Public Key Protocol Based on Amalgamated Free Product

In the spirit of Diffie-Hellman, the concept of a protocol algebra is introduced using a certain amalgamated free product of the braid group B and Thompson's group T together with a nilpotent subgroup H of index 2.


💡 Research Summary

The paper introduces a novel public‑key exchange protocol that builds on the algebraic structure of an amalgamated free product of two well‑studied non‑abelian groups: the braid group B and Thompson’s group T. A nilpotent subgroup H of index 2 (every element is its own inverse) is embedded as the common amalgamating subgroup. By forming the group G = B *_{H} T, the authors retain the computational hardness inherent in each factor while creating additional complexity through the amalgamation.

In the setup phase, public generating sets are chosen for B and T. Each participant selects a private element a ∈ B and b ∈ T. Public keys are constructed as conjugates of the public generators within G (e.g., a s a⁻¹, b t b⁻¹). After exchanging these values, both parties compute a shared secret K = a b h b⁻¹ a⁻¹, where h ∈ H is a non‑trivial element. Because H has exponent 2, K equals its own inverse, which can be used for simple verification.
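The self-inverse property of K described above, as an added example that is not code from the paper: small permutations stand in for elements of G (an assumption that models only the algebra of K, not B, T, the amalgamation or any hardness claim), and every sample value is constructed. It also shows that the K·K = e check passes for any choice of private elements, so it tells a party that K is well formed, not that both sides hold the same key.

```python
# Toy stand-in (assumption): permutations of {0..4}, written as tuples where
# p[i] is the image of i, replace elements of G = B *_H T.

def compose(p, q):
    """Return p∘q: apply q first, then p."""
    return tuple(p[q[i]] for i in range(len(p)))

def inverse(p):
    inv = [0] * len(p)
    for i, v in enumerate(p):
        inv[v] = i
    return tuple(inv)

def conjugate(g, x):
    """Return g x g^-1."""
    return compose(compose(g, x), inverse(g))

def shared_secret(a, b, h):
    """K = a b h b^-1 a^-1, as written in the summary."""
    return conjugate(a, conjugate(b, h))

def is_self_inverse(k):
    """The 'simple verification' from the summary: K * K == identity."""
    return compose(k, k) == tuple(range(len(k)))

# Constructed sample values (hypothetical, for illustration only).
H = (1, 0, 2, 3, 4)        # element of order 2: swaps 0 and 1
A = (1, 2, 3, 4, 0)        # private element "a"
B = (0, 2, 1, 3, 4)        # private element "b"
A_OTHER = (4, 0, 1, 2, 3)  # unrelated private elements
B_OTHER = (4, 1, 2, 3, 0)

K = shared_secret(A, B, H)
K_OTHER = shared_secret(A_OTHER, B_OTHER, H)

if __name__ == "__main__":
    print("K            =", K, "self-inverse:", is_self_inverse(K))
    print("K (other a,b)=", K_OTHER, "self-inverse:", is_self_inverse(K_OTHER))
    # Both pass the check although the keys differ: every conjugate of an
    # order-2 element has order 2, so the check cannot detect a mismatch.
    print("keys equal   :", K == K_OTHER)
```

Key confirmation in practice therefore needs a check bound to the key value itself, for example exchanging a MAC computed under a key derived from K.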

Security rests on three hard problems: (1) the Amalgamated Word Problem in G, i.e., expressing an arbitrary element as a product of factors from B, T, and H; (2) the Conjugacy Search Problem in the free product, which combines the already NP‑hard conjugacy problems of B and T; and (3) the Subgroup Membership Problem for the index‑2 nilpotent subgroup H. The authors argue that none of these problems admit efficient classical or known quantum algorithms, suggesting post‑quantum resilience.

Implementation challenges are discussed in depth. While braid elements can be handled via Garside normal forms, Thompson elements require tree‑based automorphisms, and a unified data structure for mixed elements is not yet mature. Reduction rules for the amalgamated product involve non‑trivial string‑rewriting systems, leading to higher computational overhead. The nilpotent subgroup H is trivial to store (a single bit), but managing its interaction with the two parent groups adds complexity.

Compared with existing non‑commutative schemes such as the Ko‑Lee‑Cheon‑Han‑Kang braid‑based protocol, the proposed construction incurs slightly larger key sizes and operation costs but offers increased structural diversity, which may thwart attacks that exploit specific group properties. The exponent‑2 nature of H also provides a built‑in symmetry useful for key confirmation.

The paper concludes that, although the theoretical foundation appears solid, extensive experimental evaluation, formal security proofs, and algorithmic optimizations are required before practical deployment. In particular, rigorous analysis of quantum‑resistance and performance benchmarking across various parameter choices are identified as essential future work.

