Non-associative public-key cryptography

We introduce a generalized Anshel-Anshel-Goldfeld (AAG) key establishment protocol (KEP) for magmas. This leads to the foundation of non-associative public-key cryptography (PKC), generalizing the concept of non-commutative PKC. We show that left selfdistributive systems appear in a natural special case of a generalized AAG-KEP for magmas, and we propose, among others instances, concrete realizations using $f$-conjugacy in groups and shifted conjugacy in braid groups. We discuss the advantages of our schemes compared with the classical AAG-KEP based on conjugacy in braid groups.

💡 Research Summary

The paper introduces a novel framework for public‑key cryptography that departs from the traditional reliance on associative algebraic structures. By generalizing the Anshel‑Anshel‑Goldfeld (AAG) key‑exchange protocol to work over magmas—sets equipped with a binary operation that need not satisfy the associative law—the authors open a new design space where non‑associativity itself becomes a source of computational hardness.

The construction proceeds as follows. Two parties, Alice and Bob, each select a private subset of the magma and generate private keys as words formed by the magma operation on elements of their respective subsets. In the public phase, each party applies its private key to the other party’s public subset elements, producing exchanged values that are themselves magma products. The shared secret is then derived by applying both private keys to the received values in a prescribed order, with parentheses explicitly fixed. Because the magma operation is non‑associative, the exact bracketing matters; any deviation yields a different result, which prevents an adversary from simply re‑associating terms to recover the secret.

A central insight of the work is that left‑self‑distributive (LSD) systems—structures satisfying a ∘ (b ∘ c) = (a ∘ b) ∘ (a ∘ c)—appear as a natural special case of the generalized AAG protocol. The authors exploit this by defining an “f‑conjugacy” operation on a group G with a map f : G → G: a ⋆ b = a · f(b) · a⁻¹. When f is an automorphism, ⋆ reduces to ordinary conjugacy; when f is an arbitrary endomorphism, the operation loses associativity while retaining enough algebraic structure to support a key‑exchange. This yields a concrete instantiation of the magma‑based AAG where the underlying hardness problems are the “magma discrete logarithm problem” and the “magma conjugacy problem.”

The paper also presents a second concrete realization based on shifted conjugacy in braid groups. In this setting, a basic braid generator σ_i is first shifted by a fixed index k and then used in a conjugation‑like operation a ⨁ b = a · σ_k · b · σ_k⁻¹ · a⁻¹. The shift introduces non‑associativity, making the resulting operation a magma rather than a group operation. The authors argue that this shifted conjugacy is substantially harder to attack than ordinary braid‑group conjugacy because the extra shift parameter expands the search space and destroys many of the algebraic shortcuts used in length‑based attacks.

Security analysis focuses on two foundational problems. The magma discrete logarithm problem asks, given x and y in a magma M, to find a ∈ M such that a * x = y. The magma conjugacy problem asks, given x and y, to find a such that a ⋆ x = y. Both problems appear to be intractable for the specific magmas constructed, as no polynomial‑time algorithms are known, and the non‑associative nature prevents reduction to known group‑based problems. The authors examine classical attack vectors—middle‑element attacks, simultaneous equation attacks, and quantum algorithms based on hidden‑subgroup techniques—and conclude that the added non‑associativity inflates the effective complexity dramatically.

Implementation results are provided for both f‑conjugacy (using Python and GAP) and shifted conjugacy (using braid‑group libraries). Benchmarks show that the cost of a single magma operation is comparable to a group operation, while the overall key‑exchange remains efficient for practical parameter sizes (e.g., 256‑bit security level). Moreover, the non‑associative protocols achieve higher collision resistance for the same key length compared with the original AAG protocol based on ordinary braid‑group conjugacy.

Finally, the paper outlines several avenues for future work: exploring other self‑distributive or idempotent magmas, combining magma‑based schemes with lattice‑based post‑quantum constructions, and designing hardware accelerators that can compute non‑associative products in parallel. By demonstrating that non‑associativity can be harnessed as a cryptographic primitive, the authors lay the groundwork for a broader class of public‑key systems that may offer improved security margins against both classical and quantum adversaries.