A New Key-Agreement-Protocol


📝 Original Info

  • Title: A New Key-Agreement-Protocol
  • ArXiv ID: 0904.1186
  • Date: 2009-04-08
  • Authors: Researchers from original ArXiv paper

📝 Abstract

A new 4-pass Key-Agreement Protocol is presented. The security of the protocol mainly relies on the existence of a (polynomial-computable) One-Way-Function and the supposed computational hardness of solving a specific system of equations.

📄 Full Content

At the end of a Key-Agreement-Protocol two parties, say Alice and Bob, share a common bit string $s$. During the protocol they are allowed to exchange a fixed number of messages $m_i$, $i = 1, \ldots, r$, over a public channel. The protocol is called secure if no algorithm exists that computes the string $s$ from the $m_i$'s in a polynomial number of steps. Whether secure Key-Agreement-Protocols exist is still an open issue, although quite a few have been proposed, maybe the most popular being the Diffie-Hellman-Protocol [2], where the security is linked to the task of computing the element $\gamma^{ab}$ of a given cyclic group from the elements $\gamma^a$ and $\gamma^b$.

In this article, we present a new Key-Agreement-Protocol that uses four rounds of message exchange. Its security mainly relies on the existence of a (polynomial-time computable) One-Way-Function and the supposed computational hardness of solving a specific system of equations.

Public data: Suppose Alice and Bob want to exchange a secret key. They start by agreeing on a positive integer $n$ and a prime $p$ of size $\sim 2^{\sqrt{n \log n}}$. They further agree on a random matrix $C := (c_{i,j})_{i,j} \in \mathbb{F}_p^{n \times n}$, with $i, j \in \{1, \ldots, n\}$, and an injective (polynomial-time computable) One-Way-Function $h : \mathbb{F}_p \to \{0, 1\}^m$, where $\mathbb{F}_p$ denotes the finite field with $p$ elements.

Private data: Next, Alice (resp. Bob) chooses a random element $\alpha \in \mathbb{F}_p$ (resp. $\beta$), $n$ random bits $t_1, \ldots, t_n$ (resp. $s_1, \ldots, s_n$) and a random permutation $\sigma$ on the set $\{1, \ldots, n\}$ (resp. $\rho$), all of which she (resp. he) keeps secret.

The computations that follow all take place in the finite field $\mathbb{F}_p$.

First round: Alice computes for $j = 1, \ldots, n$:

and sends $(\mu_j)_j$ to Bob.

Second round: Bob computes for $i = 1, \ldots, n$:

and sends $((\nu_i)_i, \tau_A)$ to Alice.

Third round: Alice computes for $k = 1, \ldots, n(n-1)$:

and sends $((h(\tau_A k \alpha))_k, \tau_B)$ to Bob.

Final round: Bob computes for $l = 1, \ldots, n(n-1)$

and sends $k_0$ to Alice.

Alice and Bob now share a common element $g := \tau_A k_0 \alpha = \tau_B l_0 \beta$.

We start by showing the correctness of the protocol and calculating the computational cost:

Theorem 1 After the final step both parties share a common element $g$. The number of computational steps on both sides equals $O(n^2 \cdot \text{cost of evaluation of } h)$.

Proof. The correctness of the protocol follows from the easy observation that

and respectively

and the fact that $1 \le k', l' \le n(n-1)/2$, which means that at least one pair of integers $(k_0, l_0)$ within the given range exists, such that $g := \tau_A k_0 \alpha = \tau_B l_0 \beta$. The number of computational steps is also clear, since Bob can sort the list $(h(\tau_A k \alpha))_k$ in $O(n^2 \log n)$ steps, while the evaluation of the injective function $h$ requires $\Omega(\log p)$ operations.

The above protocol gives rise to the following

We (i.e. the author of this article) are not aware of any lower bound for the number of steps it takes to compute the element $g$ from Challenge 1.

In what follows, we will present an algorithm that conjecturally requires $\Omega(2^{\varepsilon \sqrt{n \log n}})$ operations, for some constant $\varepsilon > 0$.

We will try to compute the secret bits $t_1, \ldots, t_n$ of Alice. As is easily seen, the knowledge of these bits will lead in a polynomial number of steps to the secret key. At the beginning there is only one equation for these bits, that is

Now, heuristically speaking, while there are $2^n$ ways to select the values of the $x_i$'s but only $p \sim 2^{\sqrt{n \log n}}$ possible values for $\tau_B$, there are approximately

solutions to equation (7) (in the language of Knapsack-Cryptography, we could speak of an ultra-high density Knapsack, since the density of this Knapsack tends to infinity [4]).

The other equations from (1) involving the $t_i$'s cannot be used immediately, since the permutation $\sigma$ and the element $\alpha$ are both secret, but we can try to get rid of $\alpha$ by guessing $r$ values of the permutation $\sigma$, say $\sigma'(1), \ldots, \sigma'(r)$, which gives us $r - 1$ additional equations:

Again, by the same heuristic argument, the system of these equations together with equation (7) has approximately $2^{n - r \log p} \sim 2^{n(1 - r\sqrt{\log n / n})}$ solutions, which means that we cannot even be sure whether our guess was right, unless nr log p ∼ log κ n, for some constant κ.

To summarize the discussion, the probability of guessing enough equations to compute the $t_i$ (where we did not even talk about the computational cost of really solving these equations) is about $n^{-\varepsilon n / \log p} \sim 2^{-\varepsilon \sqrt{n \log n}}$, for some constant $\varepsilon > 0$, which is, at least from a theoretical point of view, not too far away from the probability of guessing the secret $\alpha$ (resp. the secret key $g$) directly.
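The counting heuristic used in the last paragraphs can be checked by brute force at toy size. The following is an added example, not code from the paper: equation (7) and the guessed equations are not reproduced on this page, so random linear equations over F_p in the unknown bits stand in for them (an assumption), with n = 16 and p = 257, which matches the size 2^√(n log n) when the logarithm is taken to base 2.

```python
import itertools
import random

def rhs_of(rows, bits, p):
    """Right-hand sides sum_i rows[e][i] * bits[i] (mod p), one per equation."""
    return tuple(sum(a for a, b in zip(row, bits) if b) % p for row in rows)

def solution_histogram(rows, p):
    """Map every right-hand-side tuple to the number of bit vectors hitting it."""
    hist = {}
    for x in itertools.product((0, 1), repeat=len(rows[0])):
        key = rhs_of(rows, x, p)
        hist[key] = hist.get(key, 0) + 1
    return hist

def experiment(n=16, p=257, r=2, seed=2009):
    """Count the bit vectors consistent with 1..r random equations.

    The coefficients and the secret bits are constructed sample data;
    they are stand-ins, not the protocol's actual equations.
    """
    rng = random.Random(seed)
    rows = [[rng.randrange(p) for _ in range(n)] for _ in range(r)]
    secret = [rng.randrange(2) for _ in range(n)]
    results = []
    for used in range(1, r + 1):
        hist = solution_histogram(rows[:used], p)
        results.append({
            "equations": used,
            # candidates an attacker cannot tell apart from the secret bits
            "consistent": hist[rhs_of(rows[:used], secret, p)],
            # heuristic estimate 2^(n - used * log2 p)
            "heuristic": 2 ** n / p ** used,
            # every bit vector lands on exactly one right-hand side
            "total": sum(hist.values()),
        })
    return results

if __name__ == "__main__":
    for line in experiment():
        print(line)
```

Because every bit vector lands on exactly one right-hand side, the average count per right-hand side is exactly 2^n / p^r; the heuristic assumes the count for the attacker's particular right-hand side is close to that average.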

It is almost superfluous to say that these heuristic considerations do not prove anything about the security of the stated protocol. Nevertheless, in the author’s opinion, Challenge 1 seems worth further investigation.


Reference

This content is AI-processed based on ArXiv data.
