A Novel Provably Secure Key-Agreement Using Secret Subgroup Generator

In this paper, a new key-agreement scheme is proposed and analyzed. In addition to being provably secure in the shared-secret-key indistinguishability model, the scheme has an interesting feature: while it uses exponentiation over a cyclic subgroup to establish the key agreement, the generator of that subgroup is hidden, so as to secure the scheme against adversaries capable of solving the Discrete Logarithm Problem; this means the scheme might be a candidate post-quantum key exchange scheme.


Introduction
Theoretic and technical developments in the field of quantum computers (computers built on the principles of quantum physics that use these principles to solve problems which would require an infeasible amount of time and computational capacity on classical computers) are imposing a real challenge on the field of public-key cryptography: most of the currently hard or intractable problems that form the basis for the security of widely used cryptographic algorithms, such as the Discrete Logarithm Problem and the Integer Factorization Problem, will be solvable using large-scale quantum computers. Consequently, many of the currently used public-key cryptosystems will be compromised [1]. Furthermore, the current cryptosystems based on number theory are becoming less secure in light of developments in mathematical and computational cryptanalysis [2] [3]. Therefore, there is great interest in developing new cryptographic algorithms that would be secure against both quantum and classical computers.
In this paper we propose a new key-agreement scheme that uses exponentiations over a subgroup of square matrices over $\mathbb{F}_2$ and yet, unlike many other exponentiation-based key agreements and cryptosystems such as the Diffie-Hellman key exchange and the ElGamal cryptosystem, does not assume intractability of the Discrete Logarithm Problem.
The Discrete Logarithm Problem (DLP) can generally be stated as follows. Given  an element in some cyclic group , and   for an integer ; find . When the generator  is unknown, we have an Unknown-Base DLP, which is one equation with two unknowns; it has at least  possible solutions in any cyclic group of order .
The basic idea of the proposed scheme is simple: we hide the actual group generator used as the base of the exponentiations in the key agreement, to deprive the adversary of any advantage gained from solving the DLP. By hiding the actual subgroup generator, we remove the reliance on intractability of the DLP, so that the capability of solving the DLP does not imply breaking the scheme.
However, for any key agreement protocol to surpass the level of security provided by intractability of the DLP, it has to reach that level first. That is, the protocol must first be provably secure under standard intractability assumptions related to the DLP. Therefore, at this level, the security of the scheme is proved in the key indistinguishability model, by showing that the shared secret key is indistinguishable from random under the Decisional Diffie-Hellman (DDH) assumption for a subgroup of matrices over $\mathbb{F}_2$ with prime multiplicative order.
One can easily note that the DDH assumption used in the proof of indistinguishability of the shared key is reducible to the DLP. This implies that the indistinguishability proof would not be valid when the DLP is broken. However, the DDH assumption is used in the proof of security against a classical (non-quantum) adversary, and it is presented to show that the proposed scheme satisfies basic security standards.
For adversaries capable of breaking the DLP, such as quantum adversaries, indistinguishability of the shared secret key is not guaranteed. But the paper shows that solving the DLPs derived from the scheme's security equations would not imply computing the shared secret key.

Contribution of this paper
This key exchange scheme removes the reliance on the DLP while retaining the simple use of exponentiations to establish key agreement, which means it might be a candidate post-quantum key exchange scheme. Furthermore, the scheme might also be applicable in other non-commutative platforms that have the appropriate structural properties.
The paper is organized as follows. In section 2 we introduce the key agreement scheme. In section 3 we give a basic proof of the security of the scheme against a non-quantum adversary in the key indistinguishability model. Section 4 discusses the security of the scheme against a quantum adversary (or any hypothetical adversary) able to solve any kind of DLP, showing that the shared secret key remains secure and hidden from such an adversary. The conclusion is given in section 5.

Preliminary
A    is a matrix over the binary field $\mathbb{F}_2$ (i.e.  × :   ∈ {0,1}). In the context of this paper, a matrix always refers to a nonsingular binary matrix; also, multiplication and exponentiation, whenever they appear, refer to binary matrix multiplication and binary matrix exponentiation, where arithmetic operations are performed modulo 2.

The Key Agreement
In this protocol Alice and Bob first agree on a prime number  (generated by algorithm 2.3); then the key agreement goes as follows. The shared secret key is . The key exchange protocol is fully described by the distribution  = (, , , , , ).

Algorithm 2.3
(1) Obtain a primitive polynomial () of degree , such that 2  − 1 is prime , or has a large prime factor .
(2) Construct the companion matrix  of ().
Note that if 2  − 1 is prime  then  (2  −1)/ = . Now, the primitive polynomial () is the minimal polynomial of its companion matrix , therefore the multiplicative order of  is 2  − 1.
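As an added illustration of Algorithm 2.3 (example code written for this page, not the paper's own), the following Python builds the companion matrix of a monic polynomial over F_2 and computes its multiplicative order by matrix exponentiation; the polynomial is primitive, and the matrix a usable subgroup generator, exactly when that order is 2^n - 1. The sample polynomials are constructed: x^5 + x^2 + 1 (primitive, and 2^5 - 1 = 31 is prime as step (1) asks) and x^4 + x^3 + x^2 + x + 1 (irreducible but of order 5, so the order check rejects it).

```python
# Added example (not from the paper): Algorithm 2.3 in miniature. Builds the
# companion matrix of a monic polynomial over F_2 and checks its order.
from typing import List, Optional

Matrix = List[List[int]]

def companion_matrix(coeffs: List[int]) -> Matrix:
    """Companion matrix of p(x) = sum coeffs[i]*x^i over F_2; coeffs[n] must be 1."""
    n = len(coeffs) - 1
    if coeffs[n] != 1:
        raise ValueError("polynomial must be monic")
    m = [[0] * n for _ in range(n)]
    for i in range(1, n):
        m[i][i - 1] = 1           # ones on the sub-diagonal
    for i in range(n):
        m[i][n - 1] = coeffs[i]   # last column holds c_0..c_{n-1} (-c = c mod 2)
    return m

def identity(n: int) -> Matrix:
    return [[int(i == j) for j in range(n)] for i in range(n)]

def mat_mul(a: Matrix, b: Matrix) -> Matrix:
    """Binary matrix product: every entry is reduced modulo 2."""
    n = len(a)
    return [[sum(a[i][k] & b[k][j] for k in range(n)) & 1 for j in range(n)] for i in range(n)]

def mat_pow(m: Matrix, e: int) -> Matrix:
    """Square-and-multiply, the exponentiation the key agreement is built on."""
    result, base = identity(len(m)), m
    while e:
        if e & 1:
            result = mat_mul(result, base)
        base, e = mat_mul(base, base), e >> 1
    return result

def multiplicative_order(m: Matrix) -> Optional[int]:
    """Smallest divisor d of 2^n - 1 with m^d = I; None means p(x) is reducible,
    so the matrix does not generate a subgroup of the intended size."""
    n, size = len(m), 2 ** len(m) - 1
    divisors = sorted({d for i in range(1, int(size ** 0.5) + 1)
                       if size % i == 0 for d in (i, size // i)})
    return next((d for d in divisors if mat_pow(m, d) == identity(n)), None)

def is_primitive(coeffs: List[int]) -> bool:
    """Step (1) check: p(x) is primitive iff its companion matrix has order 2^n - 1."""
    return multiplicative_order(companion_matrix(coeffs)) == 2 ** (len(coeffs) - 1) - 1

# Constructed samples (low coefficient first): x^5 + x^2 + 1 is primitive and
# 2^5 - 1 = 31 is prime; x^4 + x^3 + x^2 + x + 1 is irreducible but has order 5.
SAMPLE_PRIMITIVE = [1, 0, 1, 0, 0, 1]
SAMPLE_NOT_PRIMITIVE = [1, 1, 1, 1, 1]
```

Calling multiplicative_order(companion_matrix(SAMPLE_PRIMITIVE)) gives 31, while the second sample gives 5, which is why step (1) insists on a primitive polynomial rather than merely an irreducible one.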

Security Against Non-Quantum Adversary
Every instance of the key agreement is fully identified by  = (, , , , , ).  is the shared secret key.
The proof presented in this section is a basic proof against a non-quantum adversary, intended to show that the protocol is secure under a standard intractability assumption, namely the Decisional Diffie-Hellman assumption. In the next section we give a security analysis against a quantum adversary who can break the DLP, showing that the shared secret key remains secure even so. In the case of the quantum adversary, a proof based on intractability of Decisional Diffie-Hellman or of the DLP will, of course, be invalid. However, the analysis in section 4 shows that the best a quantum adversary could obtain from solving all possible DLPs derived from the security equations of the protocol is a system of linear equations with more unknowns than equations. Therefore, the adversary will not be able to compute the shared secret key from these equations.
In this section we prove the security of the scheme assuming that the matrices  (generated by algorithm 2.3), and ,  (generated by algorithm 2.2) are public. In the actual protocol, the matrices , , and  are private. Thus, if the protocol is secure when these matrices are public, it must be secure when they are private.
We use the key indistinguishability model, showing that there is no probabilistic polynomial time algorithm  that distinguishes between the actual secret key  =   ∑      −1 and a random matrix  * =    −1 for some integer , under the Decisional Diffie-Hellman assumption for a subgroup of matrices over $\mathbb{F}_2$ with prime order.

Proof of Indistinguishability of The Shared Secret Key
In what follows we prove indistinguishability of the secret key  from the random matrix  * using the DDH assumption for the subgroup  of matrices over $\mathbb{F}_2$ generated by the matrix .
This assumption can be stated formally as follows [4]. There is no probabilistic polynomial time algorithm  such that for some  > 0 and sufficiently large . Here (… ) = 1 means that the algorithm returns 1 when its quadruple input is a proper Diffie-Hellman quadruple.
Thus,  is indistinguishable from  * under the DDH assumption for the subgroup  of matrices over $\mathbb{F}_2$.

Theorem 1
The distribution  = (, , , , , ) that describes a typical instance of the key agreement protocol and the distribution  * = (, , , , ,  * ) are indistinguishable under the DDH assumption for the subgroup  of matrices over $\mathbb{F}_2$. Therefore, the secret key  is indistinguishable from the random matrix  * under this assumption.

Proof
We prove that if there is a polynomial time algorithm ℬ that distinguishes  from  * , then ℬ can be used to distinguish  from  * , which contradicts the DDH assumption for the subgroup  of matrices generated by   1 ; therefore we conclude that there is no probabilistic polynomial time algorithm ℬ that distinguishes  from  * under this assumption. The argument proceeds as follows. Assume that there is a probabilistic polynomial time algorithm ℬ that can distinguish between  and  * , and assume that  and  * are given. We define an algorithm ℋ that maps the distribution  into a distribution  that simulates the key exchange protocol, and maps  * into the distribution  * in the same way. Then the algorithm  that distinguishes  from  * is defined as follows.
One can easily see that the tuple  generated by algorithm ℋ has statistically the same distribution as the tuple  generated by the key exchange protocol, simply by comparing ℋ against the key agreement protocol. Now, suppose there is an algorithm ℬ such that for some ϵ > 0 and arbitrarily large integer .
Since () has the same return value as ℬ(), and ( * ) has the same return value as ℬ( * ), then for some  > 0 and arbitrarily large integer . This contradicts the DDH assumption for . Therefore, there is no probabilistic polynomial time algorithm ℬ to distinguish between  and  * . Hence, there is no probabilistic polynomial time algorithm to distinguish  from  * .

What Can a Quantum Adversary Do?
Since   ′ =  2  +  ,   ′ =  3  +  , there are DLPs. From the similarity of   ′ ,   ′ and   ,   respectively, we have Now, assume that the quantum adversary can solve the DLPs   =    and   =    for  and  by solving DLPs between the relevant eigenvalues of these matrices (using the fact that if  is an eigenvalue of the matrix , then   is an eigenvalue of  , or using any other technique).
The adversary also has these two equations from the description of the protocol.
Now, each of (I) and (II) is a system of ( − 1) equations in  + 1 unknowns, and the system (III) is a system of two equations in  − 1 unknowns. Therefore, when  > 3, these systems are unsolvable for  −1 or  1 ,…,  . From this we conclude that even if the adversary could solve the DLP, the protocol remains secure.

Conclusion
The proposed scheme aims at overcoming the reliance on the DLP by hiding the subgroup generator used as the actual base of the exponentiations in the key exchange algorithm. By doing so, we deprive the quantum adversary of the advantage of breaking the DLP; thus breaking this problem would not affect the security of the scheme in terms of computing the shared secret key. On the other hand, to ensure a standard level of security, we have shown that the shared secret key is indistinguishable from random under the intractability assumption of the Decisional Diffie-Hellman Problem.
Since the actual generator (i.e. the matrix  generated by algorithm 2.3) used in the protocol is private, the adversary has to pick his own generator. However, none of the matrices   ,   , and  can be chosen by the adversary as an alternative generator to . Each of   ,   , and  has a different multiplicative order ( 2, 3 and  respectively) and generates a different subgroup, while the multiplicative order of the actual generator  is  = 6. Also, for any two integers  and , since  ≠  , none of the products     , or      can be used as an alternative generator. The product      has multiplicative order 2 and cannot be chosen as a generator. Therefore   ≠     −1 and   ≠     −1 for any matrices  or . This implies that if    is an eigenvalue of   and    an eigenvalue of   , the adversary cannot assume that    =     , or    =     .  ′ for some  and . Recall from algorithm 2.2 that the order of   ′ is 2 and the order of   ′ is 3. For any  we have only two possibilities:
1  1 + ⋯ +     = 2
1  1 + ⋯ +     = 3
In summary, the best that a quantum adversary, or any adversary, can obtain from solving DLPs is the systems of equations (I) and (II) and
1  1 + ⋯ +     = 2
1  1 + ⋯ +     = 3   (III)
where   ,   , ,   ,  are given positive integers and , , , ,   ,     are unknowns,  ∈ [1, ]. To break the protocol the adversary must obtain either  −1 or  1 ,…,  .