Nothing Special   »   [go: up one dir, main page]

Next Article in Journal
Improve Parallel Resistance of Hashcash Tree
Previous Article in Journal
Efficient and Universal Merkle Tree Inclusion Proofs via OR Aggregation
You seem to have javascript disabled. Please note that many of the page functionalities won't work as expected without javascript enabled.
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Public Key Protocols from Twisted-Skew Group Rings

by
Javier de la Cruz
1,*,
Edgar Martínez-Moro
2,
Steven Muñoz-Ruiz
3 and
Ricardo Villanueva-Polanco
4
1
Department of Mathematics and Statistics, Universidad del Norte, Barranquilla 081007, Colombia
2
Institute of Mathematics, Universidad de Valladolid, 47011 Valladolid, Spain
3
Department of Mathematics, University of Miami, Coral Gables, FL 33146, USA
4
Cryptography Research Center, Technology Innovation Institute, Abu Dhabi P.O. Box 9639, United Arab Emirates
*
Author to whom correspondence should be addressed.
Cryptography 2024, 8(3), 29; https://doi.org/10.3390/cryptography8030029
Submission received: 3 April 2024 / Revised: 10 June 2024 / Accepted: 13 June 2024 / Published: 5 July 2024

Abstract

:
This article studies some algebraic structures known as twisted-skew group rings in the context of public key cryptography. We first present some background related to these structures to then specifically introduce particular twisted-skew group rings and show how to utilize them as the underlying algebraic structure to build cryptographic protocols. We closely follow an incremental-like methodology to construct these protocols by putting parts together. As as result, we first introduce a key-agreement protocol and then generalize it to a group key-agreement protocol. We then proceed to construct a probabilistic public key encryption from our two-party key agreement and, finally, introduce a key-encapsulation mechanism from a well-known generic construction applied to probabilistic public encryption. Furthermore, we provide an in-depth security analysis for each cryptographic construction under new related algebraic assumptions and supply a proof-of-concept implementation for various candidate chosen groups.

1. Introduction

While the increasingly close possibility of bringing about quantum technology for massive use in the coming years approaches, which will render current public key schemes insecure, the cryptographic community has devoted efforts to design, implement, and deploy quantum-safe public key primitives that replace current public key algorithms. Thus far, many candidates have been proposed via standardization calls for proposals and independent and individual efforts [1,2,3]. Those candidates may roughly be classified into several categories or groups, namely lattice-based schemes, code-based schemes, isogeny schemes, MPC-in-the-Head schemes, multivariate schemes, and symmetric-based schemes [1,2,3].
Nevertheless, recent papers [4,5,6,7] propose different, promising cryptographic schemes based on group ring generalizations, which seem to be quantum-secure [8]. The research articles [5,6,7] introduce cryptographic protocols whose security hinges on algebraic problems defined on the structure of a twisted dihedral group algebra, while [4] presents constructions that are supported on a skew dihedral group ring structure. Specifically, Ref. [7] proposes a two-cocycle α λ to form the twisted algebra F q α λ D 2 n for a non-square λ in the field F q , where D 2 n = x , y : x n = y 2 = 1 , y x y 1 = x 1 is the dihedral group of order 2 n . More precisely, the two-cocycle α λ : D 2 n × D 2 n F q * is defined by α λ ( g , h ) = λ for g = x i y , h = x j y with i , j { 0 , , n 1 } and α λ ( g , h ) = 1 otherwise. Furthermore, following an incremental-like methodology as employed by us in this paper, the authors of [7] introduce a key exchange protocol, a probabilistic public key scheme, and a key-encapsulation mechanism over the twisted algebra F q α λ D 2 n . Furthermore, their constructions and their proof-of-concept implementation are enhanced by exploiting the properties of the twisted algebra. On the other hand, Ref. [4] proposes cryptographic protocols supported on an algebraic structure that is called the skew dihedral group ring. This algebraic platform, denoted by F q 2 θ σ D 2 n , is formed of the dihedral group D 2 n and the group homomorphism described by θ σ ( g ) = σ , where σ ( a ) = a q for all a F q 2 , for g = x i y , i { 0 , , n 1 } , and θ σ ( g ) = 1 otherwise. Furthermore, using an incremental-like methodology, the authors of [4] similarly propose a key-exchange protocol, a probabilistic public key scheme, and a key-encapsulation mechanism over the skew dihedral group ring F q 2 θ σ D 2 n .
Concerning other related works, the research articles [9,10] investigate ideals as codes in twisted-skew group rings. In particular, they characterize all linear codes that are twisted-skew group codes in terms of their automorphism group.
Our main contribution is generalizing previous approaches [4,5,6,7] in the sense that we present a novel algebraic structure, which is a twisted-skew group ring and generalizes those in [4,5,6,7], and exhibit various cryptographic protocols supported on this structure. This structure features a two-cocycle α λ and a group homomorphism θ σ . We particularly consider G to be a finite group of even order and N G such that | N | = | G | / 2 = n , i.e., [ G : N ] = 2 , and hence, G = N N y with y G N . For λ F q * , the map α λ : G × G F q * as α ( g , h ) = λ if g N and h N and α λ ( g , h ) = 1 otherwise is a two-cocycle of the group G over F q . Also, the map θ σ : G Gal ( F q 2 , F q ) defined by θ σ ( g ) = σ if g N and θ σ ( g ) = 1 otherwise is a group homomorphism. We then define the twisted-skew group ring F q 2 θ σ , α λ G , over which we build cryptographic constructions. By closely following an incremental-like methodology as previously used in [4,7], we construct a key-agreement protocol and then generalize it to a group key-agreement protocol. We then proceed to build a probabilistic public key encryption from our two-party key agreement and, finally, introduce a key-encapsulation mechanism from a well-known generic construction applied to the probabilistic public encryption. Furthermore, we provide an in-depth security analysis for each cryptographic construction under new related algebraic assumptions and supply a proof-of-concept implementation for various candidate chosen groups.
The outline of the paper is as follows. In Section 2, we will present background material and formally introduce the twisted-skew group ring over which we will build our cryptographic protocols. Section 3 will formally introduce our intractability assumptions. In particular, we will formally define attack games for the algebraic problems on which the security of our cryptographic constructions rely. Section 4 first gives a detailed account of our two-party key-agreement protocol together with its corresponding security analysis and then focuses on its generalization along with the corresponding security analysis. Section 5 will delineate a probabilistic public key-encryption scheme derived from our two-party key-agreement protocol and the corresponding security analysis. Section 6 will portray our key-encapsulation mechanism derived from the probabilistic public key-encryption scheme from Section 5. In Section 7, we will describe the pseudo-code of our proof-of-concept Python implementation for our cryptographic constructions and conclude this section by hinting at potential applications of our protocols. Finally, Section 8 will conclude our work and outline future research directions.

2. A Twisted-Skew Group Ring

Let G be a finite group and F q be the finite field of order q = p m and characteristic p. We denote the automorphism group of F q by Aut ( F q ) , and Gal ( F q k , F q ) Aut ( F q ) always denotes the group of all automorphisms of F q k that fix F q , which is called the Galois group of F q k over F q . A well-known result is that the Galois group Gal ( F q k , F q ) is a cyclic group of order k and that the Frobenius automorphism σ of F q k over F q is a generator, which is defined as σ ( a ) = a q for all a F q k . Moreover, by Hom ( G , Aut ( F q k ) ) and Hom ( G , Gal ( F q k , F q ) ) , we denote the set of group homomorphisms from G to Aut ( F q k ) and Gal ( F q k , F q ) , respectively. Additionally, the map α : G × G F q { 0 } is called a two-cocycle of G if α ( 1 , 1 ) = 1 and
α ( g , h k ) α ( h , k ) = α ( g h , k ) α ( g , h )
for all g , h , k G . Let Z 2 ( G , F q ) denote the set of all two-cocycles of G.
We say that the cocycle α is stabilized by the group θ ( G ) Aut ( F q ) , if
θ ( g ) α ( x , y ) = α ( x , y )
for all g , x , y G .
For α , β Z 2 ( G , F q * ) , we define α β Z 2 ( G , F q * ) as α β ( g , h ) = α ( g , h ) β ( g , h ) for all g , h G . With this operation, Z 2 ( G , F q * ) becomes a multiplicative Abelian group. If β : G F q * is a map such that β ( 1 ) = 1 , the coboundary  β defined by β ( g , h ) = β ( g ) 1 β ( h ) 1 β ( g h ) for all g , h G is in Z 2 ( G , F q * ) . We denote the set of all coboundaries of G by B 2 ( G , F q * ) , which forms a subgroup of the group Z 2 ( G , F q * ) . Given a two-cocycle α Z 2 ( G , F q * ) , its coset is denoted by [ α ] : = α B 2 ( G , F q * ) . Additionally, we call the quotient group
H 2 ( G , F q * ) = Z 2 ( G , F q * ) / B 2 ( G , F q * )
the second cohomology group of G with values in F q * .
Definition 1
(See [10]). Let G be a finite multiplicative group; let α Z 2 ( G , F q ) be a two- c o c y c l e of G; let θ Hom ( G , Aut ( F q ) ) be a group homomorphism. The twisted-skew group ring F q θ , α G is the set of all formal sums g G a g g ¯ , where a g F q , with the following twisted-skew multiplication:
a g g ¯ · b h h ¯ = a g ( θ ( g ) ( b h ) ) α ( g , h ) g h ¯ .
In [10], it is proven that, if the cocycle α is stabilized by θ ( G ) , then F q θ , α G is an associative ring with identity 1 ¯ .
Note that F q 1 , 1 G is nothing else than the group algebra F q G , while F q 1 , α G is the twisted group algebra F q α G , and F q θ , 1 G is the skew group ring F q θ G (see [4,9,10]). Moreover, by [10], Lemma 1.5, for θ Hom ( G , Aut ( F q ) ) , we have that F q θ , α G and F q θ , 1 G = F q θ G are isomorphic, if α is a coboundary. In particular, F q α G = F q 1 , α G F q 1 , 1 G = F q G as F q -algebras, if α is a coboundary.
Definition 2
(See [10]). For an element a = g G a g g ¯ F q θ , α G , we define its adjunct as
a ^ : = φ ( a ) = g G θ ( g 1 ) ( a g ) α ( g , g 1 ) g 1 ¯ .
In the sequel, we will always consider that G is a finite group of even order and N G such that | N | = | G | / 2 = n , i.e., [ G : N ] = 2 , and hence, G = N N y with y G N . Also, we assume the elements of G are ordered according to some fixed order. In particular, N = { n 0 , n 1 , , n n 1 } and G = { n i y j i { 0 , 1 , , n 1 } , j { 0 , 1 } } . Some possible groups G satisfying the previous conditions are as follows:
  • Dihedral group: A presentation of the dihedral group D of order 2 n is given by
    D = x , y : x n = y 2 = 1 , y x y 1 = x 1 ,
    where N = x i and | N | = n .
  • Quasidihedral group: A presentation of the quasidihedral group G of order 2 n is given by
    G = x , y : x 2 n 1 = y 2 = 1 , y x y = x 2 n 2 1 ,
    where N = x i and | N | = n = 2 n 1 .
  • Modular maximal-cyclic group: A presentation of the modular maximal-cyclic group M of order 2 n is given by
    M = x , y : x 2 n 1 = y 2 = 1 , y x y = x 2 n 2 + 1 ,
    where N = x i and | N | = n = 2 n 1 .
  • Generalized quaternion group: A presentation of the generalized quaternion group Q of order 2 n is given by
    Q = x , y : x 2 n 1 = y 4 = 1 , x 2 n 2 = y 2 , y x y 1 = x 1 ,
    where N = x i and | N | = n = 2 n 1 .
Lemma 1.
Let y G N . Then, we have the following:
  • F q θ , α G is a free F q θ , α N -module with basis { 1 , y } . Therefore, F q θ , α G = F q θ , α N F q θ , α N y as the direct sum of F q -vector spaces.
  • F q θ , α N F q θ , α N y as F q θ , α N -modules.
  • For a F q θ , α N y , a b F q θ , α N if b F q θ , α N y or a b F q θ , α N y if b F q θ , α N .
  • If a F q θ , α N , then a ^ F q θ , α N .
  • If a F q θ , α N y , then a ^ F q θ , α N y .
Proof. 
Let y G N :
  • Since { 1 , y } is a transversal of N, the assertion follows.
  • Consider the map σ : F q θ , α N F q θ , α N y given by σ ( g ) = g y for all g N , then σ is an F q θ , α N -module isomorphism.
  • Since [ G : N ] = 2 , then g h N if and only if g , h N or g , h N y . Therefore, the assertion follows.
  • If g N , then g 1 N since N is a subgroup. Hence, the assertion follows.
  • If g N y , then g 1 N y since [ G : N ] = 2 . Hence, the assertion follows.
   □
Definition 3.
We define the ( θ , α ) -reversible subspace of F q θ , α N y as the vector subspace Γ θ , α = { a = i = 0 n 1 a i n i y ¯ F q θ , α N y : a i = a [ i ] n for all i = 1 , 2 , , n 1 } .
The following lemma introduces the two-cocycle α λ on the group G, for a given element λ in F q * .
Lemma 2.
Let λ F q * . Then, the map α λ : G × G F q * defined by α ( g , h ) = λ if g N and h N and α λ ( g , h ) = 1 otherwise is a two-cocycle of the group G over F q .
Proof. 
By definition, α λ ( g , h ) ( 1 , 1 ) = 1 . Therefore, α λ is a two-cocycle if α λ ( g , h ) α λ ( g h , k ) = α λ ( g , h k ) α λ ( h , k ) for all g , h , k G . Let us first assume g N and h , k G , then a straightforward calculation shows that α λ ( g , h ) α λ ( g h , k ) = α λ ( g , h k ) α λ ( h , k ) holds. On the other hand, if g N y , then a straightforward calculation also shows that α λ ( g , h ) α λ ( g h , k ) = α λ ( g , h k ) α λ ( h , k ) holds.    □
Lemma 3.
Let α λ be the two-cocycle defined in Lemma 2:
  • If λ is a square in F q * , then α λ is a coboundary.
  • If λ is a non-square in F q * and there exists g N y such that g 2 = 1 , then α λ cannot be a coboundary.
  • If λ 1 , λ 2 are non-squares in F q * , then α λ 1 and α λ 2 are congruent.
Proof. 
  • Suppose λ is a square in F q * , then there exists t F q such that t 2 = λ . Let us define β ( g ) = 1 if g N , or else β ( g ) = t 1 . We have α λ ( g , h ) = β ( g ) 1 β ( h ) 1 β ( g h ) for all g , h G , since g h N if and only if g , h N or g , h N y .
  • Suppose there exists a function β such that β ( 1 ) = 1 and α λ ( g , h ) = β ( g ) 1 β ( h ) 1 β ( g h ) . Therefore, α λ ( g , g ) = λ = β ( g ) 1 β ( g ) 1 β ( g 2 ) = [ β ( g ) 1 ] 2 , a contradiction.
  • Let ξ be a primitive element of F q * . Since λ 1 , λ 2 are non-squares in F q * , then λ 1 = ξ 1 k and λ 2 = ξ 2 k with k 1 and k 2 being odd. Therefore, λ 1 = ξ 1 k = λ 2 ξ k 3 , where k 3 is even, i.e., ξ k 3 is a square in F q . Let us define β ( g ) = 1 if g N and β ( g ) = ξ k 3 / 2 otherwise. We, therefore, have α λ 1 ( g , h ) = α λ 2 ( g , h ) β ( g ) β ( h ) β ( g h ) 1 for all g , h G , since g h N if and only if g , h N or g , h N y .
   □
Remark 1.
Note that, since ( λ 2 m 1 ) 2 = λ , for all λ F 2 m and m N , then F 2 m G and F q θ , α λ G are isomorphic. By this, we will assume that c h a r F q 2 .
Let F q 2 be a quadratic extension of F q . From now on, we only will take into consideration a quadratic extension of F q since the ambient space over which we define our cryptographic constructions is the twisted-skew group ring F q 2 θ σ , α λ G , where θ σ Hom ( G , Aut ( F q 2 ) ) is a group homomorphism. We next introduce θ σ .
Lemma 4.
Let σ Gal ( F q 2 , F q ) ) be the Frobenius automorphism of F q 2 over F q . Then, the map θ σ : G Gal ( F q 2 , F q ) defined by θ σ ( g ) = σ if g N and θ σ ( g ) = 1 otherwise is a group homomorphism.
Proof. 
Let g , h G and γ F q 2 . There are four cases to check:
  • g , h N is easy to check.
  • g N y h N , θ ( g h ) ( γ ) = σ ( γ ) = Id ( σ ( γ ) ) = θ ( g ) θ ( h ) ( γ ) .
  • h N y g N , θ ( g h ) ( γ ) = σ ( γ ) = σ ( Id ( γ ) ) = θ ( g ) θ ( h ) ( γ ) .
  • g , h N , θ ( g h ) ( γ ) = γ = σ ( σ ( γ ) ) = θ ( g ) θ ( h ) ( γ ) .
   □
Remark 2.
θ σ relies on the Frobenius automorphism σ. Moreover, since Gal ( F q 2 , F q ) Aut ( F q 2 ) , then θ σ Hom ( G , Gal ( F q 2 , F q ) ) . Furthermore, if λ F q F q 2 , then ( λ q + 1 2 ) ( q 1 ) = λ q 2 1 2 = 1 , i.e., it is a square, and also, α λ is stabilized by the group θ σ ( G ) ; therefore, the twisted-skew group ring F q 2 θ σ , α λ G is isomorphic to the skew group ring F q 2 θ σ G introduced in [4]. However, if λ F q 2 F q , then the cocycle α λ is not stabilized by the group θ σ ( G ) , and so, the twisted-skew multiplication is not necessarily associative. In fact, for none of the possible four groups G we consider the twisted-skew multiplication is associative.
Lemma 5.
Let α λ be the two-cocycle defined in Lemma 2 and θ σ H o m ( G , Gal ( F q 2 , F q ) ) the group homomorphism defined in Lemma 4. Then, we have the following:
  • a b = b a for a , b F q 2 θ σ , α λ N .
  • a b ^ = b a ^ for a , b Γ θ σ , α λ .
  • a ^ b = b ^ a for a , b Γ θ σ , α λ .
  • ( ( a h ) γ ) = ( a ( h γ ) ) for a F q 2 θ σ , α λ N , h F q 2 θ σ , α λ G , γ Γ θ σ , α λ .
Proof.  
  • Let a = i = 0 n 1 a i n i ¯ F q θ σ , α λ N and b = i = 0 n 1 b i n i ¯ F q θ σ , α λ N .
    a b = i = 0 n 1 a i n i ¯ j = 0 n 1 b j n j ¯ = k N n i n j = k a i b j k ¯
    b a = i = 0 n 1 b i n i ¯ j = 0 n 1 a j n j ¯ = k N n i n j = k b i a j k ¯
    Note that the second sum of Equations (2) and (3) follows from the definitions of θ σ and α λ . Therefore, a b = b a .
  • Let a = i = 0 n 1 a i n i y ¯ Γ θ σ , α λ and b = i = 0 n 1 b i n i y ¯ Γ θ σ , α λ . Then, a b ^ can be expressed as
    i = 0 n 1 a i n i y ¯ j = 0 n 1 θ ( ( n j y ) 1 ) ( b j ) α λ ( n j y , ( n j y ) 1 ) ( n j y ) 1 ¯     = k N ( n i y ) ( n j y ) = k a i b j λ q + 1 k ¯
    and b a ^ as
    i = 0 n 1 b i n i y ¯ j = 0 n 1 θ ( ( n j y ) 1 ) ( a j ) α λ ( n j y , ( n j y ) 1 ) ( n j y ) 1 ¯     = k N ( n i y ) ( n j y ) = k b i a j λ q + 1 k ¯
    The first sum of Equations (4) and (5) follows from the definitions and that, for all ω N y , α ( ω , ω 1 ) = λ . The second sum of Equations (4) and (5) follows from θ σ being a homomorphism, and thus, θ σ ( g ) ( θ σ ( h ) ( a ) ) = θ σ ( g h ) ( a ) = a for a F q 2 and θ σ ( g ) ( λ ) = σ ( λ ) = λ q .
    Since a , b Γ θ σ , α λ , then a i = a [ i ] n and b j = b [ j ] n for i , j { 0 , 1 , , n 1 } . Therefore, the ( i , j ) -th term a i b j λ q + 1 of ( n i y ) ( n j y ) = k a i b j λ q + 1 in (4) coincides with the ( [ j ] n , [ i ] n ) -th term b [ j ] n a [ i ] n λ q + 1 of ( n i y ) ( n j y ) = k b i a j λ q + 1 in (5), which implies the equality.
  • Let a = i = 0 n 1 a i n i y ¯ Γ θ σ , α λ and b = i = 0 n 1 b i n i y ¯ Γ θ σ , α λ . Then, we can write a ^ b as
    i = 0 n 1 θ ( ( n i y ) 1 ) ( a i ) α λ ( n i y , ( n i y ) 1 ) ( n i y ) 1 ¯ j = 0 n 1 b j n j y ¯     = i = 0 n 1 a i q λ ( n i y ) 1 ¯ j = 0 n 1 b j n j y ¯       = k N ( n i y ) 1 ( n j y ) = k a i q b j q λ 2 k ¯
    and b ^ a is
    i = 0 n 1 θ ( ( n i y ) 1 ) ( b i ) α λ ( n i y , ( n i y ) 1 ) ( n i y ) 1 ¯ j = 0 n 1 a j n j y ¯     = i = 0 n 1 b i q λ ( n i y ) 1 ¯ j = 0 n 1 a j n j y ¯       = k N ( n i y ) 1 ( n j y ) = k b i q a j q λ 2 k ¯
    The last sum of Equations (6) and (7) follows from the definitions, α ( ω , ω 1 ) = λ and θ σ ( ω ) ( a ) = a q for ω N y , a F q 2 .
    Since a , b Γ θ σ , α λ , then a i = a [ i ] n and b j = b [ j ] n for i , j { 0 , 1 , , n 1 } . Therefore, the ( i , j ) -th term a i q b j q λ 2 of ( n i y ) ( n j y ) = k a i q b j q λ 2 in (4) coincides with the ( [ j ] n , [ i ] n ) -th term b [ j ] n q a [ i ] n q λ 2 of ( n i y ) ( n j y ) = k b i q a j q λ 2 in (5), which implies the equality.
   □

3. Intractability Assumptions

This section will describe some attack games concerning the algebraic problems on which the security of our cryptographic constructions lies [4,7,11,12]. Before giving a detailed account of them, we will introduce some notation that we will use for the remaining part of this paper:
  • Let G be a finite group of even order and N G such that | N | = | G | / 2 = n .
  • Let p be a prime number and q = p m for some m N . Let F q 2 be the quadratic extension of F q .
  • The two-cocycle α λ is instantiated by selecting λ such that it is a non-square in F q 2 . Additionally, θ σ is chosen as specified by Lemma 4.
  • We set h = h 1 + h 2 as a public element, where h 1 F q 2 θ σ , α λ N and h 2 F q 2 θ σ , α λ N y are random non-zero elements.
  • We denote the secret key space by SK = F q 2 θ σ , α λ N × Γ θ σ , α λ . Given a secret key sk = ( a , γ ) SK , we denote ( a , γ ^ ) by sk ^ . Besides, we define ψ : SK × F q 2 θ σ , α λ G F q 2 θ σ , α λ G as ψ ( sk , h ) = a h γ .
Game 1
(Twisted-Skew Product Decomposition). Let A be an efficient adversary. We define the Twisted-Skew Product Decomposition (TSPD) Attack Game as shown by Algorithm 1
Algorithm 1 defines the Twisted-Skew Product Decomposition (TSPD) Attack Game
  • The challenger C executes
1:
( a , γ ) R SK ;
2:
pk ψ ( ( a , γ ) , h ) ;
3:
( a ˜ , γ ˜ ) A ( pk ) ;
4:
return [ [ a ˜ h γ ˜ = a h γ ] ] ;
In the TSPD attack game, [ [ a ˜ h γ ˜ = a h γ ] ] denotes a Boolean value, which is 1 when a ˜ h γ ˜ = a h γ , or 0 otherwise. We define E 1 as the event that the TSPD attack game outputs 1 after A plays it for F q 2 θ σ , α λ G . Furthermore, we define A ’s advantage in solving the TSPD problem for F q 2 θ σ , α λ G as the probability of E 1 and denote it by TSPDadv [ A , F q 2 θ σ , α λ G ] .
Definition 4
(Twisted-Skew Product Decomposition Assumption). We say that the TSPD assumption holds for F q 2 θ σ , α λ G if, for all efficient adversaries A , the quantity TSPDadv [ A , F q 2 θ σ , α λ G ] is negligible.
Game 2
(Computational Twisted-Skew Product). Let A be an efficient adversary. We define the Computational Twisted-Skew Product (CTSP) Attack Game as shown by Algorithm 2.
Algorithm 2 defines the Computational Twisted-Skew Product Attack Game
  • The challenger C executes
1:
( a 1 , γ 1 ) R SK ;
2:
( a 2 , γ 2 ) R SK ;
3:
pk 1 ψ ( ( a 1 , γ 1 ) , h ) ;
4:
pk 2 ψ ( ( a 2 , γ 2 ) , h ) ;
5:
k ψ ( ( a 2 , γ 2 ^ ) , pk 1 ) ;
6:
k ˜ A ( pk 1 , pk 2 ) ;
7:
return [ [ k ˜ = k ] ] ;
We define E 2 as the event that the CTSP attack game outputs 1 after A plays it for F q 2 θ σ , α λ G . Moreover, we define A ’s advantage in solving the CTSP problem for F q 2 θ σ , α λ G as the probability of E 2 and denote it by CTSPadv [ A , F q 2 θ σ , α λ G ] .
Definition 5
(Computational Twisted-Skew Product Assumption). We say that the CTSP assumption holds for F q 2 θ σ , α λ G if, for all efficient adversaries A , the quantity CTSPadv [ A , F q 2 θ σ , α λ G ] is negligible.
Lemma 6.
If the TSPD assumption does not hold for F q 2 θ σ , α λ G , then the CTSP assumption does not hold for F q 2 θ σ , α λ G .
Proof. 
Since the TSPD assumption does not hold for F q 2 θ σ , α λ G , then there exists an efficient adversary B that can win the TSPD attack game with non-negligible probability ρ , i.e., B can output ( a ˜ , γ ˜ ) SK such that a ˜ h γ ˜ = a h γ = pk with non-negligible probability ρ .
We now construct an efficient adversary A that plays and wins the CTSP attack game with non-negligible probability ρ . A simply uses B as the subroutine. Upon receiving pk 1 and pk 2 from its challenger, A calls B upon the input either pk 1 or pk 2 . In either case, if B succeeds in returning a ( a ˜ , γ ˜ ) SK such that pk ˜ = a ˜ h γ ˜ = a b h γ b = pk b ( b { 1 , 2 } ) , then A will calculate k ˜ = a ˜ pk b ¯ γ ˜ ^ , with b ¯ = 3 b , and return k ˜ to its challenger. Because of the choice of θ σ and α λ and Lemma 5, then
k ˜ = a ˜ pk b ¯ γ ˜ ^ = a ˜ a b ¯ h γ b ¯ γ ˜ ^ = a b ¯ a ˜ h γ ˜ γ b ¯ ^ = a b ¯ pk ˜ γ b ¯ ^ = a b ¯ pk b γ b ¯ ^ = k
In conclusion, A is an efficient adversary and may succeed in computing the correct k in the CTSP attack game with non-negligible probability ρ .    □
Game 3
(Decisional Twisted-Skew Product). Let A be an efficient adversary. We define the Decisional Twisted-Skew Product (DTSP) Attack Game by two experiments indexed by a bit b as shown by Algorithm 3.
Algorithm 3 defines the Decisional Twisted-Skew Product Attack Game
For Experiment b, the challenger C executes
1:
( a 1 , γ 1 ) R SK ;
2:
( a 2 , γ 2 ) R SK ;
3:
( a 3 , γ 3 ) R SK ;
4:
pk 1 ψ ( ( a 1 , γ 1 ) , h ) ; pk 2 ψ ( ( a 2 , γ 2 ) , h ) ;
5:
k 0 ψ ( ( a 2 , γ 2 ^ ) , pk 1 ) ; k 1 ψ ( ( a 3 , γ 3 ) , h ) ;
6:
b ˜ A ( pk 1 , pk 2 , k b )
7:
return [ [ b = b ˜ ] ] ;
Remark 3.
Game 3 defines two experiments indexed by a random bit b chosen by the challenger. Therefore, the challenger returns either ( pk 1 , pk 2 , k 0 ) or ( pk 1 , pk 2 , k 1 ) to the adversary A , depending on the experiment the challenger is playing, i.e., the challenger gives ( pk 1 , pk 2 , k b ) to A . We denote the experiment b by D T S P ( b ) .
We define W b as the event that A outputs the bit 1 after playing the experiment b in the DTSP attack game for F q 2 θ σ , α λ G . Furthermore, we define A ’s advantage in solving the DTSP problem for F q 2 θ σ , α λ G as | Pr [ W 0 ] Pr [ W 1 ] | and denote it by DTSPadv [ A , F q 2 θ σ , α λ G ] .
Definition 6
(Decisional Twisted-Skew Product Assumption). We say that the DTSP assumption holds for F q 2 θ σ , α λ G if, for all efficient adversaries A , the quantity DTSPadv [ A , F q 2 θ σ , α λ G ] is negligible.
Lemma 7.
If the CTSP assumption does not hold for F q 2 θ σ , α λ G , then the DTSP assumption does not hold for F q 2 θ σ , α λ G .
Proof. 
Since the CTSP assumption does not hold for F q 2 θ σ , α λ G , then there exists an efficient adversary B that outputs k ˜ F q 2 θ σ , α λ G such that k ˜ = k after being given public keys pk 1 and pk 2 with non-negligible probability.
We now construct an efficient adversary A that plays and wins the DTSP attack game with non-negligible probability. This adversary A uses B as the subroutine. In particular, upon receiving ( pk 1 , pk 2 , k b ) from its challenger, A calls B upon the input ( pk 1 , pk 2 ) . If B solves this instance of the CTSP problem for given pk 1 and pk 2 and returns k ˜ to A , then A compares k ˜ and k b to see whether they are equal. If so, then A returns 0, or 1 otherwise.
In summary, A is an efficient adversary and may succeed in winning the DTSP attack game with non-negligible probability.    □

The Hardness of the TSPD Problem

The TSPD problem is similar to both the Dihedral Product Decomposition (DPD) and Skew Dihedral Product Decomposition (SDPD) problems. The former was introduced in [5], then formalized in [7] and extended in [6], while the latter was introduced in [4] as an extension of the former. The key difference between both is that the latter is defined over the Dihedral Skew Group Ring F q 2 θ σ D 2 n , which is structurally different from the algebra F q α λ D 2 n over which the former is defined.
We remark that the algorithmic analysis presented for the DPD problem over F q α λ D 2 n in [7] can be adjusted easily to both the SDPD and TSPD problems. Furthermore, note that, if λ is non-square, then the twisted-skew multiplication defined over F q 2 θ σ , α λ G is not associative, which motives the claim that the TSPD problem is defined over a less-structured algebraic structure.

4. Key-Agreement Protocols from Twisted-Skew Group Rings

This section introduces key-agreement protocols using two-sided multiplications over a twisted-skew group ring F q 2 θ σ , α λ G .
We note that previous research papers have introduced similar key-exchange protocols using two-sided semi-group actions or matrices over groups [13,14,15,16,17]. However, our approach may be seen as an alternative proposal, since it follows in design and generalizes the works presented in [4,6,7], which propose key-agreement protocols using two-sided multiplications over dihedral twisted (skewed) group rings.

4.1. Choice of Parameters

Here, we will outline our choice of parameters. We remark that Section 7.7 will provide more details regarding specific values assigned to some of them:
  • Let G be a finite group of even order and N G such that | N | = | G | / 2 = n . In particular, we may select a group from the set { D , G , M , Q } .
  • Let p be a prime number and q = p m for some m N . Let F q 2 be the quadratic extension of F q .
  • The two-cocycle α λ is instantiated by selecting λ such that it is a non-square in F q 2 . Additionally, θ σ is chosen as specified by Lemma 4.
  • We set h = h 1 + h 2 as a public element, where h 1 F q 2 θ σ , α λ N and h 2 F q 2 θ σ , α λ N y are random non-zero elements.
  • We denote the secret key space by SK = F q 2 θ σ , α λ N × Γ θ σ , α λ . Given a secret key sk = ( a , γ ) SK , we denote ( a , γ ^ ) by sk ^ . Besides, we define ψ : SK × F q 2 θ σ , α λ G F q 2 θ σ , α λ G as ψ ( sk , h ) = a h γ .

4.2. Two-Party Key-Agreement Protocol

We begin by introducing some notation. A set of identifiers is denoted by ID = { 0 , 1 } + . The identifier for the principal P i is denoted by ID i ID . A session id is denoted by a bit string s. The two-party key-agreement protocol between P i and P j runs as shown in Algorithm 4.
Algorithm 4 Describes our two-party key-exchange protocol
1:
Upon the input ( ID i , ID j , s ) , the principal P i randomly selects a secret pair sk i = ( a i , γ i ) R SK , then generates the corresponding public key by invoking pk i = ψ ( sk i , h ) , and finally, transmits ( ID i , s , pk i ) to P j ;
2:
After receiving ( ID i , s , pk i ) from P i , the principal P j randomly selects a secret pair sk j = ( a j , γ j ) R SK , then generates the corresponding public key by executing pk j = ψ ( sk j , h ) , and transmits ( ID j , s , pk j ) to P i . Additionally, P j computes k j = ψ ( sk j ^ , pk i ) , securely erases ( a j , γ j ) , and outputs the key k j under the session id s;
3:
After receiving ( ID j , s , pk j ) from P j , the principal P i calls k i = ψ ( sk i ^ , pk j ) to obtain the shared key k i under the session id s, then securely erases ( a i , γ i ) , and outputs the key k i under the session id s.

Security Analysis of Our Two-Party Key-Exchange Protocol

This section is devoted to providing an analysis of our two-party key-exchange protocol in the authenticated links adversarial model [18,19,20]. We will present a description of this security model for completeness:
  • Let us denote by P = { P 1 , P 2 , , P n } a finite set of principals.
  • Let A be an adversary controlling all messages between two principals; however, we have the following:
    • A is not permitted to insert or alter messages, except for those messages transmitted by corrupted principals or sessions.
    • A may opt for not forwarding a message at all. However, in case A decides to forward a message m, then A should transmit it to its right destination, only on one occasion and refraining from making partial or minor changes to it.
    • Principals freely transfer the possession of their egress messages to A , who has the power to influence their transmission by means of the Send query. A may make a principal P i operative by Send queries, i.e., the adversary holds the power or ability to create protocol sessions, which occur within each principal. Two sessions, with ids s 1 and s 0 , respectively, are said to be matching when egress messages from one side are the ingress messages from the other side, and vice versa.
      Additionally, A is given the ability to make queries to the following oracles:
      SessionStateReveal oracle.
      Whenever A queries it for a clearly identified session id s within some principal P i , then A will acquire the contents of the specified session id s within P i , including any secret information. This event will be registered and produce no further output.
      SessionKeyReveal oracle.
      Whenever A queries it for a clearly identified session id s, then A will acquire the session key for the specified session id s, as long as s has an associated session.
      Corrupt oracle.
      Whenever A queries it for a clearly identified principal P i , then A will assume control of the principal P i , i.e., A will have the opportunity to obtain all information in P i ’s memory, which includes long-lived keys and any session-specific, remaining data. A corrupted principal will yield no further output.
    • A may query the test oracle on one occasion and at any point for a completed, fresh, unexpired session id s. When queried on input s, the test oracle randomly picks a bit, b R { 0 , 1 } , then it will return the session key associated with the specified session id s if b = 0 . Otherwise, it will return a random value in the key space. Additionally, A can issue subsequent queries to the other oracles as desired, but it cannot expose the test session. At any further point, the adversary will try to guess b.
    • We denote the probability of the event that A correctly guesses b by Guess [ A , F q 2 θ σ , α λ G ] , and define the advantage as
      SKAdv [ A , F q 2 θ σ , α λ G ] = | Guess [ A , F q 2 θ σ , α λ G ] 1 / 2 | .
Theorem 1.
Let A be an efficient adversary in the authenticated links adversarial model (AM). If the DTSP assumption holds for F q 2 θ σ , α λ G , then our key exchange protocol is session key-secure in this setting, i.e., the two-party key-agreement protocol satisfies the following:
  • If two principals engage in a protocol session s, are not corrupted during the execution of it, and complete it successfully, then each principal will compute matching keys.
  • SKAdv [ A , F q 2 θ σ , α λ G ] is negligible.
Proof. 
The following proof is essentially an adaptation of the proofs given for each key-exchange protocol presented, respectively, in [4,7]:
  • Let us assume that two principals P i and P j engage in a protocol session s, are not corrupted during the execution of it, and complete it successfully. We claim that each principal will compute matching keys. By Lemma 5 and the choice of θ σ and α λ , the claim follows. Indeed,
    k i = a i pk j γ i ^ = a i a j h γ j γ i ^ = a j a i h γ i γ j ^ = a j pk i γ j ^ = k j .
  • We will prove this statement by way of contradiction. Let us suppose A is an adversary against our protocol such that SKAdv [ A , F q 2 θ σ , α λ G ] is non-negligible. Let B be an upper bound on the number of session calls by A in any interaction.
    We now present a distinguisher D for the DTSP problem, depicted by Algorithm 5.
    Algorithm 5 depicts distinguisher D for the DTSP problem
     1:
    function   D ( h , F q 2 θ σ , α λ G , pk 1 , pk 2 , k )
     2:
         s R { 1 , , B } ;
     3:
       Let A interact with principals P 1 , , P n with identifiers ID 1 , , ID n , except for the s -th session. For the s -th session, let P i , P j interact with each other, and run Algorithm 4. In particular, P i will transmit ( ID i , s , pk i = a i h γ i ) to P j , while P j will send ( ID j , s , pk j = a j h γ j ) to P i ;
     4:
        if  A has chosen the s -th session as its test session then
     5:
            Return k to A as the response to its test oracle query;
     6:
             b A ( k ) ;
     7:
        else
     8:
             b R { 0 , 1 } ;
     9:
        end if
    10:
       return  b
    11:
    end function
    We now analyze the distinguisher D in two cases:
    (a)
    Let us assume that A randomly chooses the s -th one as its test session. This implies that A will receive either k 0 or k 1 . This is a result of the DTSP challenger, because upon request, it always picks a random bit b and then returns ( pk 1 , pk 2 , k b ) to D . Therefore, the probability of correctly distinguishing them by A is 1 / 2 + ϵ with non-negligible ϵ , since, by assumption, SKAdv [ A , F q 2 θ σ , α λ G ] is non-negligible.
    (b)
    If A does not pick the s -th one as its test session, then, by design, D returns a random bit, and therefore, the distinguishing probability is 1 / 2 .
    Let E r be the event of A selecting the test session as the s -th session. Hence, the probabilities of E s and E s ¯ are 1 / B and 1 1 / B , respectively. Consequently, the overall probability for D to win the DTSP game is
    1 / ( 2 B ) + ϵ / B + 1 / 2 1 / ( 2 B ) = 1 / 2 + ϵ / B ,
    which is non-negligible.
   □

4.3. Generalizing Our Two-Party Key-Agreement Protocol

Throughout this section, we will focus on generalizing our two-party key-exchange protocol to a group key-exchange protocol [21,22,23].
Let us assume there are η > 0 principals whose respective identifiers are I D 1 , , I D η . Thus, the generalized protocol runs as follows:
  • The principal I D 1 randomly generates a secret pair sk 1 = ( a 1 , γ 1 ) R SK and then transmits the list:
    M 1 = [ m 1 1 = h , m 1 2 = ψ ( sk 1 , h ) = a 1 h γ 1 ]
    to the principal I D 2 .
  • For i { 2 , , η 1 } , the principal I D i randomly generates its secret pair sk i = ( a i , γ i ) R SK and sets a i = sk i and b i = sk i ^ if i is even, or else, it sets a i = sk i ^ and b i = sk i . This principal constructs a list M i and transmits it to the principal I D i + 1 , where M i contains i + 1 messages enumerated as m i j = ψ ( a i , m i 1 j ) for j { 1 , , i 1 } , m i i = m i 1 i and m i i + 1 = ψ ( b i , m i 1 i ) .
  • The principal I D η randomly generates its secret pair sk η = ( a η , γ η ) R SK , then sets a η = sk η and b η = sk η ^ if η is even. Otherwise, it sets a η = sk η ^ and b η = sk η .
    This principal then constructs a list M η containing η messages enumerated as m η j = ψ ( a η , m η 1 j ) for j { 1 , η 1 } and m η η = m η 1 η and then broadcasts M η to all other principals. Finally, this principal computes the shared key k = ψ ( b η , m η η = m η 1 η ) .
  • For i { 1 , , η 1 } , each principal with identifier I D i finally computes the shared key k by calculating either k = ψ ( s k i , m η i ) if η is odd or k = ψ ( s k i ^ , m η i ) otherwise.
Theorem 2.
Our group key exchange protocol satisfies the following:
  • If η uncorrupted principals having identifiers I D 1 , , I D η , respectively, complete a run of the group key-agreement protocol successfully, then each principal will output the same shared key.
  • If the DTSP assumption holds for F q 2 θ σ , α λ G , then an efficient adversary A will not be able to distinguish the shared group key from an arbitrary element in F q 2 θ σ , α λ G .
Proof.  
  • This first statement will be proven by induction on the number of principals η .
    Base case:
    Let us set η to 2. For this case, the principal I D 1 computes M 1 = { h , a 1 h γ 1 } and transmits it to the principal I D 2 . Upon receiving M 1 , the principal I D 2 computes M 2 = [ a 2 h γ 2 ] and k = a 2 a 1 h γ 1 γ 2 ^ . Finally, it transmits M 2 back to the principal I D 1 , which computes k = a 2 a 1 h γ 1 γ 2 ^ .
    Inductive case:
    By induction hypothesis, we assume that, if η uncorrupted principals run the protocol, each will successfully obtain the corresponding shared key k η .
    We will prove that if η + 1 uncorrupted principals run the protocol, each will successfully obtain the corresponding shared key k η + 1 .
    Assume now that there are η + 1 principals running the protocol. By the induction hypothesis, the principal I D η receives the correct M η 1 from the principal I D η 1 and, hence, correctly computes M η and forwards it to the principal I D η + 1 . This principal constructs the list M η + 1 by calculating the following:
    (a)
    M η + 1 = { m η + 1 i = ψ ( s k η + 1 , m η i ) for i { 1 , 2 , , η } } if η + 1 is even. This principal then transmits M η + 1 to the other principals.
    Upon receiving M η + 1 from the principal I D η + 1 , each principal I D i computes
    k η + 1 = ψ ( s k i ^ , m η + 1 i ) = a i m η + 1 i γ i ^     = a i ψ ( s k η + 1 , m η i ) γ i ^ = a i a η + 1 m η i γ η + 1 γ i ^       = a η + 1 k η γ η + 1 ^ ,
    for i { 1 , , η } , while the principal I D η + 1 computes
    k η + 1 = ψ ( s k η + 1 ^ , m η η + 1 ) = a η + 1 m η η + 1 γ η + 1 ^   = a η + 1 ψ ( s k η , m η 1 η ) γ η + 1 ^ = a η + 1 k η γ η + 1 ^ .
    (b)
    M η + 1 = { m η + 1 i = ψ ( s k η + 1 ^ , m η i ) for i { 1 , 2 , , η } } if η + 1 is odd. This principal then transmits M η + 1 to the other principals.
    Upon receiving M η + 1 from the principal I D η + 1 , each principal I D i computes
    k η + 1 = ψ ( s k i , m η + 1 i ) = a i m η + 1 i γ i     = a i ψ ( s k η + 1 ^ , m η i ) γ i = a i a η + 1 m η i γ η + 1 ^ γ i     = a η + 1 k η γ η + 1 ,
    for i { 1 , , η } , while the principal I D η + 1 computes
    k η + 1 = ψ ( s k η + 1 , m η η + 1 ) = a η + 1 m η η + 1 γ η + 1   = a η + 1 ψ ( s k η ^ , m η 1 η ) γ η + 1 = a η + 1 k η γ η + 1 .
    This concludes the proof of this first statement.
  • To prove this second statement, we can easily adapt the proof of Theorem 1 in [6] to this setting.
   □

5. An Encryption Scheme from Twisted-Skew Group Rings

This section focuses on presenting a public key-encryption scheme that is procured from the two-party key-agreement protocol analyzed in Section 4.2. Our derivation approach mimics a well-known generic approach previously employed to obtain a probabilistic encryption scheme from instances of a key-exchange protocol [4,5,7,12,24] as, for instance, ElGamal encryption [25] being obtained from instances of the Diffie–Hellman protocol [26].
Before presenting our probabilistic public key encryption, we first establish some notation. The public key space is denoted by PK = F q 2 θ σ , α λ G ; the message space is denoted by M = F q 2 θ σ , α λ G ; finally, the ciphertext space is denoted by C = F q 2 θ σ , α λ G .
We now introduce the public key-encryption scheme E = ( Gen , Enc , Dec ) . Algorithm 6 describes the function Gen; Algorithm 7 depicts the function Enc; finally, Algorithm 8 presents the function Dec.
Algorithm 6 generates a key pair
1:
function Gen( h F q 2 θ σ , α λ G )
2:
     ( a 1 , γ 1 ) R SK ;
3:
     sk ( a 1 , γ 1 ) ;
4:
     pk ψ ( sk , h ) ;
5:
    return  sk , pk ;
6:
end function
Algorithm 7 encrypts a message and returns a ciphertext
1:
function  Enc( m M , pk PK , r 2 SK , h F q 2 θ σ , α λ G )
2:
     ( a 2 , γ 2 ) r 2 ;
3:
     c 1 ψ ( ( a 2 , γ 2 ) , h ) ;
4:
     c 2 m + ψ ( ( a 2 , γ 2 ^ ) , p k ) ;
5:
     c ( c 1 , c 2 ) ;
6:
    return  c ;
7:
end function
Algorithm 8 decrypts a ciphertext and returns a message
1:
function   Dec( c C , sk SK )
2:
     ( c 1 , c 2 ) c ;
3:
     k ψ ( sk ^ , c 1 ) ;
4:
     m c 2 k ;
5:
    return  m ;
6:
end function
Theorem 3.
Let  h  be a public element in F q 2 θ σ , α λ G , and let E be the public key-encryption scheme:
  • For any message m M , r 2 R SK and ( pk , sk ) Gen ( h ) , it holds that
    m Dec ( Enc ( m , pk , r 2 , h ) , sk )
  • If the DTSP assumption holds for F q 2 θ σ , α λ G , then E is semantically secure.
Proof. 
The proofs of these two items are an adaptation of the proofs of Lemma 5.1 and Theorem 5.2 , respectively, from [7]:
  • Given m M , r 2 SK uniformly chosen at random and ( pk , sk ) Gen ( h ) , then we have
    ( c 1 = a 2 h γ 2 , c 2 = m + a 2 pk γ ^ 2 ) Enc ( m , pk , r 2 , h ) .
    By calling Dec ( ( c 1 , c 2 ) , sk ) , then
    k = a 1 c 1 γ ^ 1 = a 1 a 2 h γ 2 γ ^ 1 = a 2 a 1 h γ 1 γ ^ 2 = a 2 pk γ ^ 2 ,
    and therefore,
    c 2 k = m + a 2 pk γ ^ 2 a 2 pk γ ^ 2 = m .
  • For this statement, we consider an efficient adversary A and define Game 0 as the semantic security (SS) attack game against A . Algorithm 9 depicts Game 0 .
    Algorithm 9 depicts attack games defined for the proof of Theorem 3
     1:
    function  Game 0
     2:
         ( ( a 1 , γ 1 ) , pk 1 ) R Gen ( h ) ;
     3:
         ( m 0 , m 1 ) A ( pk 1 ) ;
     4:
         b R { 0 , 1 } ;
     5:
         ( a 2 , γ 2 ) R SK ; pk 2 a 2 h γ 2 ;
     6:
         k a 2 pk 1 γ 2 ^ ;
     7:
         c m b + k ;
     8:
         b ˜ A ( pk 1 , pk 2 , c ) ;
     9:
        return  [ [ b = b ˜ ] ] ;
    10:
    end function
     1:
    function   Game 1
     2:
         ( ( a 1 , γ 1 ) , pk 1 ) R Gen ( h ) ;
     3:
         ( m 0 , m 1 ) A ( pk 1 ) ;
     4:
         b R { 0 , 1 } ;
     5:
         ( a 2 , γ 2 ) R SK ; pk 2 a 2 h γ 2 ;
     6:
         ( a 3 , γ 3 ) R SK ; k a 3 h γ 3 ;
     7:
         c m b + k ;
     8:
         b ˜ A ( pk 1 , pk 2 , c ) ;
     9:
        return  [ [ b = b ˜ ] ] ;
    10:
    end function
    Recall [ [ b = b ˜ ] ] denotes a Boolean value. In particular, [ [ b = b ˜ ] ] is 0 if both b and b ˜ differ, or 1 otherwise. In Game 0 , A sends the challenger two messages m 0 , m 1 M of the same length in bits.
    Let us define S 0 as the event of Game 0 returning 1, then A ’s SS-advantage is given by | P r [ S 0 ] 1 / 2 | . The proof essentially will show that | P r [ S 0 ] 1 / 2 | is negligible if the DTSP assumption holds. Let us define Game 1 by modifying Game 0 as shown in Algorithm 9.
    Let us define S 1 as the event of Game 1 outputting 1. From Game 1 , it is clear that b , pk 1 , pk 2 , and c are mutually independent; so are b and b ˜ A ( pk 1 , pk 2 , c ) , and hence, P r [ S 1 ] = 1 / 2 .
    We now demonstrate an adversary B that performs the DTSP attack game 3 defined in Section 3. In particular, the adversary B will assume the role of challenger for A , and its part is as follows. B will first communicate with its own challenger from which it will receive the three-tuple ( pk 1 , pk 2 , k ) . It then forwards pk 1 to A . When it obtains ( m 0 , m 1 ) from A , then B chooses a bit b at random, computes c m b + k , and transmits ( pk 1 , pk 2 , c ) to A . Once B finally procures a final response bit b ˜ by A , it returns [ [ b = b ˜ ] ] in the DTSP attack game. Clearly, B is an efficient adversary, since A is also an efficient adversary.
    Recall that W b ¯ is the event that B outputs 1 in game DTSP ( b ¯ ) ; thus, B ’s advantage for solving the DTSP problem for F q 2 θ σ , α λ G is given by
    DTSPadv [ A , F q 2 θ σ , α λ G ] = | Pr [ W 0 ] Pr [ W 1 ] | .
    A key observation here is the following.
    On the one hand, whenever B ’s challenger is playing game DTSP ( 0 ) , A is in turn playing Game 0 , since B obtains from its challenger
    ( pk 1 = a 1 h γ 1 , pk 2 = a 2 h γ 2 , k = a 2 pk 1 γ 2 ^ ) .
    Therefore, P r [ W 0 ] = P r [ S 0 ] .
    On the other hand, whenever B ’s challenger is playing Game DTSP ( 1 ) , A is in turn playing Game 1 , because B obtains from its challenger
    ( pk 1 = a 1 h γ 1 , pk 2 = a 2 h γ 2 , k = a 3 h γ 3 ) .
    Therefore, P r [ W 1 ] = P r [ S 1 ] .
    By hypothesis, | P r [ W 0 ] P r [ W 1 ] | is negligible; therefore, | P r [ S 0 ] 1 / 2 | is negligible, and the assertion follows.
   □

6. A Key-Encapsulation Mechanism from Twisted-Skew Group Rings

In this section, we will focus on deriving a CCA-secure key-encapsulation mechanism from our probabilistic public key encryption E . To accomplish this task, we will apply a generic transformation from [27] to E . We will next describe this generic transformation a bit more.
Let PKE = ( Gen , Enc , Dec ) be a public key-encryption scheme with message space M , ciphertext space C , and randomness space R . Let KeyLength N and G : M R and H : { 0 , 1 } * { 0 , 1 } KeyLength be hash functions. This transformation is a variant of the Fujisaki–Okamoto transformation with “implicit rejection” of inconsistent ciphertexts. Formally, it is defined as KEMCryptography 08 00029 i001 = K0Cryptography 08 00029 i001 ( PKE , G , H ) : = UCryptography 08 00029 i001 [ T [ PKE , G ] , H ] = ( Gen , Encaps , Decaps ) (see [27] for more details). Algorithm 10 summarizes functions ( Gen , Encaps , Decaps ) after applying the transformation to PKE, converting it into a CCA-secure key-encapsulation mechanism. We remark that the proof that this generic transformation converts a public key encryption scheme into a CCA-secure key-encapsulation mechanism may be found in [27].
Algorithm 10 depicts the CCA-secure key-encapsulation mechanism ( Gen , Encaps , Decaps ) from PKE
1:
function Gen ()
2:
     ( pk , sk ) PKE . Gen ;
3:
     s R M ;
4:
     sk ( sk , s ) ;
5:
    return  ( sk , pk ) ;
6:
end function
1:
function   Encaps ( pk )
2:
     m R M ;
1:
function   Decaps ( sk = ( sk , s ) , c )
2:
     m PKE . Dec ( sk , c ) ;
3:
    if  c = PKE . Enc ( pk , m , G ( m ) )  then
4:
        return  H ( m , c ) ;
5:
    else
6:
        return  H ( s , c ) ;
7:
    end if
8:
end function
3:
     c PKE . Enc ( pk , m , G ( m ) ) ;
4:
     k H ( m , c ) ;
5:
    return  ( k , c ) ;
6:
end function
 
To apply this transformation to our scheme E , we proceed by establishing the following. Let K = { 0 , 1 } KeyLength be the key space and BinaryRep ( x ) be a function that returns the binary representation of x. Furthermore, recall that the randomness space is SK = F q 2 θ σ , α λ N × Γ θ σ , α λ , the public key space is PK = F q 2 θ σ , α λ G , the message space is M = F q 2 θ σ , α λ G , and the ciphertext space is C = F q 2 θ σ , α λ G . Finally, we will define the hash function H 1 and H 2 as follows:
  • H 1 : { 0 , 1 } * SK is a hash function, which, upon the input of a variable-length bit string x , returns ( a , γ ) SK . Using the notation of [28], this function may be defined as H 1 ( x ) = SHAKE 256 ( x , ζ ) , where ζ = 2 log 2 ( q ) ( n + n 2 ) is the bit length of the output and | N | = | G | / 2 = n . The bit string bitstring returned by SHAKE 256 can be converted into a element in SK by carefully dividing the bit string into two parts, the first of length 2 log 2 ( q ) n bits and the second of length 2 log 2 ( q ) n 2 bits, each being employed to derive a , γ , respectively.
    Let m 1 , m 2 M , and we define G ( m 1 , m 2 ) : = H 1 BinaryRep ( m 1 ) | | BinaryRep ( m 2 ) .
  • H 2 : { 0 , 1 } * K is a hash function that, upon the input of a variable-length bit string x , returns k K . This function may be defined as H 2 ( x ) = SHAKE 256 ( p 1 | | x , KeyLength ) , where KeyLength is the bit length of the output and p 1 is a prepended fixed bit string to make it different from H 1 .
    Let m , c M . We define H ( m , c ) : = H 2 BinaryRep ( m ) | | BinaryRep ( c ) .
After applying the generic transformation to E , i.e., UCryptography 08 00029 i001 [ T [ E , G ] , H ] , we obtain KEM = ( KeyGen , Encaps , Decaps ) . Algorithm 11 describes the functions KeyGen, Encaps and Decaps.
Algorithm 11 depicts the CCA-secure key-encapsulation mechanism ( KeyGen , Encaps , Decaps ) from E
1:
functionKeyGen( h )
2:
     ( pk , sk ) E . Gen ( h ) ;
3:
     s R M ;
4:
    return  ( sk , s , pk ) ;
5:
end function
1:
function  Encaps( pk , h )
2:
     m R M ;
3:
     r G ( m , pk ) ;
1:
function  Decaps( ( sk , s , pk ) , c , h )
2:
     m E . Dec ( c , sk ) ;
3:
     r G ( m , pk ) ;
4:
    if  c = E . Enc ( m , pk , r , h )  then
5:
        return  H ( m , c ) ;
6:
    else
7:
        return  H ( s , c ) ;
8:
    end if
9:
end function
4:
     c E . Enc ( m , pk , r , h ) ;
5:
     K H ( m , c ) ;
6:
    return  ( K , c ) ;
7:
end function
 

7. Implementation of Our Cryptographic Constructions

The proof-of-concept implementation of our cryptographic constructions was coded in Python. The interested reader can see it on Google Colaboratory [29].

7.1. Group Representation

Recall that G = N N y , where | N | = | G | / 2 = n . For our protocols, we only considered G { D , G , M , Q } . For any choice, N = x i is a cyclic group, and thus, a group element g G is of the form g = x i y j , which may be represented as an integer g = j · n + i , where i { 0 , , n 1 } and j { 0 , 1 } .
The computation of the integer representation of either g 1 · g 2 or g 1 1 , g 1 , g 2 G , will hinge on the form of the group elements and the specific presentation of G. Note that, by exploiting each group presentation, explicit formulae can be derived to compute both g 1 · g 2 and g 1 1 efficiently. The interested reader can see the implementation [29].

7.2. Two-Cocycle α λ

The function 2 cocycle ( k 1 , k 2 ) takes two group element representations, k 1 and k 2 , as the input, then the function returns λ if n k 1 < 2 n  and  n k 2 < 2 n . Otherwise, it returns 1.

7.3. Homomorphism θ σ

The function homomorphism ( k 1 ) takes a group element representation, k 1 , as the input, then this function returns a pointer to the function σ if n k 1 < 2 n . Otherwise, it returns a pointer to the identity function I. Algorithm 12 shows both functions.
Algorithm 12 presents functions involved in computing the homomorphism θ σ
 1:
function   σ ( a F q 2 )
 2:
     [ b s , b s 1 , , b 0 ] BinaryRep ( q ) ;
 3:
     r getOneFromQuadraticField ( ) ;
1:
function   I ( a F q 2 )
2:
    return a
3:
end function
 4:
    for i s t o 0  do
 5:
         r r · r ;
 6:
        if  b i = 1  then
 7:
            r r · a ;
 8:
        end if
 9:
    end for
10:
    return r;
11:
end function
 

7.4. The Twisted-Skew Group Ring F q 2 θ σ , α λ G

To represent an element a = i = 0 n 1 a i x i + i = 0 n 1 a n + i x i y in the group ring F q 2 θ σ , α λ G , we make use of an array of 2 n field elements a = [ a 0 , a 1 , a 2 , , a 2 n 1 ] , where a i is the representation of the field element a i F q 2 . Algorithms 13 and 14 describe the addition and product operations, respectively.
Algorithm 13 computes the addition of two ring elements
1:
function   addition( a , b )
2:
     c [ 0 , , 0 ] ;
3:
    for  ( i 0 ; i < 2 n ; i i + 1 )  do
4:
         c [ i ] a [ i ] + b [ i ] ;
5:
    end for
6:
    return c;
7:
end function
Algorithm 14 computes the product of two ring elements
 1:
function  product( a , b )
 2:
     c [ 0 , , 0 ] ;
 3:
    for  ( i 0 ; i < 2 n ; i i + 1 )  do
 4:
        for  ( j 0 ; j < 2 n ; j j + 1 )  do
 5:
            k G . eval ( i , j ) ;
 6:
            outH homomorphism ( i ) ( b [ j ] ) ;
 7:
            out 2 c 2 cocylce ( i , j ) ;
 8:
            fe a [ i ] · outH · out 2 c ;
 9:
            c [ k ] c [ k ] + fe ;
10:
        end for
11:
    end for
12:
    return c;
13:
end function

Addition and Product Costs

We now quantify the cost of Algorithms 13 and 14. Let us denote
  • FA and FM as the costs of a field addition and a field multiplication respectively.
  • GE and HC as bounds on the cost of calling G . eval ( i , j ) and the number of field multiplications to compute homomorphism ( i ) ( b [ j ] ) respectively.
  • C α λ as the constant cost of executing 2 cocylce ( i , j ) .
On the one hand, Algorithm 13 has a cost of 2 n FA when computing a ring element c . On the other hand, Algorithm 14 has a cost of 4 n 2 ( FA + ( 2 + HC ) FM + GE + C α λ ) .

7.5. Auxiliary Functions

As auxiliary functions, we implemented the following functions:
  • Algorithm 15 computes the adjunct of a ring element, and its cost is 2 n ( GI + ( HC + 1 ) FM + C α λ ) , where GI is a bound on the cost of calling G . inverse ( i ) .
  • Functions for computing random elements in different sets are implemented. They are described in Algorithm 16.
Algorithm 15 computes the adjunct of a ring element
 1:
function   adjunct( a )
 2:
     c [ 0 , , 0 ] ;
 3:
    for  ( i 0 ; i < 2 n ; i i + 1 )  do
 4:
         j inverse ( i ) ;
 5:
         f 1 homomorphism ( j ) ( a [ i ] ) ;
 6:
         f 2 2 cocylce ( i , j ) ;
 7:
         c [ j ] f 1 · f 2 ;
 8:
    end for
 9:
    return c
10:
end function
Algorithm 16 presents functions for computing a random element in different sets
 1:
function   GETPUBLICELEMENT ()
 2:
     sw 1 False ;
 3:
    while  not sw 1  do
 4:
         a getRandomFG ( ) ;
 5:
         i 0 ;
 6:
         sw 2 False ;
 7:
        while  i < n and not sw 2  do
 8:
           if  a [ i ] 0  then
 9:
                sw 2 True ;
10:
           end if
11:
            i i + 1 ;
12:
        end while
13:
         i n ;
14:
         sw 3 False ;
15:
        while  i < 2 n and not sw 3  do
16:
           if  a [ i ] 0  then
17:
                sw 3 True ;
18:
           end if
19:
            i i + 1 ;
20:
        end while
21:
         sw 1 sw 2 and sw 3 ;
22:
    end while
1:
function   GETRANDOMFG ()
2:
     c [ 0 , , 0 ] ;
3:
    for  ( i 0 ; i < 2 n ; i i + 1 )  do
4:
         c [ i ] getRandomFieldElement ( ) ;
5:
    end for
6:
    return c;
7:
end function
1:
function   GETRANDOMFH ()
2:
     c [ 0 , , 0 ] ;
3:
    for  ( i 0 ; i < n ; i i + 1 )  do
4:
         c [ i ] getRandomFieldElement ( ) ;
5:
    end for
6:
    return c;
7:
end function
1:
function   GETRANDOMFHY ()
2:
     c [ 0 , , 0 ] ;
3:
    for  ( i n ; i < 2 n ; i i + 1 )  do
4:
         c [ i ] getRandomFieldElement ( ) ;
5:
    end for
6:
    return c;
7:
end function
23:
    return a;
24:
end function
 1:
function   GETRANDOMFROMT ()
 2:
     c [ 0 , , 0 ] ;
 3:
     c [ n ] getRandomFieldElement ( ) ;
 4:
     n 1 n / 2 ;
 5:
    for  ( i 1 ; i n 1 ; i i + 1 )  do
 6:
         c [ i + n ] getRandomFieldElement ( ) ;
 7:
         c [ n + ( n i ) mod n ] c [ i + n ] ;
 8:
    end for
 9:
    return c;
10:
end function
 

7.6. Key Sizes

We next provide estimates for the memory sizes in bits required to store both a public key and a private key.
A field element requires NFE = 2 log 2 ( q ) bits. On the one hand, a public key pk PK is a ring element, which can be stored as an array of | G | field elements. Therefore, storing a public key requires | G | · NFE bits.
On the other hand, a private key ( a , γ ) SK is a pair of two ring elements. Therefore, storing a full private key requires 2 · | G | · NFE bits. This number of bits can be decreased further if the form of the private key is exploited. Note that, since ( a , γ ) F q 2 θ σ , α λ N × Γ θ σ , α λ , only n + n 2 field elements need storing, and hence, a compressed private key requires ( n + n 2 ) · NFE bits. For completeness, Algorithms 17 and 18 describe the process of compressing and decompressing a private key, respectively.
Algorithm 17 compresses a private key
 1:
function   COMPRESSPRIVATEKEY ( sk SK )
 2:
     l n + n / 2 ;
 3:
     c [ 0 0 , , 0 l 1 ] ;
 4:
    for  ( i 0 ; i < n ; i i + 1 )  do
 5:
         c [ i ] a [ i ] ;
 6:
    end for
 7:
    for  ( i n ; i < l ; i i + 1 )  do
 8:
         c [ i ] γ [ n + i ] ;
 9:
    end for
10:
    return c;
11:
end function
Algorithm 18 decompresses a private key
 1:
function   DECOMPRESSPRIVATEKEY ( sk )
 2:
     l n / 2 ;
 3:
     a [ 0 0 , , 0 2 n 1 ] ;
 4:
     γ [ 0 0 , , 0 2 n 1 ] ;
 5:
    for  ( i 0 ; i < n ; i i + 1 )  do
 6:
         a [ i ] sk [ i ] ;
 7:
    end for
 8:
     γ [ n ] sk [ n ] ;
 9:
    for  ( i 1 ; i < l ; i i + 1 )  do
10:
         γ [ n + i ] sk [ n + i ] ;
11:
         γ [ 2 n i ] sk [ n + i ] ;
12:
    end for
13:
    return ( a , γ ) ;
14:
end function

7.7. Parameter Choices

In reference to our key-encapsulation mechanism, we suggest using the parameters displayed by Table 1, which supplies varying and increasing security levels. Table 1 displays four sets of parameters, where KeyLength { 128 , 192 , 256 } denotes the output key length. The values displayed in the column labeled as “Level of Security in Bits” have been computed as proposed in [7]. The interested reader may see our implementation here [29].

7.8. Potential Applications

We believe that our protocols might find applications in environments like the Internet of Things (IoT) for various reasons. One first reason is that they may potentially be implemented in constrained devices and the overhead of running them in those devices might be small. This viewpoint stems from observing that the algorithms involved in computing encryptions (or shared keys) are relatively simple, as evinced in this section. Secondly, the key sizes are relatively small compared to other schemes [3], which offers an advantage for storing purposes. Furthermore, we remark that the study on the deployability of post-quantum cryptographic algorithms on constrained devices is of current interest, as evidenced in [30]. On the other hand, we also believe that it might be possible to derive password authentication key exchange (PAKE) protocols from our protocols. If so, these PAKE protocols are versatile and may be used in many scenarios, such as credential recovery, device paring, and end-to-end (E2E)-secure channels, as shown in [31]. However, our protocols per se might be adapted and used in some of those potential scenarios, particularly E2E-secure channels.

8. Conclusions

This paper introduced the twisted-skew group ring F q 2 θ σ , α λ G , where α λ is a two-cocycle, θ σ a group homomorphism, and G a finite group of even order with N G such that | N | = | G | / 2 = n , i.e., [ G : N ] = 2 , and hence, G = N N y with y G N . Over this algebraic platform, we built several cryptographic constructions following a incremental-like methodology. In particular, we first introduced a two-party key-agreement protocol and its generalization. Additionally, we derived a probabilistic public key encryption from the two-party key-agreement protocol and key-encapsulation mechanism from the probabilistic public key encryption.
As a future research direction, it would be interesting to explore the possibility of constructing other key-exchange protocols from twisted-skew group rings, namely a password authentication key exchange protocol, which might be suitable in environments like the IoT.

Author Contributions

Conceptualization, J.d.l.C., E.M.-M., S.M.-R. and R.V.-P.; methodology, J.d.l.C., E.M.-M., S.M.-R. and R.V.-P.; software, R.V.-P.; validation, J.d.l.C., E.M.-M., S.M.-R. and R.V.-P.; formal analysis, J.d.l.C., E.M.-M., S.M.-R. and R.V.-P.; investigation, J.d.l.C., E.M.-M., S.M.-R. and R.V.-P.; resources, J.d.l.C.; writing—original draft preparation, J.d.l.C., E.M.-M. and R.V.-P.; writing—review and editing, J.d.l.C., E.M.-M. and R.V.-P.; supervision, J.d.l.C. and R.V.-P.; project administration, J.d.l.C.; funding acquisition, J.d.l.C. All authors have read and agreed to the published version of the manuscript.

Funding

The first author is grateful for the support of Fundación para la Promoción de la Investigación y la Tecnología del Banco de la República under project 4649, and the second author is partially supported by Grant TED2021-130358B-I00 funded by MCIN/AEI/10.13039/501100011033 and by the “European Union NextGenerationEU/PRTR”.

Data Availability Statement

The original contributions presented in the study are included in the article, further inquiries can be directed to the corresponding author.

Conflicts of Interest

The authors declare no conflicts of interest.

References

  1. National Institute of Standards and Technology, NIST Post-Quantum Cryptography. Available online: https://csrc.nist.gov/Projects/post-quantum-cryptography/selected-algorithms-2022 (accessed on 1 June 2024).
  2. National Institute of Standards and Technology, Post-Quantum Cryptography: Digital Signature Schemes. Available online: https://csrc.nist.gov/Projects/pqc-dig-sig/round-1-additional-signatures (accessed on 1 June 2024).
  3. Dam, D.-T.; Tran, T.-H.; Hoang, V.-P.; Pham, C.-K.; Hoang, T.-T. A Survey of Post-Quantum Cryptography: Start of a New Race. Cryptography 2023, 7, 40. [Google Scholar] [CrossRef]
  4. de la Cruz, J.; Martínez-Moro, E.; Villanueva-Polanco, R. Public Key Protocols over Skew Dihedral Group Rings. Mathematics 2022, 10, 3343. [Google Scholar] [CrossRef]
  5. Gómez Olvera, M.D.; López Ramos, J.A.; Torrecillas Jover, B. Public Key Protocols over Twisted Dihedral Group Rings. Symmetry 2019, 11, 1019. [Google Scholar] [CrossRef]
  6. Gómez Olvera, M.D.; López Ramos, J.A.; Torrecillas Jover, B. Secure Group Communications Using Twisted Group Rings. Mathematics 2022, 10, 2845. [Google Scholar] [CrossRef]
  7. de la Cruz, J.; Villanueva-Polanco, R. Public key cryptography based on twisted dihedral group algebras. Adv. Math. Commun. 2024, 18, 857–877. [Google Scholar] [CrossRef]
  8. Suo, J.; Wang, L.; Yang, S.; Zheng, W.; Zhang, J. Quantum algorithms for typical hard problems: A perspective of cryptanalysis. Quantum Inf. Process. 2020, 19, 178. [Google Scholar] [CrossRef]
  9. de la Cruz, J.; Willems, W. Twisted group codes. IEEE Trans. Inf. Theory 2021, 67, 5178–5184. [Google Scholar] [CrossRef]
  10. Behajaina, A.; Borello, M.; de la Cruz, J.; Willems, W. Twisted skew G-codes. Des. Codes Cryptogr. 2024, 92, 1803–1821. [Google Scholar] [CrossRef]
  11. Shoup, V. Sequences of Games: A Tool for Taming Complexity in Security Proofs, Cryptology ePrint Archive, Report 2004/332. 2004. Available online: http://eprint.iacr.org/2004/332 (accessed on 1 December 2023).
  12. Boneh, D.; Shoup, V. A Graduate Course in Applied Cryptography, Textbook. Available online: http://toc.cryptobook.us/book.pdf (accessed on 1 June 2024).
  13. Lopez-Ramos, J.A.; Rosenthal, J.; Schipani, D.; Schnyder, R. An application of group theory in confidential network communications. Math. Meth. Apply Sci. 2018, 41, 2294–2298. [Google Scholar] [CrossRef]
  14. Kahrobaei, D.; Koupparis, C.; Shpilrain, V. Public key exchange using matrices over group rings. Groups Complex Cryptol. 2013, 5, 97–115. [Google Scholar] [CrossRef]
  15. Eftekhari, M. Cryptanalysis of Some Protocols Using Matrices over Group Rings. In Progress in Cryptology—AFRICACRYPT 2017; Joye, M., Nitaj, A., Eds.; AFRICACRYPT 2017; Lecture Notes in Computer Science; Springer: Cham, Switzerland, 2017; Volume 10239. [Google Scholar]
  16. Maze, G.; Monico, C.; Rosenthal, J. Public key cryptography based on semigroup actions. Adv. Math. Commun. 2007, 1, 489–507. [Google Scholar] [CrossRef]
  17. Roman’kov, V. A General Encryption Scheme Using Two-Sided Multiplications with Its Cryptanalysis. arXiv 2017, arXiv:1709.06282. [Google Scholar]
  18. Bader, C.; Hofheinz, D.; Jager, T.; Kiltz, E.; Li, Y. Tightly-Secure Authenticated Key Exchange. In Theory of Cryptography; Dodis, Y., Nielsen, J.B., Eds.; TCC 2015; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2015; Volume 9014. [Google Scholar]
  19. Jager, T.; Kiltz, E.; Riepel, D.; Schäge, S. Tightly-Secure Authenticated Key Exchange, Revisited, Cryptology ePrint Archive: Report 2020/1279. 2020. Available online: https://eprint.iacr.org/2020/1279 (accessed on 3 June 2024).
  20. Canetti, R.; Krawczyk, H. Analysis of Key-Exchange Protocols and Their Use for Building Secure Channels. In Advances in Cryptology-EUROCRYPT 2001; Pfitzmann, B., Ed.; EUROCRYPT 2001; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2001; Volume 2045. [Google Scholar]
  21. Steiner, M.; Tsudik, G.; Waidner, M. Diffie-Hellman key distribution extended to group communication. In Proceedings of the 3rd ACM Conference on Computer and Communications Security (CCS ’96), New Delhi, India, 14–15 March 1996; Association for Computing Machinery: New York, NY, USA, 1996; pp. 31–37. [Google Scholar] [CrossRef]
  22. Boyd, C.; Mathuria, A.; Stebila, D. Protocols for Authentication and Key Establishment, Second Edition, Information Security and Cryptography; Springer: Berlin/Heidelberg, Germany, 2019. [Google Scholar]
  23. Steiner, M.; Tsudik, G.; Waidner, M. Key agreement in dynamic peer groups. IEEE Trans. Parallel Distrib. Syst. 2000, 11, 769–780. [Google Scholar] [CrossRef]
  24. Jao, D.; De Feo, L. Towards Quantum-Resistant Cryptosystems from Supersingular Elliptic Curve Isogenies. In Post-Quantum Cryptography; Yang, B.Y., Ed.; PQCrypto 2011; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2011; Volume 7071. [Google Scholar]
  25. ElGamal, T. A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In Advances in Cryptology; Blakley, G.R., Chaum, D., Eds.; CRYPTO 1984, Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 1984; Volume 196. [Google Scholar]
  26. Diffie, W.; Hellman, M.E. New Directions in Cryptography. IEEE Trans. Inf. Theory 1976, 22, 644–654. [Google Scholar] [CrossRef]
  27. Hofheinz, D.; Hövelmanns, K.; Kiltz, E. A Modular Analysis of the Fujisaki-Okamoto Transformation; Kalai, Y., Reyzin, L., Eds.; Theory of Cryptography; TCC 2017; Lecture Notes in Computer Science; Springer: Cham, Switzerland, 2017; Volume 10677. [Google Scholar]
  28. Dworkin, M.J. SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions. Federal Inf. Process. Stds. (NIST FIPS). 2015. Available online: https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf (accessed on 3 June 2024).
  29. de la Cruz, J.; Martínez-Moro, E.; Muñoz-Martinez, S.; Villanueva-Polanco, R. Implementation of Cryptographic Constructions Based on a Twisted-Skew Group Rings. Available online: https://colab.research.google.com/drive/1QA_hktpdTDVG9cPfkj4Cq2IVeKMGy68Y?usp=sharing (accessed on 3 June 2024).
  30. Fitzgibbon, G.; Ottaviani, C. Constrained Device Performance Benchmarking with the Implementation of Post-Quantum Cryptography. Cryptography 2024, 8, 21. [Google Scholar] [CrossRef]
  31. Hao, F.; van Oorschot, P.C. SoK: Password-Authenticated Key Exchange – Theory, Practice, Standardization and Real-World Lessons. In Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security (ASIA CCS ’22), Nagasaki, Japan, 30 May–3 June 2022; Association for Computing Machinery: New York, NY, USA, 2022; pp. 697–711. [Google Scholar] [CrossRef]
Table 1. Proposed parameters.
Table 1. Proposed parameters.
pmnGroupKeyLength (bits)Level of Security in Bits
19120Dihedral { 128 , 192 , 256 } 130
19123Dihedral { 128 , 192 , 256 } 149
19132Any of the four candidate groups { 128 , 192 , 256 } 207
19164Any of the four candidate groups { 128 , 192 , 256 } 410
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

de la Cruz, J.; Martínez-Moro, E.; Muñoz-Ruiz, S.; Villanueva-Polanco, R. Public Key Protocols from Twisted-Skew Group Rings. Cryptography 2024, 8, 29. https://doi.org/10.3390/cryptography8030029

AMA Style

de la Cruz J, Martínez-Moro E, Muñoz-Ruiz S, Villanueva-Polanco R. Public Key Protocols from Twisted-Skew Group Rings. Cryptography. 2024; 8(3):29. https://doi.org/10.3390/cryptography8030029

Chicago/Turabian Style

de la Cruz, Javier, Edgar Martínez-Moro, Steven Muñoz-Ruiz, and Ricardo Villanueva-Polanco. 2024. "Public Key Protocols from Twisted-Skew Group Rings" Cryptography 8, no. 3: 29. https://doi.org/10.3390/cryptography8030029

APA Style

de la Cruz, J., Martínez-Moro, E., Muñoz-Ruiz, S., & Villanueva-Polanco, R. (2024). Public Key Protocols from Twisted-Skew Group Rings. Cryptography, 8(3), 29. https://doi.org/10.3390/cryptography8030029

Article Metrics

Back to TopTop