Next Article in Journal
Quantum Behavior of a PT -Symmetric Two-Mode System with Cross-Kerr Nonlinearity
Previous Article in Journal
A Variant of Chebyshev’s Method with 3αth-Order of Convergence by Using Fractional Derivatives
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Public Key Protocols over Twisted Dihedral Group Rings

by
María Dolores Gómez Olvera
*,
Juan Antonio López Ramos
and
Blas Torrecillas Jover
Department of Mathematics, University of Almería, 04120 La Cañada de San Urbano, Spain
*
Author to whom correspondence should be addressed.
Symmetry 2019, 11(8), 1019; https://doi.org/10.3390/sym11081019
Submission received: 9 July 2019 / Revised: 2 August 2019 / Accepted: 3 August 2019 / Published: 7 August 2019

Abstract

:
Key management is a central problem in information security. The development of quantum computation could make the protocols we currently use unsecure. Because of that, new structures and hard problems are being proposed. In this work, we give a proposal for a key exchange in the context of NIST recommendations. Our protocol has a twisted group ring as setting, jointly with the so-called decomposition problem, and we provide a security and complexity analysis of the protocol. A computationally equivalent cryptosystem is also proposed.

1. Introduction

In recent years, intense research has been made in cryptography, especially in relation to new public key protocols. In August 2015, the USA’s National Security Agency (NSA) announced plans to upgrade security standards. Improvements in quantum computation make it necessary to replace current protocols with secure quantum ones. In a NIST report [1], there are six proposals to be quantum safe: lattice-based, code-based, multivariate-based, hash-based, isogeny-based, and group-based cryptographic schemes.
In this work, we make a proposal for a quantum-safe public key protocol. In the context of group-based proposals, it is believed that problems such as the conjugate search problem (CSP) are not solvable using quantum computers. We propose the so-called decomposition problem (DP), which is a generalization of the CSP, and the multiplicative monoid of a twisted group ring as a setting in our aim to find a quantum-safe key exchange in the context of group-based cryptography.
Decomposition Problem. Given ( x , y ) G 2 and S G , the problem is to find z 1 , z 2 S such that y = z 1 x z 2 .
Note that the CSP is a special case of this problem where z 2 = z 1 1 , and that for the DP we do not need invertible elements.
The idea is that even in asymmetric cryptography (more usually called public key cryptography), characterized by having both a secret and public key to encrypt and decrypt (in contrast with symmetric cryptography, which uses the same key for both procedures), the first and last steps in the algorithm use the same key, which is the secret key, i.e., both generation of the public key and computation of the shared key. In terms of Diffie–Hellman key exchange generalization using semigroup actions [2], this would be the following.
Let S be a finite set, G be an abelian semigroup, and ϕ a G-action on S, and a public element h S . The extended Diffie–Hellman key exchange in ( G , S , ϕ ) is the following protocol:
  • Alice chooses a G and computes ϕ ( a , h ) . Alice’s private key is a, and her public key is p A = ϕ ( a , h ) .
  • Bob chooses b G and computes ϕ ( b , h ) . Bob’s private key is b, and his public key is p B = ϕ ( b , h ) .
  • Their common secret key is then
    ϕ ( a , p B ) = ϕ ( a , ϕ ( b , h ) = ϕ ( a b , h ) = ϕ ( b a , h ) = ϕ ( b , ϕ ( a , h ) = ϕ ( b , p A ) .
So we can see that both Alice and Bob use their secret key in the first and last steps of the algorithm. In contrast, our purpose would work as follows.
Let S be a finite set, G be a non-abelian semigroup, and ϕ a G-action on S, and a public element h S . The extended Diffie–Hellman key exchange in ( G , S , ϕ ) is the following protocol:
  • Alice chooses a G and computes ϕ ( a , h ) . Alice’s private key is a, and her public key is p A = ϕ ( a , h ) .
  • Bob chooses b G and computes ϕ ( b , h ) . Bob’s private key is b, and his public key is p B = ϕ ( b , h ) .
  • Their common secret key is then
    ϕ ( a * , p B ) = ϕ ( a * , ϕ ( b , h ) = ϕ ( a * b , h ) = ϕ ( b * a , h ) = ϕ ( b * , ϕ ( a , h ) = ϕ ( b * , p A ) ,
    where a * , b * depend on a , b and also on the algebraic setting, in our case, in the cocycle of the twisted group ring. In this way, the symmetry that we found using the secret key twice during the key exchange does not occur, and we can show that this is an advantage, for example, when facing attacks like the decomposition attack [3].
The rest of this paper is organized as follows: In Section 2, we give an algebraic setting of twisted group rings. In Section 3, we provide our proposed key exchange and a security analysis of this protocol. Section 4 shows a computationally equivalent cryptosystem. In Section 5, we extend our proposal for n users, where we can observe clearly that there is a lack of symmetry concerning the action of every user. Finally, conclusions are presented in Section 6.

2. Algebraic Setting

In this section, twisted group rings are defined, and we also show some properties that make the key exchange possible. Firstly, we recall the definition of 2-cocycles, which will allow us to define the twisted multiplication.
Definition 1.
Let G be a group and A be an abelian group. An application
α : G × G A
is a 2-cocycle if
1. 
α ( g , 1 ) = α ( 1 , g ) = 1 , for all g G ,
2. 
α ( g , h ) α ( g h , k ) = α ( g , h k ) α ( h , k ) , for all g , h , k G .
Now we define twisted group rings as follows.
Definition 2.
Let K be a ring, G be a multiplicative group, and α be a cocycle in U ( K ) . The group ring K α G is defined to be the set of all finite sums of the form
g i G r i g i ,
where r i K and all but a finite number of r i are zero.
The sum of two elements in K α G is given by
g i G r i g i + g i G s i g i = g i G ( r i + s i ) g i .
And multiplication, which is twisted by a cocycle, is given by
g i G r i g i · g i G s i g i = g i G g j g k = g i r j s k α ( g j , g k ) g i .
When the cocycle α is trivial, R α G is the classical group ring R [ G ] .
As an example, consider the field K, its primitive root of unity t, and the dihedral group of 2 m elements, D 2 m = < x , y : x m = y 2 = 1 , y x a = x m a y > . The group ring R = K α D 2 m , where α is
α : D 2 m × D 2 m K
with α ( x i , x j y k ) = 1 and α ( x i y , x j y k ) = t j i , j = 1 , , 2 m 1 , is a twisted group ring.
This example is our concrete proposal for the key exchange, the twisted dihedral group ring K α D 2 m , where K is a finite field of characteristic p such that p | 2 m . This is required in order to R is not a semisimple ring, which has its consequence in the security analysis.
Once we have defined our setting, we establish some useful properties that will allow us to make our key exchange possible.
Definition 3.
Let R = K α D 2 m , where t is the primitive root of unity that generates K and α is the cocycle defined above. Given h R ,
h = 0 i m 1 k = 0 , 1 r i x i y k ,
where r i K and x , y D 2 m . We define h * K α D 2 m :
h * = 0 i m 1 k = 0 , 1 r i t i x i y k ,
where r i K and x , y D m .
Note that R = K α D 2 m can be written as
R = R 1 R 2 ,
where R 1 = K C m and R 2 = K α C m y , and C m is a cyclic group of order m. In this context, we can define A j R j as
A j = i = 0 m 1 r i x i y k R j : r i = r m i .
Proposition 1.
Given h 1 , h 2 R ,
  • If h 1 , h 2 R 1 , then h 1 h 2 = h 2 h 1 ;
  • If h 1 , h 2 A 2 , then h 1 h 2 * = h 2 h 1 * , and h 1 * h 2 = h 2 * h 1 ;
  • If h 1 A 1 , h 2 A 2 , then h 1 h 2 = h 2 h 1 * .
The proof can be seen in Appendix A.

3. Twisted Key Exchange Protocol

In this section, we explain the key exchange proposed, over the twisted group ring R = K α D 2 m , and discuss the security and complexity of the protocol.
Let h R be a random public element. The key exchange between Alice and Bob is as follows:
  • Alice selects a secret pair s A = ( g 1 , k 1 ) , where g 1 R 1 , k 1 A 2 R 2 .
  • Bob selects a secret pair s B = ( g 2 , k 2 ) , where g 2 R 1 , k 2 A 2 R 2 .
  • Alice sends Bob p A = g 1 h k 1 , and Bob sends Alice p B = g 2 h k 2 .
  • Alice computes K A = g 1 p B k 1 * , and Bob computes K B = g 2 p A k 2 * , and they get the same secret shared key.
We can easily check that they get the same shared key, computing
K A = g 1 p B k 1 * = g 1 g 2 h k 2 k 1 * = g 2 g 1 h k 1 k 2 * = g 2 p A k 2 * = K B ,
since we had g 1 g 2 = g 2 g 1 and k 1 k 2 * = k 2 k 1 * by Proposition 1.

Security Analysis of the Protocol

Security of the protocol described above is based on the assumption that the following problem is computationally hard:
Given R = K α D 2 m = R 1 R 2 , A 2 R 2 , and the public elements h , y R , and the map * : R R , find a R 1 , b A 2 R 2 such that a h b * = y .
The stronger decisional version of this assumption would be:
Given R = K α D 2 m = R 1 R 2 , A 2 R 2 , and the public elements h , y R , and the map * : R R , it is hard to distinguish a R 1 , b A 2 R 2 such that a h b * = y from a random element of the form g h k , where g R 1 and k R 2 .
Now we discuss the security of our protocol against various types of attacks in the literature. The first attack given by [4] takes advantage of the algebraic setting; the second one, from [3], involves the underlying computational problem; the third attack is a variation on our case, and finally, we check the brute force attack.
1.
Attacks using decomposition of group rings. Our proposed protocol over K α D 2 m is not susceptible to this kind of attack because in our case, c h a r ( K ) = p | 2 m = | D 2 m | , so our group ring is never semisimple.
2.
Decomposition attack (Roman’kov). This attack by Roman’kov cannot be applied directly since secret keys in our case are not selected in that way. But we propose the necessary changes for it to be applicable (mainly, where the secret key belongs). Our proposal is robust against this attack, as can be observed in the following example.
Example 1.
Let R = G F ( 2 2 ) α D 6 , the public element h = t + ( t + 1 ) x + x 2 + t y + x y + x 2 y , and the secret keys
s A = ( 1 + t x + t x 2 , y + ( t + 1 ) x y + ( t + 1 ) x 2 y ) ,
s B = ( t + ( t + 1 ) x + ( t + 1 ) x 2 , ( t + 1 ) y + x y + x 2 y ) .
Then Alice and Bob obtain their public keys
p A = t + t x + ( t + 1 ) x 2 + t y + x y + ( t + 1 ) x 2 y , p B = t + x + t x 2 + ( t + 1 ) y + t x y + x 2 y ,
and the shared key
K = ( t + 1 ) + x + t x 2 + t y + ( t + 1 ) x y + ( t + 1 ) x 2 y .
A passive eavesdropper, Eve, might obtain a basis B of R 1 h R 2 p A ,
B = { 1 + t x , 1 + x + x 2 , ( t + 1 ) x + x + t x 2 , y + ( t + 1 ) x y + t x 2 y } .
So she can see p A as
p A = β i a i h b i ,
where
a 1 = 1 + t x , a 2 = 1 + x + x 2 , a 3 = 1 , a 4 = 1 + t x + ( t + 1 ) x 2 ,
and
b 1 = x 2 y , b 2 = x 2 y , b 3 = y + x y + x 2 y , b 4 = y + x y
if she applies the attack, obtains
i = 1 3 α i a i p B b i = t + ( t + 1 ) x + x 2 + ( t + 1 ) y + ( t + 1 ) x y K .
We can see that this attack would not work since our shared key K cannot be expressed in terms of the basis B.
3.
Decomposition as 1-side multiplication. This decomposition is not always possible, and if that is the case, it does not necessarily imply breaking our protocol. We show it by using the following example.
Example 2.
Let us consider R , h , s A , s B as in the preceding example. A passive eavesdropper, Eve, would try to recover K from p A and p B . Let us assume that she can find γ such that
γ · h = p A .
In this case, Eve finds γ = y . But applying this γ to p B is helpless,
γ · p B = ( t + 1 ) + ( t + 1 ) x + ( t + 1 ) x 2 + t y + t x y + x y K ,
p B · γ = ( t + 1 ) + x + t x 2 + t y + t x y + x y K .
4.
Brute force attack. The complexity of our algorithm is O ( p 3 4 k ) for a k-bits long key.
Complexity can be obtained by computing the number of possible keys. Given h public, we have that the set of private keys is R 1 h A 2 and the set of shared keys is R 1 h A 1 . Recall that R 1 = K C m , R 2 = K α C m y , and A j = i = 0 m 1 r i x i y k R j : r i = r m i . In both cases, we have
| R 1 | = ( p n ) m | A j | = ( p n ) m 2 ,
so an eavesdropper would have to try ( p n ) m · ( p n ) m 2 = p 3 2 n m for an n m -bits long key, i.e., p 3 4 k possibilities for a k-bits long key. In the example proposed in Appendix B, G F ( 2 4 ) α D 32 , for a 128-bits long key, we obtain a security of O ( 2 96 ) .
In terms of complexity, we could say that our protocol is not as good as other protocols in group rings, such as the key exchange proposed in [5] (in our case, the key should be larger for the same security against a brute force attack), but it is still competitive, and it is resistant against attacks such as [4], which breaks the proposal in [5].
Finally, note that we have studied passive attacks, but in case of an active attack, such as a man-in-the-middle attack, we would need extra security in our protocol. It could be solved by using an authenticated channel, with digital signatures.

4. A Public Key Cryptosystem

In this section, we show a computationally equivalent cryptosystem.
Let R = K α D 2 m be a twisted group ring by the 2-cocycle α , and recall R = R 1 R 2 . We consider the following Elgamal-type cryptosystem for encryption and decryption. Suppose Bob wants to send a message to Alice. We have R, and a random element h R , both public. Alice establishes her public key as follows: she selects g 1 R 1 and k 1 R 2 , and computes p A = g 1 h k 1 .
Encryption. 
To encrypt a message, Bob executes the following steps:
1. 
Bob selects two secret elements g 2 R 1 and k 2 R 2 and computes x 1 = g 2 h k 2 .
2. 
Bob represents the message as an element m R .
3. 
Bob computes x 2 = m + g 2 p A k 2 * and sends ( x 1 , x 2 ) to Alice.
Decryption. 
Alice decrypts the message m by calculating
m = x 2 + g 1 x 1 k 1 * = m + g 2 ( g 1 h k 1 ) k 2 * g 1 ( g 2 h k 2 ) k 1 * ,
given that g 1 g 2 = g 2 g 1 and k 1 k 2 * = k 2 k 1 * by Proposition 1.
Proposition 2.
Breaking the cryptosystem above is equivalent to breaking the key exchange proposed.
Proof. 
Assume that an eavesdropper, Eve, can solve the key exchange, and she wants to get m from the pair
( x 1 , x 2 ) = ( g 2 h k 2 , m + g 2 p a k 2 * ) .
Since she is able to break the key exchange, knowing Alice’s public key g 1 h k 1 and Bob’s g 2 h k 2 allows her to get g 2 g 1 h k 1 k 2 * (the shared key). So she can recover the message
m = x 2 g 2 p A k 2 * = m + g 2 g 1 h k 1 k 2 * g 2 g 2 h k 1 k 2 * .
Now, assume that Eve can solve the cryptosystem. Then she can obtain any message m if she knows h , g 1 h k 1 , g 2 h k 2 , m + g 2 g 1 h k 1 k 2 * . Eve encrypts a message m using g 2 h k 2 , obtaining
( x 1 , x 2 ) = ( g 2 h k 2 , m + g 2 g 1 h k 1 k 2 * ) .
Since she can break the cryptosystem, she recovers m,
m = x 2 g 2 g 1 h k 1 k 2 * ,
and obtains the shared key by computing
K = g 2 g 1 h k 1 k 2 * = m x 2 .
 □

5. Group Key Management

In this section, we present a key exchange protocol for n users. As stated before, we observe very clearly the lack of symmetry concerning the action of every user. We also discuss the rekeying process.
Let h R = R 1 R 2 , described above. For i = 1 , , n , user U i has a secret pair s i = ( g i , k i ) , where g i R 1 and k i A 2 R 2 . Let ϕ ( s i , h ) = g i h k i , 2-sided multiplication. We will denote s i * = ( g i , k i * ) .
  • For i = 1 , , n , user U i sends to user U i + 1 the message
    { C i 1 , C i 2 , , C i i + 1 } ,
    where C 1 1 = h , C 1 2 = g 1 h k 1 and
    • for i > 1 even, C i j = ϕ ( s i , C i 1 j ) , when j < i , C i i = C i 1 i , C i i + 1 = ϕ ( s i * , C i 1 i ) ,
    • for i > 1 odd, C i j = ϕ ( s i * , C i 1 j ) , when j < i , C i i = C i 1 i , C i i + 1 = ϕ ( s i , C i 1 i ) .
  • User U n computes ϕ ( s n , C n 1 n ) if n is odd and ϕ ( s n * , C n 1 n ) if n is even.
  • User U n broadcasts
    { C n 1 , C n 2 , , C n n } .
  • User U i computes ϕ ( s i , C n i ) if n is odd or ϕ ( s i * , C n i ) if n is even, and gets the shared key.
Proposition 3.
After this protocol, users U 1 , , U n agree on a common key.
Proof. 
Users U 1 , U n agree on a common key. Now we prove it for an even or odd n number of users.
Firstly, we consider n odd. Let us show that users U 1 , U n 1 get the same key and that this is equal to U n key. To do so, we will prove by induction that
ϕ ( s i , C n i ) = ϕ ( s j , C n j )
for i j , i , j { 1 , , n 1 } . And this also equals U n key, ϕ ( s n , C n 1 n ) . For s = 3 ,
ϕ ( s 1 , C 3 1 ) = ϕ ( s 1 , g 3 g 2 h k 2 k 3 * ) = g 1 g 3 g 2 h k 2 k 3 * k 1 = g 2 g 3 g 1 h k 1 k 3 * k 2 = ϕ ( s 2 , g 3 g 1 h k 1 k 3 * ) = ϕ ( s 2 , C 3 2 )
using the commutativity rules given by Proposition 1,
k 2 k 3 * k 1 = k 2 k 1 * k 3 = k 1 k 2 * k 3 = k 1 k 3 * k 2 .
Moreover, ϕ ( s 3 , C 2 3 ) = g 3 g 2 g 1 h k 1 k 2 * k 3 = g 2 g 3 g 1 h k 1 k 3 * k 2 = ϕ ( s 2 , C 3 2 ) .
Now, suppose that
ϕ ( s i , C n i ) = ϕ ( s j , C n j ) .
Then we have
ϕ ( s i * , C n + 1 i ) = ϕ ( s i * , ϕ ( s n + 1 , C n i ) ) = ϕ ( s i * s n + 1 , C n i ) = ϕ ( s n + 1 * s i , C n i ) = ϕ ( s n + 1 * , ϕ ( s i , C n i ) ) = ϕ ( s n + 1 * , ϕ ( s j , C n j ) ) = ϕ ( s n + 1 * s j , C n j ) = ϕ ( s j * s n + 1 , C n j ) = ϕ ( s j * , ϕ ( s n + 1 , C n j ) ) = ϕ ( s j * , C n + 1 )
and
ϕ ( s n , C n 1 n ) = ϕ ( s n , ϕ ( s n 1 * , C n 1 n 2 ) = ϕ ( s n s n 1 * , C n 1 n 2 ) = ϕ ( s n 1 s n * , C n 1 n 1 ) = ϕ ( s n 1 , ϕ ( s n * , C n 1 n 1 ) = ϕ ( s n 1 , C n n 1 ) .
So all users U 1 , , U n get the same key for n odd.
Secondly, we show that this also works for n even. We prove by induction that
ϕ ( s i * , C n i ) = ϕ ( s j * , C n j )
for i j , i , j { 1 , , n 1 } . And this also equals U n key, ϕ ( s n , C n 1 n ) . For s = 4 ,
ϕ ( s 1 * , ϕ ( s 4 , C 3 1 ) ) = ϕ ( s 1 * , g 4 g 3 g 2 h k 2 k 3 * k 4 ) = g 1 g 4 g 3 g 2 h k 2 k 3 * k 4 k 1 * = g 2 g 4 g 3 g 1 h k 1 k 3 * k 4 k 2 * = ϕ ( s 2 * , g 4 g 3 g 1 h k 1 k 3 * k 4 ) = ϕ ( s 2 * , ϕ ( s 4 , C 3 2 ) ) ,
ϕ ( s 1 * , ϕ ( s 4 , C 3 1 ) ) = ϕ ( s 1 * , g 4 g 3 g 2 h k 2 k 3 * k 4 ) = g 1 g 4 g 3 g 2 h k 2 k 3 * k 4 k 1 * = g 3 g 4 g 2 g 1 h k 1 k 2 * k 4 k 3 * = ϕ ( s 3 * , g 4 g 2 g 1 h k 1 k 2 * k 4 ) = ϕ ( s 3 * , ϕ ( s 4 , C 3 3 ) )
using that g i R 1 commute and
k 2 k 3 * k 4 k 1 * = k 3 k 2 * k 4 k 1 * = k 3 k 4 * k 2 k 1 * = k 3 k 4 * k 1 k 2 * = k 3 k 1 * k 4 k 2 * = k 1 k 3 * k 4 k 2 * , k 2 k 3 * k 4 k 1 * = k 2 k 4 * k 1 k 3 * = k 2 k 1 * k 4 k 3 * = k 1 k 2 * k 4 k 3 * .
In addition, ϕ ( s 4 * , C 3 4 ) = g 4 g 3 g 2 g 1 h k 1 k 2 * k 3 k 4 * = g 3 g 4 k 2 k 1 h k 1 k 2 * k 4 k 3 * = ϕ ( s 3 * , ϕ ( s 4 , C 3 3 ) ) .
Suppose now that
ϕ s i * , C n i = ϕ s j * , C n j .
Then we have
ϕ ( s i , C n + 1 i ) = ϕ s i , ϕ ( s n + 1 * , C n i ) = ϕ s i , ϕ ( s n + 1 * , C n i ) = ϕ s i s n + 1 * , C n i ) = ϕ s n + 1 s i * , C n i ) = ϕ s n + 1 , ϕ ( s i * , C n i ) = ϕ s n + 1 , ϕ ( s j * , C n j ) = ϕ s n + 1 s j * , C n j ) = ϕ s j s n + 1 * , C n j = ϕ s j , ϕ ( s n + 1 * , C n j ) = ϕ ( s j , C n + 1 j ) .
So the shared key ϕ s i , ϕ ( s n + 1 * , C n i ) is the same for every i { 1 , , n 1 } , and also,
ϕ ( s n * , C n 1 n ) = ϕ ( s n * , ϕ ( s n 1 , C n 1 n 2 ) = ϕ ( s n * s n 1 , C n 1 n 2 ) = ϕ ( s n 1 * s n , C n 1 n 1 ) = ϕ ( s n 1 * , ϕ ( s n , C n 1 n 1 ) = ϕ ( s n 1 * , C n n 1 ) ,
and all users U 1 , , U n have the same shared key, and we are done. □
An important issue in group key management is rekeying after the initial key agreement. There exist three situations: the first is due to key caducity, and the members of the group are the same; the second is when a user leaves the group, and the third is when a new user joins it. We describe these procedures in the following lines.
Let us consider the first situation. Every user U i has the information C n i received from the user U n . The rekeying process can be carried out by any of them, as is suggested in [6]. We call this user U c . He chooses a new element s c = ( g c , k c ) , where g c R 1 and k c A 2 . If n is odd, he changes his private key to s c * s c and broadcasts the message
{ ϕ ( s c * , C n 1 ) , ϕ ( s c * , C n 2 ) , , ϕ ( s c * , C n c 1 ) , C n c , ϕ ( s c * , C n c + 1 ) , , ϕ ( s c * , C n n ) } .
If n is even, he changes his private key to s c s c * and broadcasts the message
{ ϕ ( s c , C n 1 ) , ϕ ( s c , C n 2 ) , , ϕ ( s c , C n c 1 ) , C n c , ϕ ( s c , C n c + 1 ) , , ϕ ( s c , C n n ) } .
Then every user recovers the common key using the private key s i if n is even, and s i * if n is odd.
We can easily check that this shared key is the same for every user. Recall that we proved that ϕ ( s i , C n i ) = ϕ ( s j , C n j ) for i , j = 1 , , n 1 and odd n. Now we have
ϕ ( s i * , ϕ ( s c , C n i ) = ϕ ( s i * s c , C n i ) ) = ϕ ( s c * s i , C n i ) = ϕ ( s c * , ϕ ( s i , C n i ) = ϕ ( s c * , ϕ ( s j , C n j ) = ϕ ( s c * s j , C n j ) = ϕ ( s j * s c , C n j ) ) = ϕ ( s j * , ϕ ( s c , C n j ) ,
and ϕ ( s n , C n 1 n ) = ϕ ( s n 1 , C n n 1 ) implies that
ϕ ( s n * , ϕ ( s c , C n n ) = ϕ ( s n * s c , C n n ) ) = ϕ ( s c * s n , C n n ) = ϕ ( s c * , ϕ ( s n , C n n ) ) = ϕ ( s c * , ϕ ( s n , C n 1 n ) ) = ϕ ( s c * , ϕ ( s n 1 , C n n 1 ) ) = ϕ ( s c * s n 1 , C n n 1 ) = ϕ ( s n 1 * s c , C n n 1 ) ) = ϕ ( s n 1 * , ϕ ( s c , C n n 1 ) ) ,
so all users get the same shared key. This can be proved analogously for odd n. Note that every time we rekey, we need to consider that a new user has been added to the key agreement (just to decide if we use the procedure for odd or even n), so the second time we rekey we will consider that they are n + 1 users, and so on.
In the second case, when some user leaves the group, the corresponding position in the rekeying message is omitted.
In the last case, when a new user U n + 1 joins the group, if n is odd, then U c adds the element ϕ ( s c , C n n ) and sends the following to the new user:
{ ϕ ( s c , C n 1 ) , ϕ ( s c , C n 2 ) , , ϕ ( s c , C n c 1 ) , C n c , ϕ ( s c , C n c + 1 ) , , ϕ ( s c , C n n 1 ) , ϕ ( s c , C n n ) } .
If n is even, U c adds the element ϕ ( s c * , C n n ) and sends to U n + 1 the following:
{ ϕ ( s c * , C n 1 ) , ϕ ( s c * , C n 2 ) , , ϕ ( s c * , C n c 1 ) , C n c , ϕ ( s c * , C n c + 1 ) , , ϕ ( s c * , C n n 1 ) , ϕ ( s c * , C n n ) } .
Finally, user U n + 1 proceeds to step 3 of the group key protocol and sends the other users the information to obtain the shared key using their private keys.
Our next objective is showing that the security of this protocol for n users is equivalent to the security of the key exchange in the case of two users, as is the case of [6] and any other similar proposal such as [7] or more recently, [8], among many others.

6. Conclusions

Our contribution is proposing twisted group rings as interesting structures for key management, combined with the decomposition problem, since they seem to be quantum-safe for the time being. More specifically, we have introduced a key exchange protocol using the group ring K α [ D 2 m ] and have shown a security and complexity analysis. We have also proposed an Elgamal cryptosystem and discussed its security. Finally, we have extended this protocol for several users.

Author Contributions

Investigation, M.D.G.O., J.A.L.R., and B.T.J.; Writing—original draft, M.D.G.O.; Writing—review & editing, J.A.L.R. and B.T.J.

Funding

This work has been supported by Ministerio de Economía y Competitividad grant MTM2017-86987-P. Both the second and third authors are also funded by Junta de Andalucía grant FQM221.

Conflicts of Interest

The authors declare no conflict of interest.

Appendix A

Proof of Proposition 1.
Let us show that each of these equalities holds.
1.
Given h 1 , h 2 R 1 , we have
r i x i s j x j = r i s j α ( x i , x j ) x i x j = r i s j x i + j ,
s j x j r i x i = s j r i α ( x j , x i ) x j x i = r i s j x i + j .
So then
h 1 h 2 = i = 0 m 1 ( r i x i ) j = 0 m 1 ( s j x j ) = i , j = 0 m 1 ( r i s j x i + j ) = j = 0 m 1 ( r j x j ) i = 0 m 1 ( r i x i ) = h 2 h 1 .
2.
Given h 1 , h 2 A 2 , these elements can be written as
r 0 y + r 1 x y + r 2 x 2 y + + r m 1 2 x m 1 2 y + r m 1 2 x m + 1 2 y + + r 2 x n 2 y + r 1 x n 1 y = r 0 y + i = 1 m 1 2 ( r i x i y + r i x m i y )
if m is odd, and
r 0 y + r 1 x y + r 2 x 2 y + + r m 2 1 x m 2 1 y + r m 2 x m 2 y + r m 2 1 x m 2 + 1 y + + r 2 x n 2 y + r 1 x n 1 y = r 0 y + r m 2 x m 2 y + i = 1 m 2 2 ( r i x i y + r i x m i y )
if m is even.
It is worth showing now that the following equality holds:
i = 1 n ( r i x i y + r i x m i ) j = 1 n ( t j s j x j y + t j s j x m j ) = j = 1 n ( s j x j y + s j x m j ) i = 1 n ( t i r i x i y + t i r i x m i ) .
This is because we will need to use it in both bases, for even and odd m. Since we have that with basic elements we get
( r i x i y + r i x i y ) · ( t j s j x j y + t j s j x j y ) = ( s j x j y + s j x j y ) · ( t i r i x i y + t i r i x i y ) ,
( r i x i y + r i x i y ) · ( t j s j x j y + t j s j x j y ) = r i x i y · t j s j x j y + r i x i y · t j s j x j y + r i x i y · t j s j x j y + r i x i y · t j s j x j y = r i s j t j α ( x i y , x j y ) x i y x j y + r i s j t j α ( x i y , x j y ) x i y x j y + r i s j t j α ( x i y , x j y ) x i y x j y + r i s j t j α ( x i y , x j y ) x i y x j y = r i s j t j t j x i j + r i s j t j t j x i + j + r i s j t j t j x i j + r i s j t j t j x i + j = r i s j ( x i j + x i + j + x i j + x i + j ) ,
( s j x j y + s j x j y ) · ( t i r i x i y + t i r i x i y ) = s j x j y · t i r i x i y + s j x j y · t i r i x i y + s j x j y · t i r i x i y + s j x j y · t i r i x i y = s j r i t i α ( x j y , x i y ) x j y x i y + s j r i t i α ( x j y , x i y ) x j y x i y + s j r i t i α ( x j y , x i y ) x j y x i y + s j r i t i α ( x j y , x i y ) x j y x i y = s j r i x j + i + s j r i x j i + s j r i x j + i + s j r i x j i = s j r i ( x j + i + x j i + x j + i + x j i ) = r i s j ( x i j + x i + j + x i j + x i + j ) .
Then we have
i = 1 n ( r i x i y + r i x m i y ) j = 1 n ( t j s j x j y + t j s j x m j y ) = i = 1 n ( r i x i y · t j s j x j y + r i x i y · t j s j x m j y + r i x m i y · t j s j x j y + r i x m i y · t j s j x m j y ) = i = 1 n ( r i s j t j α ( x i y , x j y ) + r i s j t i α ( x i y , x m j y ) x i y x m j y + r i s j t j α ( x m i y , x j y ) x m i y x j y + r i s j t j α ( x m i y , x m j y ) x m i y x m j y ) = i = 1 n ( r i s j t j t j x i y x j y + r i s j t j t j x i y x m j y + r i s j t j t j x m i y x j y + r i s j t j t j x m i y x m j y ) = i = 1 n ( r i s j x i j + r i s j x i + j + r i s j x i j + r i s j x i + j ) = i = 1 n r i s j ( x i j + x i + j + x i j + x i + j ) = j = 1 n ( s j x j y + s j x m j y ) i = 1 n ( t i r i x i y + t i r i x m i y ) .
2.1
Now we show that h 1 h 2 * = h 2 h 1 * .
-
If m is odd:
h 1 h 2 * = r 0 y + i = 1 m 1 2 ( r i x i y + r i x m i y ) ( s 0 y + j = 1 m 1 2 ( t j s j x j y + t j s j x m j y ) ) = r 0 y · s 0 y + r 0 y j = 1 m 1 2 ( t j s j x j y + t j s j x m j y ) + i = 1 m 1 2 ( r i x i y + r i x m i y ) s 0 y + i = 1 m 1 2 ( r i x i y + r i x m i y ) j = 1 m 1 2 ( t j s j x j y + t j s j x m j y ) = r 0 s 0 + i = 1 m 1 2 ( r i x i y + r i x m i y ) s 0 y + r 0 y j = 1 m 1 2 ( t j s j x j y + t j s j x m j y ) + i = 1 m 1 2 ( r i x i y + r i x m i y ) j = 1 m 1 2 ( t j s j x j y + t j s j x m j y ) = s 0 y · r 0 y + s 0 y i = 1 m 1 2 ( t i r i x i y + t i r i x m i y ) + j = 1 m 1 2 ( s j x j y + s j x m j y ) r 0 y + j = 1 m 1 2 ( s j x j y + s j x m j y ) i = 1 m 1 2 ( t i r i x i y + t i r i x m i y ) = s 0 y + j = 1 m 1 2 ( s j x j y + s j x m j y ) r 0 y + i = 1 m 1 2 ( t i r i x i y + t i r i x m i y ) = h 2 h 1 * ,
where we have used that
  • i = 1 n ( r i x i y + r i x m i ) j = 1 n ( t j s j x j y + t j s j x m j ) = j = 1 n ( s j x j y + s j x m j ) i = 1 n ( t i r i x i y + t i r i x m i ) A1,
  • r 0 y · j = 1 m 2 2 ( t j s j x j y + t j s j x m j y ) = j = 1 m 2 2 ( s j x j y + s j x m j y ) · r 0 y A2,
  • i = 1 m 2 2 ( r i x i y + r i x m i y ) s 0 y = s 0 y j = 1 m 2 2 ( t i r i x i y + t i r i x m i y ) A2,
    r 0 y j = 1 m 1 2 ( t j s j x j y + t j s j x m j ) = j = 1 m 1 2 ( r 0 y · t j s j x j y + r 0 y · t j s j x m j y ) = j = 1 m 1 2 ( r 0 s j t j α ( y , x j y ) y x j y + r 0 s j t j α ( y , x m j ) y x m j y ) = j = 1 m 1 2 ( r 0 s j x m j + r 0 s j x j ) = j = 1 m 1 2 ( s j r 0 α ( x j y , y ) x j y y + s j r 0 α ( x m j y , y ) x m j y y ) = j = 1 m 1 2 ( s j x j y + s j x m j ) r 0 y .
-
Analogously, if m is even, we have
h 1 h 2 * = r 0 y + r m 2 x m 2 y + i = 1 m 2 2 ( r i x i y + r i x m i ) s 0 y + t m 2 s m 2 x m 2 y + j = 1 m 2 2 ( t j s j x j y + t j s j x m j ) = r 0 y · s 0 y + r 0 y · t m 2 s m 2 x m 2 y + r 0 y j = 1 m 2 2 ( t j s j x j y + t j s j x m j y ) + r m 2 x m 2 y · s 0 y + r m 2 x m 2 y · t m 2 s m 2 x m 2 y + r m 2 x m 2 y j = 1 m 2 2 ( t j s j x j y + t j s j x m j y ) + i = 1 m 2 2 ( r i x i y + r i x m i y ) · s 0 y + i = 1 m 2 2 ( r i x i y + r i x m i y ) t m 2 · t m 2 s m 2 x m 2 y + i = 1 m 2 2 ( r i x i y + r i x m i y ) j = 1 m 2 2 ( t j s j x j y + t j s j x m j y ) = r 0 s 0 + r m 2 x m 2 y · s 0 y + i = 1 m 2 2 ( r i x i y + r i x m i y ) · s 0 y + r 0 y · t m 2 s m 2 x m 2 y + r m 2 x m 2 y · t m 2 s m 2 x m 2 y + i = 1 m 2 2 ( r i x i y + r i x m i y ) t m 2 · t m 2 s m 2 x m 2 y r 0 y j = 1 m 2 2 ( t j s j x j y + t j s j x m j y ) + r m 2 x m 2 y j = 1 m 2 2 ( t j s j x j y + t j s j x m j y ) + i = 1 m 2 2 ( r i x i y + r i x m i y ) j = 1 m 2 2 ( t j s j x j y + t j s j x m j y ) = s 0 y · r 0 y + s 0 y · t m 2 r m 2 x m 2 y + s 0 y j = 1 m 2 2 ( t i r i x i y + t i r i x m i y ) + s m 2 x m 2 y r 0 y + s m 2 x m 2 y · t m 2 r m 2 x m 2 y + s m 2 x m 2 y i = 1 m 2 2 ( t i r i x i y + t i r i x m i y ) + j = 1 m 2 2 ( s j x j y + r j x m j y ) r 0 y + j = 1 m 2 2 ( s j x j y + r j x m j y ) t m 2 r m 2 x m 2 y + j = 1 m 2 2 ( s j x j y + r j x m j y ) i = 1 m 2 2 t i ( r i x i y + t i r i x m i y ) = s 0 y + s m 2 x m 2 + j = 1 m 2 2 ( s j x j y + s j x m j ) r 0 y + t m 2 r m 2 x m 2 + i = 1 m 2 2 ( t i r i x i y + t i r i x m i ) = h 2 h 1 * ,
where we have used that
  • r 0 y · s 0 y = r 0 s 0 = s 0 r 0 = s 0 y · r 0 y
  • r 0 y · t m 2 s m 2 x m 2 y = r 0 s m 2 t m 2 α ( y , x m 2 y ) y x m 2 y = r 0 s m 2 x m 2 = s m 2 r 0 α ( x m 2 y , y ) x m 2 y y = s m 2 x m 2 y · r 0 y ,
  • r 0 y · j = 1 m 2 2 ( t j s j x j y + t j s j x m j y ) = j = 1 m 2 2 ( s j x j y + r j x m j y ) · r 0 y A2,
  • r m 2 x m 2 y · s 0 y = r m 2 s 0 α ( x m 2 y , y ) x m 2 y y = r m 2 s 0 x m 2 = s 0 r m 2 t m 2 α ( y , x m 2 y ) y x m 2 y = s 0 y · t m 2 r m 2 x m 2 y ,
  • r m 2 x m 2 y · t m 2 s m 2 x m 2 y = s m 2 x m 2 y · t m 2 r m 2 x m 2 y A3,
  • r m 2 x m 2 y j = 1 m 2 2 ( t j s j x j y + t j s j x m j y ) = j = 1 m 2 2 ( r m 2 x m 2 y · s j x j y + · r m 2 x m 2 y s j x m j y ) = j = 1 m 2 2 ( r m 2 s j x m 2 + j + r m 2 s j x m 2 j )
    = j = 1 m 2 2 ( s j x j y · t m 2 r m 2 x m 2 y + r j x m j y · t m 2 r m 2 x m 2 y ) = j = 1 m 2 2 ( s j x j y + r j x m j y ) t m 2 r m 2 x m 2 y ,
  • i = 1 m 2 2 ( r i x i y + r i x m i y ) s 0 y = s 0 y j = 1 m 2 2 ( t i r i x i y + t i r i x m i y ) A2,
  • i = 1 m 2 2 ( r i x i y + r i x m i y ) t m 2 s m 2 x m 2 y = s m 2 x m 2 y i = 1 m 2 2 ( t i r i x i y + t i r i x m i y ) A3,
  • i = 1 m 2 2 ( r i x i y + r i x m i y ) j = 1 m 2 2 ( t j s j x j y + t j s j x m j y ) = j = 1 m 2 2 ( s j x j y + r j x m j y ) i = 1 m 2 2 ( t i r i x i y + t i r i x m i y ) A1,
    r m 2 x m 2 y j = 1 m 2 2 ( t j s j x j y + t j s j x m j y ) = j = 1 m 2 2 ( r m 2 x m 2 y · t j s j x j y + · r m 2 x m 2 y s j x m j y ) = j = 1 m 2 2 ( r m 2 s j t j α ( x m 2 , x j y ) x m 2 x j y + r m 2 s j t j α ( x m 2 , x m j y ) x m 2 x m j y ) = j = 1 m 2 2 ( r m 2 s j x m 2 + j + r m 2 s j x m 2 j ) = j = 1 m 2 2 ( r m 2 s j x m 2 j + r m 2 s j x m 2 + j ) = j = 1 m 2 2 ( s j r m 2 t m 2 α ( x j y , x m 2 ) x j y x m 2 + s j r m 2 t m 2 α ( x m j y , x m 2 ) x m j y x m 2 ) = j = 1 m 2 2 ( s j x j y · t m 2 r m 2 x m 2 y + r j x m j y · t m 2 r m 2 x m 2 y ) = j = 1 m 2 2 ( s j x j y + r j x m j y ) t m 2 r m 2 x m 2 y .
The proof of h 1 * h 2 = h 2 * h 1 and h 1 h 2 = h 2 h 1 * can be made by using similar arguments.
 □

Appendix B. Mathematica Implementation of 128-Bit Example

In this appendix, we include an example of our key exchange in G F ( 2 4 ) α D 32 , where keys are 128 bits long, implemented in the software Mathematica.
Figure A1. Implementation of the key exchange in Mathematica.
Figure A1. Implementation of the key exchange in Mathematica.
Symmetry 11 01019 g0a1

References

  1. Chen, L.; Jordan, S.; Liu, Y.-K.; Moody, D.; Peralta, R.; Perlner, R.; SmithTone, D. Report on Post-Quantum Cryptography; US Department of Commerce, National Institute of Standards and Technology: Gaithersburg, MD, USA, 2016; Volume 8150.
  2. Maze, G.; Monico, C.; Rosenthal, J. Public key cryptography based on semigroup actions. Adv. Math. Commun. 2007, 1, 489–507. [Google Scholar] [Green Version]
  3. Romankov, V. A general encryption scheme using two-sided multiplications with its cryptanalysis. arXiv 2017, arXiv:1709.06282. [Google Scholar]
  4. Eftekhari, M. Cryptoanalisis of Some Protocols using Matrices over Group Rings. In Proceedings of the International Conference on Cryptology in Africa, Dakar, Senegal, 24–26 May 2017; Volume 10239, pp. 223–229. [Google Scholar]
  5. Kahrobaei, D.; Koupparis, C.; Shpilrain, V. Public key exchange using matrices over group rings. Groups Complex. Cryptol. 2013, 5, 97–115. [Google Scholar] [CrossRef] [Green Version]
  6. Steiner, M.; Tsudik, G.; Waidner, M. Key agreement in dynamic peer groups. IEEE Trans. Parallel Distrib. Syst. 2000, 11, 769–780. [Google Scholar] [CrossRef]
  7. Burmester, M.; Desmedt, I. A secure and scalable Group Key Exchange system. Inf. Proc. Lett. 2005, 94, 137–143. [Google Scholar] [CrossRef]
  8. Lopez-Ramos, J.A.; Rosenthal, J.; Schipani, D.; Schnyder, R. An application of group theory in confidential network communications. Math. Meth. Apply Sci. 2018, 41, 2294–2298. [Google Scholar] [CrossRef]

Share and Cite

MDPI and ACS Style

Gómez Olvera, M.D.; López Ramos, J.A.; Torrecillas Jover, B. Public Key Protocols over Twisted Dihedral Group Rings. Symmetry 2019, 11, 1019. https://doi.org/10.3390/sym11081019

AMA Style

Gómez Olvera MD, López Ramos JA, Torrecillas Jover B. Public Key Protocols over Twisted Dihedral Group Rings. Symmetry. 2019; 11(8):1019. https://doi.org/10.3390/sym11081019

Chicago/Turabian Style

Gómez Olvera, María Dolores, Juan Antonio López Ramos, and Blas Torrecillas Jover. 2019. "Public Key Protocols over Twisted Dihedral Group Rings" Symmetry 11, no. 8: 1019. https://doi.org/10.3390/sym11081019

APA Style

Gómez Olvera, M. D., López Ramos, J. A., & Torrecillas Jover, B. (2019). Public Key Protocols over Twisted Dihedral Group Rings. Symmetry, 11(8), 1019. https://doi.org/10.3390/sym11081019

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop