However, recent considerable developments in the computational power of eavesdroppers have introduced several potential (even if not immediate) threats against standard PKA algorithms and public key cryptographies, particularly for small key lengths [4]. To maintain security, users have been forced to select longer keys, and the increased key length has led to higher computational costs. Thus, the preparation of secure communication infrastructure, particularly for devices with limited memory and computational power, has become challenging. Furthermore, the threat of quantum computers that are currently under development and Shor’s algorithm [5] cannot be underestimated.
Considering the demand for algorithms that are resilient against any type of theoretical attack, including quantum algorithm-based attacks, the development and study of new PKA algorithms and public key cryptographies, namely post-quantum cryptography (PQC), has become widespread. PKAs and public key cryptographies based on lattice problems such as the shortest vector problem (SVP), closest vector problem, and learning with errors (LWE) are among the most well known methods. Among these, SVP-based PKA and public key cryptographies, including NTRU prime [6], NTRU-HRSS-KEM [7], and NTRU Encrypt [8], module LWE-based PKA such as CRYSTALS–Kyber [9], and ring LWE-based PKA including NewHope [10] are leading approaches in this research area and have been considered as candidates for the NIST (National Institute of Standards and Technology) standardization of PQC systems [11,12]. When the parameters are properly selected, the above algorithms are considered to be resilient against attacks that use quantum computers and sufficiently computationally efficient to be used in practice.
However, there has been substantial discussion regarding the security of such algorithms. For example, in certain LWE-based algorithms, even if sufficiently large parameters are selected, a possible weakness has been observed [13,14,15]. Moreover, the notion that the difficulty in solving ring LWE is equivalent to that of solving the LWE (the difficulty of LWE is discussed in [14,16]) has not yet been proven; thus, other cases of weakened security [9,10] may arise. Weak parameters for NTRU-type PKA algorithms and public key cryptography are also reported in [17]. Owing to these uncertainties in the parameter settings to maintain security even in an ideal situation (i.e., without assuming limited memory and computational power), the preparation of secure communication infrastructure with these new-generation algorithms for less capable devices has resulted in greater difficulty and insecurity. Although there is no doubt that these algorithms will offer significant benefits even after the post-quantum computer era, security analysis of these algorithms should continue until users can be provided with a “guide” that explains how to set parameters to ensure secure PKA and public key cryptography according to the needs and environments of users.
  1.1. Research Concept and Goals
We define a function 
, which shows the computational costs for 
T calculation steps by a device with efficiency 
 (calculation steps per time) as follows:
Thus, it is given by time (s, ms, or another unit). Let  be a set of PKA algorithms and let  be a function that shows the calculation steps required for Alice to calculate the  bit length of the secret shared key (SSK) of an algorithm , which increases monotonically for N.  denotes the calculation steps for Bob in a similar manner.
Next, we consider 
, which has the following relation:
        for all 
. In this case, we suppose that the maximal computational cost that Bob is allowed to incur for the SSK calculation of 
, denoted by 
, is 
, which is achieved when the bit length of the SSK is some 
, and Bob can compute their SSK for all 
 to satisfy:
        where 
 denotes the device efficiency of Bob. As 
 is a monotonically increasing function for the bit size of the SSK, condition (2) is reduced to 
. Furthermore, if 
, where 
 denotes the device efficiency of Alice, the SSK can be computed for all 
. Thus, Alice and Bob can calculate the SSK of a bit size that is equal to or less than 
 within time 
.
For the same 
, we assume that 
 and the maximal computational cost that Bob is allowed to incur 
 is the same as (2), where 
 is the smallest bit size of SSK to maintain security. Let Alice’s computational cost for calculating her SSK of 
 bits be 
, and if Alice needs to calculate her SSK within the cost 
 as well as Bob, the following relation must be satisfied:
        where the equality holds for some 
, but in this case, 
 must be satisfied because 
 is a monotonically increasing function for the bit size of the SSK and 
. This observation indicates that they must either use an 
-bit SSK, which is obviously less secure than when using an 
-bit SSK, or let Alice incur a cost of 
, which is larger than 
. Most PKA algorithms, including the DH algorithm, satisfy (1), and there are many cases in which 
 in modern society where IoT techniques are continually being developed; thus, this situation is inevitable in the near future, if not immediate.
We consider determining an algorithm denoted by 
, where
        
        being satisfied for all 
 is one solution to the above undesirable situation. We denote the maximal computational cost that Bob is allowed to incur as 
, which is defined as 
, where 
 and it is the smallest bit size of SSK to maintain security. In addition to the above 
 case, we suppose that both Bob and Alice must calculate their SSK within the maximal computational cost that Bob is allowed to incur 
. In this case, Alice can calculate all 
N bits of the SSK to satisfy
        
The equality holds when 
 holds for some 
. In this case, it should be noted that 
 is achieved; that is, Alice calculating the SSK of 
 bits within time 
 is possible, provided that
        
        holds, which is impossible when (1), because in this case, the left-hand side is equal to 1, but the right-hand side is less than 1. As 
 is given (we may say that 
 is a communication environment in which the algorithm is used), (4) is not always achieved for some 
 and 
. Conversely, we can determine the minimal environment 
 where Alice and Bob can calculate 
 bits SSK within 
 time using 
 by simply calculating the left-hand side of (4).
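The budget argument above, worked numerically as an added example that is not from the paper: it assumes cost = steps / efficiency as the text describes, reads relation (1) as equal step counts for Alice and Bob and relation (3) as Alice needing fewer steps than Bob, and uses constructed step-count models and device efficiencies. All function and constant names are hypothetical.

```python
# Added example: cost(T, e) = T / e as described in the text; everything else
# (step-count models, device efficiencies, names) is constructed for illustration.

def cost(steps, efficiency):
    """Time needed for `steps` calculation steps at `efficiency` steps/second."""
    return steps / efficiency

def bob_steps(n):
    """Constructed model: Bob's steps grow cubically with the SSK bit length."""
    return n ** 3

def alice_steps_symmetric(n):
    """Assumed reading of relation (1): Alice performs as many steps as Bob."""
    return bob_steps(n)

def alice_steps_asymmetric(n):
    """Assumed reading of relation (3): Alice needs fewer steps (here for n > 16)."""
    return 16 * n ** 2

def max_bits(steps, efficiency, budget, upper=1 << 20):
    """Largest SSK bit length whose cost fits the budget (steps is monotone)."""
    lo, hi = 0, upper
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if cost(steps(mid), efficiency) <= budget:
            lo = mid
        else:
            hi = mid - 1
    return lo

def min_efficiency_ratio(alice_steps, n):
    """Smallest e_Alice / e_Bob that lets Alice match Bob's time for n bits."""
    return alice_steps(n) / bob_steps(n)

BOB_EFF = 1e9      # constructed: server-class device, steps per second
ALICE_EFF = 1e7    # constructed: constrained IoT device, steps per second
N_MIN = 2048       # constructed: smallest SSK bit length considered secure
BUDGET = cost(bob_steps(N_MIN), BOB_EFF)  # Bob's maximal allowed cost (seconds)

if __name__ == "__main__":
    for name, fn in [("symmetric", alice_steps_symmetric),
                     ("asymmetric", alice_steps_asymmetric)]:
        n_alice = max_bits(fn, ALICE_EFF, BUDGET)
        need = min_efficiency_ratio(fn, N_MIN)
        ok = ALICE_EFF / BOB_EFF >= need
        print(f"{name}: Alice fits {n_alice} bits in {BUDGET:.2f}s; "
              f"needs e_A/e_B >= {need}; {N_MIN}-bit SSK feasible: {ok}")
```

With equal step counts the slower device is pushed well below the minimum secure bit length, whereas the asymmetric step model keeps the full length inside Bob's budget whenever the efficiency ratio is at least the step ratio.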
Based on the above considerations, our research goals are as follows:
- Constructions of . 
- For , the determination of  and  for any . 
- The construction of the PKA class to which  belongs and the introduction of conditions for PKA algorithms to be members of this class. 
As mentioned above, goal 2 provides a lower bound of 
 to calculate the SSK of 
 bits within time 
. Goal 3 provides instructions on how to construct PKA algorithms to possess the relation (3). Thus, improving algorithms such as those of [9,10] to possess this property may be possible by attempting to fix their parameters according to the class conditions. We do not attempt to improve these algorithms in this study, but this subject is worthy of consideration and will be one of our most important future works.
We consider that these goals are achievable by fully utilizing the characteristics of the PKA framework known as strongly asymmetric public key agreement (SAPKA) [18]. The characteristics, high level of generality, and asymmetry of the key agreement process of SAPKA are explained in Section 1.2, along with its definition, and concrete methods that are derived from the characteristics are explained in Section 2.
Note that this study is not focused on how to construct secure PKA algorithms against any type of theoretical attack; rather, it investigates how to reduce Alice’s computational complexity while maintaining the security of one given PKA algorithm. Our main theorems (in Section 5) do not provide any instructions on how to enhance the security of PKA algorithms, and resilience against attacks such as man-in-the-middle (MITM) attacks is not discussed in this paper (we consider that these topics should be discussed after the existence of 
 is proven and mentioned in Section 7.1).
  1.2. SAPKA Framework
We provide a brief definition of SAPKA (the explicit definition is presented in Section 2.4) and its characteristics in this section.
First, Bob prepares a multiplicative semi-group 
 with 1. Subsequently, he selects five maps:
        where 
 must be an easily invertible map. In this case, “easily” means that the calculation of 
 for all 
 can be performed in polynomial time. Furthermore, 
, and 
 must satisfy the following equation, which is known as the compatibility condition:
        for all 
, where ∘ denotes the map composition. Equation (5) is a condition for Alice and Bob to calculate the same SSK (see the key agreement process in Figure 1). The key agreement process of SAPKA can be described as in Figure 1, and every secret/public key is displayed in Table 1.
As can be observed from Figure 1 and Table 1, Bob’s public keys are described by the map compositions and not by the element of 
. Sending a map means sending the calculation rule of the map in combination with a set of parameters, which is the domain of the map. Thus, Alice simply follows the rules of 
 and 
 to calculate 
 and 
, and to calculate these, she must first receive 
 and 
 from Bob. Regardless of the 
 that Alice selects (provided that 
), the equality of 
 and 
 holds, because the compatibility condition (5) holds for all elements of 
. The generality mentioned above arises from the fact that there are only several restrictions for the secret keys of Bob, namely 
, and semi-group 
. As the restrictions are only those in (5) and invertible regarding 
, Bob has substantial freedom in terms of the choices of these maps and the algebraic structure. By fixing these maps and 
 concretely, various PKA algorithms can be described, including the most well known of these, namely the DH algorithm (presented in [18]). In this study, we do not attempt to describe new-generation algorithms such as [7,9,10] in the form of SAPKA. However, we are optimistic that these can be described because 
 can be selected as not only scalars but also matrices, for example, with numerous options for 
.
Another notable characteristic of SAPKA is the asymmetry of the key agreement process. In this case, the asymmetry means that the number of public keys calculated by Alice and Bob differs, and thus, the two perform essentially different operations. Owing to this characteristic, an eavesdropper (Eve) must attempt attacks against a maximum of two public keys to obtain the secret information of either Bob or Alice. This may allow Alice to select her secret key from a set of small bit sizes and to reduce her computational complexity in certain cases. In Section 2, we explain Eve’s strategies for recovering the SSK from public keys, an observation from her strategies, and the research method derived from this observation.