A New Key-Agreement-Protocol


A new 4-pass Key-Agreement Protocol is presented. The security of the protocol mainly relies on the existence of a (polynomial-computable) One-Way-Function and the supposed computational hardness of solving a specific system of equations.


💡 Research Summary

The paper introduces a four‑pass key‑agreement protocol that relies on a publicly agreed matrix C∈Fₚ^{n×n}, a prime p of size roughly 2√n log n, and a polynomial‑time computable injective one‑way function h:Fₚ→{0,1}^m. Alice and Bob each pick a secret field element (α for Alice, β for Bob), n secret bits (t₁…tₙ and s₁…sₙ), and a secret permutation (σ for Alice, ρ for Bob).

In the first round Alice sends μ_j = Σ_i t_i·c_{i,j} + σ(j)·α for j=1…n. In the second round Bob sends ν_i = Σ_j s_j·c_{i,j} + ρ(i)·β for i=1…n together with τ_A = Σ_j s_j·μ_j. In the third round Alice computes τ_B = Σ_i t_i·ν_i and, for every k in the range 0…n(n−1)/2, sends the hash values h(τ_A−kα) together with τ_B. In the final round Bob computes h(τ_B−lβ) for every l in the same range, finds a pair (k₀,l₀) such that h(τ_A−k₀α)=h(τ_B−l₀β), and sends k₀ to Alice. Both parties then obtain the common secret g = τ_A−k₀α = τ_B−l₀β.

Correctness follows from the identities τ_A = Σ_{i,j} t_i s_j c_{i,j} + α·k′ and τ_B = Σ_{i,j} t_i s_j c_{i,j} + β·l′, where k′ and l′ lie in the prescribed range, guaranteeing at least one matching pair. The computational cost is dominated by O(n²) field operations and O(n² log n) time for sorting the hash lists; evaluating h is assumed to take Ω(log p) elementary steps.
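The four passes and the correctness identities above, as an added Python sketch that is not code from the paper. Assumptions: toy parameters (n = 16, p = 2^61 − 1) rather than the paper's sizes, SHA-256 standing in for the one-way function h, permutations taken over 0…n−1 to match the stated range of k, and hypothetical function names throughout.

```python
import hashlib
import random

P = 2**61 - 1  # toy prime modulus (assumption; not the paper's parameter size)

def h(x):
    # Stand-in for the one-way function h (assumption): SHA-256 of the element.
    return hashlib.sha256(x.to_bytes(8, "big")).digest()

def secrets_for(n, rng):
    # One party's secrets: nonzero field element, n bits, permutation of 0..n-1.
    perm = list(range(n))
    rng.shuffle(perm)
    return rng.randrange(1, P), [rng.randrange(2) for _ in range(n)], perm

def run_protocol(n=16, rng=None):
    rng = rng or random.SystemRandom()
    k_max = n * (n - 1) // 2
    C = [[rng.randrange(P) for _ in range(n)] for _ in range(n)]  # public matrix
    alpha, t, sigma = secrets_for(n, rng)  # Alice
    beta, s, rho = secrets_for(n, rng)     # Bob

    # Pass 1, Alice -> Bob: mu_j = sum_i t_i c_ij + sigma(j) alpha
    mu = [(sum(t[i] * C[i][j] for i in range(n)) + sigma[j] * alpha) % P
          for j in range(n)]
    # Pass 2, Bob -> Alice: nu_i = sum_j s_j c_ij + rho(i) beta, and tau_A
    nu = [(sum(s[j] * C[i][j] for j in range(n)) + rho[i] * beta) % P
          for i in range(n)]
    tau_a = sum(s[j] * mu[j] for j in range(n)) % P
    # Pass 3, Alice -> Bob: tau_B and the list h(tau_A - k alpha), k = 0..k_max
    tau_b = sum(t[i] * nu[i] for i in range(n)) % P
    sent = [h((tau_a - k * alpha) % P) for k in range(k_max + 1)]
    # Pass 4, Bob -> Alice: k0. Bob uses a dict lookup here instead of sorting.
    index = {digest: k for k, digest in enumerate(sent)}
    l0 = next(l for l in range(k_max + 1) if h((tau_b - l * beta) % P) in index)
    k0 = index[h((tau_b - l0 * beta) % P)]

    g_alice = (tau_a - k0 * alpha) % P  # Alice's view of the shared secret
    g_bob = (tau_b - l0 * beta) % P     # Bob's view of the shared secret
    # The common term of both identities: sum_{i,j} t_i s_j c_ij
    core = sum(t[i] * s[j] * C[i][j] for i in range(n) for j in range(n)) % P
    return g_alice, g_bob, core

if __name__ == "__main__":
    ga, gb, core = run_protocol()
    print("keys agree:", ga == gb, "| equals sum t_i s_j c_ij:", ga == core)
```

Everything placed in `mu`, `nu`, `tau_a`, `tau_b`, `sent` and `k0` is what a passive observer sees, which is exactly the input to the challenge the paper defines.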

Security is claimed to rest on two hard problems: (1) inverting the injective one‑way function h, and (2) solving a system of equations that essentially forms an ultra‑high‑density knapsack together with hidden permutations σ and ρ. The authors define “Challenge 1”: given all public data (the μ_j, ν_i, τ_A, τ_B, the list of h(τ_A−kα) values, and k₀), compute g. They argue heuristically that any algorithm must explore roughly 2^{ε√n log n} possibilities for the secret bits t_i (or equivalently for the permutations), because the knapsack equation τ_B = Σ_i t_i ν_i admits about 2^{n−log p} solutions and each guessed permutation adds only a linear number of extra equations, leaving an exponential number of candidate assignments. Consequently they conjecture a lower bound of Ω(2^{ε√n log n}) operations for any attack.

However, the paper provides no formal reduction, no concrete lower‑bound proof, and no experimental evidence. Ultra‑high‑density knapsack instances are known to be vulnerable to lattice‑basis reduction (LLL, BKZ) and often become easier as density increases, contrary to the authors’ intuition. The hidden‑permutation component resembles the “hidden permutation” or “permuted subset‑sum” problems, which have been attacked by algebraic or statistical methods in related settings. Moreover, the security of h is only assumed; without explicit collision resistance or pre‑image resistance guarantees, an adversary could exploit birthday attacks on the hash lists to find matching values faster than the claimed exponential bound.

In summary, while the protocol presents an interesting four‑round structure and a novel combination of linear algebraic operations with a hash‑based matching step, its security foundation is weak. The reliance on an uncharacterized one‑way function and on the presumed hardness of solving an ultra‑high‑density knapsack with hidden permutations lacks rigorous justification. Existing cryptanalytic techniques suggest that the protocol may be vulnerable to lattice attacks, permutation recovery, or hash collisions, and the claimed exponential security margin is not substantiated. Further work would need to provide a solid reduction to a well‑studied hard problem, a precise analysis of the one‑way function’s properties, and concrete parameter recommendations before the scheme could be considered for practical deployment.

