Public Key Protocols over Twisted Dihedral Group Rings

Key management is a central problem in information security. Progress in quantum computation could make the protocols we currently use insecure, and for this reason new structures and hard problems are being proposed. In this work, we give a proposal for a key exchange in the context of the NIST recommendations. Our protocol has a twisted group ring as its setting, jointly with the so-called decomposition problem, and we provide a security and complexity analysis of the protocol. A computationally equivalent cryptosystem is also proposed.


Introduction
In recent years, intense research has been devoted to cryptography, especially to new public key protocols. In August 2015, the USA's National Security Agency (NSA) announced plans to upgrade its security standards. Progress in quantum computation makes it necessary to replace current protocols with quantum-safe ones. A NIST report [1] lists six families of proposals for quantum-safe schemes: lattice-based, code-based, multivariate-based, hash-based, isogeny-based, and group-based cryptographic schemes.
In this work, we propose a quantum-safe public key protocol. In the context of group-based proposals, it is believed that problems such as the conjugacy search problem (CSP) are not efficiently solvable with quantum computers. We propose the so-called decomposition problem (DP), a generalization of the CSP, together with the multiplicative monoid of a twisted group ring as the setting, in our aim to find a quantum-safe key exchange in the context of group-based cryptography.
Decomposition Problem. Given $(x, y) \in G^2$ and $S \subset G$, the problem is to find $z_1, z_2 \in S$ such that $y = z_1 x z_2$.
Note that the CSP is the special case of this problem in which $z_2 = z_1^{-1}$, and that the DP does not require invertible elements.
The idea is the following. In asymmetric (public key) cryptography, each party has a secret key and a public key, in contrast with symmetric cryptography, which uses the same key to encrypt and to decrypt. In the usual key exchange, however, the first and the last steps of the algorithm, namely generating the public key and computing the shared key, both use the same secret key. In terms of the generalization of Diffie-Hellman key exchange to semigroup actions [2], this reads as follows.
Let $S$ be a finite set, $G$ an abelian semigroup, $\varphi$ a $G$-action on $S$, and $h \in S$ a public element. The extended Diffie-Hellman key exchange in $(G, S, \varphi)$ is the following protocol:
1. Alice chooses $a \in G$ and computes $\varphi(a, h)$. Alice's private key is $a$, and her public key is $p_A = \varphi(a, h)$.
2. Bob chooses $b \in G$ and computes $\varphi(b, h)$. Bob's private key is $b$, and his public key is $p_B = \varphi(b, h)$.

Their common secret key is then
So both Alice and Bob use their secret key in the first and in the last step of the algorithm. In contrast, our proposal works as follows.
Let $S$ be a finite set, $G$ a non-abelian semigroup, $\varphi$ a $G$-action on $S$, and $h \in S$ a public element. The extended Diffie-Hellman key exchange in $(G, S, \varphi)$ is the following protocol:
1. Alice chooses $a \in G$ and computes $\varphi(a, h)$. Alice's private key is $a$, and her public key is $p_A = \varphi(a, h)$.
2. Bob chooses $b \in G$ and computes $\varphi(b, h)$. Bob's private key is $b$, and his public key is $p_B = \varphi(b, h)$.

Their common secret key is then
where $a^*$, $b^*$ depend on $a$, $b$ and also on the algebraic setting, in our case on the cocycle of the twisted group ring. In this way, the symmetry that arises from using the secret key twice during the key exchange does not occur, and we show that this is an advantage, for example, when facing attacks such as the decomposition attack [3].
The rest of this paper is organized as follows: In Section 2, we give an algebraic setting of twisted group rings. In Section 3, we provide our proposed key exchange and a security analysis of this protocol. Section 4 shows a computationally equivalent cryptosystem. In Section 5, we extend our proposal for n users, where we can observe clearly that there is a lack of symmetry concerning the action of every user. Finally, conclusions are presented in Section 6.

Algebraic Setting
In this section, twisted group rings are defined, and we also show some properties that make the key exchange possible. Firstly, we recall the definition of 2-cocycles, which will allow us to define the twisted multiplication.
Definition 1. Let $G$ be a group and $A$ be an abelian group. A map
Now we define twisted group rings as follows.
Definition 2. Let $K$ be a ring, $G$ be a multiplicative group, and $\alpha$ be a cocycle in $U(K)$. The group ring $K^\alpha G$ is defined to be the set of all finite sums of the form
where $r_i \in K$ and all but a finite number of the $r_i$ are zero. The sum of two elements in $K^\alpha G$ is given by
and the multiplication, which is twisted by the cocycle, is given by
When the cocycle $\alpha$ is trivial, $K^\alpha G$ is the classical group ring $K[G]$.
As an example, consider a field $K$, a primitive root of unity $t \in K$, and the dihedral group of $2m$ elements, $D_{2m} = \langle x, y : \cdots \rangle$. With $\alpha(x^i, x^j y^k) = 1$ and $\alpha(x^i y, x^j y^k) = t^j$ for $i, j = 1, \dots, 2m-1$, $K^\alpha D_{2m}$ is a twisted group ring.
This example is our concrete proposal for the key exchange: the twisted dihedral group ring $K^\alpha D_{2m}$, where $K$ is a finite field of characteristic $p$ such that $p \mid 2m$. This is required so that $R$ is not a semisimple ring, which has consequences in the security analysis.
Once we have defined our setting, we establish some useful properties that will allow us to make our key exchange possible.
Let $R = K^\alpha D_{2m}$, where $t$ is the primitive root of unity that generates $K$ and $\alpha$ is the cocycle defined above. Given $h \in R$,
where $r_i \in K$ and $x, y \in D_{2m}$, we define $h^* \in K^\alpha D_{2m}$ by
where $r_i \in K$ and $x, y \in D_{2m}$.
Note that $R = K^\alpha D_{2m}$ can be written as $R = R_1 \oplus R_2$, where $R_1 = KC_m$ and $R_2 = K^\alpha C_m y$, and $C_m$ is the cyclic group of order $m$. In this context, we can define $A_j \leq R_j$ as
Proposition 1. (1) For all $h_1, h_2 \in R_1$, $h_1 h_2 = h_2 h_1$. (2) For all $h_1, h_2 \in A_2$, $h_1 h_2^* = h_2 h_1^*$.
The proof can be seen in Appendix A.

Twisted Key Exchange Protocol
In this section, we explain the key exchange proposed, over the twisted group ring R = K α D 2m , and discuss the security and complexity of the protocol.
Let $h \in R$ be a random public element. The key exchange between Alice and Bob is as follows:
1. Alice selects a secret pair $s_A = (g_1, k_1)$ with $g_1 \in R_1$ and $k_1 \in A_2$.
2. Bob selects a secret pair $s_B = (g_2, k_2)$ with $g_2 \in R_1$ and $k_2 \in A_2$.
3. Alice sends Bob $p_A = g_1 h k_1$, and Bob sends Alice $p_B = g_2 h k_2$.
4. Alice computes $K_A = g_1 p_B k_1^*$, and Bob computes $K_B = g_2 p_A k_2^*$, and they get the same secret shared key.
We can easily check that they get the same shared key, computing
$$K_A = g_1 p_B k_1^* = g_1 g_2 h k_2 k_1^* = g_2 g_1 h k_1 k_2^* = g_2 p_A k_2^* = K_B,$$
since $g_1 g_2 = g_2 g_1$ and $k_1 k_2^* = k_2 k_1^*$ by Proposition 1.

Security Analysis of the Protocol
Security of the protocol described above is based on the assumption that the following problem is computationally hard: given the ring $R = R_1 \oplus R_2$, the public elements $h, y \in R$, and the map $* : R \to R$, find $a \in R_1$ and $b \in A_2 \leq R_2$ such that $a h b^* = y$. The stronger decisional version of this assumption is: given $R = R_1 \oplus R_2$, the public elements $h, y \in R$, and the map $* : R \to R$, it is hard to distinguish an element $y = a h b^*$ with $a \in R_1$ and $b \in A_2 \leq R_2$ from a random element of the form $g h k$, where $g \in R_1$ and $k \in R_2$. Now we discuss the security of our protocol against various types of attacks from the literature. The first attack, given in [4], takes advantage of the algebraic setting; the second one, from [3], involves the underlying computational problem; the third attack is a variation adapted to our case; and finally, we consider the brute force attack.
1. Attacks using decomposition of group rings. Our proposed protocol over $K^\alpha D_{2m}$ is not susceptible to this kind of attack because in our case $\operatorname{char}(K) = p \mid 2m = |D_{2m}|$, so our group ring is never semisimple.
2. Decomposition attack (Roman'kov). This attack by Roman'kov cannot be applied directly, since the secret keys in our case are not selected in that way, but we make the changes needed for it to apply (mainly, where the secret key belongs). Our proposal is robust against this attack, as can be observed in the following example.
Example 1.
A passive eavesdropper, Eve, might obtain a basis $B$ of $R_1 h R_2$, which contains $p_A$, so that she can write $p_A$ as
We can see that this attack would not work, since our shared key $K$ cannot be expressed in terms of the basis $B$.
3. Decomposition as 1-side multiplication. This decomposition is not always possible, and if that is the case, it does not necessarily imply breaking our protocol. We show it by using the following example.

Example 2.
Let us consider $R$, $h$, $s_A$, $s_B$ as in the preceding example. A passive eavesdropper, Eve, would try to recover $K$ from $p_A$ and $p_B$. Let us assume that she can find $\gamma$ such that
In this case, Eve finds $\gamma = y$. But applying this $\gamma$ to $p_B$ does not help,
4. Brute force attack. The complexity of our algorithm is $O(p^{\frac{3}{4}k})$ for a $k$-bit key.
The complexity can be obtained by counting the possible keys. Given $h$ public, the set of private keys is $R_1 h A_2$ and the set of shared keys is $R_1 h A_1$. Recall that $R_1 = KC_m$,
In both cases, we have
so an eavesdropper would have to try $(p^n)^m \cdot (p^n)$
In terms of complexity, our protocol is not as good as other protocols over group rings, such as the key exchange proposed in [5] (in our case, the key has to be larger for the same security against a brute force attack), but it is still competitive, and it is resistant to attacks such as [4], which breaks the proposal in [5].
Finally, note that we have studied passive attacks; against an active attack, such as a man-in-the-middle attack, our protocol would need extra protection. This can be obtained by using an authenticated channel, for instance with digital signatures.

A Public Key Cryptosystem
In this section, we show a computationally equivalent cryptosystem. Let $R = K^\alpha D_{2m}$ be the twisted group ring with 2-cocycle $\alpha$, and recall that $R = R_1 \oplus R_2$. We consider the following ElGamal-type cryptosystem for encryption and decryption. Suppose Bob wants to send a message to Alice. The ring $R$ and a random element $h \in R$ are both public. Alice establishes her public key as follows: she selects $g_1 \in R_1$ and $k_1 \in A_2 \leq R_2$, and computes $p_A = g_1 h k_1$.

Encryption.
To encrypt a message, Bob executes the following steps:
1. Bob selects two secret elements $g_2 \in R_1$ and $k_2 \in A_2$ and computes $x_1 = g_2 h k_2$.
2. Bob represents the message as an element $m \in R$.
3. Bob computes $x_2 = m + g_2 p_A k_2^*$ and sends $(x_1, x_2)$ to Alice.
Decryption.
Alice recovers the message $m$ by calculating
$$x_2 - g_1 x_1 k_1^* = m + g_2 g_1 h k_1 k_2^* - g_1 g_2 h k_2 k_1^* = m,$$
given that $g_1 g_2 = g_2 g_1$ and $k_1 k_2^* = k_2 k_1^*$ by Proposition 1.
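The following Python program is an added worked example for the key exchange of Section 3 and the ElGamal-type cryptosystem above; it is written for this page and is not the paper's own implementation (the paper refers to a Mathematica implementation in Figure A1, which is not reproduced here). It makes choices the text leaves open or that are not legible in this copy, all of them assumptions: $K = \mathrm{GF}(2^n)$ with $t$ the class of the polynomial $x$, a generator of $K^*$, and $m = 2^n - 1$, so that $p = 2$ divides $2m$ and $t^m = 1$, which the cocycle $\alpha(x^i y, x^j y^k) = t^j$ needs to be well defined modulo $m$; the map $*$ fixing $R_1$ and sending $x^j y$ to $t^{-j} x^j y$, and $A_2$ consisting of the elements of $R_2$ with equal coefficients on $x^i y$ and $x^{-i} y$, both read off the expansions in Appendix A. The class and function names (`GF2n`, `TwistedDihedralRing`, `key_exchange`, `encrypt`, `decrypt`, `demo`) are chosen here.

```python
import random

class GF2n:  # GF(2^n), elements as n-bit ints; `modulus` is an irreducible polynomial of degree n
    def __init__(self, n, modulus):
        self.n, self.modulus = n, modulus

    def mul(self, a, b):
        r = 0
        while b:
            if b & 1:
                r ^= a
            b, a = b >> 1, a << 1
            if a >> self.n:
                a ^= self.modulus
        return r

    def pow(self, a, e):
        r = 1
        while e:
            if e & 1:
                r = self.mul(r, a)
            a, e = self.mul(a, a), e >> 1
        return r

class TwistedDihedralRing:  # R = K^alpha D_{2m}; an element is {(i, e): c} meaning sum c x^i y^e
    def __init__(self, F, m, t):
        self.F, self.m, self.t = F, m, t
        assert F.pow(t, m) == 1  # alpha(x^i y, x^j y^k) = t^j must be well defined for j mod m

    def cocycle(self, g, h):  # alpha(x^i, .) = 1 and alpha(x^i y, x^j y^k) = t^j
        return 1 if g[1] == 0 else self.F.pow(self.t, h[0])

    def group_mul(self, g, h):  # uses y x^j = x^{-j} y in D_{2m}
        (i, e), (j, k) = g, h
        return ((i + (j if e == 0 else -j)) % self.m, (e + k) % 2)

    def add(self, a, b):  # characteristic 2: coefficients add by XOR; zero coefficients are dropped
        out = dict(a)
        for g, c in b.items():
            out[g] = out.get(g, 0) ^ c
        return {g: c for g, c in out.items() if c}

    def mul(self, a, b):  # (c g)(d h) = c d alpha(g, h) (gh), extended bilinearly
        out = {}
        for g, ca in a.items():
            for h, cb in b.items():
                gh = self.group_mul(g, h)
                out[gh] = out.get(gh, 0) ^ self.F.mul(self.F.mul(ca, cb), self.cocycle(g, h))
        return {g: c for g, c in out.items() if c}

    def star(self, a):  # assumed form of *: x^j -> x^j and x^j y -> t^{-j} x^j y, with t^{-j} = t^{m-j}
        return {g: c if g[1] == 0 else self.F.mul(c, self.F.pow(self.t, (self.m - g[0]) % self.m))
                for g, c in a.items()}

    def sample(self, rng, support):  # random element with nonzero coefficients only on `support`
        return {g: c for g in support if (c := rng.randrange(1 << self.F.n))}

    def random_R1(self, rng):  # R_1 = K C_m, spanned by x^0, ..., x^{m-1}
        return self.sample(rng, [(i, 0) for i in range(self.m)])

    def random_A2(self, rng):  # A_2 (assumed, as in Appendix A): equal coefficients on x^i y and x^{-i} y
        out = {}
        for i in range(self.m // 2 + 1):
            out[(i, 1)] = out[((-i) % self.m, 1)] = rng.randrange(1 << self.F.n)
        return {g: c for g, c in out.items() if c}

def key_exchange(R, h, sA, sB):
    """Section 3 with sA = (g1, k1), sB = (g2, k2), g_i in R_1, k_i in A_2; returns (pA, pB, KA, KB)."""
    (g1, k1), (g2, k2) = sA, sB
    pA = R.mul(R.mul(g1, h), k1)           # Alice -> Bob
    pB = R.mul(R.mul(g2, h), k2)           # Bob -> Alice
    KA = R.mul(R.mul(g1, pB), R.star(k1))  # = g1 g2 h k2 k1*
    KB = R.mul(R.mul(g2, pA), R.star(k2))  # = g2 g1 h k1 k2*
    return pA, pB, KA, KB

def encrypt(R, h, pA, msg, sB):  # Section 4: (x1, x2) = (g2 h k2, msg + g2 pA k2*)
    g2, k2 = sB
    return R.mul(R.mul(g2, h), k2), R.add(msg, R.mul(R.mul(g2, pA), R.star(k2)))

def decrypt(R, ct, sA):  # msg = x2 - g1 x1 k1*; g1 x1 k1* = g2 pA k2* by Proposition 1, and -1 = +1 here
    (g1, k1), (x1, x2) = sA, ct
    return R.add(x2, R.mul(R.mul(g1, x1), R.star(k1)))

MODULI = {2: 0b111, 3: 0b1011, 4: 0b10011}  # primitive polynomials over GF(2), so t = x generates K^*

def demo(n=3, seed=1):
    """K = GF(2^n), m = 2^n - 1, t = x. Returns (keys_agree, decrypts_ok, R1_commutes, A2_star_identity)."""
    m, rng = (1 << n) - 1, random.Random(seed)
    R = TwistedDihedralRing(GF2n(n, MODULI[n]), m, 0b10)
    h, msg = (R.sample(rng, [(i, e) for i in range(m) for e in (0, 1)]) for _ in range(2))
    sA, sB = [(R.random_R1(rng), R.random_A2(rng)) for _ in range(2)]
    pA, pB, KA, KB = key_exchange(R, h, sA, sB)
    (g1, k1), (g2, k2) = sA, sB
    return (KA == KB,
            decrypt(R, encrypt(R, h, pA, msg, sB), sA) == msg,
            R.mul(g1, g2) == R.mul(g2, g1),
            R.mul(k1, R.star(k2)) == R.mul(k2, R.star(k1)))

if __name__ == "__main__":
    print(demo(2), demo(3), demo(4))
```

`demo(n)` runs one key exchange and one encryption over $\mathrm{GF}(2^n)$ and also checks numerically the two identities of Proposition 1 that the protocol depends on. The only part of the arithmetic that must match the paper's definitions for the keys to agree is the form of the map $*$: if `star` is changed, the last flag returned by `demo` fails first, and with it the agreement of $K_A$ and $K_B$. The parameter sizes here are toys chosen so that the structure can be inspected by hand; they say nothing about the security of realistic parameters.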

Proposition 2.
Breaking the cryptosystem above is equivalent to breaking the key exchange proposed.
Proof. Assume that an eavesdropper, Eve, can solve the key exchange, and she wants to get $m$ from the pair $(x_1, x_2) = (g_2 h k_2,\ m + g_2 p_A k_2^*)$.
Since she is able to break the key exchange, knowing Alice's public key $g_1 h k_1$ and Bob's $g_2 h k_2$ allows her to get the shared key $g_2 g_1 h k_1 k_2^*$. So she can recover the message as $m = x_2 - g_2 g_1 h k_1 k_2^*$. Now, assume that Eve can solve the cryptosystem, that is, she can obtain any message $m$ from $h$, $g_1 h k_1$, $g_2 h k_2$ and $m + g_2 g_1 h k_1 k_2^*$. Given Bob's public key $g_2 h k_2$ from a key exchange, she takes $x_1 = g_2 h k_2$ and an arbitrary $x_2 \in R$, so that $(x_1, x_2) = (g_2 h k_2,\ m + g_2 g_1 h k_1 k_2^*)$ for some $m \in R$.
Since she can break the cryptosystem, she recovers $m$ and obtains the shared key by computing $x_2 - m = g_2 g_1 h k_1 k_2^*$.

Group Key Management
In this section, we present a key exchange protocol for $n$ users. As stated before, the lack of symmetry in the action of every user can be observed very clearly here. We also discuss the rekeying process.
Let $h \in R = R_1 \oplus R_2$ be as described above. For $i = 1, \dots, n$, user $U_i$ has a secret pair $s_i = (g_i, k_i)$, where $g_i \in R_1$ and $k_i \in A_2 \leq R_2$. Let $\varphi(s_i, h) = g_i h k_i$ (two-sided multiplication), and denote $s_i^* = (g_i, k_i^*)$.
1. For $i = 1, \dots, n-1$, user $U_i$ sends to user $U_{i+1}$ the message
where $C^1_1 = h$, $C^2_1 = g_1 h k_1$ and
2. User $U_n$ computes $\varphi(s_n, C^n_{n-1})$ if $n$ is odd and $\varphi(s_n^*, C^n_{n-1})$ if $n$ is even.
3. User $U_n$ broadcasts $\{C^1_n, C^2_n, \dots, C^n_n\}$.

4. User $U_i$ computes
if $n$ is even, and gets the shared key.

Proposition 3.
After this protocol, users U 1 , ..., U n agree on a common key.
So all users $U_1, \dots, U_n$ get the same key for $n$ odd. Secondly, we show that this also works for $n$ even. We prove by induction that
for $i \neq j$, $i, j \in \{1, \dots, n-1\}$, and that this also equals the key of $U_n$, $\varphi(s_n, C^n_{n-1})$. For $s = 4$,
using that the $g_i \in R_1$ commute and
In addition, for $\varphi(s_4^*, \cdot)$ we have
Then we have
So the shared key $\varphi\big(s_i, \varphi(s_{n+1}^*, C^i_n)\big)$ is the same for every $i \in \{1, \dots, n-1\}$, and also
and all users $U_1, \dots, U_n$ have the same shared key, and we are done.
An important issue in group key management is rekeying after the initial key agreement. There are three situations: the first is key expiry, with the members of the group unchanged; the second is when a user leaves the group; and the third is when a new user joins it. We describe these procedures in the following lines.
Let us consider the first situation. Every user $U_i$ has the information $C^i_n$ received from user $U_n$. The rekeying process can be carried out by any of them, as suggested in [6]; we call this user $U_c$. He chooses a new element $s_c = (g_c, k_c)$, where $g_c \in R_1$ and $k_c \in A_2$. If $n$ is odd, he changes his private key to $s_c^* s_c$ and broadcasts the message
If $n$ is even, he changes his private key to $s_c s_c^*$ and broadcasts the message
Then every user recovers the common key using the private key $s_i$ if $n$ is even, and $s_i^*$ if $n$ is odd. We can easily check that this shared key is the same for every user. Recall that we proved that $\varphi(s_i, C^i_n) = \varphi(s_j, C^j_n)$ for $i, j = 1, \dots, n-1$ and odd $n$. Now we have
and $\varphi(s_n, C^n_{n-1}) = \varphi(s_{n-1}, C^{n-1}_n)$ implies that
so all users get the same shared key. This can be proved analogously for odd $n$. Note that every time we rekey, we count as if a new user had been added to the key agreement (only to decide whether we use the procedure for odd or even $n$), so the second time we rekey we consider that there are $n+1$ users, and so on.
In the second case, when some user leaves the group, the corresponding position in the rekeying message is omitted.
In the last case, when a new user $U_{n+1}$ joins the group, if $n$ is odd, then $U_c$ adds the element $\varphi(s_c, C^n_n)$ and sends the following to the new user:
If $n$ is even, $U_c$ adds the element $\varphi(s_c^*, C^n_n)$ and sends to $U_{n+1}$ the following:
Finally, user $U_{n+1}$ proceeds to step 3 of the group key protocol and sends the other users the information needed to obtain the shared key using their private keys.
Our next objective is to show that the security of this protocol for $n$ users is equivalent to the security of the key exchange in the case of two users, as is the case in [6] and in similar proposals such as [7] or, more recently, [8], among many others.

Conclusions
Our contribution is to propose twisted group rings, combined with the decomposition problem, as interesting structures for key management, since they seem to be quantum-safe for the time being. More specifically, we have introduced a key exchange protocol using the group ring $K^\alpha[D_{2m}]$ and have given a security and complexity analysis. We have also proposed an ElGamal-type cryptosystem and discussed its security. Finally, we have extended this protocol to several users.

Appendix A
1. Given $h_1, h_2 \in R_1 = KC_m$, we have $\alpha(x^i, x^j) = 1$ for all $i, j$, and $x^i x^j = x^{i+j} = x^j x^i$ since $C_m$ is abelian.
So then
$$h_1 h_2 = h_2 h_1.$$
2. Given $h_1, h_2 \in A_2$, these elements can be written as
if $m$ is even. It is worth showing first the following equality on basic elements, since we will need it in both cases, for even and odd $m$:
$$(r_i x^i y + r_i x^{-i} y)\,(t^{-j} s_j x^j y + t^j s_j x^{-j} y) = (s_j x^j y + s_j x^{-j} y)\,(t^{-i} r_i x^i y + t^i r_i x^{-i} y).$$
Expanding the left-hand side with the twisted product,
$$\begin{aligned}
&(r_i x^i y + r_i x^{-i} y)(t^{-j} s_j x^j y + t^j s_j x^{-j} y)\\
&= r_i x^i y \cdot t^{-j} s_j x^j y + r_i x^i y \cdot t^{j} s_j x^{-j} y + r_i x^{-i} y \cdot t^{-j} s_j x^j y + r_i x^{-i} y \cdot t^{j} s_j x^{-j} y\\
&= r_i s_j t^{-j}\alpha(x^i y, x^j y)\, x^i y x^j y + r_i s_j t^{j}\alpha(x^i y, x^{-j} y)\, x^i y x^{-j} y\\
&\quad + r_i s_j t^{-j}\alpha(x^{-i} y, x^j y)\, x^{-i} y x^j y + r_i s_j t^{j}\alpha(x^{-i} y, x^{-j} y)\, x^{-i} y x^{-j} y\\
&= r_i s_j\,(x^{i-j} + x^{i+j} + x^{-i-j} + x^{-i+j}),
\end{aligned}$$
using $\alpha(x^a y, x^b y) = t^b$ and $x^a y x^b y = x^{a-b}$; and, in the same way, for the right-hand side,
$$\begin{aligned}
&(s_j x^j y + s_j x^{-j} y)(t^{-i} r_i x^i y + t^i r_i x^{-i} y)\\
&= s_j x^j y \cdot t^{-i} r_i x^i y + s_j x^j y \cdot t^{i} r_i x^{-i} y + s_j x^{-j} y \cdot t^{-i} r_i x^i y + s_j x^{-j} y \cdot t^{i} r_i x^{-i} y\\
&= s_j r_i t^{-i}\alpha(x^j y, x^i y)\, x^j y x^i y + s_j r_i t^{i}\alpha(x^j y, x^{-i} y)\, x^j y x^{-i} y\\
&\quad + s_j r_i t^{-i}\alpha(x^{-j} y, x^i y)\, x^{-j} y x^i y + s_j r_i t^{i}\alpha(x^{-j} y, x^{-i} y)\, x^{-j} y x^{-i} y\\
&= s_j r_i\,(x^{j-i} + x^{j+i} + x^{-j-i} + x^{-j+i}),
\end{aligned}$$
so both sides agree.

Now we show that $h_1 h_2^* = h_2 h_1^*$.
- If $m$ is odd: writing $h_1 = r_0 y + \sum_{i=1}^{\frac{m-1}{2}} (r_i x^i y + r_i x^{m-i} y)$ and $h_2^* = s_0 y + \sum_{j=1}^{\frac{m-1}{2}} (t^{-j} s_j x^j y + t^j s_j x^{m-j} y)$,
$$\begin{aligned}
h_1 h_2^* &= r_0 y \cdot s_0 y + r_0 y \sum_{j=1}^{\frac{m-1}{2}} (t^{-j} s_j x^j y + t^j s_j x^{m-j} y) + \sum_{i=1}^{\frac{m-1}{2}} (r_i x^i y + r_i x^{m-i} y) \cdot s_0 y\\
&\quad + \sum_{i=1}^{\frac{m-1}{2}} (r_i x^i y + r_i x^{m-i} y) \sum_{j=1}^{\frac{m-1}{2}} (t^{-j} s_j x^j y + t^j s_j x^{m-j} y)\\
&= s_0 y \cdot r_0 y + s_0 y \sum_{i=1}^{\frac{m-1}{2}} (t^{-i} r_i x^i y + t^i r_i x^{m-i} y) + \sum_{j=1}^{\frac{m-1}{2}} (s_j x^j y + s_j x^{m-j} y) \cdot r_0 y\\
&\quad + \sum_{j=1}^{\frac{m-1}{2}} (s_j x^j y + s_j x^{m-j} y) \sum_{i=1}^{\frac{m-1}{2}} (t^{-i} r_i x^i y + t^i r_i x^{m-i} y) = h_2 h_1^*,
\end{aligned}$$
where we have used that
- $\sum_{i=1}^{n} (r_i x^i y + r_i x^{m-i} y) \sum_{j=1}^{n} (t^{-j} s_j x^j y + t^j s_j x^{m-j} y) = \sum_{j=1}^{n} (s_j x^j y + s_j x^{m-j} y) \sum_{i=1}^{n} (t^{-i} r_i x^i y + t^i r_i x^{m-i} y)$ (A1), which follows from the equality on basic elements above;
- $r_0 y \cdot \sum_{j=1}^{n} (t^{-j} s_j x^j y + t^j s_j x^{m-j} y) = \sum_{j=1}^{n} (s_j x^j y + s_j x^{m-j} y) \cdot r_0 y$ (A2), together with the same identity with the roles of $r$ and $s$ exchanged, and $r_0 y \cdot s_0 y = r_0 s_0 = s_0 y \cdot r_0 y$.

Figure A1. Implementation of the key exchange in Mathematica