Public Key Protocols from Twisted-Skew Group Rings

Abstract

This article studies some algebraic structures known as twisted-skew group rings in the context of public key cryptography. We first present some background related to these structures to then specifically introduce particular twisted-skew group rings and show how to utilize them as the underlying algebraic structure to build cryptographic protocols. We closely follow an incremental-like methodology to construct these protocols by putting parts together. As as result, we first introduce a key-agreement protocol and then generalize it to a group key-agreement protocol. We then proceed to construct a probabilistic public key encryption from our two-party key agreement and, finally, introduce a key-encapsulation mechanism from a well-known generic construction applied to probabilistic public encryption. Furthermore, we provide an in-depth security analysis for each cryptographic construction under new related algebraic assumptions and supply a proof-of-concept implementation for various candidate chosen groups.

1. Introduction

While the increasingly close possibility of bringing about quantum technology for massive use in the coming years approaches, which will render current public key schemes insecure, the cryptographic community has devoted efforts to design, implement, and deploy quantum-safe public key primitives that replace current public key algorithms. Thus far, many candidates have been proposed via standardization calls for proposals and independent and individual efforts [1,2,3]. Those candidates may roughly be classified into several categories or groups, namely lattice-based schemes, code-based schemes, isogeny schemes, MPC-in-the-Head schemes, multivariate schemes, and symmetric-based schemes [1,2,3].

Nevertheless, recent papers [4,5,6,7] propose different, promising cryptographic schemes based on group ring generalizations, which seem to be quantum-secure [8]. The research articles [5,6,7] introduce cryptographic protocols whose security hinges on algebraic problems defined on the structure of a twisted dihedral group algebra, while [4] presents constructions that are supported on a skew dihedral group ring structure. Specifically, Ref. [7] proposes a two-cocycle ${\alpha }_{\lambda }$ to form the twisted algebra ${\mathbb{F}}_q^{{\alpha }_{\lambda }}{D}_{2n}$ for a non-square $\lambda$ in the field ${\mathbb{F}}_q$, where $D_{2n}=⟨x,y:x^n=y^2=1,yx{y}^{-1}=x^{-1}⟩$ is the dihedral group of order $2n$. More precisely, the two-cocycle ${\alpha }_{\lambda }:D_{2n}\times D_{2n}⟶{\mathbb{F}}_q^{*}$ is defined by ${\alpha }_{\lambda }(g,h)=\lambda$ for $g=x^{i}y$, $h=x^{j}y$ with $i,j\in \{0,\dots ,n-1\}$ and ${\alpha }_{\lambda }(g,h)=1$ otherwise. Furthermore, following an incremental-like methodology as employed by us in this paper, the authors of [7] introduce a key exchange protocol, a probabilistic public key scheme, and a key-encapsulation mechanism over the twisted algebra ${\mathbb{F}}_q^{{\alpha }_{\lambda }}{D}_{2n}$. Furthermore, their constructions and their proof-of-concept implementation are enhanced by exploiting the properties of the twisted algebra. On the other hand, Ref. [4] proposes cryptographic protocols supported on an algebraic structure that is called the skew dihedral group ring. This algebraic platform, denoted by ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{D}_{2n}$, is formed of the dihedral group $D_{2n}$ and the group homomorphism described by ${\theta }_{\sigma }\left(g\right)=\sigma$, where $\sigma \left(a\right)=a^q$ for all $a\in {\mathbb{F}}_{q^2}$, for $g=x^{i}y$, $i\in \{0,\dots ,n-1\}$, and ${\theta }_{\sigma }\left(g\right)=1$ otherwise. Furthermore, using an incremental-like methodology, the authors of [4] similarly propose a key-exchange protocol, a probabilistic public key scheme, and a key-encapsulation mechanism over the skew dihedral group ring ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{D}_{2n}$.

Concerning other related works, the research articles [9,10] investigate ideals as codes in twisted-skew group rings. In particular, they characterize all linear codes that are twisted-skew group codes in terms of their automorphism group.

Our main contribution is generalizing previous approaches [4,5,6,7] in the sense that we present a novel algebraic structure, which is a twisted-skew group ring and generalizes those in [4,5,6,7], and exhibit various cryptographic protocols supported on this structure. This structure features a two-cocycle ${\alpha }_{\lambda }$ and a group homomorphism ${\theta }_{\sigma }$. We particularly consider G to be a finite group of even order and $N\le G$ such that $\left|N\right|=\left|G\right|/2=n$, i.e., $[G:N]=2$, and hence, $G=N\cup Ny$ with $y\in G\setminus N$. For $\lambda \in {\mathbb{F}}_q^{*}$, the map ${\alpha }_{\lambda }:G\times G\to {\mathbb{F}}_q^{*}$ as $\alpha (g,h)=\lambda$ if $g\notin N$ and $h\notin N$ and ${\alpha }_{\lambda }(g,h)=1$ otherwise is a two-cocycle of the group G over ${\mathbb{F}}_q$. Also, the map ${\theta }_{\sigma }:G\to \mathrm{Gal}({\mathbb{F}}_{q^2},{\mathbb{F}}_q)$ defined by ${\theta }_{\sigma }\left(g\right)=\sigma$ if $g\notin N$ and ${\theta }_{\sigma }\left(g\right)=1$ otherwise is a group homomorphism. We then define the twisted-skew group ring ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G$, over which we build cryptographic constructions. By closely following an incremental-like methodology as previously used in [4,7], we construct a key-agreement protocol and then generalize it to a group key-agreement protocol. We then proceed to build a probabilistic public key encryption from our two-party key agreement and, finally, introduce a key-encapsulation mechanism from a well-known generic construction applied to the probabilistic public encryption. Furthermore, we provide an in-depth security analysis for each cryptographic construction under new related algebraic assumptions and supply a proof-of-concept implementation for various candidate chosen groups.

The outline of the paper is as follows. In Section 2, we will present background material and formally introduce the twisted-skew group ring over which we will build our cryptographic protocols. Section 3 will formally introduce our intractability assumptions. In particular, we will formally define attack games for the algebraic problems on which the security of our cryptographic constructions rely. Section 4 first gives a detailed account of our two-party key-agreement protocol together with its corresponding security analysis and then focuses on its generalization along with the corresponding security analysis. Section 5 will delineate a probabilistic public key-encryption scheme derived from our two-party key-agreement protocol and the corresponding security analysis. Section 6 will portray our key-encapsulation mechanism derived from the probabilistic public key-encryption scheme from Section 5. In Section 7, we will describe the pseudo-code of our proof-of-concept Python implementation for our cryptographic constructions and conclude this section by hinting at potential applications of our protocols. Finally, Section 8 will conclude our work and outline future research directions.

2. A Twisted-Skew Group Ring

Let G be a finite group and ${\mathbb{F}}_q$ be the finite field of order $q=p^m$ and characteristic p. We denote the automorphism group of ${\mathbb{F}}_q$ by $\mathrm{Aut}\left({\mathbb{F}}_q\right)$, and $\mathrm{Gal}({\mathbb{F}}_{q^k},{\mathbb{F}}_q)\le \mathrm{Aut}\left({\mathbb{F}}_q\right)$ always denotes the group of all automorphisms of ${\mathbb{F}}_{q^k}$ that fix ${\mathbb{F}}_q$, which is called the Galois group of ${\mathbb{F}}_{q^k}$ over ${\mathbb{F}}_q$. A well-known result is that the Galois group $\mathrm{Gal}({\mathbb{F}}_{q^k},{\mathbb{F}}_q)$ is a cyclic group of order k and that the Frobenius automorphism $\sigma$ of ${\mathbb{F}}_{q^k}$ over ${\mathbb{F}}_q$ is a generator, which is defined as $\sigma \left(a\right)=a^q$ for all $a\in {\mathbb{F}}_{q^k}$. Moreover, by $\mathrm{Hom}(G,\mathrm{Aut}\left({\mathbb{F}}_{q^k}\right))$ and $\mathrm{Hom}(G,\mathrm{Gal}({\mathbb{F}}_{q^k},{\mathbb{F}}_q))$, we denote the set of group homomorphisms from G to $\mathrm{Aut}\left({\mathbb{F}}_{q^k}\right)$ and $\mathrm{Gal}({\mathbb{F}}_{q^k},{\mathbb{F}}_q)$, respectively. Additionally, the map $\alpha :G\times G\to {\mathbb{F}}_q\setminus \left\{0\right\}$ is called a two-cocycle of G if $\alpha (1,1)=1$ and

$$\alpha (g,hk)\alpha (h,k)=\alpha (gh,k)\alpha (g,h)$$

for all $g,h,k\in G$. Let $Z^2(G,{\mathbb{F}}_q)$ denote the set of all two-cocycles of G.

We say that the cocycle $\alpha$ is stabilized by the group $\theta \left(G\right)\le \mathrm{Aut}\left({\mathbb{F}}_q\right)$, if

$$\theta \left(g\right)\alpha (x,y)=\alpha (x,y)$$

(1)

for all $g,x,y\in G$.

For $\alpha ,\beta \in {\mathrm{Z}}^2(\mathrm{G},{\mathbb{F}}_{\mathrm{q}}^{*})$, we define $\alpha \beta \in {\mathrm{Z}}^2(\mathrm{G},{\mathbb{F}}_{\mathrm{q}}^{*})$ as $\alpha \beta (g,h)=\alpha (g,h)\beta (g,h)$ for all $g,h\in G$. With this operation, ${\mathrm{Z}}^2(\mathrm{G},{\mathbb{F}}_{\mathrm{q}}^{*})$ becomes a multiplicative Abelian group. If $\beta :G⟶{\mathbb{F}}_q^{*}$ is a map such that $\beta \left(1\right)=1$, the coboundary $\partial \beta$ defined by $\partial \beta (g,h)=\beta {\left(g\right)}^{-1}\beta {\left(h\right)}^{-1}\beta \left(gh\right)$ for all $g,h\in G$ is in ${\mathrm{Z}}^2(\mathrm{G},{\mathbb{F}}_{\mathrm{q}}^{*})$. We denote the set of all coboundaries of G by ${\mathrm{B}}^2(G,{\mathbb{F}}_q^{*})$, which forms a subgroup of the group ${\mathrm{Z}}^2(\mathrm{G},{\mathbb{F}}_{\mathrm{q}}^{*})$. Given a two-cocycle $\alpha \in {\mathrm{Z}}^2(\mathrm{G},{\mathbb{F}}_{\mathrm{q}}^{*})$, its coset is denoted by $\left[\alpha \right]:=\alpha {\mathrm{B}}^2(G,{\mathbb{F}}_q^{*})$. Additionally, we call the quotient group

$${\mathrm{H}}^2(\mathrm{G},{\mathbb{F}}_{\mathrm{q}}^{*})={\mathrm{Z}}^2(\mathrm{G},{\mathbb{F}}_{\mathrm{q}}^{*})/{\mathrm{B}}^2(\mathrm{G},{\mathbb{F}}_{\mathrm{q}}^{*})$$

the second cohomology group of G with values in ${\mathbb{F}}_q^{*}$.

Definition 1

(See [10]). Let G be a finite multiplicative group; let $\alpha \in Z^2(G,{\mathbb{F}}_q)$ be a two-$cocycle$ of G; let $\theta \in \mathrm{Hom}(G,\mathrm{Aut}\left({\mathbb{F}}_q\right))$ be a group homomorphism. The twisted-skew group ring ${\mathbb{F}}_q^{\theta ,\alpha }G$ is the set of all formal sums ${\sum }_{g\in G}{a}_g\overline{g}$, where $a_g\in {\mathbb{F}}_q$, with the following twisted-skew multiplication:

$$a_g\overline{g}·b_h\overline{h}=a_g\left(\theta \left(g\right)\left(b_h\right)\right)\alpha (g,h)\overline{gh}.$$

In [10], it is proven that, if the cocycle $\alpha$ is stabilized by $\theta \left(G\right)$, then ${\mathbb{F}}_q^{\theta ,\alpha }G$ is an associative ring with identity $\overline{1}.$

Note that ${\mathbb{F}}_q^{1,1}G$ is nothing else than the group algebra ${\mathbb{F}}_{q}G$, while ${\mathbb{F}}_q^{1,\alpha }G$ is the twisted group algebra ${\mathbb{F}}_q^{\alpha }G$, and ${\mathbb{F}}_q^{\theta ,1}G$ is the skew group ring ${\mathbb{F}}_q^{\theta }G$ (see [4,9,10]). Moreover, by [10], Lemma 1.5, for $\theta \in \mathrm{Hom}(G,\mathrm{Aut}\left({\mathbb{F}}_q\right))$, we have that ${\mathbb{F}}_q^{\theta ,\alpha }G$ and ${\mathbb{F}}_q^{\theta ,1}G={\mathbb{F}}_q^{\theta }G$ are isomorphic, if $\alpha$ is a coboundary. In particular, ${\mathbb{F}}_q^{\alpha }G={\mathbb{F}}_q^{1,\alpha }G\cong {\mathbb{F}}_q^{1,1}G={\mathbb{F}}_{q}G$ as ${\mathbb{F}}_q$-algebras, if $\alpha$ is a coboundary.

Definition 2

(See [10]). For an element $a={\sum }_{g\in G}{a}_g\overline{g}\in {\mathbb{F}}_q^{\theta ,\alpha }G$, we define its adjunct as

$$\widehat{a}:=\phi \left(a\right)=\sum _{g\in G}\theta \left(g^{-1}\right)\left(a_g\right)\alpha (g,g^{-1})\overline{g^{-1}}.$$

In the sequel, we will always consider that G is a finite group of even order and $N\le G$ such that $\left|N\right|=\left|G\right|/2=n$, i.e., $[G:N]=2$, and hence, $G=N\cup Ny$ with $y\in G\setminus N$. Also, we assume the elements of G are ordered according to some fixed order. In particular, $N=\{n_0,n_1,\dots ,n_{n-1}\}$ and $G=\{n_i{y}^j\mid i\in \{0,1,\dots ,n-1\},j\in \{0,1\}\}.$ Some possible groups G satisfying the previous conditions are as follows:

• Dihedral group: A presentation of the dihedral group D of order $2n$ is given by

  $$D=⟨x,y:x^n=y^2=1,yx{y}^{-1}=x^{-1}⟩,$$

  where $N=⟨x^i⟩$ and $\left|N\right|=n$.
• Quasidihedral group: A presentation of the quasidihedral group $\mathfrak{G}$ of order $2^{\mathfrak{n}}$ is given by

  $$\mathfrak{G}=⟨x,y:x^{2^{\mathfrak{n}-1}}=y^2=1,yxy=x^{2^{\mathfrak{n}-2}-1}⟩,$$

  where $N=⟨x^i⟩$ and $\left|N\right|=n=2^{\mathfrak{n}-1}$.
• Modular maximal-cyclic group: A presentation of the modular maximal-cyclic group $\mathfrak{M}$ of order $2^{\mathfrak{n}}$ is given by

  $$\mathfrak{M}=⟨x,y:x^{2^{\mathfrak{n}-1}}=y^2=1,yxy=x^{2^{\mathfrak{n}-2}+1}⟩,$$

  where $N=⟨x^i⟩$ and $\left|N\right|=n=2^{\mathfrak{n}-1}$.
• Generalized quaternion group: A presentation of the generalized quaternion group $\mathfrak{Q}$ of order $2^{\mathfrak{n}}$ is given by

  $$\mathfrak{Q}=⟨x,y:x^{2^{\mathfrak{n}-1}}=y^4=1,x^{2^{\mathfrak{n}-2}}=y^2,yx{y}^{-1}=x^{-1}⟩,$$

  where $N=⟨x^i⟩$ and $\left|N\right|=n=2^{\mathfrak{n}-1}$.

Lemma 1.

Let $y\in G\setminus N$. Then, we have the following:

• ${\mathbb{F}}_q^{\theta ,\alpha }G$ is a free ${\mathbb{F}}_q^{\theta ,\alpha }N$-module with basis $\{1,y\}$. Therefore, ${\mathbb{F}}_q^{\theta ,\alpha }G={\mathbb{F}}_q^{\theta ,\alpha }N\oplus {\mathbb{F}}_q^{\theta ,\alpha }Ny$ as the direct sum of ${\mathbb{F}}_q$-vector spaces.
• ${\mathbb{F}}_q^{\theta ,\alpha }N\cong {\mathbb{F}}_q^{\theta ,\alpha }Ny$ as ${\mathbb{F}}_q^{\theta ,\alpha }N$-modules.
• For $a\in {\mathbb{F}}_q^{\theta ,\alpha }Ny$, $ab\in {\mathbb{F}}_q^{\theta ,\alpha }N$ if $b\in {\mathbb{F}}_q^{\theta ,\alpha }Ny$ or $ab\in {\mathbb{F}}_q^{\theta ,\alpha }Ny$ if $b\in {\mathbb{F}}_q^{\theta ,\alpha }N$.
• If $a\in {\mathbb{F}}_q^{\theta ,\alpha }N$, then $\widehat{a}\in {\mathbb{F}}_q^{\theta ,\alpha }N$.
• If $a\in {\mathbb{F}}_q^{\theta ,\alpha }Ny$, then $\widehat{a}\in {\mathbb{F}}_q^{\theta ,\alpha }Ny$.

Proof. 

Let $y\in G\setminus N$:

• Since $\{1,y\}$ is a transversal of N, the assertion follows.
• Consider the map $\sigma :{\mathbb{F}}_q^{\theta ,\alpha }N\to {\mathbb{F}}_q^{\theta ,\alpha }Ny$ given by $\sigma \left(g\right)=gy$ for all $g\in N$, then $\sigma$ is an ${\mathbb{F}}_q^{\theta ,\alpha }N$-module isomorphism.
• Since $[G:N]=2$, then $gh\in N$ if and only if $g,h\in N$ or $g,h\in Ny$. Therefore, the assertion follows.
• If $g\in N$, then $g^{-1}\in N$ since N is a subgroup. Hence, the assertion follows.
• If $g\in Ny$, then $g^{-1}\in Ny$ since $[G:N]=2$. Hence, the assertion follows.

   □

Definition 3.

We define the $(\theta ,\alpha )$-reversible subspace of ${\mathbb{F}}_q^{\theta ,\alpha }Ny$ as the vector subspace ${\Gamma }_{\theta ,\alpha }=\{a={\sum }_{i=0}^{n-1}{a}_i\overline{n_{i}y}\in {\mathbb{F}}_q^{\theta ,\alpha }Ny:a_i=a_{{[-i]}_n}\mathit{for}\mathit{all}i=1,2,\dots ,n-1\}.$

The following lemma introduces the two-cocycle ${\alpha }_{\lambda }$ on the group G, for a given element $\lambda$ in ${\mathbb{F}}_q^{*}$.

Lemma 2.

Let $\lambda \in {\mathbb{F}}_q^{*}$. Then, the map ${\alpha }_{\lambda }:G\times G\to {\mathbb{F}}_q^{*}$ defined by $\alpha (g,h)=\lambda$ if $g\notin N$ and $h\notin N$ and ${\alpha }_{\lambda }(g,h)=1$ otherwise is a two-cocycle of the group G over ${\mathbb{F}}_q$.

Proof. 

By definition, ${\alpha }_{\lambda }(g,h)(1,1)=1$. Therefore, ${\alpha }_{\lambda }$ is a two-cocycle if ${\alpha }_{\lambda }(g,h){\alpha }_{\lambda }(gh,k)={\alpha }_{\lambda }(g,hk){\alpha }_{\lambda }(h,k)$ for all $g,h,k\in G$. Let us first assume $g\in N$ and $h,k\in G$, then a straightforward calculation shows that ${\alpha }_{\lambda }(g,h){\alpha }_{\lambda }(gh,k)={\alpha }_{\lambda }(g,hk){\alpha }_{\lambda }(h,k)$ holds. On the other hand, if $g\in Ny$, then a straightforward calculation also shows that ${\alpha }_{\lambda }(g,h){\alpha }_{\lambda }(gh,k)={\alpha }_{\lambda }(g,hk){\alpha }_{\lambda }(h,k)$ holds.    □

Lemma 3.

Let ${\alpha }_{\lambda }$ be the two-cocycle defined in Lemma 2:

• If λ is a square in ${\mathbb{F}}_q^{*}$, then ${\alpha }_{\lambda }$ is a coboundary.
• If λ is a non-square in ${\mathbb{F}}_q^{*}$ and there exists $g\in Ny$ such that $g^2=1$, then ${\alpha }_{\lambda }$ cannot be a coboundary.
• If ${\lambda }_1$, ${\lambda }_2$ are non-squares in ${\mathbb{F}}_q^{*}$, then ${\alpha }_{{\lambda }_1}$ and ${\alpha }_{{\lambda }_2}$ are congruent.

Proof. 

• Suppose $\lambda$ is a square in ${\mathbb{F}}_q^{*}$, then there exists $t\in {\mathbb{F}}_q$ such that $t^2=\lambda$. Let us define $\beta \left(g\right)=1$ if $g\in N$, or else $\beta \left(g\right)=t^{-1}$. We have ${\alpha }_{\lambda }(g,h)=\beta {\left(g\right)}^{-1}\beta {\left(h\right)}^{-1}\beta \left(gh\right)$ for all $g,h\in G$, since $gh\in N$ if and only if $g,h\in N$ or $g,h\in Ny.$
• Suppose there exists a function $\beta$ such that $\beta \left(1\right)=1$ and ${\alpha }_{\lambda }(g,h)=\beta {\left(g\right)}^{-1}\beta {\left(h\right)}^{-1}\beta \left(gh\right)$. Therefore, ${\alpha }_{\lambda }(g,g)=\lambda =\beta {\left(g\right)}^{-1}\beta {\left(g\right)}^{-1}\beta \left(g^2\right)={\left[\beta {\left(g\right)}^{-1}\right]}^2$, a contradiction.
• Let $\xi$ be a primitive element of ${\mathbb{F}}_q^{*}$. Since ${\lambda }_1$, ${\lambda }_2$ are non-squares in ${\mathbb{F}}_q^{*}$, then ${\lambda }_1={\xi }_1^k$ and ${\lambda }_2={\xi }_2^k$ with $k_1$ and $k_2$ being odd. Therefore, ${\lambda }_1={\xi }_1^k={\lambda }_2{\xi }^{k_3}$, where $k_3$ is even, i.e., ${\xi }^{k_3}$ is a square in ${\mathbb{F}}_q$. Let us define $\beta \left(g\right)=1$ if $g\in N$ and $\beta \left(g\right)={\xi }^{k_3/2}$ otherwise. We, therefore, have ${\alpha }_{{\lambda }_1}(g,h)={\alpha }_{{\lambda }_2}(g,h)\beta \left(g\right)\beta \left(h\right)\beta {\left(gh\right)}^{-1}$ for all $g,h\in G$, since $gh\in N$ if and only if $g,h\in N$ or $g,h\in Ny.$

   □

Remark 1.

Note that, since ${\left({\lambda }^{2^{m-1}}\right)}^2=\lambda$, for all $\lambda \in {\mathbb{F}}_{2^m}$ and $m\in \mathbb{N}$, then ${\mathbb{F}}_{2^m}G$ and ${\mathbb{F}}_q^{\theta ,{\alpha }_{\lambda }}G$ are isomorphic. By this, we will assume that $char{\mathbb{F}}_q\ne 2$.

Let ${\mathbb{F}}_{q^2}$ be a quadratic extension of ${\mathbb{F}}_q$. From now on, we only will take into consideration a quadratic extension of ${\mathbb{F}}_q$ since the ambient space over which we define our cryptographic constructions is the twisted-skew group ring ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G$, where ${\theta }_{\sigma }\in \mathrm{Hom}(G,\mathrm{Aut}\left({\mathbb{F}}_{q^2}\right))$ is a group homomorphism. We next introduce ${\theta }_{\sigma }$.

Lemma 4.

Let $\sigma \in \mathrm{Gal}({\mathbb{F}}_{q^2},{\mathbb{F}}_q))$ be the Frobenius automorphism of ${\mathbb{F}}_{q^2}$ over ${\mathbb{F}}_q$. Then, the map ${\theta }_{\sigma }:G\to \mathrm{Gal}({\mathbb{F}}_{q^2},{\mathbb{F}}_q)$ defined by ${\theta }_{\sigma }\left(g\right)=\sigma$ if $g\notin N$ and ${\theta }_{\sigma }\left(g\right)=1$ otherwise is a group homomorphism.

Proof. 

Let $g,h\in G$ and $\gamma \in {\mathbb{F}}_{q^2}$. There are four cases to check:

• $g,h\in N$ is easy to check.
• $g\in N$ y $h\notin N$, $\theta \left(gh\right)\left(\gamma \right)=\sigma \left(\gamma \right)=\mathrm{Id}\left(\sigma \right(\gamma \left)\right)=\theta \left(g\right)\theta \left(h\right)\left(\gamma \right)$.
• $h\in N$ y $g\notin N$, $\theta \left(gh\right)\left(\gamma \right)=\sigma \left(\gamma \right)=\sigma \left(\mathrm{Id}\right(\gamma \left)\right)=\theta \left(g\right)\theta \left(h\right)\left(\gamma \right)$.
• $g,h\notin N$, $\theta \left(gh\right)\left(\gamma \right)=\gamma =\sigma \left(\sigma \right(\gamma \left)\right)=\theta \left(g\right)\theta \left(h\right)\left(\gamma \right)$.

   □

Remark 2.

${\theta }_{\sigma }$ relies on the Frobenius automorphism σ. Moreover, since $\mathrm{Gal}({\mathbb{F}}_{q^2},{\mathbb{F}}_q)\le \mathrm{Aut}\left({\mathbb{F}}_{q^2}\right)$, then ${\theta }_{\sigma }\in \mathrm{Hom}(G,\mathrm{Gal}({\mathbb{F}}_{q^2},{\mathbb{F}}_q)).$ Furthermore, if $\lambda \in {\mathbb{F}}_q\subset {\mathbb{F}}_{q^2}$, then $({\lambda }^{\frac{q+1}{2}}{)}^{(q-1)}={\lambda }^{\frac{q^2-1}{2}}=1$, i.e., it is a square, and also, ${\alpha }_{\lambda }$ is stabilized by the group ${\theta }_{\sigma }\left(G\right)$; therefore, the twisted-skew group ring ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G$ is isomorphic to the skew group ring ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}G$ introduced in [4]. However, if $\lambda \in {\mathbb{F}}_{q^2}\setminus {\mathbb{F}}_q$, then the cocycle ${\alpha }_{\lambda }$ is not stabilized by the group ${\theta }_{\sigma }\left(G\right)$, and so, the twisted-skew multiplication is not necessarily associative. In fact, for none of the possible four groups G we consider the twisted-skew multiplication is associative.

Lemma 5.

Let ${\alpha }_{\lambda }$ be the two-cocycle defined in Lemma 2 and ${\theta }_{\sigma }\in Hom(G,\mathrm{Gal}({\mathbb{F}}_{q^2},{\mathbb{F}}_q))$ the group homomorphism defined in Lemma 4. Then, we have the following:

• $ab=ba$ for $a,b\in {\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}N$.
• $a\widehat{b}=b\widehat{a}$ for $a,b\in {\Gamma }_{{\theta }_{\sigma },{\alpha }_{\lambda }}$.
• $\widehat{a}b=\widehat{b}a$ for $a,b\in {\Gamma }_{{\theta }_{\sigma },{\alpha }_{\lambda }}$.
• $\left(\right(ah\left)\gamma \right)=\left(a\right(h\gamma \left)\right)$ for $a\in {\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}N,h\in {\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G,\gamma \in {\Gamma }_{{\theta }_{\sigma },{\alpha }_{\lambda }}$.

Proof.  

• Let $a={\sum }_{i=0}^{n-1}{a}_i\overline{n_i}\in {\mathbb{F}}_q^{{\theta }_{\sigma },{\alpha }_{\lambda }}N$ and $b={\sum }_{i=0}^{n-1}{b}_i\overline{n_i}\in {\mathbb{F}}_q^{{\theta }_{\sigma },{\alpha }_{\lambda }}N.$

  $$ab=\sum _{i=0}^{n-1}{a}_i\overline{n_i}\sum _{j=0}^{n-1}{b}_j\overline{n_j}=\sum _{k\in N}\left(\sum _{n_i{n}_j=k}{a}_i{b}_j\right)\overline{k}$$

  (2)

  $$ba=\sum _{i=0}^{n-1}{b}_i\overline{n_i}\sum _{j=0}^{n-1}{a}_j\overline{n_j}=\sum _{k\in N}\left(\sum _{n_i{n}_j=k}{b}_i{a}_j\right)\overline{k}$$

  (3)
  Note that the second sum of Equations (2) and (3) follows from the definitions of ${\theta }_{\sigma }$ and ${\alpha }_{\lambda }$. Therefore, $ab=ba$.
• Let $a={\sum }_{i=0}^{n-1}{a}_i\overline{n_{i}y}\in {\Gamma }_{{\theta }_{\sigma },{\alpha }_{\lambda }}$ and $b={\sum }_{i=0}^{n-1}{b}_i\overline{n_{i}y}\in {\Gamma }_{{\theta }_{\sigma },{\alpha }_{\lambda }}.$ Then, $a\widehat{b}$ can be expressed as

  $$\begin{array}{cc}\sum _{i=0}^{n-1}{a}_i\overline{n_{i}y}\sum _{j=0}^{n-1}\theta \left({\left(n_{j}y\right)}^{-1}\right)\left(b_j\right){\alpha }_{\lambda }(n_{j}y,{\left(n_{j}y\right)}^{-1})\overline{{\left(n_{j}y\right)}^{-1}}\hfill & \\ & \hfill =\sum _{k\in N}\left(\sum _{\left(n_{i}y\right)\left(n_{j}y\right)=k}{a}_i{b}_j{\lambda }^{q+1}\right)\overline{k}\end{array}$$

  (4)

  and $b\widehat{a}$ as

  $$\begin{array}{cc}\sum _{i=0}^{n-1}{b}_i\overline{n_{i}y}\sum _{j=0}^{n-1}\theta \left({\left(n_{j}y\right)}^{-1}\right)\left(a_j\right){\alpha }_{\lambda }(n_{j}y,{\left(n_{j}y\right)}^{-1})\overline{{\left(n_{j}y\right)}^{-1}}\hfill & \\ & \hfill =\sum _{k\in N}\left(\sum _{\left(n_{i}y\right)\left(n_{j}y\right)=k}{b}_i{a}_j{\lambda }^{q+1}\right)\overline{k}\end{array}$$

  (5)
  The first sum of Equations (4) and (5) follows from the definitions and that, for all $\omega \in Ny$, $\alpha (\omega ,{\omega }^{-1})=\lambda$. The second sum of Equations (4) and (5) follows from ${\theta }_{\sigma }$ being a homomorphism, and thus, ${\theta }_{\sigma }\left(g\right)\left({\theta }_{\sigma }\left(h\right)\left(a\right)\right)={\theta }_{\sigma }\left(gh\right)\left(a\right)=a$ for $a\in {\mathbb{F}}_{q^2}$ and ${\theta }_{\sigma }\left(g\right)\left(\lambda \right)=\sigma \left(\lambda \right)={\lambda }^q$.
  Since $a,b\in {\Gamma }_{{\theta }_{\sigma },{\alpha }_{\lambda }}$, then $a_i=a_{{[-i]}_n}$ and $b_j=b_{{[-j]}_n}$ for $i,j\in \{0,1,\dots ,n-1\}$. Therefore, the $(i,j)$-th term $a_i{b}_j{\lambda }^{q+1}$ of ${\sum }_{\left(n_{i}y\right)\left(n_{j}y\right)=k}{a}_i{b}_j{\lambda }^{q+1}$ in (4) coincides with the $({[-j]}_n,{[-i]}_n)$-th term $b_{{[-j]}_n}{a}_{{[-i]}_n}{\lambda }^{q+1}$ of ${\sum }_{\left(n_{i}y\right)\left(n_{j}y\right)=k}{b}_i{a}_j{\lambda }^{q+1}$ in (5), which implies the equality.
• Let $a={\sum }_{i=0}^{n-1}{a}_i\overline{n_{i}y}\in {\Gamma }_{{\theta }_{\sigma },{\alpha }_{\lambda }}$ and $b={\sum }_{i=0}^{n-1}{b}_i\overline{n_{i}y}\in {\Gamma }_{{\theta }_{\sigma },{\alpha }_{\lambda }}.$ Then, we can write $\widehat{a}b$ as

  $$\begin{array}{ccc}\sum _{i=0}^{n-1}\theta \left({\left(n_{i}y\right)}^{-1}\right)\left(a_i\right){\alpha }_{\lambda }\hfill & (n_{i}y,{\left(n_{i}y\right)}^{-1})\overline{{\left(n_{i}y\right)}^{-1}}\sum _{j=0}^{n-1}{b}_j\overline{n_{j}y}\hfill & \\ & =\sum _{i=0}^{n-1}{a}_i^q\lambda \overline{{\left(n_{i}y\right)}^{-1}}\sum _{j=0}^{n-1}{b}_j\overline{n_{j}y}& \\ & & =\sum _{k\in N}\left(\sum _{{\left(n_{i}y\right)}^{-1}\left(n_{j}y\right)=k}{a}_i^q{b}_j^q{\lambda }^2\right)\overline{k}\hfill \end{array}$$

  (6)

  and $\widehat{b}a$ is

  $$\begin{array}{ccc}\sum _{i=0}^{n-1}\theta \left({\left(n_{i}y\right)}^{-1}\right)\left(b_i\right){\alpha }_{\lambda }\hfill & (n_{i}y,{\left(n_{i}y\right)}^{-1})\overline{{\left(n_{i}y\right)}^{-1}}\sum _{j=0}^{n-1}{a}_j\overline{n_{j}y}\hfill & \\ & =\sum _{i=0}^{n-1}{b}_i^q\lambda \overline{{\left(n_{i}y\right)}^{-1}}\sum _{j=0}^{n-1}{a}_j\overline{n_{j}y}& \\ & & =\sum _{k\in N}\left(\sum _{{\left(n_{i}y\right)}^{-1}\left(n_{j}y\right)=k}{b}_i^q{a}_j^q{\lambda }^2\right)\overline{k}\hfill \end{array}$$

  (7)
  The last sum of Equations (6) and (7) follows from the definitions, $\alpha (\omega ,{\omega }^{-1})=\lambda$ and ${\theta }_{\sigma }\left(\omega \right)\left(a\right)=a^q$ for $\omega \in Ny,a\in {\mathbb{F}}_q^2$.
  Since $a,b\in {\Gamma }_{{\theta }_{\sigma },{\alpha }_{\lambda }}$, then $a_i=a_{{[-i]}_n}$ and $b_j=b_{{[-j]}_n}$ for $i,j\in \{0,1,\dots ,n-1\}$. Therefore, the $(i,j)$-th term $a_i^q{b}_j^q{\lambda }^2$ of ${\sum }_{\left(n_{i}y\right)\left(n_{j}y\right)=k}{a}_i^q{b}_j^q{\lambda }^2$ in (4) coincides with the $({[-j]}_n,{[-i]}_n)$-th term $b_{{[-j]}_n}^q{a}_{{[-i]}_n}^q{\lambda }^2$ of ${\sum }_{\left(n_{i}y\right)\left(n_{j}y\right)=k}{b}_i^q{a}_j^q{\lambda }^2$ in (5), which implies the equality.

   □

3. Intractability Assumptions

This section will describe some attack games concerning the algebraic problems on which the security of our cryptographic constructions lies [4,7,11,12]. Before giving a detailed account of them, we will introduce some notation that we will use for the remaining part of this paper:

• Let G be a finite group of even order and $N\le G$ such that $\left|N\right|=\left|G\right|/2=n$.
• Let p be a prime number and $q=p^m$ for some $m\in \mathbb{N}$. Let ${\mathbb{F}}_{q^2}$ be the quadratic extension of ${\mathbb{F}}_q$.
• The two-cocycle ${\alpha }_{\lambda }$ is instantiated by selecting $\lambda$ such that it is a non-square in ${\mathbb{F}}_{q^2}$. Additionally, ${\theta }_{\sigma }$ is chosen as specified by Lemma 4.
• We set $\mathtt{h}={\mathtt{h}}_1+{\mathtt{h}}_2$ as a public element, where ${\mathtt{h}}_1\in {\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}N$ and ${\mathtt{h}}_2\in {\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}Ny$ are random non-zero elements.
• We denote the secret key space by $\mathcal{SK}={\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}N\times {\Gamma }_{{\theta }_{\sigma },{\alpha }_{\lambda }}$. Given a secret key $\mathtt{sk}=(\mathtt{a},\gamma )\in \mathcal{SK}$, we denote $(\mathtt{a},\widehat{\gamma })$ by $\widehat{\mathtt{sk}}$. Besides, we define $\psi :\mathcal{SK}\times {\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G⟶{\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G$ as $\psi (\mathtt{sk},h)=\mathtt{a}h\gamma$.

Game 1

(Twisted-Skew Product Decomposition). Let $\mathcal{A}$ be an efficient adversary. We define the Twisted-Skew Product Decomposition (TSPD) Attack Game as shown by Algorithm 1

Algorithm 1 defines the Twisted-Skew Product Decomposition (TSPD) Attack Game

The challenger $\mathcal{C}$ executes 1: $(\mathtt{a},\gamma )\stackrel{R}{\leftarrow }\mathcal{SK}$; 2: $\mathtt{pk}\leftarrow \psi \left(\right(\mathtt{a},\gamma ),\mathtt{h})$; 3: $(\tilde{\mathtt{a}},\tilde{\gamma })\leftarrow \mathcal{A}\left(\mathtt{pk}\right)$; 4: return$\left[[\tilde{\mathtt{a}}\mathtt{h}\tilde{\gamma }=\mathtt{a}\mathtt{h}\gamma ]\right];$

In the TSPD attack game, $\left[[\tilde{\mathtt{a}}\mathtt{h}\tilde{\gamma }=\mathtt{a}\mathtt{h}\gamma ]\right]$ denotes a Boolean value, which is 1 when $\tilde{\mathtt{a}}\mathtt{h}\tilde{\gamma }=\mathtt{a}\mathtt{h}\gamma$, or 0 otherwise. We define $E_1$ as the event that the TSPD attack game outputs 1 after $\mathcal{A}$ plays it for ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G$. Furthermore, we define $\mathcal{A}$’s advantage in solving the TSPD problem for ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G$ as the probability of $E_1$ and denote it by $\mathrm{TSPDadv}[\mathcal{A},{\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G]$.

Definition 4

(Twisted-Skew Product Decomposition Assumption). We say that the TSPD assumption holds for ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G$ if, for all efficient adversaries $\mathcal{A}$, the quantity $\mathit{TSPDadv}[\mathcal{A},{\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G]$ is negligible.

Game 2

(Computational Twisted-Skew Product). Let $\mathcal{A}$ be an efficient adversary. We define the Computational Twisted-Skew Product (CTSP) Attack Game as shown by Algorithm 2.

Algorithm 2 defines the Computational Twisted-Skew Product Attack Game

The challenger $\mathcal{C}$ executes 1: $({\mathtt{a}}_1,{\gamma }_1)\stackrel{R}{\leftarrow }\mathcal{SK};$ 2: $({\mathtt{a}}_2,{\gamma }_2)\stackrel{R}{\leftarrow }\mathcal{SK};$ 3: ${\mathtt{pk}}_1\leftarrow \psi (({\mathtt{a}}_1,{\gamma }_1),\mathtt{h});$ 4: ${\mathtt{pk}}_2\leftarrow \psi (({\mathtt{a}}_2,{\gamma }_2),\mathtt{h});$ 5: $\mathtt{k}\leftarrow \psi (({\mathtt{a}}_2,\widehat{{\gamma }_2}),{\mathtt{pk}}_1);$ 6: $\tilde{\mathtt{k}}\leftarrow \mathcal{A}({\mathtt{pk}}_1,{\mathtt{pk}}_2)$; 7: return$\left[[\tilde{\mathtt{k}}=\mathtt{k}]\right];$

We define $E_2$ as the event that the CTSP attack game outputs 1 after $\mathcal{A}$ plays it for ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G$. Moreover, we define $\mathcal{A}$’s advantage in solving the CTSP problem for ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G$ as the probability of $E_2$ and denote it by $\mathrm{CTSPadv}[\mathcal{A},{\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G]$.

Definition 5

(Computational Twisted-Skew Product Assumption). We say that the CTSP assumption holds for ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G$ if, for all efficient adversaries $\mathcal{A}$, the quantity $\mathit{CTSPadv}[\mathcal{A},{\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G]$ is negligible.

Lemma 6.

If the TSPD assumption does not hold for ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G$, then the CTSP assumption does not hold for ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G$.

Proof. 

Since the TSPD assumption does not hold for ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G$, then there exists an efficient adversary $\mathcal{B}$ that can win the TSPD attack game with non-negligible probability $\rho$, i.e., $\mathcal{B}$ can output $(\tilde{\mathtt{a}},\tilde{\gamma })\in \mathcal{SK}$ such that $\tilde{\mathtt{a}}\mathtt{h}\tilde{\gamma }=\mathtt{a}\mathtt{h}\gamma =\mathtt{pk}$ with non-negligible probability $\rho$.

We now construct an efficient adversary $\mathcal{A}$ that plays and wins the CTSP attack game with non-negligible probability $\rho$. $\mathcal{A}$ simply uses $\mathcal{B}$ as the subroutine. Upon receiving ${\mathtt{pk}}_1$ and ${\mathtt{pk}}_2$ from its challenger, $\mathcal{A}$ calls $\mathcal{B}$ upon the input either ${\mathtt{pk}}_1$ or ${\mathtt{pk}}_2$. In either case, if $\mathcal{B}$ succeeds in returning a $(\tilde{\mathtt{a}},\tilde{\gamma })\in \mathcal{SK}$ such that $\widetilde{\mathtt{pk}}=\tilde{\mathtt{a}}\mathtt{h}\tilde{\gamma }={\mathtt{a}}_b\mathtt{h}{\gamma }_b={\mathtt{pk}}_b(b\in \{1,2\})$, then $\mathcal{A}$ will calculate $\tilde{\mathtt{k}}=\tilde{\mathtt{a}}{\mathtt{pk}}_{\overline{b}}\widehat{\tilde{\gamma }}$, with $\overline{b}=3-b$, and return $\tilde{\mathtt{k}}$ to its challenger. Because of the choice of ${\theta }_{\sigma }$ and ${\alpha }_{\lambda }$ and Lemma 5, then

$$\tilde{\mathtt{k}}=\tilde{\mathtt{a}}{\mathtt{pk}}_{\overline{b}}\widehat{\tilde{\gamma }}=\tilde{\mathtt{a}}{\mathtt{a}}_{\overline{b}}\mathtt{h}{\gamma }_{\overline{b}}\widehat{\tilde{\gamma }}={\mathtt{a}}_{\overline{b}}\tilde{\mathtt{a}}\mathtt{h}\tilde{\gamma }\widehat{{\gamma }_{\overline{b}}}={\mathtt{a}}_{\overline{b}}\widetilde{\mathtt{pk}}\widehat{{\gamma }_{\overline{b}}}={\mathtt{a}}_{\overline{b}}{\mathtt{pk}}_b\widehat{{\gamma }_{\overline{b}}}=\mathtt{k}$$

In conclusion, $\mathcal{A}$ is an efficient adversary and may succeed in computing the correct $\mathtt{k}$ in the CTSP attack game with non-negligible probability $\rho$.    □

Game 3

(Decisional Twisted-Skew Product). Let $\mathcal{A}$ be an efficient adversary. We define the Decisional Twisted-Skew Product (DTSP) Attack Game by two experiments indexed by a bit b as shown by Algorithm 3.

Algorithm 3 defines the Decisional Twisted-Skew Product Attack Game

For Experiment b, the challenger $\mathcal{C}$ executes

1: $({\mathtt{a}}_1,{\gamma }_1)\stackrel{R}{\leftarrow }\mathcal{SK};$ 2: $({\mathtt{a}}_2,{\gamma }_2)\stackrel{R}{\leftarrow }\mathcal{SK};$ 3: $({\mathtt{a}}_3,{\gamma }_3)\stackrel{R}{\leftarrow }\mathcal{SK};$ 4: ${\mathtt{pk}}_1\leftarrow \psi (({\mathtt{a}}_1,{\gamma }_1),\mathtt{h});$${\mathtt{pk}}_2\leftarrow \psi (({\mathtt{a}}_2,{\gamma }_2),\mathtt{h});$ 5: ${\mathtt{k}}_0\leftarrow \psi (({\mathtt{a}}_2,\widehat{{\gamma }_2}),{\mathtt{pk}}_1);{\mathtt{k}}_1\leftarrow \psi (({\mathtt{a}}_3,{\gamma }_3),\mathtt{h});$ 6: $\tilde{\mathtt{b}}\leftarrow \mathcal{A}({\mathtt{pk}}_1,{\mathtt{pk}}_2,{\mathtt{k}}_{\mathtt{b}})$ 7: return$\left[[b=\tilde{\mathtt{b}}]\right];$

Remark 3.

Game 3 defines two experiments indexed by a random bit b chosen by the challenger. Therefore, the challenger returns either $({\mathrm{pk}}_1,{\mathcal{pk}}_2,{\mathcal{k}}_0)$ or $({\mathcal{pk}}_1,{\mathcal{pk}}_2,{\mathcal{k}}_1)$ to the adversary $\mathcal{A}$, depending on the experiment the challenger is playing, i.e., the challenger gives $({\mathcal{pk}}_1,{\mathcal{pk}}_2,{\mathcal{k}}_{\mathcal{b}})$ to $\mathcal{A}$. We denote the experiment b by $DTSP\left(b\right)$.

We define $W_{\mathtt{b}}$ as the event that $\mathcal{A}$ outputs the bit 1 after playing the experiment $\mathtt{b}$ in the DTSP attack game for ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G$. Furthermore, we define $\mathcal{A}$’s advantage in solving the DTSP problem for ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G$ as $|\mathrm{Pr}\left[W_0\right]-\mathrm{Pr}\left[W_1\right]|$ and denote it by $\mathrm{DTSPadv}[\mathcal{A},{\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G].$

Definition 6

(Decisional Twisted-Skew Product Assumption). We say that the DTSP assumption holds for ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G$ if, for all efficient adversaries $\mathcal{A}$, the quantity $\mathit{DTSPadv}[\mathcal{A},{\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G]$ is negligible.

Lemma 7.

If the CTSP assumption does not hold for ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G$, then the DTSP assumption does not hold for ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G$.

Proof. 

Since the CTSP assumption does not hold for ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G$, then there exists an efficient adversary $\mathcal{B}$ that outputs $\tilde{\mathtt{k}}\in {\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G$ such that $\tilde{\mathtt{k}}=\mathtt{k}$ after being given public keys ${\mathtt{pk}}_1$ and ${\mathtt{pk}}_2$ with non-negligible probability.

We now construct an efficient adversary $\mathcal{A}$ that plays and wins the DTSP attack game with non-negligible probability. This adversary $\mathcal{A}$ uses $\mathcal{B}$ as the subroutine. In particular, upon receiving $({\mathtt{pk}}_1,{\mathtt{pk}}_2,{\mathtt{k}}_{\mathtt{b}})$ from its challenger, $\mathcal{A}$ calls $\mathcal{B}$ upon the input $({\mathtt{pk}}_1,{\mathtt{pk}}_2)$. If $\mathcal{B}$ solves this instance of the CTSP problem for given ${\mathtt{pk}}_1$ and ${\mathtt{pk}}_2$ and returns $\tilde{\mathtt{k}}$ to $\mathcal{A}$, then $\mathcal{A}$ compares $\tilde{\mathtt{k}}$ and ${\mathtt{k}}_{\mathtt{b}}$ to see whether they are equal. If so, then $\mathcal{A}$ returns 0, or 1 otherwise.

In summary, $\mathcal{A}$ is an efficient adversary and may succeed in winning the DTSP attack game with non-negligible probability.    □

The Hardness of the TSPD Problem

The TSPD problem is similar to both the Dihedral Product Decomposition (DPD) and Skew Dihedral Product Decomposition (SDPD) problems. The former was introduced in [5], then formalized in [7] and extended in [6], while the latter was introduced in [4] as an extension of the former. The key difference between both is that the latter is defined over the Dihedral Skew Group Ring ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{D}_{2n}$, which is structurally different from the algebra ${\mathbb{F}}_q^{{\alpha }_{\lambda }}{D}_{2n}$ over which the former is defined.

We remark that the algorithmic analysis presented for the DPD problem over ${\mathbb{F}}_q^{{\alpha }_{\lambda }}{D}_{2n}$ in [7] can be adjusted easily to both the SDPD and TSPD problems. Furthermore, note that, if $\lambda$ is non-square, then the twisted-skew multiplication defined over ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G$ is not associative, which motives the claim that the TSPD problem is defined over a less-structured algebraic structure.

4. Key-Agreement Protocols from Twisted-Skew Group Rings

This section introduces key-agreement protocols using two-sided multiplications over a twisted-skew group ring ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G$.

We note that previous research papers have introduced similar key-exchange protocols using two-sided semi-group actions or matrices over groups [13,14,15,16,17]. However, our approach may be seen as an alternative proposal, since it follows in design and generalizes the works presented in [4,6,7], which propose key-agreement protocols using two-sided multiplications over dihedral twisted (skewed) group rings.

4.1. Choice of Parameters

Here, we will outline our choice of parameters. We remark that Section 7.7 will provide more details regarding specific values assigned to some of them:

• Let G be a finite group of even order and $N\le G$ such that $\left|N\right|=\left|G\right|/2=n$. In particular, we may select a group from the set $\{D,\mathfrak{G},\mathfrak{M},\mathfrak{Q}\}$.
• Let p be a prime number and $q=p^m$ for some $m\in \mathbb{N}$. Let ${\mathbb{F}}_{q^2}$ be the quadratic extension of ${\mathbb{F}}_q$.
• The two-cocycle ${\alpha }_{\lambda }$ is instantiated by selecting $\lambda$ such that it is a non-square in ${\mathbb{F}}_{q^2}$. Additionally, ${\theta }_{\sigma }$ is chosen as specified by Lemma 4.
• We set $\mathtt{h}={\mathtt{h}}_1+{\mathtt{h}}_2$ as a public element, where ${\mathtt{h}}_1\in {\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}N$ and ${\mathtt{h}}_2\in {\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}Ny$ are random non-zero elements.
• We denote the secret key space by $\mathcal{SK}={\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}N\times {\Gamma }_{{\theta }_{\sigma },{\alpha }_{\lambda }}$. Given a secret key $\mathtt{sk}=(\mathtt{a},\gamma )\in \mathcal{SK}$, we denote $(\mathtt{a},\widehat{\gamma })$ by $\widehat{\mathtt{sk}}$. Besides, we define $\psi :\mathcal{SK}\times {\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G⟶{\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G$ as $\psi (\mathtt{sk},h)=\mathtt{a}h\gamma$.

4.2. Two-Party Key-Agreement Protocol

We begin by introducing some notation. A set of identifiers is denoted by $\mathcal{ID}={\{0,1\}}^{+}$. The identifier for the principal $P_i$ is denoted by ${\mathtt{ID}}_i\in \mathcal{ID}$. A session id is denoted by a bit string s. The two-party key-agreement protocol between $P_i$ and $P_j$ runs as shown in Algorithm 4.

Algorithm 4 Describes our two-party key-exchange protocol

1: Upon the input $({\mathtt{ID}}_i,{\mathtt{ID}}_j,s)$, the principal $P_i$ randomly selects a secret pair ${\mathtt{sk}}_i=({\mathtt{a}}_i,{\gamma }_i)\stackrel{R}{\leftarrow }\mathcal{SK}$, then generates the corresponding public key by invoking ${\mathtt{pk}}_i=\psi ({\mathtt{sk}}_i,\mathtt{h})$, and finally, transmits $({\mathtt{ID}}_i,s,{\mathtt{pk}}_i)$ to $P_j$; 2: After receiving $({\mathtt{ID}}_i,s,{\mathtt{pk}}_i)$ from $P_i$, the principal $P_j$ randomly selects a secret pair ${\mathtt{sk}}_j=({\mathtt{a}}_j,{\gamma }_j)\stackrel{R}{\leftarrow }\mathcal{SK}$, then generates the corresponding public key by executing ${\mathtt{pk}}_j=\psi ({\mathtt{sk}}_j,\mathtt{h})$, and transmits $({\mathtt{ID}}_j,s,{\mathtt{pk}}_j)$ to $P_i$. Additionally, $P_j$ computes ${\mathtt{k}}_j=\psi (\widehat{{\mathtt{sk}}_j},{\mathtt{pk}}_i)$, securely erases $({\mathtt{a}}_j,{\gamma }_j)$, and outputs the key ${\mathtt{k}}_j$ under the session id s; 3: After receiving $({\mathtt{ID}}_j,s,{\mathtt{pk}}_j)$ from $P_j$, the principal $P_i$ calls ${\mathtt{k}}_i=\psi (\widehat{{\mathtt{sk}}_i},{\mathtt{pk}}_j)$ to obtain the shared key ${\mathtt{k}}_i$ under the session id s, then securely erases $({\mathtt{a}}_i,{\gamma }_i)$, and outputs the key ${\mathtt{k}}_i$ under the session id s.

Security Analysis of Our Two-Party Key-Exchange Protocol

This section is devoted to providing an analysis of our two-party key-exchange protocol in the authenticated links adversarial model [18,19,20]. We will present a description of this security model for completeness:

• Let us denote by $P=\{P_1,P_2,\dots ,P_n\}$ a finite set of principals.
• Let $\mathcal{A}$ be an adversary controlling all messages between two principals; however, we have the following:
  • $\mathcal{A}$ is not permitted to insert or alter messages, except for those messages transmitted by corrupted principals or sessions.
  • $\mathcal{A}$ may opt for not forwarding a message at all. However, in case $\mathcal{A}$ decides to forward a message m, then $\mathcal{A}$ should transmit it to its right destination, only on one occasion and refraining from making partial or minor changes to it.
  • Principals freely transfer the possession of their egress messages to $\mathcal{A}$, who has the power to influence their transmission by means of the Send query. $\mathcal{A}$ may make a principal $P_i$ operative by Send queries, i.e., the adversary holds the power or ability to create protocol sessions, which occur within each principal. Two sessions, with ids $s_1$ and $s_0$, respectively, are said to be matching when egress messages from one side are the ingress messages from the other side, and vice versa.
    Additionally, $\mathcal{A}$ is given the ability to make queries to the following oracles:

    −

    SessionStateReveal oracle.

    Whenever $\mathcal{A}$ queries it for a clearly identified session id s within some principal $P_i$, then $\mathcal{A}$ will acquire the contents of the specified session id s within $P_i$, including any secret information. This event will be registered and produce no further output.

    −

    SessionKeyReveal oracle.

    Whenever $\mathcal{A}$ queries it for a clearly identified session id s, then $\mathcal{A}$ will acquire the session key for the specified session id s, as long as s has an associated session.

    −

    Corrupt oracle.

    Whenever $\mathcal{A}$ queries it for a clearly identified principal $P_i$, then $\mathcal{A}$ will assume control of the principal $P_i$, i.e., $\mathcal{A}$ will have the opportunity to obtain all information in $P_i$’s memory, which includes long-lived keys and any session-specific, remaining data. A corrupted principal will yield no further output.

  • $\mathcal{A}$ may query the test oracle on one occasion and at any point for a completed, fresh, unexpired session id s. When queried on input s, the test oracle randomly picks a bit, $b\stackrel{R}{\leftarrow }\{0,1\}$, then it will return the session key associated with the specified session id s if $b=0$. Otherwise, it will return a random value in the key space. Additionally, $\mathcal{A}$ can issue subsequent queries to the other oracles as desired, but it cannot expose the test session. At any further point, the adversary will try to guess b.
  • We denote the probability of the event that $\mathcal{A}$ correctly guesses b by $\mathrm{Guess}[\mathcal{A},{\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G]$, and define the advantage as

    $$\mathrm{SKAdv}[\mathcal{A},{\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G]=|\mathrm{Guess}[\mathcal{A},{\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G]-1/2|.$$

Theorem 1.

Let $\mathcal{A}$ be an efficient adversary in the authenticated links adversarial model (AM). If the DTSP assumption holds for ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G$, then our key exchange protocol is session key-secure in this setting, i.e., the two-party key-agreement protocol satisfies the following:

• If two principals engage in a protocol session s, are not corrupted during the execution of it, and complete it successfully, then each principal will compute matching keys.
• $\mathit{SKAdv}[\mathcal{A},{\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G]$ is negligible.

Proof. 

The following proof is essentially an adaptation of the proofs given for each key-exchange protocol presented, respectively, in [4,7]:

• Let us assume that two principals $P_i$ and $P_j$ engage in a protocol session s, are not corrupted during the execution of it, and complete it successfully. We claim that each principal will compute matching keys. By Lemma 5 and the choice of ${\theta }_{\sigma }$ and ${\alpha }_{\lambda }$, the claim follows. Indeed,

  $${\mathtt{k}}_i={\mathtt{a}}_i{\mathtt{pk}}_j\widehat{{\gamma }_i}={\mathtt{a}}_i{\mathtt{a}}_j\mathtt{h}{\gamma }_j\widehat{{\gamma }_i}={\mathtt{a}}_j{\mathtt{a}}_i\mathtt{h}{\gamma }_i\widehat{{\gamma }_j}={\mathtt{a}}_j{\mathtt{pk}}_i\widehat{{\gamma }_j}={\mathtt{k}}_j.$$
• We will prove this statement by way of contradiction. Let us suppose $\mathcal{A}$ is an adversary against our protocol such that $\mathrm{SKAdv}[\mathcal{A},{\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G]$ is non-negligible. Let $\mathfrak{B}$ be an upper bound on the number of session calls by $\mathcal{A}$ in any interaction.
  We now present a distinguisher $\mathcal{D}$ for the DTSP problem, depicted by Algorithm 5.

  Algorithm 5 depicts distinguisher D for the DTSP problem

  1: function  $\mathcal{D}$($h,{\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G,{\mathtt{pk}}_1,{\mathtt{pk}}_2,\mathtt{k}$)  2:     $\mathfrak{s}\stackrel{R}{\leftarrow }\{1,\dots ,\mathfrak{B}\}$;  3:    Let $\mathcal{A}$ interact with principals $P_1,\dots ,P_n$ with identifiers ${\mathtt{ID}}_1,\dots ,{\mathtt{ID}}_n$, except for the $\mathfrak{s}$-th session. For the $\mathfrak{s}$-th session, let $P_i$, $P_j$ interact with each other, and run Algorithm 4. In particular, $P_i$ will transmit $({\mathtt{ID}}_i,\mathfrak{s},{\mathtt{pk}}_i={\mathtt{a}}_i\mathtt{h}{\gamma }_i)$ to $P_j$, while $P_j$ will send $({\mathtt{ID}}_j,\mathfrak{s},{\mathtt{pk}}_j={\mathtt{a}}_j\mathtt{h}{\gamma }_j)$ to $P_i$;  4:     if $\mathcal{A}$ has chosen the $\mathfrak{s}$-th session as its test session then  5:         Return $\mathtt{k}$ to $\mathcal{A}$ as the response to its test oracle query;  6:         $\mathtt{b}\leftarrow \mathcal{A}\left(\mathtt{k}\right)$;  7:     else  8:         $\mathtt{b}\stackrel{R}{\leftarrow }\{0,1\}$;  9:     end if 10:    return $\mathtt{b}$ 11: end function

  We now analyze the distinguisher $\mathcal{D}$ in two cases:

  (a)

  Let us assume that $\mathcal{A}$ randomly chooses the $\mathfrak{s}$-th one as its test session. This implies that $\mathcal{A}$ will receive either ${\mathtt{k}}_{\mathtt{0}}$ or ${\mathtt{k}}_{\mathtt{1}}$. This is a result of the DTSP challenger, because upon request, it always picks a random bit b and then returns $({\mathtt{pk}}_1,{\mathtt{pk}}_2,{\mathtt{k}}_b)$ to $\mathcal{D}$. Therefore, the probability of correctly distinguishing them by $\mathcal{A}$ is $1/2+ϵ$ with non-negligible $ϵ$, since, by assumption, $\mathrm{SKAdv}[\mathcal{A},{\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G]$ is non-negligible.

  (b)

  If $\mathcal{A}$ does not pick the $\mathfrak{s}$-th one as its test session, then, by design, $\mathcal{D}$ returns a random bit, and therefore, the distinguishing probability is $1/2$.

  Let $E_r$ be the event of $\mathcal{A}$ selecting the test session as the $\mathfrak{s}$-th session. Hence, the probabilities of $E_{\mathfrak{s}}$ and $\overline{E_{\mathfrak{s}}}$ are $1/\mathfrak{B}$ and $1-1/\mathfrak{B}$, respectively. Consequently, the overall probability for $\mathcal{D}$ to win the DTSP game is

  $$1/\left(2\mathfrak{B}\right)+ϵ/\mathfrak{B}+1/2-1/\left(2\mathfrak{B}\right)=1/2+ϵ/\mathfrak{B},$$

  which is non-negligible.

   □

4.3. Generalizing Our Two-Party Key-Agreement Protocol

Throughout this section, we will focus on generalizing our two-party key-exchange protocol to a group key-exchange protocol [21,22,23].

Let us assume there are $\eta >0$ principals whose respective identifiers are $I{D}_1,\dots ,I{D}_{\eta }$. Thus, the generalized protocol runs as follows:

• The principal $I{D}_1$ randomly generates a secret pair ${\mathtt{sk}}_1=({\mathtt{a}}_1,{\gamma }_1)\stackrel{R}{\leftarrow }\mathcal{SK}$ and then transmits the list:

  $${\mathcal{M}}_1=[m_1^1=h,m_1^2=\psi ({\mathtt{sk}}_1,\mathtt{h})=a_{1}h{\gamma }_1]$$

  to the principal $I{D}_2$.
• For $i\in \{2,\dots ,\eta -1\}$, the principal $I{D}_i$ randomly generates its secret pair ${\mathtt{sk}}_i=({\mathtt{a}}_i,{\gamma }_i)\stackrel{R}{\leftarrow }\mathcal{SK}$ and sets $a_i={\mathtt{sk}}_i$ and $b_i=\widehat{{\mathtt{sk}}_i}$ if i is even, or else, it sets $a_i=\widehat{{\mathtt{sk}}_i}$ and $b_i={\mathtt{sk}}_i$. This principal constructs a list ${\mathcal{M}}_i$ and transmits it to the principal $I{D}_{i+1}$, where ${\mathcal{M}}_i$ contains $i+1$ messages enumerated as $m_i^j=\psi (a_i,m_{i-1}^j)$ for $j\in \{1,\dots ,i-1\}$, $m_i^i=m_{i-1}^i$ and $m_i^{i+1}=\psi (b_i,m_{i-1}^i)$.
• The principal $I{D}_{\eta }$ randomly generates its secret pair ${\mathtt{sk}}_{\eta }=({\mathtt{a}}_{\eta },{\gamma }_{\eta })\stackrel{R}{\leftarrow }\mathcal{SK}$, then sets $a_{\eta }={\mathtt{sk}}_{\eta }$ and $b_{\eta }=\widehat{{\mathtt{sk}}_{\eta }}$ if $\eta$ is even. Otherwise, it sets $a_{\eta }=\widehat{{\mathtt{sk}}_{\eta }}$ and $b_{\eta }={\mathtt{sk}}_{\eta }$.
  This principal then constructs a list ${\mathcal{M}}_{\eta }$ containing $\eta$ messages enumerated as $m_{\eta }^j=\psi (a_{\eta },m_{\eta -1}^j)$ for $j\in \{1\dots ,\eta -1\}$ and $m_{\eta }^{\eta }=m_{\eta -1}^{\eta }$ and then broadcasts ${\mathcal{M}}_{\eta }$ to all other principals. Finally, this principal computes the shared key $\mathtt{k}=\psi (b_{\eta },m_{\eta }^{\eta }=m_{\eta -1}^{\eta })$.
• For $i\in \{1,\dots ,\eta -1\}$, each principal with identifier $I{D}_i$ finally computes the shared key $\mathtt{k}$ by calculating either $\mathtt{k}=\psi (s{k}_i,m_{\eta }^i)$ if $\eta$ is odd or $\mathtt{k}=\psi (\widehat{s{k}_i},m_{\eta }^i)$ otherwise.

Theorem 2.

Our group key exchange protocol satisfies the following:

• If η uncorrupted principals having identifiers $I{D}_1,\dots ,I{D}_{\eta }$, respectively, complete a run of the group key-agreement protocol successfully, then each principal will output the same shared key.
• If the DTSP assumption holds for ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G$, then an efficient adversary $\mathcal{A}$ will not be able to distinguish the shared group key from an arbitrary element in ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G$.

Proof.  

• This first statement will be proven by induction on the number of principals $\eta$.
  Base case:
  Let us set $\eta$ to 2. For this case, the principal $I{D}_1$ computes ${\mathcal{M}}_1=\{h,a_{1}h{\gamma }_1\}$ and transmits it to the principal $I{D}_2$. Upon receiving ${\mathcal{M}}_1$, the principal $I{D}_2$ computes ${\mathcal{M}}_2=\left[a_{2}h{\gamma }_2\right]$ and $k=a_2{a}_{1}h{\gamma }_1\widehat{{\gamma }_2}$. Finally, it transmits ${\mathcal{M}}_2$ back to the principal $I{D}_1$, which computes $k=a_2{a}_{1}h{\gamma }_1\widehat{{\gamma }_2}.$
  Inductive case:
  By induction hypothesis, we assume that, if $\eta$ uncorrupted principals run the protocol, each will successfully obtain the corresponding shared key $k_{\eta }$.
  We will prove that if $\eta +1$ uncorrupted principals run the protocol, each will successfully obtain the corresponding shared key $k_{\eta +1}.$
  Assume now that there are $\eta +1$ principals running the protocol. By the induction hypothesis, the principal $I{D}_{\eta }$ receives the correct ${\mathcal{M}}_{\eta -1}$ from the principal $I{D}_{\eta -1}$ and, hence, correctly computes ${\mathcal{M}}_{\eta }$ and forwards it to the principal $I{D}_{\eta +1}$. This principal constructs the list $M_{\eta +1}$ by calculating the following:

  (a)

  ${\mathcal{M}}_{\eta +1}=\{m_{\eta +1}^i=\psi (s{k}_{\eta +1},m_{\eta }^i)$ for $i\in \{1,2,\dots ,\eta \}\}$ if $\eta +1$ is even. This principal then transmits ${\mathcal{M}}_{\eta +1}$ to the other principals.

  Upon receiving ${\mathcal{M}}_{\eta +1}$ from the principal $I{D}_{\eta +1}$, each principal $I{D}_i$ computes

  $$\begin{array}{lll}{k}_{\eta +1}=\psi (\widehat{s{k}_i},m_{\eta +1}^i)\hfill & =a_i{m}_{\eta +1}^i\widehat{{\gamma }_i}& \\ & =a_i\psi (s{k}_{\eta +1},m_{\eta }^i)\widehat{{\gamma }_i}=a_i{a}_{\eta +1}{m}_{\eta }^i{\gamma }_{\eta +1}\widehat{{\gamma }_i}& \\ & & =a_{\eta +1}{k}_{\eta }\widehat{{\gamma }_{\eta +1}},\end{array}$$

  for $i\in \{1,\dots ,\eta \}$, while the principal $I{D}_{\eta +1}$ computes

  $$\begin{array}{ll}{k}_{\eta +1}=\psi (\widehat{s{k}_{\eta +1}},m_{\eta }^{\eta +1})=a_{\eta +1}\hfill & m_{\eta }^{\eta +1}\widehat{{\gamma }_{\eta +1}}\\ & =a_{\eta +1}\psi (s{k}_{\eta },m_{\eta -1}^{\eta })\widehat{{\gamma }_{\eta +1}}=a_{\eta +1}{k}_{\eta }\widehat{{\gamma }_{\eta +1}}.\end{array}$$

  (b)

  ${\mathcal{M}}_{\eta +1}=\{m_{\eta +1}^i=\psi (\widehat{s{k}_{\eta +1}},m_{\eta }^i)$ for $i\in \{1,2,\dots ,\eta \}\}$ if $\eta +1$ is odd. This principal then transmits ${\mathcal{M}}_{\eta +1}$ to the other principals.

  Upon receiving ${\mathcal{M}}_{\eta +1}$ from the principal $I{D}_{\eta +1}$, each principal $I{D}_i$ computes

  $$\begin{array}{lll}{k}_{\eta +1}=\psi (s{k}_i,m_{\eta +1}^i)& =a_i{m}_{\eta +1}^i{\gamma }_i& \\ & =a_i\psi (\widehat{s{k}_{\eta +1}},m_{\eta }^i){\gamma }_i=a_i{a}_{\eta +1}{m}_{\eta }^i\widehat{{\gamma }_{\eta +1}}{\gamma }_i\\ & & \hfill =a_{\eta +1}{k}_{\eta }{\gamma }_{\eta +1},\end{array}$$

  for $i\in \{1,\dots ,\eta \}$, while the principal $I{D}_{\eta +1}$ computes

  $$\begin{array}{ll}{k}_{\eta +1}=\psi (s{k}_{\eta +1},m_{\eta }^{\eta +1})=a_{\eta +1}\hfill & m_{\eta }^{\eta +1}{\gamma }_{\eta +1}\\ & \hfill =a_{\eta +1}\psi (\widehat{s{k}_{\eta }},m_{\eta -1}^{\eta }){\gamma }_{\eta +1}=a_{\eta +1}{k}_{\eta }{\gamma }_{\eta +1}.\end{array}$$

  This concludes the proof of this first statement.
• To prove this second statement, we can easily adapt the proof of Theorem 1 in [6] to this setting.

   □

5. An Encryption Scheme from Twisted-Skew Group Rings

This section focuses on presenting a public key-encryption scheme that is procured from the two-party key-agreement protocol analyzed in Section 4.2. Our derivation approach mimics a well-known generic approach previously employed to obtain a probabilistic encryption scheme from instances of a key-exchange protocol [4,5,7,12,24] as, for instance, ElGamal encryption [25] being obtained from instances of the Diffie–Hellman protocol [26].

Before presenting our probabilistic public key encryption, we first establish some notation. The public key space is denoted by $\mathcal{PK}={\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G$; the message space is denoted by $\mathcal{M}={\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G$; finally, the ciphertext space is denoted by $\mathcal{C}={\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G$.

We now introduce the public key-encryption scheme $\mathcal{E}=(\mathtt{Gen},\mathtt{Enc},\mathtt{Dec})$. Algorithm 6 describes the function Gen; Algorithm 7 depicts the function Enc; finally, Algorithm 8 presents the function Dec.

Algorithm 6 generates a key pair

1: function Gen($\mathtt{h}\in {\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G$) 2:     $({\mathtt{a}}_1,{\gamma }_1)\stackrel{R}{\leftarrow }\mathcal{SK};$ 3:     $\mathtt{sk}\leftarrow ({\mathtt{a}}_1,{\gamma }_1);$ 4:     $\mathtt{pk}\leftarrow \psi (\mathtt{sk},h);$ 5:     return $\mathtt{sk},\mathtt{pk};$ 6: end function

Algorithm 7 encrypts a message and returns a ciphertext

1: function  Enc($\mathtt{m}\in \mathcal{M},\mathtt{pk}\in \mathcal{PK},{\mathtt{r}}_2\in \mathcal{SK},\mathtt{h}\in {\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G$) 2:     $({\mathtt{a}}_2,{\gamma }_2)\leftarrow {\mathtt{r}}_2;$ 3:     ${\mathtt{c}}_1\leftarrow \psi (({\mathtt{a}}_2,{\gamma }_2),h);$ 4:     ${\mathtt{c}}_2\leftarrow \mathtt{m}+\psi (({\mathtt{a}}_2,\widehat{{\gamma }_2}),pk);$ 5:     $\mathtt{c}\leftarrow ({\mathtt{c}}_1,{\mathtt{c}}_2);$ 6:     return $\mathtt{c};$ 7: end function

Algorithm 8 decrypts a ciphertext and returns a message

1: function   Dec($\mathtt{c}\in \mathcal{C},\mathtt{sk}\in \mathcal{SK}$) 2:     $({\mathtt{c}}_1,{\mathtt{c}}_2)\leftarrow \mathtt{c};$ 3:     $\mathtt{k}\leftarrow \psi (\widehat{\mathtt{sk}},{\mathtt{c}}_1);$ 4:     $\mathtt{m}\leftarrow {\mathtt{c}}_2-\mathtt{k};$ 5:     return $\mathtt{m};$ 6: end function

Theorem 3.

Let  h  be a public element in ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G$, and let $\mathcal{E}$ be the public key-encryption scheme:

• For any message $m\in \mathcal{M}$, ${\mathcal{r}}_2\stackrel{R}{\leftarrow }\mathcal{SK}$ and $(\mathcal{pk},\mathcal{sk})\leftarrow \mathcal{Gen}\left(\mathcal{h}\right),$ it holds that

  $$m\leftarrow \mathcal{Dec}(\mathcal{Enc}(m,\mathcal{pk},r_2,h),\mathcal{sk})$$
• If the DTSP assumption holds for ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G$, then $\mathcal{E}$ is semantically secure.

Proof. 

The proofs of these two items are an adaptation of the proofs of Lemma $5.1$ and Theorem $5.2$, respectively, from [7]:

• Given $\mathtt{m}\in \mathcal{M}$, ${\mathtt{r}}_2\in \mathcal{SK}$ uniformly chosen at random and $(\mathtt{pk},\mathtt{sk})\leftarrow \mathtt{Gen}\left(\mathtt{h}\right)$, then we have

  $$({\mathtt{c}}_1={\mathtt{a}}_2\mathtt{h}{\gamma }_2,{\mathtt{c}}_2=\mathtt{m}+{\mathtt{a}}_2\mathtt{pk}{\widehat{\gamma }}_2)\leftarrow \mathtt{Enc}(\mathtt{m},\mathtt{pk},{\mathtt{r}}_2,\mathtt{h}).$$
  By calling $\mathtt{Dec}(({\mathtt{c}}_1,{\mathtt{c}}_2),\mathtt{sk})$, then

  $$\mathtt{k}={\mathtt{a}}_1{\mathtt{c}}_1{\widehat{\gamma }}_1={\mathtt{a}}_1{\mathtt{a}}_2\mathtt{h}{\gamma }_2{\widehat{\gamma }}_1={\mathtt{a}}_2{\mathtt{a}}_1\mathtt{h}{\gamma }_1{\widehat{\gamma }}_2={\mathtt{a}}_2\mathtt{pk}{\widehat{\gamma }}_2,$$

  and therefore,

  $${\mathtt{c}}_2-\mathtt{k}=\mathtt{m}+{\mathtt{a}}_2\mathtt{pk}{\widehat{\gamma }}_2-{\mathtt{a}}_2\mathtt{pk}{\widehat{\gamma }}_2=\mathtt{m}.$$
• For this statement, we consider an efficient adversary $\mathcal{A}$ and define ${\mathtt{Game}}_0$ as the semantic security (SS) attack game against $\mathcal{A}$. Algorithm 9 depicts ${\mathtt{Game}}_0$.

  Algorithm 9 depicts attack games defined for the proof of Theorem 3

  1: function  ${\mathtt{Game}}_0$  2:     $(({\mathtt{a}}_1,{\gamma }_1),{\mathtt{pk}}_1)\stackrel{R}{\leftarrow }\mathtt{Gen}\left(h\right)$;  3:     $({\mathtt{m}}_0,{\mathtt{m}}_1)\leftarrow \mathcal{A}\left({\mathtt{pk}}_1\right)$;  4:     $\mathtt{b}\stackrel{R}{\leftarrow }\{0,1\}$;  5:     $({\mathtt{a}}_2,{\gamma }_2)\stackrel{R}{\leftarrow }\mathcal{SK}$; ${\mathtt{pk}}_2\leftarrow {\mathtt{a}}_{2}h{\gamma }_2$;  6:     $\mathtt{k}\leftarrow {\mathtt{a}}_2{\mathtt{pk}}_1\widehat{{\gamma }_2}$;  7:     $\mathtt{c}\leftarrow {\mathtt{m}}_b+\mathtt{k}$;  8:     $\tilde{\mathtt{b}}\leftarrow \mathcal{A}({\mathtt{pk}}_1,{\mathtt{pk}}_2,\mathtt{c})$;  9:     return $\left[[\mathtt{b}=\tilde{\mathtt{b}}]\right]$; 10: end function

  1: function   ${\mathtt{Game}}_1$  2:     $(({\mathtt{a}}_1,{\gamma }_1),{\mathtt{pk}}_1)\stackrel{R}{\leftarrow }\mathtt{Gen}\left(h\right)$;  3:     $({\mathtt{m}}_0,{\mathtt{m}}_1)\leftarrow \mathcal{A}\left({\mathtt{pk}}_1\right)$;  4:     $\mathtt{b}\stackrel{R}{\leftarrow }\{0,1\}$;  5:     $({\mathtt{a}}_2,{\gamma }_2)\stackrel{R}{\leftarrow }\mathcal{SK}$; ${\mathtt{pk}}_2\leftarrow {\mathtt{a}}_{2}h{\gamma }_2$;  6:     $({\mathtt{a}}_3,{\gamma }_3)\stackrel{R}{\leftarrow }\mathcal{SK}$; $\mathtt{k}\leftarrow {\mathtt{a}}_{3}h{\gamma }_3$;  7:     $\mathtt{c}\leftarrow {\mathtt{m}}_b+\mathtt{k}$;  8:     $\tilde{\mathtt{b}}\leftarrow \mathcal{A}({\mathtt{pk}}_1,{\mathtt{pk}}_2,\mathtt{c})$;  9:     return $\left[[\mathtt{b}=\tilde{\mathtt{b}}]\right]$; 10: end function

  Recall $\left[[\mathtt{b}=\tilde{\mathtt{b}}]\right]$ denotes a Boolean value. In particular, $\left[[\mathtt{b}=\tilde{\mathtt{b}}]\right]$ is 0 if both $\mathtt{b}$ and $\tilde{\mathtt{b}}$ differ, or 1 otherwise. In ${\mathtt{Game}}_0$, $\mathcal{A}$ sends the challenger two messages ${\mathtt{m}}_0,{\mathtt{m}}_1\in \mathcal{M}$ of the same length in bits.
  Let us define $S_0$ as the event of ${\mathtt{Game}}_0$ returning 1, then $\mathcal{A}$’s SS-advantage is given by $\left|Pr\right[S_0]-1/2|$. The proof essentially will show that $\left|Pr\right[S_0]-1/2|$ is negligible if the DTSP assumption holds. Let us define ${\mathtt{Game}}_1$ by modifying ${\mathtt{Game}}_0$ as shown in Algorithm 9.
  Let us define $S_1$ as the event of ${\mathtt{Game}}_1$ outputting 1. From ${\mathtt{Game}}_1$, it is clear that $\mathtt{b}$, ${\mathtt{pk}}_1$, ${\mathtt{pk}}_2$, and $\mathtt{c}$ are mutually independent; so are $\mathtt{b}$ and $\tilde{\mathtt{b}}\leftarrow \mathcal{A}({\mathtt{pk}}_1,{\mathtt{pk}}_2,\mathtt{c})$, and hence, $Pr\left[S_1\right]=1/2$.
  We now demonstrate an adversary $\mathcal{B}$ that performs the DTSP attack game 3 defined in Section 3. In particular, the adversary $\mathcal{B}$ will assume the role of challenger for $\mathcal{A}$, and its part is as follows. $\mathcal{B}$ will first communicate with its own challenger from which it will receive the three-tuple $({\mathtt{pk}}_1,{\mathtt{pk}}_2,\mathtt{k})$. It then forwards ${\mathtt{pk}}_1$ to $\mathcal{A}$. When it obtains $({\mathtt{m}}_0,{\mathtt{m}}_1)$ from $\mathcal{A}$, then $\mathcal{B}$ chooses a bit $\mathtt{b}$ at random, computes $\mathtt{c}\leftarrow {\mathtt{m}}_b+\mathtt{k}$, and transmits $({\mathtt{pk}}_1,{\mathtt{pk}}_2,\mathtt{c})$ to $\mathcal{A}$. Once $\mathcal{B}$ finally procures a final response bit $\tilde{\mathtt{b}}$ by $\mathcal{A}$, it returns $\left[[\mathtt{b}=\tilde{\mathtt{b}}]\right]$ in the DTSP attack game. Clearly, $\mathcal{B}$ is an efficient adversary, since $\mathcal{A}$ is also an efficient adversary.
  Recall that $W_{\overline{b}}$ is the event that $\mathcal{B}$ outputs 1 in game $\mathtt{DTSP}\left(\overline{\mathtt{b}}\right)$; thus, $\mathcal{B}$’s advantage for solving the DTSP problem for ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G$ is given by

  $$\mathrm{DTSPadv}[\mathcal{A},{\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G]=|\mathrm{Pr}\left[W_0\right]-\mathrm{Pr}\left[W_1\right]|.$$
  A key observation here is the following.
  On the one hand, whenever $\mathcal{B}$’s challenger is playing game $\mathtt{DTSP}\left(0\right)$, $\mathcal{A}$ is in turn playing ${\mathtt{Game}}_0$, since $\mathcal{B}$ obtains from its challenger

  $$({\mathtt{pk}}_1={\mathtt{a}}_{1}h{\gamma }_1,{\mathtt{pk}}_2={\mathtt{a}}_{2}h{\gamma }_2,\mathtt{k}={\mathtt{a}}_2{\mathtt{pk}}_1\widehat{{\gamma }_2}).$$
  Therefore, $Pr\left[W_0\right]=Pr\left[S_0\right]$.
  On the other hand, whenever $\mathcal{B}$’s challenger is playing Game $\mathtt{DTSP}\left(1\right)$, $\mathcal{A}$ is in turn playing ${\mathtt{Game}}_1$, because $\mathcal{B}$ obtains from its challenger

  $$({\mathtt{pk}}_1={\mathtt{a}}_{1}h{\gamma }_1,{\mathtt{pk}}_2={\mathtt{a}}_{2}h{\gamma }_2,\mathtt{k}={\mathtt{a}}_{3}h{\gamma }_3).$$
  Therefore, $Pr\left[W_1\right]=Pr\left[S_1\right].$
  By hypothesis, $|Pr\left[W_0\right]-Pr\left[W_1\right]|$ is negligible; therefore, $\left|Pr\right[S_0]-1/2|$ is negligible, and the assertion follows.

   □

6. A Key-Encapsulation Mechanism from Twisted-Skew Group Rings

In this section, we will focus on deriving a CCA-secure key-encapsulation mechanism from our probabilistic public key encryption $\mathcal{E}$. To accomplish this task, we will apply a generic transformation from [27] to $\mathcal{E}$. We will next describe this generic transformation a bit more.

Let $\mathtt{PKE}=(\mathtt{Gen},\mathtt{Enc},\mathtt{Dec})$ be a public key-encryption scheme with message space $\mathcal{M}$, ciphertext space $\mathcal{C}$, and randomness space $\mathcal{R}$. Let $\mathtt{KeyLength}\in \mathbb{N}$ and $\mathcal{G}:\mathcal{M}\to \mathcal{R}$ and $\mathcal{H}:{\{0,1\}}^{*}\to {\{0,1\}}^{\mathtt{KeyLength}}$ be hash functions. This transformation is a variant of the Fujisaki–Okamoto transformation with “implicit rejection” of inconsistent ciphertexts. Formally, it is defined as KEM = K0 $(\mathtt{PKE},\mathcal{G},\mathcal{H}):=$ U $[\mathrm{T}[\mathtt{PKE},\mathcal{G}],\mathcal{H}]=(\mathtt{Gen},\mathtt{Encaps},\mathtt{Decaps})$ (see [27] for more details). Algorithm 10 summarizes functions $(\mathtt{Gen},\mathtt{Encaps},\mathtt{Decaps})$ after applying the transformation to PKE, converting it into a CCA-secure key-encapsulation mechanism. We remark that the proof that this generic transformation converts a public key encryption scheme into a CCA-secure key-encapsulation mechanism may be found in [27].

Algorithm 10 depicts the CCA-secure key-encapsulation mechanism $(\mathtt{Gen},\mathtt{Encaps},\mathtt{Decaps})$ from $\mathtt{PKE}$
1: function$\mathtt{Gen}$() 2:     $(\mathtt{pk},\mathtt{sk})\leftarrow \mathtt{PKE}.\mathtt{Gen}$; 3:     $\mathtt{s}\stackrel{R}{\leftarrow }\mathcal{M}$; 4:     ${\mathtt{sk}}^{\prime }\leftarrow (\mathtt{sk},s)$; 5:     return $({\mathtt{sk}}^{\prime },\mathtt{pk})$; 6: end function 1: function  $\mathtt{Encaps}$($\mathtt{pk}$) 2:     $\mathtt{m}\stackrel{R}{\leftarrow }\mathcal{M}$;	1: function  $\mathtt{Decaps}$(${\mathtt{sk}}^{\prime }=(\mathtt{sk},\mathtt{s}),\mathtt{c}$) 2:     ${\mathtt{m}}^{\prime }\leftarrow \mathtt{PKE}.\mathtt{Dec}(\mathtt{sk},\mathtt{c})$; 3:     if $\mathtt{c}=\mathtt{PKE}.\mathtt{Enc}(\mathtt{pk},{\mathtt{m}}^{\prime },\mathcal{G}\left(m^{\prime }\right))$ then 4:         return $\mathcal{H}({\mathtt{m}}^{\prime },\mathtt{c})$; 5:     else 6:         return $\mathcal{H}(\mathtt{s},\mathtt{c})$; 7:     end if 8: end function
3:     $\mathtt{c}\leftarrow \mathtt{PKE}.\mathtt{Enc}(\mathtt{pk},m,\mathcal{G}(m\left)\right)$; 4:     $\mathtt{k}\leftarrow \mathcal{H}(\mathtt{m},\mathtt{c})$; 5:     return $(\mathtt{k},\mathtt{c})$; 6: end function

To apply this transformation to our scheme $\mathcal{E}$, we proceed by establishing the following. Let $\mathcal{K}={\{0,1\}}^{\mathtt{KeyLength}}$ be the key space and $\mathtt{BinaryRep}\left(x\right)$ be a function that returns the binary representation of x. Furthermore, recall that the randomness space is $\mathcal{SK}={\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}N\times {\Gamma }_{{\theta }_{\sigma },{\alpha }_{\lambda }}$, the public key space is $\mathcal{PK}={\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G$, the message space is $\mathcal{M}={\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G$, and the ciphertext space is $\mathcal{C}={\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G$. Finally, we will define the hash function ${\mathcal{H}}_1$ and ${\mathcal{H}}_2$ as follows:

• ${\mathcal{H}}_1:{\{0,1\}}^{*}⟶\mathcal{SK}$ is a hash function, which, upon the input of a variable-length bit string $\mathtt{x}$, returns $(\mathtt{a},\gamma )\in \mathcal{SK}$. Using the notation of [28], this function may be defined as ${\mathcal{H}}_1\left(\mathtt{x}\right)={\mathtt{SHAKE}}_{256}(\mathtt{x},\zeta )$, where $\zeta =2\lceil {log}_2\left(q\right)\rceil (n+\lceil \frac{n}{2}\rceil )$ is the bit length of the output and $\left|N\right|=\left|G\right|/2=n$. The bit string $\mathtt{bitstring}$ returned by ${\mathtt{SHAKE}}_{256}$ can be converted into a element in $\mathcal{SK}$ by carefully dividing the bit string into two parts, the first of length $2\lceil {log}_2\left(q\right)\rceil n$ bits and the second of length $2\lceil {log}_2\left(q\right)\rceil \lceil \frac{n}{2}\rceil$ bits, each being employed to derive $\mathtt{a},\gamma$, respectively.
  Let ${\mathtt{m}}_1,{\mathtt{m}}_2\in \mathcal{M}$, and we define $\mathcal{G}({\mathtt{m}}_1,{\mathtt{m}}_2):={\mathcal{H}}_1\left(\mathtt{BinaryRep}\left({\mathtt{m}}_1\right)\left|\right|\mathtt{BinaryRep}\left({\mathtt{m}}_2\right)\right).$
• ${\mathcal{H}}_2:{\{0,1\}}^{*}⟶\mathcal{K}$ is a hash function that, upon the input of a variable-length bit string $\mathtt{x}$, returns $\mathtt{k}\in \mathcal{K}$. This function may be defined as ${\mathcal{H}}_2\left(\mathtt{x}\right)={\mathtt{SHAKE}}_{256}({\mathtt{p}}_1\left|\right|\mathtt{x},\mathtt{KeyLength})$, where $\mathtt{KeyLength}$ is the bit length of the output and ${\mathtt{p}}_1$ is a prepended fixed bit string to make it different from ${\mathcal{H}}_1$.
  Let $\mathtt{m},\mathtt{c}\in \mathcal{M}$. We define $\mathcal{H}(\mathtt{m},\mathtt{c}):={\mathcal{H}}_2\left(\mathtt{BinaryRep}\left(\mathtt{m}\right)\left|\right|\mathtt{BinaryRep}\left(\mathtt{c}\right)\right)$.

After applying the generic transformation to $\mathcal{E}$, i.e., U$[\mathrm{T}[\mathcal{E},\mathcal{G}],\mathcal{H}]$, we obtain $\mathtt{KEM}=(\mathtt{KeyGen},\mathtt{Encaps},\mathtt{Decaps}).$ Algorithm 11 describes the functions KeyGen, Encaps and Decaps.

Algorithm 11 depicts the CCA-secure key-encapsulation mechanism $(\mathtt{KeyGen},\mathtt{Encaps},\mathtt{Decaps})$ from $\mathcal{E}$
1: functionKeyGen($\mathtt{h}$) 2:     $(\mathtt{pk},\mathtt{sk})\leftarrow \mathcal{E}.\mathtt{Gen}\left(\mathtt{h}\right);$ 3:     $\mathtt{s}\stackrel{R}{\leftarrow }\mathcal{M};$ 4:     return $(\mathtt{sk},\mathtt{s},\mathtt{pk});$ 5: end function 1: function  Encaps($\mathtt{pk},\mathtt{h}$) 2:     $\mathtt{m}\stackrel{R}{\leftarrow }\mathcal{M};$ 3:     $\mathtt{r}\leftarrow \mathcal{G}(\mathtt{m},\mathtt{pk});$	1: function  Decaps($(\mathtt{sk},\mathtt{s},\mathtt{pk}),\mathtt{c},\mathtt{h}$) 2:     ${\mathtt{m}}^{\prime }\leftarrow \mathcal{E}.\mathtt{Dec}(\mathtt{c},\mathtt{sk});$ 3:     ${\mathtt{r}}^{\prime }\leftarrow \mathcal{G}({\mathtt{m}}^{\prime },\mathtt{pk});$ 4:     if $\mathtt{c}=\mathcal{E}.\mathtt{Enc}({\mathtt{m}}^{\prime },\mathtt{pk},{\mathtt{r}}^{\prime },\mathtt{h})$ then 5:         return $\mathcal{H}({\mathtt{m}}^{\prime },\mathtt{c});$ 6:     else 7:         return $\mathcal{H}(\mathtt{s},\mathtt{c});$ 8:     end if 9: end function
4:     $\mathtt{c}\leftarrow \mathcal{E}.\mathtt{Enc}(\mathtt{m},\mathtt{pk},\mathtt{r},\mathtt{h});$ 5:     $\mathtt{K}\leftarrow \mathcal{H}(\mathtt{m},\mathtt{c});$ 6:     return $(\mathtt{K},\mathtt{c});$ 7: end function

7. Implementation of Our Cryptographic Constructions

The proof-of-concept implementation of our cryptographic constructions was coded in Python. The interested reader can see it on Google Colaboratory [29].

7.1. Group Representation

Recall that $G=N\cup Ny$, where $\left|N\right|=\left|G\right|/2=n$. For our protocols, we only considered $G\in \{D,\mathfrak{G},\mathfrak{M},\mathfrak{Q}\}$. For any choice, $N=⟨x^i⟩$ is a cyclic group, and thus, a group element $g\in G$ is of the form $g=x^i{y}^j$, which may be represented as an integer $\mathtt{g}=j·n+i$, where $i\in \{0,\dots ,n-1\}$ and $j\in \{0,1\}.$

The computation of the integer representation of either $g_1·g_2$ or $g_1^{-1}$, $g_1,g_2\in G$, will hinge on the form of the group elements and the specific presentation of G. Note that, by exploiting each group presentation, explicit formulae can be derived to compute both $g_1·g_2$ and $g_1^{-1}$ efficiently. The interested reader can see the implementation [29].

7.2. Two-Cocycle ${\alpha }_{\lambda }$

The function $\mathtt{2}\mathtt{cocycle}(k_1,k_2)$ takes two group element representations, $k_1$ and $k_2$, as the input, then the function returns $\lambda$ if $n\le k_1<2n$ and $n\le k_2<2n$. Otherwise, it returns 1.

7.3. Homomorphism ${\theta }_{\sigma }$

The function $\mathtt{homomorphism}\left(k_1\right)$ takes a group element representation, $k_1$, as the input, then this function returns a pointer to the function $\sigma$ if $n\le k_1<2n$. Otherwise, it returns a pointer to the identity function I. Algorithm 12 shows both functions.

Algorithm 12 presents functions involved in computing the homomorphism ${\theta }_{\sigma }$
1: function  $\sigma$($a\in {\mathbb{F}}_{q^2}$)  2:     $[b_s,b_{s-1},\dots ,b_0]\leftarrow \mathtt{BinaryRep}\left(q\right);$  3:     $r\leftarrow \mathtt{getOneFromQuadraticField}\left(\right);$	1: function  $\mathtt{I}$($a\in {\mathbb{F}}_{q^2}$) 2:     return a 3: end function
4:     for $i\leftarrow sto0$ do  5:         $r\leftarrow r·r$;  6:         if $b_i=1$ then  7:            $r\leftarrow r·a$;  8:         end if  9:     end for 10:     return r; 11: end function

7.4. The Twisted-Skew Group Ring ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G$

To represent an element $a={\sum }_{i=0}^{n-1}{a}_i{x}^i+{\sum }_{i=0}^{n-1}{a}_{n+i}{x}^{i}y$ in the group ring ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G$, we make use of an array of $2n$ field elements $\mathtt{a}=[{\mathtt{a}}_0,{\mathtt{a}}_1,{\mathtt{a}}_2,\dots ,{\mathtt{a}}_{2n-1}]$, where ${\mathtt{a}}_i$ is the representation of the field element $a_i\in {\mathbb{F}}_{q^2}$. Algorithms 13 and 14 describe the addition and product operations, respectively.

Algorithm 13 computes the addition of two ring elements

1: function   addition($\mathtt{a},\mathtt{b}$) 2:     $\mathtt{c}\leftarrow [\mathtt{0},\cdots ,\mathtt{0}]$; 3:     for $(i\leftarrow 0;i<2n;i\leftarrow i+1)$ do 4:         $\mathtt{c}\left[i\right]\leftarrow \mathtt{a}\left[i\right]+\mathtt{b}\left[i\right]$; 5:     end for 6:     return c; 7: end function

Algorithm 14 computes the product of two ring elements

1: function  product($\mathtt{a},\mathtt{b}$)  2:     $\mathtt{c}\leftarrow [\mathtt{0},\cdots ,\mathtt{0}]$;  3:     for $(i\leftarrow 0;i<2n;i\leftarrow i+1)$ do  4:         for $(j\leftarrow 0;j<2n;j\leftarrow j+1)$ do  5:            $k\leftarrow \mathtt{G}.\mathtt{eval}(i,j)$;  6:            $\mathtt{outH}\leftarrow \mathtt{homomorphism}\left(i\right)\left(\mathtt{b}\right[j\left]\right)$;  7:            $\mathtt{out}\mathtt{2}\mathtt{c}\leftarrow \mathtt{2}\mathtt{cocylce}(i,j)$;  8:            $\mathtt{fe}\leftarrow \mathtt{a}\left[i\right]·\mathtt{outH}·\mathtt{out}\mathtt{2}\mathtt{c}$;  9:            $\mathtt{c}\left[k\right]\leftarrow \mathtt{c}\left[k\right]+\mathtt{fe}$; 10:         end for 11:     end for 12:     return c; 13: end function

Addition and Product Costs

We now quantify the cost of Algorithms 13 and 14. Let us denote

• $\mathtt{FA}$ and $\mathtt{FM}$ as the costs of a field addition and a field multiplication respectively.
• $\mathtt{GE}$ and $\mathtt{HC}$ as bounds on the cost of calling $\mathtt{G}.\mathtt{eval}(i,j)$ and the number of field multiplications to compute $\mathtt{homomorphism}\left(i\right)\left(b\right[j\left]\right)$ respectively.
• ${\mathtt{C}}_{{\alpha }_{\lambda }}$ as the constant cost of executing $\mathtt{2}\mathtt{cocylce}(i,j)$.

On the one hand, Algorithm 13 has a cost of $2n\mathtt{FA}$ when computing a ring element $\mathtt{c}$. On the other hand, Algorithm 14 has a cost of $4n^2(\mathtt{FA}+(2+\mathtt{HC})\mathtt{FM}+\mathtt{GE}+{\mathtt{C}}_{{\alpha }_{\lambda }})$.

7.5. Auxiliary Functions

As auxiliary functions, we implemented the following functions:

• Algorithm 15 computes the adjunct of a ring element, and its cost is $2n(\mathtt{GI}+(\mathtt{HC}+1)\mathtt{FM}+{\mathtt{C}}_{{\alpha }_{\lambda }})$, where $\mathtt{GI}$ is a bound on the cost of calling $\mathtt{G}.\mathtt{inverse}\left(i\right)$.
• Functions for computing random elements in different sets are implemented. They are described in Algorithm 16.

Algorithm 15 computes the adjunct of a ring element

1: function   adjunct($\mathtt{a}$)  2:     $\mathtt{c}\leftarrow [\mathtt{0},\cdots ,\mathtt{0}]$;  3:     for $(i\leftarrow 0;i<2n;i\leftarrow i+1)$ do  4:         $j\leftarrow \mathtt{inverse}\left(i\right)$;  5:         ${\mathtt{f}}_1\leftarrow \mathtt{homomorphism}\left(j\right)\left(\mathtt{a}\left[i\right]\right);$  6:         ${\mathtt{f}}_2\leftarrow \mathtt{2}\mathtt{cocylce}(i,j);$  7:         $\mathtt{c}\left[j\right]\leftarrow {\mathtt{f}}_1·{\mathtt{f}}_2$;  8:     end for  9:     return c 10: end function

Algorithm 16 presents functions for computing a random element in different sets
1: function   $\mathtt{GETPUBLICELEMENT}$()  2:     ${\mathtt{sw}}_1\leftarrow \mathbf{False}$;  3:     while $\mathtt{not}{\mathtt{sw}}_1$ do  4:         $\mathtt{a}\leftarrow \mathtt{getRandomFG}\left(\right)$;  5:         $i\leftarrow 0$;  6:         ${\mathtt{sw}}_2\leftarrow \mathbf{False}$;  7:         while $i<n\mathtt{and}\mathtt{not}{\mathtt{sw}}_2$ do  8:            if $\mathtt{a}\left[i\right]\ne \mathtt{0}$ then  9:                ${\mathtt{sw}}_2\leftarrow \mathbf{True}$; 10:            end if 11:            $i\leftarrow i+1$; 12:         end while 13:         $i\leftarrow n$; 14:         ${\mathtt{sw}}_3\leftarrow \mathbf{False}$; 15:         while $i<2n\mathtt{and}\mathtt{not}{\mathtt{sw}}_3$ do 16:            if $\mathtt{a}\left[i\right]\ne \mathtt{0}$ then 17:                ${\mathtt{sw}}_3\leftarrow \mathbf{True}$; 18:            end if 19:            $i\leftarrow i+1$; 20:         end while 21:         ${\mathtt{sw}}_1\leftarrow {\mathtt{sw}}_2\mathtt{and}{\mathtt{sw}}_3$; 22:     end while	1: function  $\mathtt{GETRANDOMFG}$() 2:     $\mathtt{c}\leftarrow [\mathtt{0},\cdots ,\mathtt{0}]$; 3:     for $(i\leftarrow 0;i<2n;i\leftarrow i+1)$ do 4:         $\mathtt{c}\left[i\right]\leftarrow \mathtt{getRandomFieldElement}\left(\right)$; 5:     end for 6:     return c; 7: end function 1: function  $\mathtt{GETRANDOMFH}$() 2:     $\mathtt{c}\leftarrow [\mathtt{0},\cdots ,\mathtt{0}]$; 3:     for $(i\leftarrow 0;i<n;i\leftarrow i+1)$ do 4:         $\mathtt{c}\left[i\right]\leftarrow \mathtt{getRandomFieldElement}\left(\right)$; 5:     end for 6:     return c; 7: end function 1: function  $\mathtt{GETRANDOMFHY}$() 2:     $\mathtt{c}\leftarrow [\mathtt{0},\cdots ,\mathtt{0}]$; 3:     for $(i\leftarrow n;i<2n;i\leftarrow i+1)$ do 4:         $\mathtt{c}\left[i\right]\leftarrow \mathtt{getRandomFieldElement}\left(\right)$; 5:     end for 6:     return c; 7: end function
23:     return a; 24: end function  1: function  $\mathtt{GETRANDOMFROMT}$()  2:     $\mathtt{c}\leftarrow [\mathtt{0},\cdots ,\mathtt{0}]$;  3:     $\mathtt{c}\left[n\right]\leftarrow \mathtt{getRandomFieldElement}\left(\right)$;  4:     $n_1\leftarrow n/2$;  5:     for $(i\leftarrow 1;i\le n_1;i\leftarrow i+1)$ do  6:         $\mathtt{c}[i+n]\leftarrow \mathtt{getRandomFieldElement}\left(\right)$;  7:         $\mathtt{c}[n+(n-i\left)\mathrm{mod}n\right]\leftarrow \mathtt{c}[i+n]$;  8:     end for  9:     return c; 10: end function

7.6. Key Sizes

We next provide estimates for the memory sizes in bits required to store both a public key and a private key.

A field element requires $\mathtt{NFE}=2\lceil {log}_2\left(q\right)\rceil$ bits. On the one hand, a public key $\mathtt{pk}\in \mathcal{PK}$ is a ring element, which can be stored as an array of $\left|G\right|$ field elements. Therefore, storing a public key requires $\left|G\right|·\mathtt{NFE}$ bits.

On the other hand, a private key $(\mathtt{a},\gamma )\in \mathcal{SK}$ is a pair of two ring elements. Therefore, storing a full private key requires $2·\left|G\right|·\mathtt{NFE}$ bits. This number of bits can be decreased further if the form of the private key is exploited. Note that, since $(\mathtt{a},\gamma )\in {\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}N\times {\Gamma }_{{\theta }_{\sigma },{\alpha }_{\lambda }}$, only $n+\lceil \frac{n}{2}\rceil$ field elements need storing, and hence, a compressed private key requires $(n+\lceil \frac{n}{2}\rceil )·\mathtt{NFE}$ bits. For completeness, Algorithms 17 and 18 describe the process of compressing and decompressing a private key, respectively.

Algorithm 17 compresses a private key

1: function   $\mathtt{COMPRESSPRIVATEKEY}$($\mathtt{sk}\in \mathcal{SK}$)  2:     $\mathtt{l}\leftarrow n+\lceil n/2\rceil$;  3:     $\mathtt{c}\leftarrow [{\mathtt{0}}_0,\cdots ,{\mathtt{0}}_{l-1}]$;  4:     for $(i\leftarrow 0;i<n;i\leftarrow i+1)$ do  5:         $\mathtt{c}\left[i\right]\leftarrow \mathtt{a}\left[i\right]$;  6:     end for  7:     for $(i\leftarrow n;i<\mathtt{l};i\leftarrow i+1)$ do  8:         $\mathtt{c}\left[i\right]\leftarrow \gamma [n+i]$;  9:     end for 10:     return c; 11: end function

Algorithm 18 decompresses a private key

1: function   $\mathtt{DECOMPRESSPRIVATEKEY}$($\mathtt{sk}$)  2:     $\mathtt{l}\leftarrow \lceil n/2\rceil$;  3:     $\mathtt{a}\leftarrow [{\mathtt{0}}_0,\cdots ,{\mathtt{0}}_{2n-1}]$;  4:     $\gamma \leftarrow [{\mathtt{0}}_0,\cdots ,{\mathtt{0}}_{2n-1}]$;  5:     for $(i\leftarrow 0;i<n;i\leftarrow i+1)$ do  6:         $\mathtt{a}\left[i\right]\leftarrow \mathtt{sk}\left[i\right]$;  7:     end for  8:     $\gamma \left[n\right]\leftarrow \mathtt{sk}\left[n\right]$;  9:     for $(i\leftarrow 1;i<\mathtt{l};i\leftarrow i+1)$ do 10:         $\gamma [n+i]\leftarrow \mathtt{sk}[n+i]$; 11:         $\gamma [2n-i]\leftarrow \mathtt{sk}[n+i]$; 12:     end for 13:     return $(\mathtt{a},\gamma )$; 14: end function

7.7. Parameter Choices

In reference to our key-encapsulation mechanism, we suggest using the parameters displayed by Table 1, which supplies varying and increasing security levels. Table 1 displays four sets of parameters, where $\mathtt{KeyLength}\in \{128,192,256\}$ denotes the output key length. The values displayed in the column labeled as “Level of Security in Bits” have been computed as proposed in [7]. The interested reader may see our implementation here [29].

Table 1. Proposed parameters.

p	m	n	Group	KeyLength (bits)	Level of Security in Bits
19	1	20	Dihedral	$\{128,192,256\}$	130
19	1	23	Dihedral	$\{128,192,256\}$	149
19	1	32	Any of the four candidate groups	$\{128,192,256\}$	207
19	1	64	Any of the four candidate groups	$\{128,192,256\}$	410

7.8. Potential Applications

We believe that our protocols might find applications in environments like the Internet of Things (IoT) for various reasons. One first reason is that they may potentially be implemented in constrained devices and the overhead of running them in those devices might be small. This viewpoint stems from observing that the algorithms involved in computing encryptions (or shared keys) are relatively simple, as evinced in this section. Secondly, the key sizes are relatively small compared to other schemes [3], which offers an advantage for storing purposes. Furthermore, we remark that the study on the deployability of post-quantum cryptographic algorithms on constrained devices is of current interest, as evidenced in [30]. On the other hand, we also believe that it might be possible to derive password authentication key exchange (PAKE) protocols from our protocols. If so, these PAKE protocols are versatile and may be used in many scenarios, such as credential recovery, device paring, and end-to-end (E2E)-secure channels, as shown in [31]. However, our protocols per se might be adapted and used in some of those potential scenarios, particularly E2E-secure channels.

8. Conclusions

This paper introduced the twisted-skew group ring ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma },{\alpha }_{\lambda }}G$, where ${\alpha }_{\lambda }$ is a two-cocycle, ${\theta }_{\sigma }$ a group homomorphism, and G a finite group of even order with $N\le G$ such that $\left|N\right|=\left|G\right|/2=n$, i.e., $[G:N]=2$, and hence, $G=N\cup Ny$ with $y\in G\setminus N$. Over this algebraic platform, we built several cryptographic constructions following a incremental-like methodology. In particular, we first introduced a two-party key-agreement protocol and its generalization. Additionally, we derived a probabilistic public key encryption from the two-party key-agreement protocol and key-encapsulation mechanism from the probabilistic public key encryption.

As a future research direction, it would be interesting to explore the possibility of constructing other key-exchange protocols from twisted-skew group rings, namely a password authentication key exchange protocol, which might be suitable in environments like the IoT.