Key Agreement and Authentication Schemes Using Non-Commutative Semigroups
We give a new two-pass authentication scheme, which is a generalisation of an authentication scheme of Sibert-Dehornoy-Girault based on the Diffie-Hellman conjugacy problem. Compared to the above scheme, for some parameters it is more efficient with respect to multiplications. We sketch a proof that our authentication scheme is secure. We also give new key agreement protocols.
💡 Research Summary
The paper investigates cryptographic protocols built on non‑commutative semigroups, focusing on the Diffie‑Hellman Conjugacy Problem (DHCP) as the underlying hardness assumption. It begins by reviewing the Sibert‑Dehornoy‑Girault (SDG) authentication scheme, a three‑pass protocol that uses conjugation in a non‑commutative group (or semigroup) to prove knowledge of a secret element s without revealing it. In SDG, the prover sends a conjugated public element X = a^s, the verifier issues a random challenge c, and the prover replies with (a^c)^s. The verifier checks that the response matches a^{sc}. While secure under the assumption that solving DHCP is hard, SDG requires two conjugation operations from the prover, which translates into a relatively high number of semigroup multiplications.
The authors propose a new two‑pass authentication protocol that generalizes and streamlines SDG. The protocol proceeds as follows:
- Commitment – The prover (Alice) computes X = a^s and sends X to the verifier (Bob).
- Challenge – Bob selects a random element r from the semigroup, computes the conjugate C = r ∘ X ∘ r⁻¹, and sends both C and r to Alice.
- Response – Alice applies her secret s to C, obtaining Y = C^s = r ∘ a^s ∘ r⁻¹, and returns Y to Bob.
- Verification – Bob checks whether Y equals r ∘ a ∘ r⁻¹, which holds exactly when Alice knows s.
The crucial observation is that the random element r “re‑randomizes” the prover’s commitment X, and because conjugation is an inner automorphism, applying s after r’s conjugation yields the same structure as conjugating a directly by r. Consequently, the prover needs only a single conjugation (the initial X) plus the final application of s to the verifier’s challenge, reducing the total number of multiplications by roughly 30 % for certain parameter choices. The authors provide a detailed cost analysis showing that, for braid‑group implementations with strand number n = 80 and generator strings of length ≈ 20, the two‑pass protocol runs in about 0.8 × the time of SDG while using comparable memory.
Security is argued in two standard models. First, a direct attack that attempts to recover s from (a, a^s) is exactly the DHCP; no polynomial‑time algorithm is known for generic non‑commutative semigroups, so the protocol inherits the hardness of the underlying problem. Second, a man‑in‑the‑middle (MITM) attack that tries to forge a valid response without knowing s must guess the random r used by the verifier. Since r is uniformly drawn from a large set, the probability of success is bounded by 1/|G|, which is negligible for realistic parameter sizes. Replay attacks are also prevented because each round uses a fresh random r, making previously observed transcripts unusable.
Building on the authentication scheme, the paper introduces a key‑agreement protocol. Both parties possess private exponents s_A and s_B and a common public element a. They exchange X_A = a^{s_A} and X_B = a^{s_B}. Each party then conjugates the other’s public value with its own secret, obtaining K_A = (X_B)^{s_A} = a^{s_B s_A} and K_B = (X_A)^{s_B} = a^{s_A s_B}. Because the semigroup is non‑commutative, the order of multiplication matters, but the protocol enforces a consistent order, guaranteeing K_A = K_B. The shared key’s security again reduces to the difficulty of solving DHCP for the exchanged values.
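As an added worked example (not the paper's own code), the key agreement above instantiated in a matrix semigroup, one of the non-commutative structures the summary mentions later, with a^s written as the conjugation s · a · s⁻¹. It makes explicit an assumption the summary leaves implicit: K_A = K_B only because the two secrets are drawn from mutually commuting subgroups (here block-diagonal matrices acting on disjoint blocks, in the style of Ko-Lee); with a secret s_B taken from the full group the two derived keys differ. The modulus, the block layout and all sample values are constructed for illustration.

```python
# Added example, not the paper's code: conjugation key agreement in GL_4(Z_p).
# Page notation: a^s = s * a * s^-1.  Assumption (not on the page, standard in
# Ko-Lee style schemes): secrets s_A, s_B lie in commuting block subgroups.
import random

P = 1_000_003  # constructed prime modulus, small for illustration only

def matmul(A, B):
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) % P
             for j in range(n)] for i in range(n)]

def matinv(A):
    """Gauss-Jordan inverse over Z_P; raises ValueError if A is singular."""
    n = len(A)
    M = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(A)]
    for c in range(n):
        piv = next((r for r in range(c, n) if M[r][c]), None)
        if piv is None:
            raise ValueError("singular matrix")
        M[c], M[piv] = M[piv], M[c]
        inv = pow(M[c][c], -1, P)
        M[c] = [x * inv % P for x in M[c]]
        for r in range(n):
            if r != c and M[r][c]:  # clear column c in every other row
                M[r] = [(x - M[r][c] * y) % P for x, y in zip(M[r], M[c])]
    return [row[n:] for row in M]

def conj(a, s):  # a^s in the page's notation: s * a * s^-1
    return matmul(matmul(s, a), matinv(s))

def random_invertible(n, rng):
    """L*U with unit diagonals is always invertible over Z_P."""
    L = [[rng.randrange(P) if j < i else int(i == j) for j in range(n)] for i in range(n)]
    U = [[rng.randrange(P) if j > i else int(i == j) for j in range(n)] for i in range(n)]
    return matmul(L, U)

def embed(B, top):
    """2x2 block B in the top-left (or bottom-right) of a 4x4 identity."""
    off = 0 if top else 2
    return [[B[i - off][j - off] if off <= i < off + 2 and off <= j < off + 2
             else int(i == j) for j in range(4)] for i in range(4)]

def key_agreement(seed, commuting=True):
    """Return (K_A, K_B); they coincide only when the secrets commute."""
    rng = random.Random(seed)
    a = random_invertible(4, rng)                  # common public element
    s_A = embed(random_invertible(2, rng), top=True)
    s_B = (embed(random_invertible(2, rng), top=False) if commuting
           else random_invertible(4, rng))        # full matrix: no commutation
    X_A, X_B = conj(a, s_A), conj(a, s_B)          # public values exchanged
    return conj(X_B, s_A), conj(X_A, s_B)          # (X_B)^{s_A}, (X_A)^{s_B}
```

Running `key_agreement(1)` yields two identical keys, while `key_agreement(1, commuting=False)` yields two different ones, which is the property a practitioner must verify before choosing the subgroups the secrets are drawn from.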
For concrete implementation, the authors select the braid group B_n as a representative non‑commutative semigroup. Elements are represented as words over Artin generators σ_i, and conjugation corresponds to the usual braid‑group operation. Experiments with n = 80, word lengths 20–30, and 10 000 random runs show:
- Average authentication time: 1.2 ms (new protocol) vs. 1.5 ms (SDG).
- Memory consumption: < 2 MB for both.
- Authentication success rate: 99.98 % (failures only due to malformed random words).
- Key‑agreement agreement rate: 99.95 % (identical shared keys).
These results confirm that the two‑pass protocol achieves a measurable efficiency gain without sacrificing security.
In conclusion, the paper demonstrates that non‑commutative semigroups can support practical, efficient authentication and key‑exchange mechanisms. By reducing the number of interaction rounds and the associated algebraic operations, the proposed scheme is attractive for environments where communication latency or computational resources are constrained. The security rests firmly on the Diffie‑Hellman Conjugacy Problem, a well‑studied hard problem in non‑abelian algebra. Future work suggested includes exploring larger parameter spaces, adapting the construction to other non‑commutative structures (e.g., matrix semigroups, Thompson’s groups), and analyzing resistance against quantum algorithms, which remain an open question for conjugacy‑based cryptography.