New Subclass Framework and Concrete Examples of Strongly Asymmetric Public Key Agreement

: Strongly asymmetric public key agreement (SAPKA) is a class of key exchange between Alice and Bob that was introduced in 2011. The greatest difference from the standard PKA algorithms is that Bob constructs multiple public keys and Alice uses one of these to calculate her public key and her secret shared key. Therefore, the number of public keys and calculation rules for each key differ for each user. Although algorithms with high security and computational efﬁciency exist in this class, the relation between the parameters of SAPKA and its security and computational efﬁciency has not yet been fully clariﬁed. Therefore, our main objective in this study was to classify the SAPKA algorithms according to their properties. By attempting algorithm attacks, we found that certain parameters are more strongly related to the security. On this basis, we constructed concrete algorithms and a new subclass of SAPKA, in which the responsibility of maintaining security is signiﬁcantly more associated with the secret parameters of Bob than those of Alice. Moreover, we demonstrate 1. insufﬁcient but necessary conditions for this subclass, 2. inclusion relations between the subclasses of SAPKA, and 3. concrete examples of this sub-class with reports of implementational experiments.


Introduction
Since Shannon proposed the concept of "perfect secrecy" in crypto-systems [1], in which he introduced a theoretically unbreakable system even against computational power, the distribution of secret keys between the sender (Alice) and receiver (Bob) via an insecure channel has been one of the greatest problems in cryptography.
The Diffie-Hellman (DH) public key agreement (PKA) protocol that was proposed in 1976 [2] and the Rivest-Shamir-Adleman (RSA) crypto-system that was presented in 1978 [3] represented the most significant works in the area of cryptography, and it was previously believed that the problem of key distribution had been resolved.
However, recent considerable developments in the computational power of eavesdroppers have introduced several potential (even if not immediate) threats against standard PKA algorithms and public key cryptographies, particularly for small key lengths [4]. To maintain security, users have been forced to select longer keys, and the increased key length has led to higher computational costs. Thus, the preparation of secure communication infrastructure, particularly for devices with limited memory and computational power, has become challenging. Furthermore, the threat of quantum computers that are currently under development and Shor's algorithm [5] cannot be underestimated.
Considering the demand for algorithms that are resilient against any type of theoretical attack, including quantum algorithm-based attacks, the development and study of new PKA algorithms and public key cryptographies, namely post-quantum cryptography (PQC), has become widespread. PKAs and public key cryptographies based on lattice problems such as the shortest vector problem (SVP), closest vector problem, and learning with errors (LWE) are among the most well known methods. Among these, SVP-based PKA and public key cryptographies, including NTRU prime [6], NTRU-HRSS-KEM [7], and NTRU Encrypt [8], module LWE-based PKA such as CRYSTALS-Kyber [9], and ring LWE-based PKA including NewHope [10] are leading approaches in this research area and have been considered as candidates for the NIST (National Institute of Standards and Technology) standardization of PQC systems [11,12]. When the parameters are properly selected, the above algorithms are considered to be resilient against attacks that use quantum computers and sufficiently computationally efficient to be used in practice.
However, there has been substantial discussion regarding the security of such algorithms. For example, in certain LWE-based algorithms, even if sufficiently large parameters are selected, a possible weakness has been observed [13][14][15]. Moreover, the notion that the difficulty in solving ring LWE is equivalent to that of solving the LWE (the difficulty of LWE is discussed in [14,16]) has not yet been proven; thus, other cases of weakened security [9,10] may arise. Weak parameters for NTRU-type PKA algorithms and public key cryptography are also reported in [17]. Owing to these uncertainties in the parameter settings to maintain security even in an ideal situation (i.e., without assuming limited memory and computational power), the preparation of secure communication infrastructure with these new-generation algorithms for less capable devices has resulted in greater difficulty and insecurity. Although there is no doubt that these algorithms will offer significant benefits even after the post-quantum computer era, security analysis of these algorithms should continue until users can be provided with a "guide" that explains how to set parameters to ensure secure PKA and public key cryptography according to the needs and environments of users.

Research Concept and Goals
We define a function C : N × R + → R + , which shows the computational costs for T calculation steps by a device with efficiency E D (calculation steps per time) as follows: Thus, it is given by time (s, ms, or another unit). Let PKA be a set of PKA algorithms and let T A : PKA × N → N be a function that shows the calculation steps required for Alice to calculate the N ∈ N bit length of the secret shared key (SSK) of an algorithm Alg ∈ PKA, which increases monotonically for N. T B denotes the calculation steps for Bob in a similar manner.
Next, we consider Alg ∈ PKA, which has the following relation: for all N ∈ N. In this case, we suppose that the maximal computational cost that Bob is allowed to incur for the SSK calculation of Alg ∈ PKA, denoted by C B max , is C B max = T B (Alg, N 0 ) × 1 E B , which is achieved when the bit length of the SSK is some N 0 ∈ N, and Bob can compute their SSK for all N ∈ N to satisfy: where E B denotes the device efficiency of Bob. As T B is a monotonically increasing function for the bit size of the SSK, condition (2) is reduced to N ≤ N 0 . Furthermore, if E B = E A , where E A denotes the device efficiency of Alice, the SSK can be computed for all N ≤ N 0 . Thus, Alice and Bob can calculate the SSK of a bit size that is equal to or less than N 0 within time C B max .
For the same Alg ∈ PKA, we assume that E B > E A and the maximal computational cost that Bob is allowed to incur C B max is the same as (2), where N 0 is the smallest bit size of SSK to maintain security. Let Alice's computational cost for calculating her SSK of N ∈ N bits be C A (T A (Alg, N), E A ) := T A (Alg, N) × 1 E A , and if Alice needs to calculate her SSK within the cost C B max as well as Bob, the following relation must be satisfied: where the equality holds for some N 1 ∈ N, but in this case, N 1 < N 0 must be satisfied because T A is a monotonically increasing function for the bit size of the SSK and 1 . This observation indicates that they must either use an N 1 -bit SSK, which is obviously less secure than when using an N 0 -bit SSK, or let Alice incur a cost of T A (Alg, N 0 ) × 1 E A , which is larger than C B max . Most PKA algorithms, including the DH algorithm, satisfy (1), and there are many cases in which E B > E A in modern society where IoT techniques are continually being developed; thus, this situation is inevitable in the near future, if not immediate.
We consider determining an algorithm denoted by Alg A<B ∈ PKA, where being satisfied for all N ∈ N is one solution to the above undesirable situation. We denote the maximal computational cost that Bob is allowed to incur as C B max,A<B , which is defined where N 0 ∈ N and it is the smallest bit size of SSK to maintain security. In addition to the above T A = T B case, we suppose that both Bob and Alice must calculate her SSK within the maximal computational cost that Bob is allowed to incur C B max,A<B . In this case, Alice can calculate all N bits of the SSK to satisfy The equality holds when T A (Alg A<B , In this case, it should be noted that N 1 = N 0 is achieved; that is, Alice calculating the SSK of N 0 bits within time C B max,A<B is possible, provided that holds, which is impossible when (1), because in this case, the left-hand side is equal to 1, but the right-hand side is less than 1. As E A E B is given (we may say that E A E B is a communication environment in which the algorithm is used), (4) is not always achieved for some Alg A<B ∈ PKA and N 0 ∈ N. Conversely, we can determine the minimal environment E A E B where Alice and Bob can calculate N 0 bits SSK within C B max,A<B time using Alg A<B ∈ PKA by simply calculating the left-hand side of (4).
Based on the above considerations, our research goals are as follows: 1. Constructions of Alg A<B ∈ PKA.
2. For Alg A<B ∈ PKA, the determination of T A (Alg A<B , N 0 ) and T B (Alg A<B , N 0 ) for any N 0 ∈ N. 3. The construction of the PKA class to which Alg A<B ∈ PKA belongs and the introduction of conditions for PKA algorithms to be members of this class.
As mentioned above, goal 2 provides a lower bound of E A E B to calculate the SSK of N 0 bits within time C B max,A<B . Goal 3 provides instructions on how to construct PKA algorithms to possess the relation (3). Thus, improving algorithms such as those of [9,10] to possess this property may be possible by attempting to fix their parameters according to the class conditions. We do not attempt to improve these algorithms in this study, but this subject is worthy of consideration and will be one of our most important future works.
We consider that these goals are achievable by fully utilizing the characteristics of the PKA framework known as strongly asymmetric public key agreement (SAPKA) [18]. The characteristics, high level of generality, and asymmetry of the key agreement process of SAPKA are explained in Section 1.2, along with its definition, and concrete methods that are derived from the characteristics are explained in Section 2.
Note that this study is not focused on how to construct secure PKA algorithms against any types of theoretical attacks; rather, it investigates how to reduce Alice's computational complexity while maintaining the security of one given PKA algorithm. Our main theorems (in Section 5) do not provide any instructions on how to enhance the security of PKA algorithms, and resilience against attack such as man-in-the-middle (MITM) attack is not discussed in this paper (we consider that these topics should be discussed after existence of Alg A<B is proven and mentioned in Section 7.1 ).

SAPKA Framework
We provide a brief definition of SAPKA (the explicit definition is presented in Section 2.4) and its characteristics in this section.
First, Bob prepares a multiplicative semi-group S with 1. Subsequently, he selects five maps: where N 1 must be an easily invertible map. In this case, "easily" means that the calculation of N −1 1 • N 1 (y) for all y ∈ S can be performed in polynomial time. Furthermore, x 1 , x 2 , x 3 , and x 4 must satisfy the following equation, which is known as the compatibility condition: for all y ∈ S, where • denotes the map composition. Equation (5) is a condition for Alice and Bob to calculate the same SSK (see the key agreement process in Figure 1). The key agreement process of SAPKA can be described as in Figure 1, and every secret/public key is displayed in Table 1.

Bob
Secret keys Secret key Public key As can be observed from Figure 1 and Table 1, Bob's public keys are described by the map compositions and not by the element of S. Sending a map means sending the calculation rule of the map in combination with a set of parameters, which is the domain of the map. Thus, Alice simply follows the rules of y B,1 and y B,2 to calculate y A and κ A , and to calculate these, she must first receive y B,1 and y B,2 from Bob. Regardless of the x A that Alice selects (provided that x A ∈ S), the equality of κ A and κ B holds, because the compatibility condition (5) holds for all elements of S. The generality mentioned above arises from the fact that there are only several restrictions for the secret keys of Bob, namely x 1 , x 2 , x 3 , x 4 , N 1 , and semi-group S. As the restrictions are only those in (5) and invertible regarding N 1 , Bob has substantial freedom in terms of the choices of these maps and the algebraic structure. By fixing these maps and S concretely, various PKA algorithms can be described, including the most well known of these, namely the DH algorithm (presented in [18]). In this study, we do not attempt to describe new-generation algorithms such as [7,9,10] in the form of SAPKA. However, we are optimistic that these can be described because S can be selected as not only scalars but also matrices, for example, with numerous options for x 1 , x 2 , x 3 , x 4 , N 1 .
Another notable characteristic of SAPKA is the asymmetry of the key agreement process. In this case, the asymmetry means that the number of public keys calculated by Alice and Bob differ, and thus, the two perform essentially different operations. Owing to this characteristic, an eavesdropper (Eve) must attempt attacks against a maximum of two public keys to obtain the secret information of either Bob or Alice. This may allow Alice to select her secret key from a set of small bit sizes and to reduce her computational complexity in certain cases. In Section 2, we explain Eve's strategies for recovering the SSK from public keys, an observation from her strategies, and the research method derived from this observation.

Methods and Abstract of This Study
We explain the strategies for Eve to recover the SSK and the method for our research goal, which can be derived from the observation of her strategies.

Eve's Strategies for Recovering SSK
Eve wishes to calculate κ A or κ B by determining the secret key of Alice or Bob from the public keys. She knows the two composed maps of Bob and one element of Alice, as follows: Eve's Strategy 1 If x 4 is an invertible map, y B,1 is also invertible; thus, she attempts to determine x A from (6) and (8): Subsequently, she can calculate If x 4 is not an invertible map, she obtains a set {x E ∈ S : y A = N −1 1 • x 4 (x E )} instead of an element from (9). However, in this case, she can calculate the SSK as follows: The second equation of (10) is obtained from the compatibility condition (5), and the final equation is obtained from the definition of κ B (see Figure 1 or Step 5 of Section 2.4).

Eve's Strategy 2
First, Eve attempts to obtain a map N 1 from (6) and then attempts to obtain a map x 3,E : S → S that satisfies for all y ∈ S. Finally, she can calculate the SSK as follows: Suppose that Bob constructs y B,1 and y B,2 to satisfy the following two requirements: = y for all y ∈ S in real time, or it is difficult to determine the invertible map of y B,1 , x −1 4 • N 1 in real time. Requirement 2. It is difficult to determine the map N 1 from y B,1 = N −1 1 • x 4 in real time, or it is difficult to obtain a map x 3,E to satisfy (11) in real time.
Then, it is difficult for Eve to obtain x A from (9) and to proceed to (12) in real time; that is, Eve cannot obtain the SSK in real time. It should be noted that the secret key x A that Alice selects is not strongly related to Eve's breaking complexity owing to Requirement 1. This means that Bob may take substantially more responsibility for maintaining security than Alice. In this case, Alice can select her secret key space as a small one in terms of the bit size, provided that an exhaustive search for x A is difficult in real time, and we expect that this will reduce Alice's computational complexity for y A and κ A .

Methods
According to this observation, the methods that can be established for the research goal can be derived as follows: 1. Introduce algorithms from SAPKA (Section 3). 2. Estimate the breaking complexity of these algorithms under the assumption that the secret key space of Alice is smaller than that of Bob and verify whether or not Alice's small key space reduces the breaking complexity of the algorithms (Sections 4.2 and 4.3). 3. For algorithms for which Alice's small key space does not reduce the breaking complexity, estimate their computational complexity to calculate the keys of both Alice and Bob (Sections 4.4 and 4.5). 4. Construct the SAPKA subclass for which the algorithms possess the relation that the complexity of Alice for her keys is smaller than that of Bob (we call this subclass the "main SAPKA subclass" until we give definition of it) and introduce the necessary conditions for the subclass by generalizing the results of 3 (Sections 5.1 and 5.2).
In Section 6, we implement some of the algorithms in Section 3 and report the experimental results. We can concretely observe what can be offered by the algorithms of the subclass constructed in Section 5.1.
At the beginning of Section 5, we add restrictions to the SAPKA framework, particularly for the public keys of Bob, before discussing our main themes. We explain these restrictions briefly below.

Restrictions on SAPKA Framework
We have already explained the high level of generality of SAPKA. However, owing to this generality, algorithms that do not ensure secure PKA are also included in this class. We present one example as follows: Let S be S := Z p for some prime number p. Bob selects the numbers x B , n B ∈ S and keeps them secret. Let the maps x 1 , x 2 , x 3 , x 4 , N 1 : S → S be defined, for y ∈ S, as: In this case, all keys are described as in Table 2. Table 2. Complete list of key of example algorithm of SAPKA.

Key Parameter
Bob Secret keys maps x 1 , x 2 , x 3 , x 4 , N 1 : S → S and elements x B , n B ∈ S Public keys

Alice
Secret key x A ∈ S Public key The SSK calculations are performed as follows: In this case, Bob sending y B,1 means that n −1 B must be a public key, although this element is supposed to be a secret; otherwise, Alice cannot calculate y A . Eve can easily calculate Alice's secret key x A with n B n −1 B x A = x A ; thus, Eve can recover the SSK by calculating . Without limiting this type of algorithm to be included in the SAPKA class, the main subclass that we attempt to construct in Section 5 can include weak algorithms. In this case, the subclass cannot be the one that we aim to construct.
To limit algorithms such as the above example, we add restrictions on the construction of Bob's public keys using a map referred to as a "non-easily invertible map" with the following definition. Definition 1. The map f g : S → S is called as a non-easily invertible map if the calculation f −1 g • f g (y) for all y ∈ S is difficult to compute in the mean of the computational complexity, and the order of complexity for computing f −1 g • f g (y) (y ∈ S) is equal to or greater than O(2 t(n) ), where n is the bit size of y and t : N → R + is a monotonically increasing function: O of this definition is Landau's big-O notation (Definition 5 in Section 4.1). We limit Bob's public keys y B,1 and y B,2 to be constructed as for certain non-easily mapped f g : S → S and certain maps x 1 , x 2 , x 4 , N 1 : S → S. By doing so, attacks from Eve cannot be performed within a polynomial time. Furthermore, with several additional restrictions in Section 5, Requirement 2 of Section 2.1 can be achieved. We attempt 4. of the method mentioned in Section 2.2 within this restricted SAPKA class with a non-easily invertible map (the explicit definition of this restricted SAPKA class by a non-easily invertible map is also provided Section 5).

Explicit Definition of SAPKA
We present the definition of SAPKA [18]. The SAPKA algorithms have the following common ingredients: • a multiplicative semi-group S with 1; • a set M S of easily invertible maps : S → S, known as noise space; and • a set M S of maps : S → S.
In the above, S is public, and M S and M S belong to Bob's secret. From the key space, Bob prepares the quintuple (x 1 , x 2 , x 3 , x 4 , N 1 ) as their secret key, and x 1 , x 2 , x 3 , x 4 must satisfy the following condition, which allows Alice and Bob to obtain the SSK. Definition 2. Let S be a multiplicative semi-group with 1. If the functions x 1 , x 2 , x 3 , x 4 : S → S satisfy the following condition for all y ∈ S: the maps x 1 , x 2 , x 3 , x 4 are said to be compatible, where • denotes a map composition.

Definition 3.
For a multiplicative semi-group S with 1 and the quintuple C : (13), we state that C is a member of the SAPKA class. We express this relation as: The key agreement process of SAPKA is described as follows: Step 1B Bob prepares the maps (x 1 , In this case, each of x 1 , x 2 , x 3 , x 4 , N 1 is their secret key.
Step 2B Bob constructs their public keys y B,1 , y B,2 as a map for each: and sends (y B,1 , y B,2 ) to Alice.
Step 1A Alice selects her secret key x A from S.
Step 2A Alice calculates her public key y A as follows: and sends it to Bob.
Step 3A Alice calculates the SSK denoted by κ A as follows: Step 3B Bob calculates the SSK denoted by κ B as follows:

Abstract of This Study
Here, we give an outline of this study, including research goal, short abstract of each section.

Research Goal
Construction of algorithms that possess the property that Alice's complexity for SSK is smaller than that of Bob's and introduction of SAPKA subclass that includes algorithms of the same property. In this section, we demonstrate what problems that the algorithms of Section 3 are reduced to. Estimations of breaking complexities are done under the assumption that Alice's secret key space is smaller than Bob's secret key space. Here, we can see how problems algorithms reduced to are varied according to algebraic structure and SAPKA parameters. Finally, using some of SAPKA algorithms, we discuss how small Alice's secret key space can be while maintaining security.

Section 5: Generalization
Here, we try to construct the SAPKA subclass of property that Alice's computational complexity for SSK is smaller than that of Bob. At first, we exclude algorithms of weak security from the subclass framework as we mentioned in Section 2.3. Without this procedure, the subclass can contain algorithms of above property but sufficiently weak security so that Eve can obtain the SSK within polynomial time. After this limitation is done, we define the subclass and introducing some conditions (only necessarily conditions for algorithms into the subclass) by expanding the results of Section 4 so that it can be applied to the SAPKA framework.

DH
As demonstrated in [18], the SAPKA class includes the DH algorithm. However, the process is symmetric because, in this case, S := Z p , where p is a prime number (thus, S forms a finite field), g ∈ S is the public parameter, N −1 1 is the identity map, and Alice can calculate the public key y A = x 4 (x A ) = g x A , even before receiving y B,1 . The process is asymmetric in the sense that Alice and Bob use different secret information, but it is symmetric in the sense that the two perform the same operations independently.

Noised DH (NDH)
The following example is a variant of the DH that does not improve its security substantially but is useful to illustrate the concept of SAPKA algorithms simply.
The components are the same as those in Section 3.1. Bob selects their secret keys x B , n B ∈ S. The key agreement process of the NDH algorithm is described by the following steps.
Step 1B Bob prepares the quintuple C NDH := (x 1 , x 2 , x 3 , x 4 , N 1 ) ∈ K B as follows: where y is selected arbitrarily from S.
Step 2B Bob constructs their public keys y B,1 , y B,2 as a map for each and sends (y B,1 , y B,2 ) to Alice. This is equivalent to sending g n B , g x B ∈ S.
Step 1A Alice selects her secret key x A from S.
Step 2A Alice calculates her public key y A as follows, and sends it to Bob.
Step 3A Alice calculates the SSK denoted by κ A as in the DH case: Step 3B Bob calculates the SSK denoted by κ B as follows:

Schur Exponentiation-Based DH (SEDH)
Let S be the multiplicative semi-group S := M(d, Z p ) of d × d matrices with entries in Z p . The algorithm introduced in this section uses Schur exponentiation; that is, element-wise matrix exponentiation. The symbol c •M is defined as follows: The key agreement process is as follows: Step 1B Bob selects a matrix x B ∈ S, an invertible matrix N B ∈ S, and a primitive element g of Z p . Subsequently, he constructs the quintuple C SE : for all a, b ∈ {1, . . . , d} as follows: where y ∈ S. The compatibility condition holds for all y ∈ S and a, b ∈ {1, . . . , d}: Step 2B Bob constructs their public keys y B,1 , y B,2 as a map for each for all a, b ∈ {1, . . . , d}. In this case, y B,1 (y) a,b can also be expressed as follows: Bob sends the maps (y B,1 , y B,2 ) to Alice. This is equivalent to sending the matrices Step 1A Alice selects her secret key x A ∈ S.
Step 2A Alice calculates her public key y A for all a, b ∈ {1, . . . , d} as follows: and sends it to Bob.
Step 3A Alice calculates the SSK denoted by κ A for all a, b ∈ {1, . . . , d} as follows: Step 3B Bob calculates the SSK denoted by κ B for all a, b ∈ {1, . . . , d} as follows: This process is illustrated in Figure 2.
Each of the above maps x 1 , x 2 , x 3 , x 4 , N 1 can also be considered as the map V → V and the condition is satisfied for all y ∈ V and a ∈ {1, . . . , d}, where x B , N B are the same as above. Thus, Alice can select her secret key x A from V and the computational complexity for calculating y A , κ A , and κ B is obviously reduced compared with the case when x A ∈ S = M(d, Z p ). The precise breaking and computational complexities for the C SE of both the x A ∈ V and x A ∈ S cases are investigated in the following section.

Breaking Complexity of SAPKA Algorithms
As mentioned in Section 2.2, we estimate the breaking complexity (Sections 4.2 and 4.3) and computational complexity (Section 4.4) of the algorithms in Sections 3.2 and 3.3 under the assumption in Section 4.1.

Assumptions
Let n and m be numbers in N, and n > m. We define two functions | · | : N → N and | · | S : S → N, which represent the bit lengths of the input. The difference between the two functions is the domains. The input of the first one is from N, and the second one is from S. The semi-groups of the above two algorithms are constructed based on a prime number p, where |p| = n. In this case, we can express the bit size of the element in S as |y| S ≤ n when S = Z p and |y| S ≤ d 2 n when S = M(d, Z p ). We construct subsets denoted by S of S for both the S = Z p and S = M(d, Z p ) cases, respectively, as follows: with the aim of determining whether the complexity of the algorithms in Sections 3.2 and 3.3 are reduced if we suppose that Alice's secret key is selected from the small bit length set S.
Prior to investigating the breaking complexity of the algorithms in Sections 3.2 and 3.3 under the assumption and a certain condition for n and m, we demonstrate that not only the complexity, but also the order of complexity (a definition of order is provided in Definition 5) to compute one discrete logarithm problem (DLP) differ between the cases when an exponent is selected from a larger bit length set and from a smaller bit length set. The required settings are as follows: • a prime number p, where |p| = n; • a semi-group S := Z p ; • a subset S := {y ∈ S : |y| S ≤ m} ⊂ S; and • a map x g : S → S, x g (y) := g y , where g is a primitive element of S. We prove that if n = s(m) > m for some monotonically increasing function s : N → N of not a linear and monic polynomial, the calculation of the DLP, namely is easier when y ∈ S than when y ∈ S in terms of the complexity and order (Proposition 1). First, we name this input y of x g according to the size of set y as per the following definition: Definition 4. Let n and m be numbers in N (n > m), and let n be the bit size of each element of Z p . For a given map x g : Z p → Z p , defined as where g is an element in S, if the set y belongs to S, we call this y an m-bit logarithm. If the set is S, y is known as an n-bit logarithm.
The complexity of obtaining the n-bit logarithm refers to the complexity of calculating x −1 g • x g (y) when y ∈ S (for the m-bit logarithm, y ∈ S). We represent the time complexity using the function T : N → R + , where the input is the bit size and the output is the multiplication steps. The complexity of calculating the DLP of the m-bit logarithm is given by T(m) = 2 m 2 [19,20]. In this case, the complexity of calculating the n-bit logarithm is T(n) = T(s(m)) = 2 s(m) 2 . Obviously, T(n) > T(m) when n = s(m) > m; however, we should also consider how the complexity increases as m increases. We can compare the growth rate of T(m) and T(s(m)) using Landau's big-O notation with the following definition: is satisfied for all m ≥ m 0 , we state that T(m) has an order of g(m) time complexity, and we describe it as T(m) ∈ O(g(m)).
Relation (19) indicates that O(g) is a set defined by:  m)), if we wish to state that the growth rate of T is higher than that of T (the order of T is higher than T), we can simply describe it as follows: for all m. In this case, hold. We can prove that the growth rate of t(s(m)) = 2 s(m) 2 is higher than T(m) = 2 . Suppose that s is a one-degree but non-monic polynomial defined as: 2 ) holds in this case, there must exist the constants c, m 0 ∈ N such that for all m ≥ m 0 , is satisfied. However, in this case, 2 m(h−1)+b 2 ≤ c holds, so that c cannot be a constant. Thus, in this case, holds. When the case s is over a one-degree polynomial, it is obvious that there is no c, m 0 ∈ N to satisfy (20) for all m ∈ m 0 .
If s is a linear and monic polynomial described as Therefore, if Alice and Bob attempt a key exchange using the DH algorithm, where Bob's secret key x B is x B ∈ S and Alice's secret key x A is Eve should attempt to obtain x A , which is easier for her to obtain than x B . The security of the algorithms in Sections 3.2 and 3.3 also depends on the difficulty of the DLP, but these algorithms may not be the same as DH owing to one of Bob's public keys y B,1 and especially the map N 1 . In Section 2.1, we discussed the requirement for y B,1 to allow Alice to select her secret key from a small bit length set without reducing the breaking complexity. For both algorithms, Requirement 2 is satisfied if Bob selects n B , as it is an n-bit logarithm for x g with the algorithm of Section 3.2, and similarly, N B is selected with the algorithm of Section 3.3. Of course, in this case, the number n must be sufficiently large to ensure that the calculation of the n-bit logarithm is not achieved in real time.
At this point, we focus on verifying whether the other algorithms in Sections 3.2 and 3.3 satisfy Requirement 1. of Section 2.1. Subsequently, we attempt to determine the polynomial s; that is, how small m can be and the computational complexity of these algorithms for each key of Alice and Bob when m is selected to be as small as possible (Section 4.4).

Eve Attempts an Attack against NDH
We assume the following: • a prime number p, where |p| = n; • a semi-group S := Z p ; • a subset S := {y ∈ S : |y| S ≤ m} ⊂ S; a map x g : S → S, x g (y) := g y , where g is a primitive element of S; • a non-linear and monic polynomial s, where n = s(m) > m for all m ∈ N.
Eve's goal is to obtain x A from the following public keys and public elements As she does not know n B , it appears that she must obtain the n-bit logarithm n B by calculating log g g n B = n B before obtaining the m-bit logarithm x A . However, (21) can be described as Thus, when we define a map x g : S → S such that x g (y) := x g n B (y) = (g n B ) y , y −1 B,1 = x −1 g , we can construct x g using only g n B , which is public. For this attack, Eve only needs to calculate ) to obtain the m-bit logarithm x A . Therefore, it can be said that Alice selecting a small bit length set S reduces the breaking complexity for Eve; that is, Requirement 1 of Section 2.1 is not satisfied in this case.

Eve Attempts an Attack against SEDH
We assume the following: Eve's goal is to obtain x A from the following public keys: a,l , where a, b ∈ {1, . . . , d}, and the following elements: for all a, b ∈ {1, . . . , d}. It appears that she first needs to obtain an element N B by calculating log g (g •N B ) a,b for all a, b ∈ {1, . . . , d}, the complexity of which is equivalent to the complexity for calculating d 2 n-bit logarithms for the map x g , because she does not know N B , so as to obtain N −1 B . After obtaining N B , she can proceed to the final two equalities of (22), and the complexity of calculating log g (g x A ) a,b = (x A ) a,b for all a, b ∈ {1, . . . , d} is equivalent to the complexity of calculating d 2 m-bit logarithms for the map x g . We now verify that Eve really needs to calculate at least the same amount as to obtain d 2 n-bit logarithms by calculating log g (g •N B ) a,b for all a, b ∈ {1, . . . , d}. In Attack 1, we attempt to find other descriptions for map y B,1 , as in Section 4.2. In Attack 2, we attempt an attack in which Eve avoids calculating d 2 DLPs for N B , and we compare the breaking complexity of the attack with an exhaustive search for x A ∈ S. In Attack 3, we attempt to determine the least complexity that Eve requires to obtain x A . Hereafter, we refer to the logarithm of matrix M ∈ M(d, Z p ) as follows:

Attack 1
Using the known element g •N B , Eve attempts the following calculation for all a, b ∈ {1, . . . , d}: However, unlike in Section 4.2, the relation log g •N B g •N B x A = x A does not hold. She obtains X ∈ S instead of x A ∈ S from (23): In this case, X holds for the relation where • denotes element-wise matrix multiplication. Obviously, X = x A does not always hold, so N −1 1 • x 4 (y A ) = log g •N B (y A ) also does not hold. Moreover, to obtain x A , Eve needs to calculate log g g •N B = N B .

Attack 2
We introduce an attack in which Eve does not calculate log g g •N B = N B . The public key of Alice y A is described as Step 1 For row b ∈ {1, . . . , d} of y A , Eve creates a matrix Step 2 For all a, l ∈ {1, . . . , d}, Eve calculates v a,l := log (g Step 3 For all l ∈ {1, . . . , d}, Eve verifies whether or not is true. Step 4 If (26) is true for all l ∈ {1, . . . , d}, Eve can recover row b ∈ {1, . . . , d} of x A : As N B is an invertible matrix, there exists exactly one (X 1,b , X 2,b , . . . , X d,b ) t ∈ Z d p to satisfy system (24) for a given y A , g •N B of row b ∈ {1, . . . , d}; thus, it must be (x A1,b , x A2,b , . . . , x Ad,b ) t . If (26) is false in some l ∈ {1, . . . , d}, Eve returns to Step 1.
In Step 2, Eve needs to calculate at least two DLPs of m-bit logarithms; thus, she requires 2 · 2 m 2 multiplications. As Z p forms a group under multiplication, for any arbitrary element e in Z p , there exists a unique w (b) a,d ∈ Z p such that: for each a ∈ {1, . . . , d}. Thus, Eve has 2 n(d−1) choices for (w a,d−1 ) and each a ∈ {1, . . . , d}, and therefore, Eve must repeat Steps 2 to 4 at most 2 nd(d−1) times. The total multiplications required for this attack is denoted as: which is much larger than the total multiplications required for an exhaustive search on each row of x A ∈ S, namely: m2 dm

Attack 3
Suppose that Eve attempts to determine x A directly from the formula of Alice's public key y A : As N B is an invertible matrix, this is equivalent to solving the following system for X ∈ S: for all a, b ∈ {1, . . . , d} and given y A , g •N B . The least complexity for finding X from (28) is expressed by the following theorem: Theorem 1. The complexity of solving (28) for X ∈ S is equal to or greater than the complexity of obtaining N B from log g g •N B .
Proof. Suppose that Eve can determine X = x A ∈ S from (28) for a given g •N B and y A with a complexity denoted by the function T : N → R + defined as T(m) := p(m), where p is a polynomial. Under this assumption, Eve can solve system (28) even when x A ∈ S (thus, X ∈ S) because, in this case, the complexity is T(s(m)) = p(s(m)), which is also a polynomial. It should be noted that solving (28) is equivalent to solving the following system for all a, b ∈ {1, . . . , d}: for given matrices (g for all a, b ∈ {1, . . . , d}. This emphasizes that Eve can solve the system of both variable matrices by left multiplication and right multiplication on the Schur exponent of a given matrix. Therefore, once she has obtained X ∈ S and calculates g •X within polynomial time, the following system can also be solved for an unknown N B ∈ S: for all a, b ∈ {1, . . . , d} within polynomial time. As N B is the matrix logarithm of g •N B , we can state that, if Eve can solve system (28) for X within polynomial time, she can obtain d 2 n-bit logarithms within polynomial time.
This theorem claims that the problem of calculating log g g •N B = N B is polynomialtime-reducible to the problem of solving system (28) for X ∈ S.

Determination of n and m
We investigate how large the bit sizes n and m must be, as well as the computational complexity of calculating the public keys and SSK for Alice and Bob according to n and m. If the attacks on SEDH are only those in Section 4.3, Eve must execute an exhaustive search for each row of x A (as the attack is performed by each row, Eve requires d times exhaustive searches within a vector space of size 2 dm ) or must obtain N B , the difficulty of which is equivalent to obtaining d 2 n-bit logarithms, as in the above attacks. We assume that attacks against SEDH are only those described in Section 4.3, and we determine the sizes of n and m. Considering that the difficulty for Eve to obtain N B depends on the difficulty of the DLP and that of obtaining x A directly from (24) by an exhaustive search depends on the vector space of size 2 dm , n and m must satisfy the requirements in Table 3. Table 3. Requirements for n and m.

Requirements n
Sufficiently large for one DLP m 2 dm must be sufficiently large for an exhaustive search As mentioned in Section 4, the complexity of one n-bit logarithm denoted by the function 2 , and the complexity of an exhaustive search for x A of each row denoted by the function T : N → R + is T (m) = 2 dm . (In fact, Eve must solve d 2 DLPs or d exhaustive searches for a vector space Z d 2 m , but d 2 and d are so trivial for exponential functions that we consider these complexities for only one number.) If Alice and Bob would like the breaking complexity for one DLP and that for an exhaustive search for one row of x A to be equalized, the polynomial s : N → N mentioned at the beginning of Section 4.3; that is, the relation between n and m, is obtained by the following theorem: Theorem 2. If the time complexity for obtaining one n-bit logarithm is equal to the complexity of an exhaustive search within a vector space of size 2 dm , the polynomial s : N → N for m ∈ N is obtained by s(m) = 2dm.

Proof. We obtain
With this relation, what does the computational complexity for Alice and Bob become?

Computational Complexity of SEDH for Alice and Bob
requires ds(m) = 2d 2 m multiplications if X ∈ S and dm multiplications if X ∈ S for each a, b ∈ {1, . . . , d}. Thus, according to (14) and (15), the computational complexities required by Alice for y A and her SSK denoted by the functions T y A , T κ A : N → R + of m are As n = s(m) = 2dm, T y B,1 , T y B,2 , and T y κ B can be described as functions of m as follows: Thus, the total complexity for Alice and Bob can be compared: When d is given, T y A (m) + T κ A (m) and T y B,1 (s(m)) + T y B,2 (s(m)) + T κ B (s(m)) have the same order of complexity. 2d 4 and 2d 3 are considered as coefficients.
Of course, we can consider the total complexity for Alice and Bob by the functions T A , T B : N → R + of d, which are defined as for a given m. In this case, Which values of m and d should be given and which should be the input of the functions can be determined the environment in which the algorithm is used, such as the computational resources and communication infrastructure.

Remark 2.
As mentioned in Remark 1, Alice can select her secret key x A not only as a matrix, but also as a vector, whereas x B and N B are selected as matrices. Let V be a vector space of V := Z d p , where |y| ≤ dn (y ∈ V ) and a subset V of V := {y ∈ V : |y| ≤ dm} ⊂ V, and suppose that x A is selected from V. In this case, the breaking strategy against this algorithm for Eve is as follows: • solving d 2 DLPs for N B and d DLPs for x A , and • an exhaustive attack for x A within V, the size of which is 2 sm . That is, the breaking complexity is equivalent to the case when x A ∈ S in terms of the order of complexity. Thus, there is also no problem in selecting n and m from the relation of Theorem 2 in this case. The computational complexities for y A , κ A , and κ B , which are denoted by the functions T y A ,vec , T κ A ,vec , and T κ B ,vec : N → R + , are for a given d. It can be observed that the complexities are reduced from (34), (35), and (38). Moreover, the calculation of (33) is independent for each element a ∈ {1, . . . , d}, and thus, it can be computed in parallel. The calculation is also parallelized for each l ∈ {1, . . . , d}. In Section 6, we report the results of the implementational experiments of SEDH in the case of x A ∈ V. To determine how rapidly the calculation is performed, particularly for Alice, we compare the calculation speed with that of the usual DH algorithm.

Generalization
In this section, all investigations are conducted under the following assumptions: • the numbers n, m ∈ N and a not linear and monic polynomial s, where n = s(m) > m for all m ∈ N; • a number p, where |p| = n; • a semi-group S, where |y| S ≤ kn (y ∈ S, k ∈ N); • a subset S := {y ∈ S : |y| S ≤ km} ⊂ S; and • x A ∈ S.
In the above, | · | S is the same notation as that in Section 4.1. Furthermore, the constant k is uniquely determined by the properties of S, such as the dimensions of the matrices and vectors. For example, k = 1 when S = Z p and k = d 2 when S = M(d, Z p ).
As mentioned in Section 2.3, we first construct a SAPKA subclass, in which the security of each algorithm is ensured by a non-easily invertible map (Definition 1). Thereafter, we attempt to construct the main SAPKA subclass mentioned in Section 2.2. We introduce inclusion relations between other subclasses and necessary conditions for algorithms to belong to the main subclass in Section 5.2.
We present the definition of the subclass based on the non-easily invertible map.

Definition 6.
For a multiplicative semi-group S and the quintuple C := (x 1 , x 2 , x 3 , x 4 , N 1 ), where the maps x 1 , x 2 , x 3 , x 4 satisfy (13) and N 1 is an easily invertible map of N 1 : S → S, if maps x 1 , x 2 , x 3 , x 4 , N 1 : S → S exist, where N 1 is easily invertible and a non-easily invertible map f g : S → S exists such that the following equations: are satisfied for all y ∈ S, where e is an identity element of S, the quintuple C is a member of the SAPKA f g class, and we express this relation as From (40) and (41), and the compatibility condition of (13), the equation for all y ∈ S is automatically satisfied. Using (42), the equation holds for all y ∈ S. Thus, the public keys and SSK of Alice and Bob for the algorithms in this class can be described as Table 4. Table 4. Public keys and SSK of Alice and Bob for SAPKA f g class.

Bob
Public keys Public key Moreover, (41) and (42) ensure that the maps x 1 • x 2 and N −1 1 • x 4 and thus the element x A , cannot be disclosed by Eve within polynomial time. If x 1 • x 2 (e) ∈ S and N −1 1 • x 4 (e) ∈ S, the complexities for calculating are reduced compared to the case when (43) holds (see Remark 3 in Section 5.1). If x 1 , x 2 , x 3 , x 4 , N 1 are linear maps, for example, Eve can obtain a linear map x 3,E • N 1,E : S → S to satisfy: by matrix multiplication, because x 1 • x 2 (e) is described as a matrix. Moreover, as S is a multiplicative semi-group, x 1 • x 2 (y) for any y ∈ S can be expressed as x 1 • x 2 (ye) and either of the equations holds for all y ∈ S. Thus, only if Eve knows the calculation rule of map x 3 • N 1 can she obtain a map x 3,E • N 1,E to satisfy for all y ∈ S. Finally, she can calculate the SSK as follows: Of course, if the maps x 1 , x 2 , x 3 , x 4 , N 1 are not linear, this attack may be impossible, but if (43) holds and n is sufficiently large to make the calculation of f −1 g • f g (y) (y / ∈ S) difficult in real time, Eve cannot proceed to (46). Thus, Requirement 2 of Section 2.1 is achieved for all algorithms in the SAPKA f g class.
Algorithms of SAPKA f g Class It can be proven that C NDH in Section 3.2 and C SE in Section 3.3 belong to the SAPKA f g class. For C NDH , if S := Z p and Bob defines x 1 , then (40) holds, and (41) and (42) are satisfied according to the descriptions of the public keys of Bob in Table 5. Table 5. Public keys of Bob for C NDH .
Public keys of Bob For C SE , if S := M(d, Z p ) and Bob defines x 1 , x 2 , x 3 , x 4 , N 1 , f g as holds, and (41) and (42) are satisfied according to Table 6. Table 6. Public keys of Bob for C SE .
Public keys of Bob At this point, we construct a SAPKA f g subclass, the algorithms of which possess the same property as the SEDH that was investigated in Sections 4.3 and 4.4, namely biased computational complexity to Bob (see Section 5.1). We mainly focus on this class in this study.

Notations and Definitions
Prior to constructing the main subclass (Definition 9), we present several definitions and notations below. Definition 7 provides one SAPKA f g subclass in which the algorithms are symmetric and include DH. In Section 5.2, we investigate how this subclass relates to the main subclass of Definition 9. Definition 8 provides the name for the input y of a given map f g : S → S according to the set of y. We use this definition to emphasize the difference in complexity for calculating f −1 g • f g (y) of a given map f g when y ∈ S and when y ∈ S. The notations directly below Definition 8 are functions that demonstrate the complexity for calculating each key. As these notations and Definition 8 allow us to express the breaking and computational complexity for each key quantitatively, the main subclass can be defined by equalities and inequalities.

Definition 7.
For the quintuple C such that C ∈ SAPKA f g , if N 1 = x 4 = id, we state that C is a member of the symmetric SAPKA f g class, and we express this relation as C ∈ SAPKA f g ,symmetry .
If C ∈ SAPKA f g ,symmetry , one of the public keys of Bob y B,1 is described as where y ∈ S. This means that Bob sending y B,1 is equivalent to simply informing Alice of the construction rule of y A . Alice can calculate y A without any secret/public information from Bob. Symmetry means that the number of public keys that both Alice and Bob construct is essentially one, and they can construct their public keys without any public/secret information from the other. For C NDH in Section 3.2, if the parameter n B is equal to 1, C NDH describes the usual DH. We denote this case of C NDH as C DH , and we obtain C DH ∈ SAPKA f g ,symmetry .
Moreover, C SE in the case of N B = E, denoted by C SE,(N B =E) , is C SE,(N B =E) ∈ SAPKA f g ,symmetry .
Definition 8. For a given non-easily invertible map f g : S → S, if the set to which the input y belongs is S, we refer to the input y as a km-bit f −1 g element. If the set to which the input y belongs is S, we refer to the input y as a kn-bit f −1 g element.
The complexity of obtaining the kn-bit f −1 g element means the complexity of calculating f −1 g • f g (y) when y ∈ S (for the km-bit f −1 g element, y ∈ S). We define the following functions of bit size that demonstrate the complexity of calculating each public key and SSK as well as the complexity for Eve to obtain a certain key: Furthermore, for T Eve x A , T f −1 g , we define the following functions to describe their order: Example 1.
• If T y B,1 , T y B,2 , and T κ B are defined as functions of n, T y A and T κ A are defined as functions of m, and the polynomial s is concretely determined, we can compare the total computational complexity for Alice and Bob as per Section 4.5.

•
The least complexity for Eve to obtain x A in Section 3.3 is determined as • The complexity of obtaining the d 2 n-bit f −1 g element, where f g is the non-easily invertible map of C SE as defined in Table 6, is expressed as The complexity of obtaining the d 2 m-bit f −1 g element is determined as In general, the complexity of obtaining the kn-bit f −1 g element for a given non-easily invertible map f g : S → S is described by T f −1 g (n) = T f −1 g (s(m)), and that of the km-bit f −1 g element is . We can compare not only the complexity but also the order of complexity of the two using the map h f −1 g defined above, as per the following Remark 3.

Remark 3.
When the order of complexity for computing the km-bit f −1 g element for map f g is equal to O(2 am ), where a ∈ R + \ {0}: holds, and the equality holds if and only if s is a linear monic polynomial for some t ∈ N: This can be proven in a similar manner to Proposition 1, and in this case, s is restricted as a non-linear and monic polynomial, so the equality never holds.
When the order of complexity for computing the km-bit f −1 g element is greater than O(2 am ), although the sufficient and necessary condition of s for the equality of (47) may not be the same, holds because, for all m, the ratio is much larger and cannot be a constant in this case. This means that when s is a not linear and monic polynomial, the problem of obtaining the kn-bit f −1 g element by computing f −1 g • f g (y) (y ∈ S) and the problem of obtaining the km-bit f −1 g element by computing f −1 g • f g (y) (y ∈ S) belong to different orders of complexity classes. Furthermore, needless to say,

Definition 9.
For the quintuple C of C ∈ SAPKA f g , if the following relations hold: we state that C is a member of the class that is computationally biased to Bob SAPKA f g , and we write this relation as C ∈ SAPKA f g ,A<B .
If the relation holds, C is a member of the computationally unbiased SAPKA f g class, and we write this relation as C ∈ SAPKA f g ,A=B .
Relation (49) indicates that the breaking complexity of an algorithm that is constructed from C ∈ SAPKA f g ,A<B is equal to or greater than the complexity that is required to obtain the kn-bit f −1 g element, even if x A is selected from S. Furthermore, (51) indicates that when C ∈ SAPKA f g ,A=B , the breaking complexity is equal to or less than that of obtaining the km-bit f −1 g element. As noted in Remark 3, not only does hold, but the orders of complexity are also different, so there cannot exist a C such that C ∈ SAPKA f g ,A<B ∩ SAPKA f g ,A=B . Thus, we obtain Lemma 1 in Section 5.2.

Inclusion Relations between Subclasses of SAPKA and Necessity Condition
Lemma 1. For SAPKA f g ,A<B ⊂ SAPKA f g and SAPKA f g ,A=B ⊂ SAPKA f g , the following relation holds: According to the attack introduced in Section 4.3, we obtain the following results.
Theorem 3. For C SE in Section 3.3, if Attack 2 of Section 4.3 and the exhaustive attack for x A ∈ S are only attacks without calculating log g g •N B = N B or there exist other attacks but the order of complexity is equal to or greater than O(2 dm ), Proof. According to Attack 3 in Section 4.3 and the descriptions of T Eve x A (m) and T f −1 g (s(m)) in Example 1, we obtain Under this assumption, n = s(m) = 2dm holds, and thus, we obtain T y B,1 (s(m)) + T y B,2 (s(m)) + T κ B (s(m)) = 4md 3 + 2md 4 > T y A (m) + T κ A (m) = 2md 3 from Section 4.5.
We introduce two necessary conditions for the SAPKA f g ,A<B class.

holds.
Proof. We prove the contrapositive. If C ∈ SAPKA f g ,symmetry , Alice's public key y A is described as: according to (40), but N 1 and x 4 are identities; thus, y A becomes Because x A ∈ S, x A is a km-bit f −1 g element for map f g , and we obtain .
Corollary 1. The quintuple C DH of the usual DH is and C SE,(N B =E) defined in Section 5.1 is Theorem 5 (Necessary Condition 2). If the quintuple C := (x 1 , x 2 , x 3 , x 4 , N 1 ) ∈ SAPKA f g ,A<B , then there does't exist a map f g : S → S such that to satisfy for all y ∈ S, m ∈ N.
Proof. We prove the contrapositive. We assume that for C ∈ SAPKA f g ,A<B , there exists a map f g : S → S to satisfy for all y ∈ S. According to (54), y A can be described as This indicates that x A is a km-bit f −1 g element for a map f g . In combination with (55), the relation holds. Thus, C ∈ SAPKA f g ,A=B ; that is, C / ∈ SAPKA f g ,A<B is proven.
According to the proof of Theorem 4 and Corollary 2, we obtain the following inclusion relation: Proof. From the proof of Theorem 4, C ∈ SAPKA f g ,symmetry ⇒ C ∈ SAPKA f g ,A=B is obtained. Thus, we obtain SAPKA f g ,symmetry ⊆ SAPKA f g ,A=B .
Moreover, C NDH is related to C NDH / ∈ SAPKA f g ,symmetry , but C NDH ∈ SAPKA f g ,A=B according to Corollary 2. Thus, SAPKA f g ,symmetry ⊂ SAPKA f g ,A=B is obtained.  as well as the necessary conditions (52) and (53) as sufficient conditions for the SAPKA f g ,A<B class have not yet been confirmed. These will be investigated in our subsequent paper.

Implementational Experiments
In this section, we report the simple experimental results. All experiments were performed in the following environment:  Tables 7-9 indicate the computational complexity for Alice (y A , κ A ) and Bob (y B,1 , y B,2 , κ B ) according to d and m while n was fixed as 1024, 3072, and 5120 bits. As can be observed from Tables 7-9, the calculation time for Bob increased as d increased. This is because the calculation complexities of (32) and (33) were dependent only on d, whereas n was fixed. For Alice's computation, there were cases in which the calculation time decreased as d increased (Tables 8 and 9). This can be explained by (32) and (33) for each a ∈ {1, . . . , d}, being independent, and an increase in d resulted in a decrease in m. Therefore, these values can be computed in parallel with a smaller m when d increases. When d > 4, the calculation time will increase despite the decrease in the size of m owing to a shortage in processors for efficient parallel computing.
Moreover, the difference in the order of complexity for Alice and Bob can be observed from Figure 4, where m was fixed as 128 bits and d increased from 2 to 16.   We verified how rapidly the calculation of Alice could be achieved by comparing the speed with that of the usual DH. Table 10 and Figure 5 compare the calculation times of SEDH and DH for y A and κ A for the same security level (n) from 1024 to 7168 bits. The calculation speeds in the following table and figure are the averages of 50 calculations.

Conclusions
In this study, we have estimated the breaking complexity and computational complexity of two SAPKA class algorithms. One of these potentially possesses the property whereby the security is less dependent on the secret key space of Alice than that of Bob. This property allows Alice to calculate her SSK with less complexity than Bob in the algorithm.
Moreover, we generalized these algorithms and constructed SAPKA subclasses according to the security/efficiency properties. We constructed several subclass algorithms in which the above property holds. We expect that algorithms in this class will aid in constructing secure communication infrastructures, even with a small capability of devices for one side (Alice's computational asymmetry). The necessary conditions for this class and inclusion relations with other SAPKA subclasses were also investigated.
In the following Future Work section, we provide several unclear points, which include new problems obtained from this study (indicated by •) and problems not discussed in this paper but that must be investigated for practical use of presented algorithms and frameworks (indicated by •).

Future Works
• Is it true that SAPKA f g ,A<B ∪ SAPKA f g ,A=B = SAPKA f g ? (Remark 5) • Is it true that if the relations (52) and (53) hold for C ∈ SAPKA f g , C is a member of the SAPKA f g ,A<B class? That is, are (52) and (53) also sufficient conditions for the SAPKA f g ,A<B class? As mentioned in Section 2.2, this paper does not provide how to construct secure PKA algorithms resilient to any types of theoretical attacks. However, if sufficient conditions for the SAPKA f g ,A<B class are found, algorithms that cannot be broken at least within polynomial time can be easily constructed because those are protected thanks to non-easily mappable f g (page 23). Of course, conditions might differ depending on required security level, but considering the sufficient conditions surely helps us provide how to construct secure PKA algorithms. • Does S need to be selected as a multiplicative semi-group/group? For example, the algorithms in Section 3.3 are effective even in vector space, which forms an additive group (Remark 1). We should investigate how we can construct PKA algorithms on algebraic structures other than multiplicative semi-groups and then compare the breaking and computational complexities with the original one.

•
We should attempt to describe algorithms such as LWE-based or NTRU-type algorithms with the SAPKA parameters and verify whether these algorithms belong to the SAPKA f g ,A<B class. Otherwise, would it be possible to modify these to belong to the SAPKA f g,A<B class? • It is well known that key agreement algorithms are vulnerable against man-in-themiddle (MITM) attack. Obviously, also algorithms in SAPKA are also not exceptional without any measures. Moreover, the number of public keys especially for Bob is larger than symmetric type algorithms, so they way to manage public keys for SAPKA algorithms must be discussed more. Adaptability with techniques such as digital signature [21,22] and public key certifications [23] must be well discussed. • As mentioned in [1], the SSKs that Alice and Bob calculate should be ephemeral, and each key must have enough randomness. To practically use algorithms introduced in this paper, if public keys and SSK are sufficiently random to protect Eve from deducing SSK must be investigated. Institutional Review Board Statement: Not applicable.
Informed Consent Statement: Not applicable.

Conflicts of Interest:
The authors declare no conflict of interest.