now, suppose that
Then we have
and
So all users
get the same key for
n odd.
Secondly, we show that this also works for
n even. We prove by induction that
for
,
. And this also equals
key,
. For
,
using that
commute and
In addition, .
So the shared key
is the same for every
, and also,
and all users
have the same shared key, and we are done. □
An important issue in group key management is rekeying after the initial key agreement. There exist three situations: the first is due to key caducity, and the members of the group are the same; the second is when a user leaves the group, and the third is when a new user joins it. We describe these procedures in the following lines.
Let us consider the first situation. Every user
has the information
received from the user
. The rekeying process can be carried out by any of them, as is suggested in [
6]. We call this user
. He chooses a new element
, where
and
. If
n is odd, he changes his private key to
and broadcasts the message
If
n is even, he changes his private key to
and broadcasts the message
Then every user recovers the common key using the private key if n is even, and if n is odd.
We can easily check that this shared key is the same for every user. Recall that we proved that
for
and odd
n. Now we have
and
implies that
so all users get the same shared key. This can be proved analogously for odd
n. Note that every time we rekey, we need to consider that a new user has been added to the key agreement (just to decide if we use the procedure for odd or even
n), so the second time we rekey we will consider that they are
users, and so on.
In the second case, when some user leaves the group, the corresponding position in the rekeying message is omitted.
In the last case, when a new user
joins the group, if
n is odd, then
adds the element
and sends the following to the new user:
If
n is even,
adds the element
and sends to
the following:
Finally, user proceeds to step 3 of the group key protocol and sends the other users the information to obtain the shared key using their private keys.
Our next objective is showing that the security of this protocol for
n users is equivalent to the security of the key exchange in the case of two users, as is the case of [
6] and any other similar proposal such as [
7] or more recently, [
8], among many others.
6. Conclusions
Our contribution is proposing twisted group rings as interesting structures for key management, combined with the decomposition problem, since they seem to be quantum-safe for the time being. More specifically, we have introduced a key exchange protocol using the group ring and have shown a security and complexity analysis. We have also proposed an Elgamal cryptosystem and discussed its security. Finally, we have extended this protocol for several users.