An Alternative Diffie-Hellman Protocol

Abstract: The Diffie–Hellman protocol, ingenious in its simplicity, is still the major solution for generating a shared secret in cryptographic protocols for e-trading and many other applications after an impressive number of decades. However, the threat from a future quantum computer has lately prompted successors resilient to quantum computer-based attacks. Here, an algorithm similar to Diffie–Hellman is presented. In contrast to the classic Diffie–Hellman, it involves floating point numbers of arbitrary size in the generation of a shared secret. This can, in turn, be used for encrypted communication based on symmetric ciphers. The validity of the algorithm is verified by proving that a vital part of the algorithm satisfies a one-way property. The decimal part is deployed for the one-way function in a way that makes the protocol a post-quantum key generation procedure. This is concluded from the fact that there is, as of yet, no known quantum computer algorithm that inverts the one-way function. An example illustrating the use of the protocol in combination with XOR encryption is given.


Introduction
More than 40 years ago, Whitfield Diffie and Martin Hellman introduced their paradigm-shifting protocol for encryption key generation [1]. By deploying public parameters, their suggestion provides a means to secure privacy without the need for transmission of secret parameters. The security depends on the difficulty of solving the Diffie–Hellman Problem, i.e., given a prime modulus q, a generator g of the group, g^a mod q (and possibly g^b mod q), find the value of g^(ab) mod q. This problem is no harder than the Discrete Logarithm Problem, i.e., given q, g and g^a mod q, find the smallest positive integer a, and for many groups the two problems have been shown to be equivalent. The Diffie–Hellman protocol was improved by adding authentication (to deal with threats such as the man-in-the-middle attack) and refined into descendants, e.g., the Needham–Schroeder and MQV protocols. The development of the Diffie–Hellman protocol by [2] provides a means for including three parties in the session key generation. The concept of a public key protocol for the generation of a shared secret was revolutionary, and the achievement is well documented in the literature in the field (see e.g., [3]).
Nevertheless, since 1997 the Diffie–Hellman protocol has been under threat from a future, more capable quantum computer running Shor's algorithm for determining the discrete logarithm [4]. Therefore, there is a pronounced need for key agreement algorithms that are resilient to this future threat.

Related literature
The threat from quantum computers has raised the demand for security assurance of algorithms whose security does not depend on the integer factoring problem or the discrete logarithm problem. One such new candidate for a different core mechanism is the shortest vector problem, in turn related to the closest vector problem. These are the core guarantees for the security of the lattice-based

The suggested protocol
An initial transcendental parameter, x ∈ R \ Q, is common to both Alice and Bob. The security benefits from distributing x via a secure channel, but this is not necessary. This could be done in the spirit of [12], using a quantum particle state teleported from Alice to Bob or from a TTP to both. This number can, despite having an infinite expansion, have a finite description (such as e; √2 is irrational but not transcendental, though Theorem 1 only requires x to be real). Thereafter, Alice calculates a′ = ax mod 1 with her secret integer a, to some specified finite number of digits of accuracy, and sends a′ to Bob via an open, insecure channel. Bob uses his secret integer b to determine b′ = bx mod 1, which he sends to Alice. Finally, Alice calculates k = ab′ mod 1, which coincides with Bob's k = a′b mod 1 according to Theorem 1 in the Appendix.
The suggested protocol for the generation of a common secret key is summarized in Algorithm 1. The function F : Z → R \ Q, with seed s, is typically a pseudorandom number generator. B_n is the set of integers {2^(n−1), 2^(n−1) + 1, ..., 2^n − 1}. For a definition of the operation (· mod 1), see Definition 2 in the Appendix. Thus, the shared secret, k, is established. The shared secret can subsequently be used for encrypted communication over an insecure channel via symmetric ciphers, such as XOR [13] or AES [14].

Core function
The protocol depends fundamentally on a core function, C_x, which should possess both a one-way property and a symmetry property. The parameter x belongs to a parameter space, S. Here, S = R \ Q.
The former property, the one-way property, means that given a, it should be simple to calculate C_x(a) for any x ∈ S, while for any x ∈ S and given c, it should be difficult to calculate a such that C_x(a) = c. This very problem, given x and c, both in R \ Q, of finding a ∈ Z such that C_x(a) = ax mod 1 = c, is henceforth referred to as the Modulo 1 Factoring Problem, M1FP, as defined in Definition 3 in the Appendix. Assuming that binary arithmetic is used, C_x is evaluated in polynomial time (Theorem 2), while the naïve exhaustive search for M1FP takes time exponential in n (Theorem 3). Note that Theorem 3 bounds the cost of that particular search; it is not a proof that M1FP admits no faster algorithm.
The latter property is the symmetry property, C_{C_x(b)}(a) = C_{C_x(a)}(b) for all x ∈ S in the parameter space and feasible values a, b. This has to be satisfied for the establishment of a key agreement protocol. In this case, that function is the map C_x : Z → (0, 1) defined by C_x(a) = ax mod 1. The symmetry property of C_x is given by Theorem 1, stated and proven in the Appendix.

Algorithm 1: The suggested key agreement protocol.
input: s ∈ Z generated uniformly on B_n
output: shared secret k ∈ Q consisting of n binary digits
1. x ← F(s), known to both parties.
2. Alice, Choice step: a is chosen uniformly on B_n; a′ ← ax mod 1.
3. Alice, Exchange step: sends a′ to Bob.
4. Bob, Choice step: b is chosen uniformly on B_n; b′ ← bx mod 1.
5. Bob, Exchange step: sends b′ to Alice.
6. Alice: either start over with Alice's Choice step above, or else k ← ab′ mod 1.
7. Bob: either start over with Bob's Choice step above, or else k ← a′b mod 1.
8. return k

Security aspects
All aspects of robustness and security of a new means for encrypted communication need to be listed and scrutinized step by step. Regarding the proposed protocol, two points of scepticism that may come to mind are: 1. If the transcendental x is distributed via a secure channel, why not use this number directly as the encryption key? 2. In computers, numbers are always finite; transcendental numbers with infinite extent are not possible, and floating point numbers with a finite extent are used instead as an approximation of the exact numbers. In what way does this use of finite floating point non-integers differ from the methods based on large integers?
As for point 1, using the transcendental x as the encryption key would, of course, be a possibility. A problem, though, is one of robustness: if x were the actual key and its secrecy were compromised, the encryption would be completely broken. With this protocol, the rest of the procedure then serves as an additional layer of security, since the attacker still has to recover a or b. This also adds to the cryptanalytic computation complexity, and two extra multiplications and an exchange of numbers are the price to pay for this enhancement of security.
Regarding point 2, by specifying a transcendental number, there is no indication about how many decimals will be used for the finite key. Software packages (like the GNU Multiple Precision Arithmetic Library, GMP, see [15]) make arbitrarily many digits of the floating point approximations of the transcendental numbers possible. However, the lengths of the numbers a′ and b′ sent from Alice to Bob and vice versa via insecure channels do, of course, reveal something about how many digits of accuracy are used in the floating point approximations. Moreover, for the final result (the secret shared between Alice and Bob) to consist of n digits which are identical for both parties, the number of digits in both a′ and b′ needs to be at least 2n + 1: multiplying a value truncated to M digits by an n-digit integer leaves the last n of the M digits of the product contaminated by the truncation error, so only the leading M − n digits are reliable, and one further digit is needed to absorb a carry. Even then, a carry can still make the two parties' leading n digits differ when the exact value of abx mod 1 lies close to a digit boundary, so an implementation should use a margin well beyond 2n + 1 and confirm that the two keys agree before using them. Then again, the security benefits by having the number of digits in a′ and b′ much larger than that.
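As an added example (this is not code from the paper), the protocol of Algorithm 1 in exact fixed-point arithmetic, which is how a big-integer implementation would actually treat the "floating point" x: x is held as an N-bit integer X standing for X/2^N, a′ = ax mod 1 becomes aX mod 2^N, and the value actually transmitted is truncated to M bits. The seed-to-x map F is an assumption (SHA-256 in counter mode, chosen so that nearby seeds give unrelated x, as the later section on the initial transcendental number asks); the parameters N, M, n and the restart condition a′ = b′ (the observable form of the requirement that a ≠ b) are likewise assumptions. The block generalises the preceding paragraph's 2n + 1 rule to arbitrary N, M, n: Alice's and Bob's M-bit results differ by fewer than 2^n units, so only the leading M − n bits can be relied on, and `exact_reference` gives the full-precision value of Theorem 1 against which both sides can be checked.

```python
import hashlib
import secrets


def derive_x(seed: int, n_bits: int) -> int:
    """F(s): an n_bits-bit fixed-point fraction X standing for x = X / 2**n_bits in [0, 1).

    Assumed instantiation (not the paper's): SHA-256 in counter mode over the seed,
    so that seeds s and s + 1 give unrelated fractions (the discontinuity property).
    Seeds must fit in 32 bytes, i.e. 0 <= s < 2**256."""
    stream = b""
    counter = 0
    while len(stream) * 8 < n_bits:
        block = seed.to_bytes(32, "big") + counter.to_bytes(4, "big")
        stream += hashlib.sha256(block).digest()
        counter += 1
    return int.from_bytes(stream, "big") >> (len(stream) * 8 - n_bits)


def pick_secret(n: int) -> int:
    """Uniform choice on B_n = {2**(n-1), ..., 2**n - 1}: an n-bit integer with top bit set."""
    return (1 << (n - 1)) | secrets.randbits(n - 1)


def frac_mul(k: int, y: int, bits: int) -> int:
    """(k * y) mod 1 where y is a fixed-point fraction with `bits` fractional bits."""
    return (k * y) & ((1 << bits) - 1)


def min_transmitted_bits(n: int) -> int:
    """The paper's requirement: a' and b' need at least 2n + 1 bits for an n-bit key.
    The last n bits of k are spoiled by the truncation error times an n-bit secret,
    and one more bit absorbs a carry; practical use wants a further safety margin."""
    return 2 * n + 1


def public_value(secret: int, X: int, N: int, M: int) -> int:
    """a' = a x mod 1: exact at the N bits of X, then truncated to the M bits sent."""
    return frac_mul(secret, X, N) >> (N - M)


def key_agreement(seed: int, a: int, b: int, N: int, M: int, n: int):
    """Run Algorithm 1 for both parties; return (k_alice, k_bob, full_alice, full_bob).

    k_* are the leading n bits each party keeps as the shared secret; full_* are the
    M-bit fractions a b' mod 1 and a' b mod 1 before the reduction to n bits."""
    if not (n <= M <= N) or M < min_transmitted_bits(n):
        raise ValueError("need n <= M <= N and M >= 2n + 1")
    X = derive_x(seed, N)                 # common to Alice and Bob (public in Version 2)
    a_pub = public_value(a, X, N, M)      # Alice -> Bob over the insecure channel
    b_pub = public_value(b, X, N, M)      # Bob -> Alice
    if a_pub == b_pub:                    # assumed restart condition: a = b is not allowed
        raise ValueError("a' = b': choose fresh secrets and start over")
    full_alice = frac_mul(a, b_pub, M)    # k = a b' mod 1
    full_bob = frac_mul(b, a_pub, M)      # k = a' b mod 1
    return full_alice >> (M - n), full_bob >> (M - n), full_alice, full_bob


def exact_reference(seed: int, a: int, b: int, N: int, n: int) -> int:
    """Leading n bits of a b x mod 1 at full precision (Theorem 1: both sides equal this)."""
    return frac_mul(a * b, derive_x(seed, N), N) >> (N - n)


if __name__ == "__main__":
    N, n = 512, 128                       # bits of x; bits of the secrets and of the key
    M = min_transmitted_bits(n) + 127     # 2n + 128: 128 bits of margin against carries
    seed = pick_secret(n)                 # public in Version 2, secret in Version 1
    a, b = pick_secret(n), pick_secret(n)
    k_a, k_b, _, _ = key_agreement(seed, a, b, N, M, n)
    print("shared secrets agree:", k_a == k_b, "key bits:", n)
```

At the paper's minimum M = 2n + 1 the two leading-n-bit values still differ whenever the exact value of abx mod 1 lies within 2^(n−M) below a multiple of 2^(−n), which for random secrets happens in a noticeable fraction of runs (of order 2^(2n−M)); the 128 bits of margin used above make that negligible, and a production implementation would in any case confirm the agreed key (for instance with a MAC over the transcript) before using it.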

One or two layers of security
If both the initial number s and the parameters a and b are secret, this provides two layers of security. This version of the algorithm is referred to as Version 1. The use of such a protocol between parties unknown to each other would, of course, be awkward because of the need to agree secretly on the initial number. Nevertheless, for planned communication between parties prepared in advance, secret initial numbers can be distributed beforehand and used later according to some scheme to gain an extra level of security when this is appropriate.
Alternatively, a one-layer security protocol may be implemented by letting the initial number be public. This version of the algorithm is referred to as Version 2. Then, all the security depends on M1FP and the secrecy of a and b. Still, if the transcendental x is calculated with very many decimals, then there is an additional element of difficulty for the cryptanalyst in not knowing how many digits of accuracy in the transcendental are needed for the actual encryption key. A public initial parameter is wanted in the case of initial contact for business communications over insecure channels [1]. In this situation, it is desirable that the system for encrypted communication not require parameters distributed via a secure channel. A protocol that allows the use of a public initial integer s is imperative to the establishment of successful communication and business deals between parties previously unknown to each other.

Comments about the initial transcendental number
In the implementation of the suggested protocol, it is desirable for the number x = F(s) ∈ R \ Q to be entirely different for similar s ∈ Z, to improve the unpredictability of the numbers involved. This means that if there is another t ∈ Z such that s ≠ t but s ≈ t, this should not imply that F(s) mod 1 ≈ F(t) mod 1. If a pseudorandom number generator is used to this end, it should satisfy this discontinuity property to make the procedure less vulnerable.

Choices of the secret integers
As opposed to cryptography based on the integer factorization problem, discrete logarithm problem or elliptic curve versions of these problems, the integer parameters of the suggested protocol need not be prime numbers or satisfy any inter-relational conditions other than that secrets a and b must not be identical to each other.

Attacks and countermeasures
Depending on whether the initial seed s is secret or not, a naïve attack against the suggested protocol may be launched as indicated by Algorithm 2 below. It is done under the assumption that the function F, rendering the transcendental x from the seed s, is known to the attacker.
The case in which s is secret is referred to as Version 1 and the one in which s is public is called Version 2. Having intercepted a′ and b′, Eve guesses s ∈ B_n = {2^(n−1), 2^(n−1) + 1, ..., 2^n − 1} if it is secret. Having made her guess σ of s, she guesses α at a ∈ B_n and β at b ∈ B_n. Then, she calculates αF(σ) mod 1 to the precision observed in a′ and compares it with a′, and likewise βF(σ) mod 1 with b′. Once agreement with either intercepted value is established, the shared secret κ = αb′ mod 1 (equivalently, βa′ mod 1) is revealed. Based upon the number of digits in a′ and b′, she can infer how many digits N of accuracy the floating point x can have. The defence against this attack is its computational cost, see Theorem 3 in the Appendix. If the input s ∈ B_n is public, Eve only needs to guess a ∈ B_n and b ∈ B_n, which obviously reduces the cost. This corresponds to omitting the outer for-loop in the naïve attack of Algorithm 2. Note that Theorem 3 only bounds the cost of this exhaustive search; it does not show that no faster method exists. In particular, in the fixed-point arithmetic that any implementation uses, an a′ transmitted at the full precision N of x equals aX mod 2^N for the known integer X, a linear congruence in a, and for an a′ truncated to fewer digits, recovering a bounded integer a from a known x and ax mod 1 is an inhomogeneous Diophantine approximation problem, for which continued-fraction and lattice methods exist. A security argument for Version 2 has to address these, not only the brute-force cost.
The most well-known threat to the Diffie–Hellman protocol is the man-in-the-middle attack. This may, of course, also be carried out against the suggested protocol, since nothing in the exchange authenticates a′ or b′. Therefore, modifications corresponding to the MQV and Needham–Schroeder protocols, resilient to this attack through authentication procedures, may be developed to block this opportunity for an active attacker.

Resilience against quantum computer
The core function of the suggested key agreement protocol involves arithmetic properties other than those of integer factorization and the discrete logarithm, to which Shor's algorithm applies. Thus, no known quantum algorithm targets the core function, and a capable future quantum computer does not, so far, pose a threat to the suggested algorithm. This is an absence-of-known-attacks argument rather than a reduction to an established hard problem, and it should be read as such.

Computation complexity
According to Theorem 2 in the Appendix, the computation complexity of the proposed algorithm is polynomial, while according to Theorem 3, the cryptanalysis by means of the naïve attack takes time exponential in n. These figures are on par with the computation efficiency of the Diffie–Hellman method [1].

An example
Assume that Alice wants to send the message "I am Alice" to Bob. To facilitate the reading, number base 10 is used in this example, but for practical use everything, of course, translates to binary numbers or any other base desired. She transforms the message "I am Alice" into a plaintext sequence of three-digit ASCII codes, M = 073032097109032065108105099101. Then, for the key generation, Alice reads the number, publicly announced or secretly shared by them, uniformly picked on D_n = {10^n, 10^n + 1, ..., 10^(n+1) − 1} (where n could be 1000 for a decent level of security with today's capacity); D_n is the decimal counterpart of B_n for binary numbers. This is a seed to be fed to a PRNG, which returns a real number, x, on (0, 1). Here, with, say, s → log(s) mod 1 and the seed s = 2 (for this simple example), Alice gets the ciphertext c = M ⊕ k (using the decimal sequence of k as an integer and ⊕ as digit-wise addition modulo 10), which she sends to Bob. Bob decrypts with the shared secret k, consisting of his first 30 decimal digits, simply by c ⊖ k = 073032097109032065108105099101 (with ⊖ as digit-wise subtraction modulo 10), which is readily transformed back to "I am Alice" by ASCII decoding.
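The decimal example above, carried through end to end as an added example (not the paper's own code). The page gives the message encoding, the map s → log(s) mod 1 with seed s = 2 and the digit-wise addition modulo 10, but not the secrets or the intermediate numbers, so the secrets a and b, the number of decimal places N and the choice of the natural logarithm are assumptions. x is held as the integer floor(x · 10^N) (base-10 fixed point), and a′ and b′ are sent with all N digits, so Alice's and Bob's k agree exactly and their first 30 decimal digits form the key.

```python
from decimal import Decimal, getcontext


def derive_x_decimal(seed: int, N: int) -> int:
    """x = log(s) mod 1, the page's PRNG stand-in (natural logarithm assumed),
    returned as floor(x * 10**N), i.e. x to N decimal places."""
    getcontext().prec = N + 30                  # spare digits so the shift below is exact
    x = Decimal(seed).ln() % 1
    return int(x * (Decimal(10) ** N))


def public_value(secret: int, X: int, N: int) -> int:
    """a' = a x mod 1 with all N decimal places sent."""
    return (secret * X) % 10**N


def shared_secret(secret: int, received: int, N: int) -> int:
    """k = a b' mod 1 (Alice) or a' b mod 1 (Bob), as an N-digit fraction."""
    return (secret * received) % 10**N


def key_digits(k: int, N: int, n_digits: int) -> str:
    """The first n_digits decimal places of k (leading zeros restored)."""
    return str(k).zfill(N)[:n_digits]


def encode_ascii(message: str) -> str:
    """Plaintext as three-digit character codes, e.g. 'I' -> '073'."""
    if any(ord(ch) > 255 for ch in message):
        raise ValueError("three-digit codes cover ASCII/Latin-1 only")
    return "".join(f"{ord(ch):03d}" for ch in message)


def decode_ascii(digits: str) -> str:
    return "".join(chr(int(digits[i:i + 3])) for i in range(0, len(digits), 3))


def digitwise_add(plain: str, key: str) -> str:
    """c = M (+) k: digit-wise addition modulo 10, the decimal analogue of XOR.
    The key must cover the whole plaintext and must never be reused."""
    if len(key) < len(plain):
        raise ValueError("key shorter than plaintext")
    return "".join(str((int(p) + int(q)) % 10) for p, q in zip(plain, key))


def digitwise_sub(cipher: str, key: str) -> str:
    """M = c (-) k: digit-wise subtraction modulo 10."""
    if len(key) < len(cipher):
        raise ValueError("key shorter than ciphertext")
    return "".join(str((int(c) - int(q)) % 10) for c, q in zip(cipher, key))


def run_example(message: str, seed: int, a: int, b: int, N: int):
    """Alice encrypts `message` for Bob with the key agreed from secrets a and b.
    Returns (ciphertext, Bob's decryption, Alice's key digits, Bob's key digits)."""
    X = derive_x_decimal(seed, N)
    a_pub, b_pub = public_value(a, X, N), public_value(b, X, N)
    plain = encode_ascii(message)
    key_alice = key_digits(shared_secret(a, b_pub, N), N, len(plain))
    key_bob = key_digits(shared_secret(b, a_pub, N), N, len(plain))
    cipher = digitwise_add(plain, key_alice)
    return cipher, decode_ascii(digitwise_sub(cipher, key_bob)), key_alice, key_bob


if __name__ == "__main__":
    # seed 2 as on the page; a = 4321, b = 8765 and N = 60 decimal places are constructed values
    cipher, recovered, k_a, k_b = run_example("I am Alice", 2, 4321, 8765, 60)
    print(encode_ascii("I am Alice"), cipher, recovered, k_a == k_b)
```

As with XOR, the digit-wise cipher is only as good as its key stream: it is a one-time pad when the key digits are uniformly distributed and used for a single message, and reusing key digits across messages leaks their difference exactly as key reuse does for XOR.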

Conclusion
Apart from being resilient to quantum computers, the main achievement of the suggested protocol, as opposed to the Diffie–Hellman finite-field methodology, is the use of the decimal part of a transcendental number rather than large finite integers. The use of transcendental numbers does not, by nature, restrict the number of digits in the calculation as integers do. In the case of finite fields, the secret numbers are bounded by the order of the finite field q; for brute-force guessing, one only has to try all numbers less than q systematically. With the proposed method, the corresponding bound is indicated by the number of digits in the transmitted numbers a′ and b′. However, the cryptanalysis made possible by Shor's and Grover's algorithms does not seem to be a threat to this procedure.
Moreover, compared to the Diffie–Hellman method for the generation of a shared secret, the benefits of the suggested protocol are that it requires the transfer of fewer numbers initially and that the key size is unknown to an attacker. This could possibly be improved further by implementing the algorithm on quantum computers because of their different treatment of transcendental numbers (see [16]). This remains an urgent path for future research.

Acknowledgments: The reviewers of the earlier stages of this manuscript are gratefully acknowledged for their constructive criticism.

Conflicts of Interest:
The author declares no conflict of interest.

Appendix A
In order to define a protocol which deploys transcendental numbers and the group arithmetic of mod 1, let us start by defining the integer part of a real number.

Definition 1. The integer part [y] of a real number y is the largest integer not exceeding y. For y ∈ Z, y = [y].

Definition 2. The decimal part of a real number x, x mod 1, is x − [x] ∈ [0, 1).

For a symmetric encryption key agreement protocol, a one-way function C_x with the symmetry property C_{C_x(b)}(a) = C_{C_x(a)}(b) for all feasible values a, b may be used. To this end, the decimal part as the map C_x turns out to possess precisely that property.

Theorem 1. For any real number x and integers a, b,
(ax mod 1)b mod 1 = (bx mod 1)a mod 1.
Proof: Given any real number x and integers a, b, we have, according to Lemma 1 (multiplying y mod 1 = y − [y] by an integer b and reducing modulo 1 gives yb mod 1, since b[y] ∈ Z),
(ax mod 1)b mod 1 = (ax − [ax])b mod 1 = (abx − b[ax]) mod 1 = abx mod 1.
Changing the places of a and b above yields (bx mod 1)a mod 1 = bxa mod 1, which equals the left side due to the commutativity of the real numbers.
Next, the encryption is proven to be carried out in polynomial time.

Theorem 2. Algorithm 1 is in P.
Proof: The calculation generating the transcendental x ∈ R \ Q from the seed s is not considered part of the algorithm since it can be done in advance. When using x with N bits of accuracy (as a floating point number ∈ Q) in the algorithm, the calculation of the first step a′ = ax mod 1 may be done in O(N log N log log N) steps (the cost of a Schönhage–Strassen multiplication). The same goes for the calculation of b′ = bx mod 1. Finally, the generation of the key k is performed by the calculation of ab′ mod 1 and a′b mod 1, respectively, thus adding O(N log N log log N) to the steps of the calculation. In total, this means that Algorithm 1 runs in polynomial time.
To make statements about the cryptanalysis complexity, the core problem, M1FP, is formally defined. Definition 3. The problem: given x and c, both in R \ Q, the problem of guessing a ∈ Z such that C x (a) = ax mod 1 = c is henceforth referred to as the Modulo 1 Factoring Problem, M1FP.
In addition, a small result about the expected time required to successfully guess the secret a or b is necessary to support the statement about M1FP and consequently about the naïve attack against the proposed method.
Theorem 3. The cryptanalysis by the naïve attack (Algorithm 2) takes time exponential in n.
Proof: Version 1 (when the seed s is secret): Assuming that the secrets s, a and b have been chosen uniformly at random on B_n, the expected number of attempts required to guess the right value σ = s is ½ · #B_n = ½ · 2^(n−1) = 2^(n−2). Correspondingly, to guess α = a or β = b, the expected number of attempts is, according to Lemma 2, of the same order, 2^(n−2) or more. Adding to this the O(n log n log log n) steps for the multiplication αF(σ) mod 1 in each attempt, we end up with a total cost of O(2^(2n) n log n log log n), which is exponential in n. Note that the exponential cost of one exhaustive search does not place M1FP in any complexity class; in particular it does not make the problem NP-hard, which is a property of problems rather than of attacks. Version 2 (when the seed s is public): The argument is similar to Version 1 except that the initial guessing at s is omitted. This boils down to a total cost of O(2^n n log n log log n), still exponential in n.