Next Article in Journal
Security Analysis of Lightweight IoT Cipher: Chaskey
Next Article in Special Issue
Chaotic Quantum Key Distribution
Previous Article in Journal
Optimized CSIDH Implementation Using a 2-Torsion Point
Previous Article in Special Issue
Security and Performance of Single Sign-on Based on One-Time Pad Algorithm
Open AccessArticle

Implementation of a New Strongly-Asymmetric Algorithm and Its Optimization

1
Information Science Department, Tokyo University of Science, 2641 Yamazaki, Noda, Chiba 278-0022, Japan
2
DICII, Engineering Faculty Via del Politecnico Universitá di Roma Tor Vergata, 1, 00133 Roma, Italy
*
Author to whom correspondence should be addressed.
Cryptography 2020, 4(3), 21; https://doi.org/10.3390/cryptography4030021
Received: 4 June 2020 / Revised: 28 July 2020 / Accepted: 28 July 2020 / Published: 30 July 2020
(This article belongs to the Special Issue Cryptographic Protocols 2020)

Abstract

A new public key agreement (PKA) algorithm, called the strongly-asymmetric algorithm (SAA-5), was introduced by Accardi et al. The main differences from the usual PKA algorithms are that Bob has some independent public keys and Alice produces her public key by using some part of the public keys from Bob. Then, the preparation and calculation processes are essentially asymmetric. This algorithms has several free parameters more than the usual symmetric PKA algorithms and the velocity of calculation is largely dependent on the parameters chosen; however, the performance of it has not yet been tested. The purpose of our study was to discuss efficient parameters to share the key with high speeds in SAA-5 and to optimize SAA-5 in terms of calculation speed. To find efficient parameters of SAA-5, we compared the calculation speed with Diffie–Hellman (D-H) while varying values of some parameters under the circumstance where the length of the secret shared key (SSK) was fixed. For optimization, we discuss a more general framework of SAA-5 to find more efficient operations. By fixing the parameters of the framework properly, a new PKA algorithm with the same security level as SAA-5 was produced. The result shows that the calculation speed of the proposed PKA algorithm is faster than D-H, especially for large key lengths. The calculation speed of the proposed PKA algorithm increases linearly as the SSK length increases, whereas D-H increases exponentially.
Keywords: public key exchange; security; asymmetric; asymmetric algorithm; cryptography; framework; generalization public key exchange; security; asymmetric; asymmetric algorithm; cryptography; framework; generalization

1. Introduction

The discovery of the Diffie–Hellman(D-H) [1] public key agreement (PKA) protocol and RSA [2] asymmetric cryptography are two of the greatest achievements for the literature of data protection. Although it has been over 40 years since the discovery of those algorithms, they are still utilized not only for key agreement but also for various scenes (e.g., digital signature) along with algorithms such as ElGamal [3], Elliptic curve D-H [4], etc.
However, a lot of threats were developed at the same time. Because of recent increase in the computational power of eavesdroppers, the small key lengths of D-H or RSA are no longer safe [5]. Even for longer keys, these algorithms are expected to become vulnerable in the near future because of Shor’s quantum algorithm for both the integer factorization problem and discrete logarithm problem [6].
As a solution against these threats, studies of a modern PKA and asymmetric cryptography are widely spread. Algorithms based on multivariate polynomial equations [7,8] and lattices [9,10] are the most well known ones. These algorithms utilize matrices and security, which are based on NP-hard problems, e.g., the difficulty of solving a system of multivariate quadratic polynomial equations and the difficulty of the shortest vector problem. In 2019, NIST announced 26 public key cryptographic algorithms as candidates for the standardization of post-quantum-cryptographic systems [11]. The lattice based ones, such as NewHope [12] and NTRU [13], and the multivariate polynomial based digital signature algorithms such as GeMSS [14] are included in the list.
In [15], Accardi et al. proposed a new scheme of public key agreement based on non-commutative algebra called a strongly asymmetric public key agreement (SAPKA). Because this scheme is very general, we need concrete realizations to estimate computational and breaking complexity. In [16], strongly-asymmetric algorithm 3 (SAA-3) is introduced as one of the concrete realizations of SAPKA. SAA-3 is based on matrix algebra with element-wise matrix exponentiation, which is called the Schur-product. Strongly-asymmetric algorithm 5 (SAA-5), introduced in [17], has a similar structure to SAA-3, but there are differences. The main differences between them are:
  • The public parameter α is removed.
  • The secret key of Alice is scalar in [16]. In [17], this is replaced by a matrix set.
  • The constraints on Bob’s secret keys are reduced to the requirement that certain matrices should not be invertible.
Strictly speaking, SAA-5 cannot be described in the form of SAPKA because of the secret key structure of Alice, but both computational and breaking complexity are improved from SAA-3.
In this paper, we explain the mathematical setting of SAA-5 and the breaking strategy introduced in [17] and report our performance test compared with D-H. After that, we tried to realize a much faster PKA than SAA-5 by considering the general PKA class that SAA-5 belongs to and has much more freedom than SAPKA in term of the key structure of Alice.

2. Mathematical Setting and Key Agreement Protocol of SAA-5

The key agreement process between Alice and Bob are:
Step 1. 
Alice and Bob share following public information:
a natural integer d N ,
a finite field F : = Z p where p is a large prime number ,
a finite set I N .
Step 2. 
Bob creates his secret keys as matrices:
x B M ( d ; F ) ,
N B M ( d ; F ) ,
c F ,
and as a set of matrices:
A : = { A j M ( d , F ) , j I } .
For all secret keys of Bob, the following conditions must be satisfied:
- N B must be invertible
- Each A j ( j I ) must not be invertible.
Step 3. 
Bob creates his public keys for all j I as:
y B , 2 ; j : = c ( A j N B ) M ( d ; F ) ,
y B , 3 ; j : = c ( A j x B ) M ( d ; F ) .
Here, the symbol c M denotes the matrix:
c M : = c M a , g ; a , g { 1 , , d } ,
which is called the Schur exponentiation of c by M.
Step 4. 
Alice creates her secret key as a matrix set as:
x A : = { x A , j M ( d , F ) , j I } ,
and creates her public key y A M ( d , F ) using one of Bob’s public key y B , 2 ; j as: For each a , g { 1 , , d } ,
y A ; a , g = j I b { 1 , , d } ( y B , 2 ; j ) b , g ( x A , j ) a , b = j I b { 1 , , d } ( c A j N B ) b , g ( x A , j ) a , b
= j I b { 1 , , d } ( c ( x A , j ) a , b ( A j N B ) b , g ) = c j I b { 1 , , d } ( x A , j ) a , b ( A j N B ) b , g
= c ( j I x A , j A j N B ) a , g = c j I x A , j A j N B .
Step 5. 
Bob computes his secret shared key (SSK) κ B M ( d , F ) using the public key of Alice and his own secret keys x B and N B as: For each a , g { 1 , , d } ,
κ B = b { 1 , , d } ( y A ) a , b ( N B 1 x B ) b , g = b { 1 , , d } ( c j I x A , j A j N B ) a , b ( N B 1 x B ) b , g .
Step 6. 
Alice computes her SSK κ A M ( d , F ) by using y B , 3 ; j and her own secret key x A as:
κ A = j I b { 1 , , d } ( y B , 3 ; j ) b , g ( x A , j ) a , b = j I b { 1 , , d } ( c A j x B ) b , g ( x A , j ) a , b .
The equality of κ A and κ B is guaranteed by the following equations. The SSK of Alice is:
κ A = j I b { 1 , , d } ( c A j x B ) b , g ( x A , j ) a , b = j I b { 1 , , d } ( c ( x A , j ) a , b ( A j x B ) b , g )
= c j I b { 1 , , d } ( x A , j ) a , b ( A j x B ) b , g = c j I x A , j A j x B a , g
= c j I x A , j A j x B .
and the SSK of Bob is:
κ B = b { 1 , , d } ( c j I x A , j A j N B ) a , b ( N B 1 x B ) b , g
= b { 1 , , d } c ( j I x A , j A j N B ) a , b ( N B 1 x B ) b , g = c b { 1 , , d } ( j I x A , j A j N B ) a , b ( N B 1 x B ) b , g
= c ( j I x A , j A j N B N B 1 x B ) a , g = c ( j I x A , j A j x B ) a , g
= c j I x A , j A j x B .
Obviously (2) = (3).

2.1. Breaking Complexity of SAA-5

The breaking complexity of SAA-5 is already discussed in [17]. The eavesdropper(Eve) tries to recover the SSK by using the following public parameters:
  • Common parameters d, p, I.
  • Public keys of Bob y B , 2 ; j , y B , 3 ; j for all j I .
  • Public key of Alice y A .
Alice knows the following values for all j I , denoting x 1 : = j I x A , j A j , x 2 : = N B , x 3 , j : = A j , x 4 : = x B and log c :
α 1 = log y A = j I x A , j A j N B log c = x 1 x 2 log c ,
α 2 , j = log y B , 2 ; j = A j N B log c = x 3 , j x 2 log c ,
α 3 , j = log y B , 3 ; j = A j x B log c = x 3 , j x 4 log c .
But, for Eve to get α 1 , α 2 , j and α 3 , j , she needs to solve the discrete logarithm problem for each value. Here, we assume the cost for solving discrete logarithm problem is 0 so, Eve can immediately calculate all α 1 , α 2 , j and α 3 , j in this case.
After getting all α 1 , α 2 , j and α 3 , j , her strategy is to calculate log κ from the equation:
log κ = j I x A , j A j x B log c = x 1 x 4 log c ,
by deducing x 1 , x 2 , x 3 , j , x 4 and log c from (4)–(6). This system contains 4 d 2 + 1 unknowns for 3 d 2 number of polynomials so, x 1 , x 2 , x 3 , j , x 4 and log c are not determined uniquely. we try to brute-force attack one unknown of the above system to estimate the breaking complexity of the algorithm. As an example, we try this on x 2 and S b f ; x 2 denotes the space she has to search for this attack.

2.2. The Brute-Force Attack

Eve has as the same number of choices as the cardinality of G L ( d ; F ) for x 2 . If she finds x 2 equal to N B , then x 1 log c = j I x A , j A j log c and x 3 , j log c = A j log c are satisfied from (4) and (5) because x 2 = N B is invertible. From (6), she wants to know x 4 to satisfy x 4 = x B , however, x 3 , j log c is not an invertible matrix and the solution of (6) contains d 2 r a n k ( x 3 , j log c ) number of arbitrary elements. This means one from p d 2 r a n k ( x 3 , j log c ) number of candidates satisfies x 4 = x B so, S b f ; x 2 is:
S b f ; x 2 = | G L ( d ; F ) | p d 2 r a n k ( x 3 , j log c ) ,
which is extremely large even if p is relatively small such as 16 bit or 32 bit. Moreover, she cannot judge whether x 2 = N B and x 4 = x B are satisfied because N B and x 4 are kept secret by Bob. This fact shows that even an exhaustive search is impracticable for this strategy.
For other security analyses, please refer to the attacks in Section 4 of [17], which more adequately shows the difficulty of the attacks.

3. Performance Estimation and Evaluation of SAA-5

We already know the difficulty in breaking the above-mentioned algorithm, however, the high-speed calculation for generating the SSK is also needed from the view point of practicality. Here, we estimate the time spent to generate the SSK and report our performance tests of SAA-5 verses D-H.

3.1. Performance Estimation

The computational complexity of SAA-5 is already analyzed in [17]. We show the estimated total multiplication steps needed to share the SSK.
The exponentiation of elements in Z p needs log 2 p steps of multiplication in the worst case. Then, the Schur-exponential:
( c M ) a , g = ( c M a , g ) a , g ,
requires d 2 log 2 p steps of multiplication. The calculation:
b { 1 , , d } ( A a , b ) B b , g ,
requires d 2 ( d + log 2 p ) = d 3 + d log 2 p steps of multiplication. Therefore, the calculation:
j I b { 1 , , d } ( A a , b ) B b , g ,
requires ( | I | 1 ) d 2 ( d + log 2 p ) = ( | I | 1 ) ( d 3 + d 2 log 2 p ) steps of multiplication. Hence, we can estimate the multiplication steps needed for generating the SSK as the Table 1.
Note that the bit length of element in Z p is expressed as log 2 p , so, the bit length of modular matrix in M ( d , Z p ) is expressed as d 2 log 2 p bits. As can be seen, the calculation steps is expected to be on the order of d 3 .

3.2. Discussion: Efficient Parameters of SAA-5 and Comparison with D-H

Here, we report our performance test of SAA-5 versus D-H. Hereafter, We implement all PKA algorithms in the following environment:
  • macOS Mojave ver10.14.6.
  • 1.3 GHz Intel Core i5.
  • 8 GB 1867 MHz LPDDR3.
  • Language: JAVA.
We compare SAA-5 with D-H by fixing the length of the SSK. When the key length of the SSK is fixed, denoted by κ ¯ , the total multiplication steps for sharing the SSK in SAA-5 (denoted by C C S A A 5 ) is described as:
C C S A A 5 = 4 | I | ( d 3 + κ ¯ ) ,
because κ ¯ = d 2 log p . In this case, the total computational complexity of D-H (denoted by C C D H ) is described as:
C C D H 4 κ ¯ ,
because Alice and Bob calculate a public key and their own SSK for each and the bit size of each secret key is the same size as that of the SSK, which is κ ¯ . Since κ ¯ is constant, the calculation time of SAA-5 is expected to depend only on the parameter d. However, the fact that the time needed for calculating scalar exponentiation in Z p depends on the size of p and increases at an exponential rate is well known (for example, see pp. 5–6 of [18]). Therefore, we expect that the calculation time depends not only on d but also on p. Before comparing SAA-5 with D-H, we show our experimental result, which shows how the parameters p and d effect the calculation speed of SAA-5, while the SSK length is fixed (16,384 bits).
The white circle in Figure 1 indicates the total time spent calculating the SSK for Alice and Bob, and the black diamond indicates the bit length of the SSK. The pair of dimension and bit length of Figure 1 are:
( d , log p ) = ( 2 , 4096 ) , ( 4 , 1024 ) , ( 8 , 256 ) , ( 16 , 64 ) , ( 32 , 16 ) .
Roughly speaking, the time needed to share the SSK can be reduced by decreasing p and increasing d while keeping the length of SSK.
Finally, we show the experimental result in which we compare SAA-5 with D-H. Table 2 and Figure 2 shows our result of comparison with D-H. Java codes of the algorithms can be referred in [19].

3.3. Experimental Result: Comparison with D-H

In this experiment, we fixed the SAA-5 parameters as d = 8 and | I | = 5 so, the size of the prime number (denoted by p S A A 5 ) is given by κ ¯ / 64 because the length of the SSK κ ¯ is expressed as d 2 log p . The size of each public key of D-H is the same size as that of the SSK, which is κ ¯ , so as a bit length of the prime. The bit size of the prime used in SAA-5 and D-H (denoted by p D H ) is shown in Table 3. As can be seen from Table 2 and Figure 2, when the length of the SSK is over 2048 bit, the SAA-5 out-performs D-H, and the larger the SSK becomes, the the larger the difference of calculation speed between them becomes (SAA-5 is approximately 15 times faster than D-H when the SSK is 5120 bit).

4. Performance Improvement

We showed that the performance of SAA-5 is more effective than the D-H, especially for large keys because of its algebraic property and variety of parameters.
In this section, we try to realize a faster PKA with the same breaking complexity as SAA-5 by the following steps. As a first step, we extract the condition from SAA-5 that allows Alice and Bob to create their SSK, that is, we construct a new PKA framework similar to SAPKA [15] in which key agreement process is described by compositions of maps. As a second step, we fix the parameters (maps) of the framework to produce a new PKA algorithm. Then, we check if the new PKA algorithm possesses the same security level as and more efficient than SAA-5.

4.1. The SAPKA with Multiple Keys Class

Here, we define the new class called SAPKA with Multiple Keys class (SAPKA-MK). The main property of this class is that Alice produces her secret key as a set { x A , j P ; j I } , not a single element as [15].
The SAPKA-MK algorithms have the following common ingredients:
-
a semigroup P together with some operation •.
-
a set M ^ P of easily invertible maps P P , called noise space.
-
a set M P of maps : P P .
-
a finite set I : = { i 1 , i 2 , , i n } N .
where | I | = n .
Of these ingredients P is public and M P , M ^ P belong to the secret keys of B. The set
K B : = { M P } × M P × M P × { M P } × M P ^ × M P ^ ,
is used by Bob to construct his secret and public keys according to the following scheme. All maps are defined by a finite set of parameters, so to send a map means to send the corresponding set of parameters and the rules to combine them. Unless explicitly mentioned, an equality between two functions means that these functions have the same domain of definition and equality holds on it.
Definition 1.
 Let S be a semigroup together with some operation • and let the functions be
y 1 , j , y 2 , y 3 , y 4 , j : S S ,
for all j I : = { i 1 , i 2 , , i n } N . The ordered quadruple ( { y 1 , j ; j I } , y 2 , y 3 , { y 4 , j ; j I } ) is said to satisfy the multiple compatibility condition if the following equation:
( y 1 , i 1 y 2 ( x i 1 ) ) ( y 1 , i 2 y 2 ( x i 2 ) ) ( y 1 , i n y 2 ( x i n ) )
= y 3 ( y 4 , i 1 ( x i 1 ) y 4 , i 2 ( x i 2 ) y 4 , i n ( x i n ) ) ,
is satisfied for all x j ( j I ) . Hereafter, above symbol ∘ denotes map composition unless otherwise specified. If the condition (9) is satisfied only on a sub-semigroup S 0 S , one says that the multiple compatibility condition is satisfied on S 0 .
The key agreement for an algorithm belongs to SAPKA-MK is performed as:
Step 1. 
Bob chooses maps ( { y 1 , j ; j I } , y 2 , y 3 , { y 4 , j ; j I } , N 1 , N 2 ) K B . By conjugating ( y 1 , j , y 2 , y 3 , y 4 , j , N 1 , N 2 ) for each j I , Bob constructs quadruple:
( { y 1 , j ; j I } , y 2 , y 3 , { y 4 , j ; j I } ) ,
satisfies (9). and he uses y 3 as secret key of him as a function:
x B : = y 3 ,
and public keys ( y B , 1 , y B , 2 ) as following functions:
y B , 1 ( x i 1 , x i 2 , , x i n ) : = ( y 1 , i 1 y 2 ( x i 1 ) ) ( y 1 , i 2 y 2 ( x i 2 ) ) ( y 1 , i n y 2 ( x i n ) ) ,
y B , 2 ( x i 1 , x i 2 , , x i n ) : = y 4 , i 1 ( x i 1 ) y 4 , i 2 ( x i 2 ) y 4 , i n ( x i n ) .
Step 2. 
Bob sends the public keys ( y B , 1 , y B , 2 ) to Alice.
Step 3. 
Alice chooses her secret key as a set { x A , j P ; j I } then, she constructs her public key as an element:
y A : = y B , 2 ( x A , i 1 , x A , i 2 , , x A , i n ) P .
Step 4. 
Alice sends the public key y A to Bob.
Step 5. 
Alice computes the secret shared key (SSK) κ as:
κ = y B , 1 ( x A , i 1 , x A , i 2 , , x A , i n ) = ( y 1 , i 1 y 2 ( x A , i 1 ) ) ( y 1 , i 2 y 2 ( x A , i 2 ) ) ( y 1 , i n y 2 ( x A , i n ) ) .
Step 6. 
Bob computes κ as:
κ = x B ( y A ) = y 3 ( y 4 , i 1 ( x A , i 1 ) y 4 , i 2 ( x A , i 2 ) y 4 , i n ( x A , i n ) ) .
Remark 1.
When n = 1 , SAPKA-MK is equivalent to the SAPKA algorithm. This means that SAPKA-MK is one of general forms of SAPKA in terms of the number of Alice’s secret key.
Here, we introduce a lemma, which provides a constructive way to produce families to satisfy (9).
Lemma 1.
 Let S be as Definition 1 and functions given as:
y 1 , j , y 2 , y 3 , y 4 , j : S S ,
for all j I . If the conditions:
1. 
Each ( y 1 , j , y 2 , y 3 , y 4 , j ) satisfies the equation:
y 1 , j y 2 = y 3 y 4 , j
2. 
y 3 { s e m i - g r o u p e n d o m o r p h i s m S S }
are satisfied for all j I , (9) is achieved.
Proof. 
From the first condition, the equation:
( y 1 , i 1 y 2 ( x i 1 ) ) ( y 1 , i 2 y 2 ( x i 2 ) ) ( y 1 , i n y 2 ( x i n ) )
= ( y 3 y 4 , i 1 ( x i 1 ) ) ( y 3 y 4 , i 2 ( x i 2 ) ) ( y 3 y 4 , i n ( x i n ) ) ,
is obvious for all x j ( j I ) . By the endomorphism property of y 3 on S , the equation:
( y 3 y 4 , i 1 ( x i 1 ) ) ( y 3 y 4 , i 2 ( x i 2 ) ) ( y 3 y 4 , i n ( x i n ) )
= y 3 ( y 4 , i 1 ( x i 1 ) y 4 , i 2 ( x i 2 ) y 4 , i n ( x i n ) ) ,
is satisfied. Therefore, one gets:
( y 1 , i 1 y 2 ( x i 1 ) ) ( y 1 , i 2 y 2 ( x i 2 ) ) ( y 1 , i n y 2 ( x i n ) )
= y 3 ( y 4 , i 1 ( x i 1 ) y 4 , i 2 ( x i 2 ) y 4 , i n ( x i n ) ) .
 □

4.2. SAPKA-MK Version of SAA-5

SAA-5 can be described in the form of SAPKA-MK as:
The ingredients for this algorithm are:
I : = { i 1 , i 2 , , i n } N ,
P : = M ( d , Z p ) ,
and an operation • denotes the Schur-product, which is the element-wise matrix multiplication.
Here, ( P , ) forms a semigroup because for any x , y P :
x y P ,
and for any x , y , z P :
x ( y z ) = ( x y ) z .
Denoting L (resp. R) the left (resp. right) action of M ( d , Z p ) on itself, defined by:
L x ( m ) : = ( b { 1 , , d } x a , b m b , g ) ; R x ( m ) : = ( b { 1 , , d } x b , g m a , b ) ; x , m M ( d , Z p ) .
Then, additional ingredients are:
M P : = { L x : x M ( d , Z p ) } { R x : x M ( d , Z p ) } ,
M ^ P : = { invertible elements of M P } .
If Bob defines the six-tuple ( { y 1 , j ; j I } , y 2 , y 3 , { y 4 , j ; j I } , N 1 , N 2 ) for each j I as:
y 1 , j ( x ) : = b { 1 , , d } ( c B j x B ) b , g ( x ) a , b = R c B j x B ( x )
= c x B j x B ,
y 2 : = i d P ,
y 3 ( x ) : = b { 1 , , d } x a , b ( x B ) b , g = L x ( x B ) ,
y 4 , j ( x ) : = b { 1 , , d } ( c B j ) b , g ( x ) a , b = R c B j ( x ) = c x B j ,
N 1 : = i d P ,
N 2 ( x ) : = b { 1 , , d } x a , b ( N B 1 ) b , g : = L x ( N B 1 ) ,
and constructs the quadruple ( { y 1 , j ; j I } , y 2 , y 3 , { y 4 , j ; j I } ) as:
y 1 , j : = y 1 , j N 1 1 ; y 2 : = N 1 y 2 ; y 3 : = y 3 N 2 ; y 4 , j : = N 2 1 y 4 , j ,
for all j I , then Lemma 1 is achieved, i.e.,
y 1 , j y 2 ( x ) = y 1 , j y 2 ( x ) = c x B j x B =
c x B j N B N B 1 x B = y 3 N 2 N 2 1 y 4 , j ( x ) = y 3 y 4 , j ( x ) ,
and for x , z P :
y 3 ( x z ) = b { 1 , , d } ( x z ) a , b ( N B 1 x B ) b , g = b { 1 , , d } x a , b ( N B 1 x B ) b , g z a , b ( N B 1 x B ) b , g
= b { 1 , , d } x a , b ( N B 1 x B ) b , g b { 1 , , d } z a , b ( N B 1 x B ) b , g = y 3 ( x ) y 3 ( z ) .
By the formation of maps, each process of SAPKA-MK key agreement can be described.

4.3. SAA-5 without Schur-Exponentiations

In this section, we introduce a new PKA, which we call SAA-5 without Schur-Exponentiations (SAA-5-no-SE). SAA-5-no-SE can be described as follows.
The public parameters for this algorithm are:
d N ; a finite set I N ,
P : = M ( d , Z p ) : = { d × d - matrices with entries in Z p } .
Denoting L (resp. R) the left (resp. right) action of M ( d , Z p ) on itself, defined by:
L x ( m ) : = x m ; R x ( m ) : = m x ; x , m M ( d , Z p ) .
Additional public parameters are:
M P : = { L x : x M ( d , Z p ) } { R x : x M ( d , Z p ) } ,
M ^ P : = { invertible elements of M P } .
Bob’s secret ingredients are:
N B , x B M ( d , Z p )
a set
B : = { B j P : j I , non invertible }
Step 1. 
Bob defines, for each j I , the following six maps:
y 1 , j ( x ) = x B j x B = R B j x B ( x ) ,
y 2 = i d P ,
y 3 ( x ) = x x B = R x B ( x ) ,
y 4 , j ( x ) = x B j = R B j ( x ) ,
N 1 = i d P ,
N 2 ( x ) = x N B 1 = R N B 1 ( x ) .
From the six-tuple ( { y 1 , j ; j I } , y 2 , y 3 , { y 4 , j ; j I } , N 1 , N 2 ) , Bob constructs the quadruple ( { y 1 , j ; j I } , y 2 , y 3 , { y 4 , j ; j I } ) as:
y 1 , j : = y 1 , j N 1 1 ; y 2 : = N 1 y 2 ; y 3 : = y 3 N 2 ; y 4 , j : = N 2 1 y 4 , j ,
for all j I . With this construction, (12) is satisfied, i.e.,
y 1 , j y 2 ( x ) = y 1 , j y 2 ( x ) = x B j x B = x B j N B N B 1 x B = y 3 N 1 N 1 1 y 4 , j ( x ) = y 3 y 4 , j ( x ) .
Moreover, for any x , z P , y 3 satisfies:
y 3 ( x + z ) = y 3 N 2 ( x + z ) = ( x + z ) x B N B 1 = x x B N B 1 + z x B N B 1
= y 3 N 2 ( x ) + y 3 N 2 ( z ) = y 3 ( x ) + y 3 ( z ) .
Thus, the multiple compatibility condition (9) is satisfied from Lemma 1.
Hence, for any choice of x j P ( j I ), following equation:
j I y 1 , j y 2 ( x j ) = y 3 j I y 4 , j ( x j ) ,
is satisfied. Then, Bob prepares his secret key as a function:
x B : = y 3 N 2 = y 3 ,
and produces the public keys as following functions:
y B , 1 ( x i 1 , x i 2 , , x i n ) = j I y 1 , j y 2 ( x j ) = j I y 1 N 1 1 N 1 y 2 ( x j ) = j I x j B j x B ,
y B , 2 ( x i 1 , x i 2 , , x i n ) = j I y 4 , j ( x j ) = j I N 2 1 y 4 , j ( x j ) = j I x j B j N B .
Step 2. 
In order to send the public keys ( y B , 1 , y B , 2 ) to Alice, Bob sends the public matrices:
B j x B , B j N B ( j I ) .
Step 3. 
Alice chooses as her secret key a set of matrices:
{ x A , j M ( d , Z p ) ; j I } ,
and constructs her public key:
y A = y B , 2 ( x A , i 1 , x A , i 2 , , x A , i n ) = j I x A , j B j N B .
Step 4. 
Alice sends the public key y A to Bob.
Step 5. 
The secret shared key (SSK) κ is:
κ : = j I x A , j B j x B .
Alice knows the B j x B , so she can compute:
κ = y B , 1 ( x A , i 1 , x A , i 2 , , x A , i n ) = j I x A , j B j x B .
Step 6. 
Bob computes κ as:
κ = x 3 ( y A ) = x 3 N 2 ( j I x A , j B j N B ) = ( j I x A , j B j N B ) N B 1 x B = j I x A , j B j x B .

4.4. The Comparison of Breaking Complexity between SAA-5 And SAA-5-no-SE

The breaking complexity of SAA-5 is already evaluated. In this section, we assume 0 cost for solving the discrete logarithm problem, the same as [17] and Section 2.1. Under this assumption, we can prove the breaking complexity of SAA-5-no-SE is equivalent to that of SAA-5 by considering Eve’s strategy to find the SSK of both algorithms.
Theorem 1.
 The breaking complexity of SAA-5 is equivalent to that of SAA-5-no-E.
Proof. (Strategy of Eve against SAA-5-no-SE)
Eve knows the following finite set of integer I = { i 1 , i 2 , , i n } where | I | = n and matrices B j x B , B j N B , y A = j I x A , j B j N B for all j I . She also knows following equation:
κ = j I x A , j B j x B ,
is held. She tries to recover κ from public keys B j x B , B j N B , y A = j I x A , j B j N B where all B j , x B , N B and x A , j are unknown for Eve.
(Strategy of Eve against SAA-5)
In this case, Eve’s strategy to break the algorithm is that she gets the following logarithm of public keys as:
log c B j x B = B j x B log c ,
log c B j N B = B j N B log c ,
log y A = j I x A , j B j N B log c = j I x A , j log c B j N B ,
for all j I . Then she try to recover log κ , which is:
log κ = j I x A , j B j x B log c = j I x A , j log c B j x B .
But, by putting B j = B j log c , Eve knows the following equations:
log c B j x B = B j x B ,
log c B j N B = B j N B ,
log y A = j I x A , j log c B j N B = j I x A , j B j N B ,
and tries to recover
log κ = j I x A , j log c B j x B = j I x A , j B j x B ,
are held. She tries to recover log κ from public keys B j x B , B j N B , y A = j I x A , j B j N B where all B j , x B , N B and x A , j are unknown for Eve. For Eve, this is the same strategy as against the SAA-5-no-SE case.  □

4.5. Discussion: Performance of SAA-5-no-SE

Here, we estimate the computational complexity and report the performance test of SAA-5-no-SE. The total estimated number of multiplications for SAA-5-no-SE is given in Table 4. Notice that one matrix multiplication requires d 3 number of scalar multiplications. Although the calculation time is expected to be on the order of d 3 , as in the SAA-5 case, it does not need extra d 2 log p number of multiplications, which are needed for the calculation of scalar exponentiations in SAA-5. We already know that the calculations of scalar exponentiations heavily effect the performance of SAA-5, so the calculation speed of it is expected to be much faster than SAA-5 with same condition.
Here, we compare the calculation speed with SAA-5 for two settings. In the first setting, we measure the calculation speed of both algorithms for each SSK length from 800 bit to 16,000 bit, while d and | I | are both fixed as 10 to see the impact of p and the SSK length on speed (results are in Table 5 and Figure 3). In the second setting, the calculation speed of SAA-5-no-SE for each SSK length from 512 bit to 5120 bit while d = 8 and | I | = 5 is measured, and has the same settings as in Table 2 and Figure 2. Since the SSK length of SAA-5-no-SE is given by d 2 log p , which is the same number as SAA-5, the relation of size of prime numbers for D-H, SAA-5 and SAA-5-no-SE are described as:
κ ¯ = p D H = 64 p S A A 5 = 64 p S A A 5 n o S E
where p S A A 5 n o S E is the bit size of prime used in SAA-5-no-SE and κ ¯ is that of fixed SSK. Also, the computational complexity of SAA-5-no-SE (denoted by C C S A A 5 n o S E ) when the SSK length is fixed as κ ¯ is shown in Table 6 along with that of S A A 5 and D-H.

4.6. Experimental Result: Performance of SAA-5-no-SE

In Figure 3, the white circle indicates the time spent to calculate in SAA-5-no-SE, and the black diamond indicates the time in SAA-5. As we expected, we can see the prime p does not effect the calculation speed of SAA-5-no-SE. Moreover, the calculation time of SAA-5-no-SE is not heavily influenced by its SSK length.
In Table 7 and Figure 4, the white circle indicates the time spent to calculate in SAA-5, and the black circle indicates the time in SAA-5-no-SE. Note that the calculation time of SAA-5 shown in Figure 4 is the value of Table 2 and Figure 2. With Table 2 and Figure 2, we can check SAA-5-no-SE out-performs not only SAA-5 of all SSK lengths but also D-H of over 1536 bit. Especially when the SSK lengths are 5120 bit, SAA-5-no-SE is approximately 100 times faster than D-H.
As for performances of other standard PKA/asymmetric cryptography, such as ElGamal, RSA and Elliptic curve D-H, there are not many differences with that of D-H (see Table 1 of [20], FigureS 1–3 of [21] and Figure 3, Figure 4 of [18]) and the speed of their algorithms increases exponentially as the SSK length increases. Although some algorithms might be faster than SAA-5 or SAA-5-no-SE, especially for short key lengths, the calculation speed of SAA-5 and SAA-5-no-SE increase linearly, not exponentially. This is one of the advantage points of SAA-5 and SAA-5-no-SE.

5. Conclusions

In this paper, we showed that the performance of SAA-5 is much more effective than D-H, especially for large keys, because of its algebraic property and variety of parameters.
Moreover, a more general scheme of SAA-5, called SAPKA-MK, is proposed. SAA-5 is shown to be described in the form of SAPKA-MK, and a new PKA algorithm called SAA-5-no-SE is introduced as a concrete example of SAPKA-MK. Alice’s secret key structure of SAA-5-no-SE is the same as that of SAA-5, but the functions used in the public key and SSK generation steps are different in several ways. Our performance test on SAA-5-no-SE showed its calculation time increases linearly not exponentially as the SSK length increases. The test also showed that SAA-5-no-SE is a much more efficient PKA algorithm than not only D-H of over 1536bit but also the SAA-5 of all SSK lengths, and its security level is as high as SAA-5.

Author Contributions

Conceptualization, K.J., S.I. and M.R.; formal analysis, K.J. and S.I.; software, M.R.; writing—original draft, K.J. and S.I.; writing—review and editing, K.J., S.I. and M.R. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Conflicts of Interest

The authors declare no conflict of interest.

Abbreviations

The following abbreviations are used in this manuscript:
PKApublic key agreement
D-HDiffie-Hellman
SAPKAstrongly-asymmetric public key agreement
SAAstrongly-asymmetric algorithm
SSKsecret shared key

References

  1. Diffie, W.; Hellman, M. New directions in cryptography. IEEE Trans. Inf. Theory 1976, 22, 644–654. [Google Scholar] [CrossRef]
  2. Rivest, R.L.; Shamir, A.; Adleman, L. Method for obtaining digital signatures and public key cryptosystems. Commun. ACM 1978, 21, 120–126. [Google Scholar] [CrossRef]
  3. ElGamal, T. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theory 1985, 31, 469–472. [Google Scholar] [CrossRef]
  4. Koblitz, N. Elliptic curve cryptosystems. Math. Comput. 1987, 48, 203–209. [Google Scholar] [CrossRef]
  5. Adrian, D.; Bhargavan, K.; Durumeric, Z.; Gaudry, P.; Green, M.; Halderman, J.A.; Heninger, N.; Springall, D.; Thome, E.; Valenta, L.; et al. Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Denver, CO, USA, 12–16 October 2015; pp. 5–17. [Google Scholar]
  6. Shor, P. Polynomial-time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer. SIAM J. Comput. 1997, 25, 1484–1509. [Google Scholar] [CrossRef]
  7. Patarin, J. Hidden fields equations (HFE) and isomorphisms of polynomials (IP): Two new families of asymmetric algorithms. In Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques, Saragossa, Spain, 12–16 May 1996; Springer: Berlin/Heidelberg, Germany, 1996; pp. 33–48. [Google Scholar]
  8. Porras, J.; Baena, J.; Ding, J. ZHFE, a new multivariate public key encryption scheme. In Proceedings of the International Workshop on Post-Quantum Cryptography, Waterloo, ON, Canada, 1–3 October 2014; pp. 229–245. [Google Scholar]
  9. Ajtai, M.; Dwork, C. A public-key cryptosystem with worst-case/average-case equivalence. In Proceedings of the 50th ACM Symposium on Theory of Computing, El Paso, TX, USA, 4–6 May 1997; pp. 284–293. [Google Scholar]
  10. Khot, S. Hardness of approximating the shortest vector problem in lattices. J. ACM (JACM) 2005, 52, 789–808. [Google Scholar] [CrossRef]
  11. Post-Quantum Cryptography Competition Round 2 Submittions. Available online: https://csrc.nist.gov/projects/post-quantum-cryptography/round-2-submissions (accessed on 24 July 2020).
  12. Alkim, E.; Ducas, L.; Poppelmann, T.; Schwabe, P. Post-quantum key exchange—A new hope. In Proceedings of the 25th USENIX Security Symposium (USENIX Security 16), Austin, TX, USA, 10–12 August 2016; pp. 327–343. [Google Scholar]
  13. Hoffstein, J.; Pipher, J.; Silverman, J.H. NTRU: A ring-based public key cryptosystem. In Proceedings of the International Algorithmic Number Theory Symposium, Portland, OR, USA, 21–25 June 1998; Springer: Berlin/Heidelberg, Germany, 1998; pp. 267–288. [Google Scholar]
  14. Casanova, A.; Faugere, J.C.; Macario-Rat, G.; Patarin, J.; Perret, L.; Ryckeghem, J. GeMSS: A Great Multivariate Short Signature. Available online: https://www-polsys.lip6.fr/Links/NIST/GeMSS_specification_round2_V2.pdf (accessed on 29 July 2020).
  15. Accardi, L.; Iriyama, S.; Regoli, M.; Ohya, M. Strongly Asymmetric Public Key Agreement Algorithms; Technical Report ISEC2011-20; IEICE: Tokyo, Japan, 2011; pp. 115–121. [Google Scholar]
  16. Accardi, L.; Regoli, M. On a class of strongly asymmetric PKA algorithms. J. Math. Crypt. 2015, 9, 151–159. [Google Scholar] [CrossRef]
  17. Accardi, L.; Iriyana, S.; Jimbo, K.; Regoli, M. A New Class of Strongly Asymmetric PKA Algorithms: SAA-5. Cryptography 2019, 3, 9. [Google Scholar] [CrossRef]
  18. Ottaviani, V.; Zanoni, A.; Regoli, M. Conjugation as public key agreement protocol in mobile cryptography. In Proceedings of the 2010 International Conference on Security and Cryptography (SECRYPT), Athens, Greece, 26–28 July 2010; pp. 1–6. [Google Scholar]
  19. Jimbo, K.; Iriyama, S.; Regoli, M. Project Name: Implementation of a New Strongly Asymmetric Algorithms and Its Optimization. GitHub Repository. 2020. Available online: https://github.com/jimbobmij/project_KSM (accessed on 29 July 2020).
  20. Großschädl, J.; Kizhvatov, I. Performance and security aspects of client-side SSL/TLS processing on mobile devices. In Proceedings of the International Conference on Cryptology and Network Security, Kuala Lumpur, Malaysia, 12–14 December 2010; Springer: Berlin/Heidelberg, Germany, 2010; pp. 44–61. [Google Scholar]
  21. Okeyinka, A.E. Computational speeds analysis of RSA and ElGamal algorithms on text data. In Proceedings of the World Congress on Engineering and Computer Science, San Francisco, CA, USA, 21–23 October 2015; Volume 1. [Google Scholar]
Figure 1. Changing time to compute a fixed-length key when d is a variable.
Figure 1. Changing time to compute a fixed-length key when d is a variable.
Cryptography 04 00021 g001
Figure 2. Comparison of the time to generate SSK.
Figure 2. Comparison of the time to generate SSK.
Cryptography 04 00021 g002
Figure 3. Calculation speed for each SSK Length with strongly-asymmetric algorithm (SAA-5) while d = 10 and | I | = 10 .
Figure 3. Calculation speed for each SSK Length with strongly-asymmetric algorithm (SAA-5) while d = 10 and | I | = 10 .
Cryptography 04 00021 g003
Figure 4. Comparison of the generation time of the SSK with SAA-5.
Figure 4. Comparison of the generation time of the SSK with SAA-5.
Cryptography 04 00021 g004
Table 1. Key size and estimation of the time for multiplication of keys.
Table 1. Key size and estimation of the time for multiplication of keys.
KeyBit SizeSteps
y A d 2 log p ( | I | 1 ) ( d 3 + d 2 log p )
κ A d 2 log p ( | I | 1 ) ( d 3 + d 2 log p )
y B 2 d 2 I log p | I | ( d 3 + d 2 log p )
y B 3 d 2 I log p | I | ( d 3 + d 2 log p )
κ B d 2 log p 2 ( d 3 + d 2 log p )
Total 4 I ( d 3 + d 2 log p )
Table 2. Comparison of the time to generate the secret shared key (SSK).
Table 2. Comparison of the time to generate the secret shared key (SSK).
SSK Length (bit)SAA-5 (msec)D-H (msec)
51212.451.45
102420.633.37
153616.1910.87
204818.1024.21
256028.7745.68
307223.5483.39
358423.35120.29
409624.42219.90
460838.12332.46
512039.58620.86
Table 3. Comparison of the bit size of the prime number.
Table 3. Comparison of the bit size of the prime number.
SSK Length (bit) p SAA 5 (bit) p SAA 5 (bit)
5128512
1024161024
1536241536
2048322048
2560402560
3072483072
3584563584
4096644096
4608724608
5120805120
Table 4. Key size and estimation of the time for multiplication of keys.
Table 4. Key size and estimation of the time for multiplication of keys.
KeyBit SizeSteps
y A d 2 log p ( | I | 1 ) d 3
κ A d 2 log p ( | I | 1 ) d 3
y B 2 d 2 | I | log p | I | d 3
y B 3 d 2 | I | log p | I | d 3
κ B d 2 log p 2 d 3
Total 4 | I | d 3
Table 5. Calculation speed for each SSK length while d = 10 and | I | = 10 .
Table 5. Calculation speed for each SSK length while d = 10 and | I | = 10 .
SSK Length (bit)p (bit)SAA-5SAA-5-no-SE
800834.4216.88
16001640.269.58
24002444.989.92
32003252.3612.86
40004089.8219.24
48004875.1818.78
56005683.9414.74
640064101.1614.76
720072145.0415.62
800080150.5814.68
880088164.8417.64
960096176.4417.68
10,400104191.2017.46
11,200112202.7617.22
12,000120213.3615.96
12,800128223.3016.54
13,600136314.0818.24
14,400144336.2417.58
15,200152349.9618.02
16,000160364.6620.30
Table 6. Computational complexity of each algorithm when SSK length is κ ¯ .
Table 6. Computational complexity of each algorithm when SSK length is κ ¯ .
CC D H CC SAA 5 CC SAA 5 no SE
4 κ ¯ 4 | I | ( d 3 + κ ¯ ) 4 | I | d 3
Table 7. The time to generate SSK.
Table 7. The time to generate SSK.
SSK Length (bit)SAA-5-no-SE(msec)
5128.32
10245.63
15364.57
20485.26
25607.41
30726.84
35846.15
40964.80
46085.75
51206.02
Back to TopTop