All content in this area was uploaded by Juan Pedro Hecht on Jan 12, 2021
PQC: R-Propping of Burmester-Desmedt
Conference Key Distribution System
Pedro Hecht
Information Security Master, School of Economic Sciences,
School of Exact and Natural Sciences and Engineering School (ENAP-FCE),
University of Buenos Aires, Av. Cordoba 2122 2nd Floor,
CABA C1120AAP, República Argentina
phecht@dc.uba.ar
Abstract. Post-quantum cryptography (PQC) is a trend that has a deserved NIST
status, and which aims to be resistant to quantum computer attacks like the Shor and
Grover algorithms. NIST is currently leading the third-round search for a viable set of
standards, all based on traditional approaches such as code-based, lattice-based,
multivariate quadratic-based, or hash-based cryptographic protocols [1]. We choose to
follow an alternative way: replacing all numeric field arithmetic with GF(2^8) field
operations [2]. By doing so, it is easy to implement R-propped asymmetric systems, as
the present paper shows [3,4]. Here R stands for Rijndael, as we work over the AES
field. This approach yields secure post-quantum protocols, since the resulting
multiplicative monoid is immune against quantum algorithms and resists classical
linearization attacks like Tsaban's Algebraic Span [5] or Roman'kov linearization
attacks [6]. The Burmester-Desmedt (B-D) conference key distribution protocol [7]
has been proved to be secure against passive adversaries if the computational Diffie-
Hellman problem remains hard. The authors state that the proposed scheme could
also be secure against active adversaries under the same assumptions if an
authentication step is included to foil attacks like MITM (man in the middle). Also,
this protocol proved to be semantically secure against adaptive IND-CPA2 [8, 9] if
the discrete log problem is intractable. We discuss the features of our present work
and a practical way to include an authentication step. Classical and quantum security
levels are also discussed. Finally, we present a numerical example of the proposed R-
Propped protocol.
Keywords: Post-quantum cryptography, conference key distribution, finite
fields, combinatorial group theory, R-propping, public-key cryptography,
non-commutative cryptography, AES.
1 Introduction
1.1 PKC Proposals Based on Combinatorial Group Theory
The theoretical foundations for the current generation of cryptosystems lie in the
intractability of problems close to number theory [10] and therefore prone to quantum
attacks. This was the main reason to develop PQC. It is noteworthy that besides a couple of
described solutions [1], there remain overlooked solutions belonging to non-commutative
(NCC) and non-associative (NAC) algebraic cryptography [10]. The general structure of
these solutions relies on protocols defining one-way trapdoor functions (OWTF) extracted
from the combinatorial group theory [11].
1.2 The motivation of the present work
In this paper, we apply our algebraic patch [2] to the well-known Burmester-Desmedt
(B-D) conference key distribution [7]. In essence, it is a generalization of the Diffie-Hellman
two-party protocol [12] to an arbitrary number of entities while keeping the number of
exchanges constant. That protocol has the virtue of being a proven semantically secure
system attaining the IND-CPA2 level as long as the computational Diffie-Hellman and discrete
log problems hold. The main target is to make that protocol quantum resistant.
Essentially, R-propping consists of replacing all numerical field operations (arithmetic
sum and multiplication), a typical scalar proposal, by algebraic operations over the AES
field, a vectorial proposal [2]. This scales up the complexity of the operations, foiling classical
linearization attacks, as AES [13] does, and quantum attacks at the same time. This is a solid
way to achieve the best of two worlds, both pointing to cryptographic security. As side
benefits, we get rid of big-number libraries and step away from the critical dependency on
pseudo-random generators.
The R-propping solution is described as an Algebraic Extension Ring (AER) [2]. For
background knowledge about algebraic solutions, we refer to the Myasnikov NCC treatise
[11] which contributes to exhaustive knowledge of the cryptographic application of the
combinatorial field theory.
2 Preliminaries
Definition 1 (Security levels). Currently, there are several types of attack models for
public-key encryption, namely the chosen-plaintext attack (CPA), non-adaptive chosen-
ciphertext attacks (CCA1), and adaptive chosen-ciphertext attacks (CPA2, CCA2). Security
levels are usually defined by pairing each goal (2: adaptive version, OW: one-way, IND:
indistinguishability, NM: non-malleability) with an attack model (CPA, CCA1 or CPA2,
CCA2); i.e., OW-CPA, OW-CCA1, OW-CCA2; IND-CPA, IND-CPA2, IND-CCA1 and IND-CCA2 [8,
9].
Definition 2 (Algebraic Extension Ring - AER). The Algebraic Extension Ring
(AER) framework includes the following structures:
F_256: a.k.a. GF[2^8], the AES field [6]. Primitive polynomial: 1+x+x^3+x^4+x^8, with
<1+x> as the generator of the multiplicative subgroup (F_256*).
M[F_256, d]: d-dimensional square matrix of field elements (bytes). Therefore, a d-
dimensional square matrix is equivalent to a rank-3 Boolean tensor.
The AER platform has two substructures:
(M[F_256, d], ⨁, O): Abelian group using field sum as operation and the null matrix
(tensor) as the identity element.
(M[F_256*, d], ⨀, I): Non-commutative monoid using field product as operation and the
identity matrix (tensor) as the identity element.
From here on, when referring to field elements (bytes) we simply call them
elements, and when we refer to any d-dimensional matrix of the AER we use the
term d-dim tensor.
Detailed information on AER can be read at [2].
Definition 3 (One-Way Trapdoor Functions – OWTF): these are the core of the
canonical protocols for asymmetric cryptography based on combinatorial group theory.
They are based on hard problems, traditionally using commutative numeric fields, but the
same problem definitions can be applied to non-commutative monoids (as in AER):
– Computational Diffie-Hellman Problem (CDHP): Given (z1, z2) ∈ Z^2 and x ∈ AER,
compute x^(z1 z2) = x^(z2 z1) for given x, x^z1, and x^z2.
– Discrete Logarithm Problem (DLP): Given z ∈ Z and x ∈ AER, compute z for given
x and x^z.
For a general non-commutative structure like the multiplicative monoid of AER, the
above problems are difficult enough to be cryptographic assumptions, meaning that there
does not exist a probabilistic polynomial-time algorithm that can solve all instances of them
with non-negligible accuracy with respect to the problem scale (i.e., the number of input bits of
the problem).
3 Burmester-Desmedt (B-D) distributed conference key
The Burmester and Desmedt protocol is carried out by composing n participants in a ring
structure. An example with four entities is shown through the stages of Table 1.
          ALICE                    BOB                      CHARLIE                  DAVID
Public    prime p, generator <g>
Pass 1    Private a,               Private b,               Private c,               Private d,
          g^a to D, to B           g^b to A, to C           g^c to B, to D           g^d to C, to A
Pass 2    Public Xa = (g^b/g^d)^a  Public Xb = (g^c/g^a)^b  Public Xc = (g^d/g^b)^c  Public Xd = (g^a/g^c)^d
          Private Za = g^(ad)      Private Zb = g^(ab)      Private Zc = g^(bc)      Private Zd = g^(cd)
Key       Private Ka =             Private Kb =             Private Kc =             Private Kd =
          Za^4 Xa^3 Xb^2 Xc        Zb^4 Xb^3 Xc^2 Xd        Zc^4 Xc^3 Xd^2 Xa        Zd^4 Xd^3 Xa^2 Xb
          Ka = Kb = Kc = Kd
Table 1. A schematic view of the original Burmester-Desmedt conference key distribution
protocol for a small ring of n=4 entities. This protocol involves a double-pass exchange. The session
key is a cyclic but not symmetric function of degree two.
4 R-Propped B-D distributed conference key
The differences between the original and the R-Propped version are:
1. Instead of a cyclic (commutative) multiplicative group structure Z*_p in a numeric
field, we work over the non-commutative multiplicative monoid of the algebraic
extension ring (AER) defined in Section 2 (Preliminaries).
2. The elements of AER are d-dimensional square matrices (referred to as tensors) of
F_256 field elements. Sums and products of tensors are field operations.
3. The generator <G> is a predefined non-singular tensor G. The period |<G>| of the
cyclic subgroup is empirically obtained through computational simulation.
4. Inverses of tensors are obtained through exponentiation using the period |<G>|
minus one. The |<G>|-th power of each generator is the identity matrix.
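The two passes of Table 1 carried out over the AER monoid with the four changes listed above, as an added worked example in Python (not code from the paper; its Mathematica program is not reproduced on the page). It assumes a constructed toy 3-dim generator G_TOY whose period is small enough for the empirical period search of item 3 and the inversion by |<G>|-1 of item 4 to run in seconds; the paper's generators G3..G12 are not given on the page.

```python
from functools import reduce
from operator import xor
AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the field modulus of Definition 2
def gf_mul(a, b):  # GF(2^8) product of two bytes, reduced modulo the AES polynomial
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (AES_POLY if a & 0x80 else 0)
        b >>= 1
    return r

def mat_mul(A, B):  # tensor (d x d matrix) product: field sum is XOR, field product is gf_mul
    d = len(A)
    return [[reduce(xor, (gf_mul(A[i][k], B[k][j]) for k in range(d)), 0)
             for j in range(d)] for i in range(d)]

def mat_pow(A, e):  # A^e by square-and-multiply; e = 0 yields the identity tensor I
    R = [[int(i == j) for j in range(len(A))] for i in range(len(A))]
    while e:
        if e & 1:
            R = mat_mul(R, A)
        A, e = mat_mul(A, A), e >> 1
    return R

def period(G, limit=1 << 16):  # empirical |<G>|: smallest k >= 1 with G^k = I, None if beyond limit
    P, I = G, mat_pow(G, 0)
    for k in range(1, limit + 1):
        if P == I:
            return k
        P = mat_mul(P, G)
    return None

def bd_session_keys(G, p, exps):
    # R-propped B-D for n parties in a ring; p = |<G>|, so Y^(p-1) is the inverse of Y (item 4)
    n = len(exps)
    Y = [mat_pow(G, x) for x in exps]                    # pass 1: G^x_i sent to both ring neighbours
    Z = [mat_pow(Y[i - 1], exps[i]) for i in range(n)]   # private Z_i = (G^x_{i-1})^x_i
    X = [mat_pow(mat_mul(Y[(i + 1) % n], mat_pow(Y[i - 1], p - 1)), exps[i])
         for i in range(n)]                              # pass 2: X_i = (G^x_{i+1} / G^x_{i-1})^x_i
    keys = []
    for i in range(n):  # K_i = Z_i^n X_i^(n-1) X_{i+1}^(n-2) ... X_{i+n-2}, the rule of Table 1
        K = mat_pow(Z[i], n)
        for j in range(1, n):
            K = mat_mul(K, mat_pow(X[(i + j - 1) % n], n - j))
        keys.append(K)
    return keys

# Constructed toy generator (not the paper's G3..G12): a Jordan block with eigenvalue 0x03, a
# generator of GF(2^8)*, so its period is 4 * 255 = 1020 and the brute-force search above ends quickly.
G_TOY = [[3, 1, 0], [0, 3, 1], [0, 0, 3]]
```

Running bd_session_keys(G_TOY, period(G_TOY), [a, b, c, d]) returns four identical tensors, namely G_TOY^(ab+bc+cd+da mod 1020), which is the Table 1 key with the numeric field replaced by the AER monoid.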
5 The cryptographic security of the R-propped B-D protocol
The security of the protocol relies on the intractability of the CDHP and DLP problems.
Using R-Propping we design private keys (exponents) of certain public tensors for which
this approach is infeasible.
The proposed public generators, and their classical and quantum security levels, are as follows:
Tensor      <G> proposed   Period |<G>|               Classical          [Grover] Quantum
dimension   generator                                 Security (bits)    Security (bits)
3           G3             2^24  = 16777216           24                 12
4           G4             2^32  = 4294967296         32                 16
7           G7             2^96  = 7.92 x 10^28       96                 48
10          G10            2^112 = 5.19 x 10^33       112                56
12          G12            2^160 = 1.46 x 10^48       160                80
Table 2. Predefined tensors <G> and corresponding multiplicative orders to be used for the B-D
protocol.
Table 3. Expected security of increasing size of private keys subject to classical and quantum attacks.
Depending on the particular situation, security parameters like G7 or above should be chosen.
The IND-CPA2 semantic security is assured as members of the <G> set are
indistinguishable from random tensors of the same size. Statistical evidence of tensor
structures is provided at [4].
As this protocol is susceptible to a MITM attack, it is convenient to include an
authentication step including public key certificates or HMAC of session keys with public
ID values.
6 Step-By-Step Example
To follow the procedure, we show a dim=3 toy program written for the Mathematica 12
interpreted language. Detailed code with the newly defined functions is available upon
request to the author. Running as-is on an Intel® Core™ i5-5200U CPU at 2.20 GHz, the
registered mean session time was 4.40 s.
And the corresponding output is:
7 Conclusions
We present a PQC-class solution to the distributed conference key need. Practical
parameters are presented, and they solve the central question at different security levels.
Other works of the author covering this field can be found at [14].
References
1. D. J. Bernstein, T. Lange, "Post-Quantum Cryptography", Nature, 549:188-194, 2017
2. P. Hecht, Algebraic Extension Ring Framework for Non-Commutative Asymmetric
Cryptography, https://arxiv.org/ftp/arxiv/papers/2002/2002.08343.pdf, 2020
3. P. Hecht, R-Propping of HK17: Upgrade for a Detached Proposal of NIST PQC First
Round Survey, https://eprint.iacr.org/2020/1217, 2020
4. P. Hecht, PQC: R-Propping of Public-Key Cryptosystems Using Polynomials over Non-
commutative Algebraic Extension Rings, https://eprint.iacr.org/2020/1102, 2020
5. A. Ben Zvi, A. Kalka, B. Tsaban, Cryptanalysis via algebraic spans, CRYPTO 2018,
Lecture Notes in Computer Science 10991, 255-274, https://doi.org/10.1007/978-3-319-96884-1_9, 2018
6. V. Roman'kov, Cryptanalysis of a combinatorial public key crypto-system, DeGruyter,
Groups Complex. Cryptology, 2017
7. M. Burmester and Y. Desmedt, A Secure and Efficient Conference Key Distribution
System. In A. De Santis, editor, Advances in Cryptology, EUROCRYPT'94, volume 950
of Lecture Notes in Computer Science, pages 275-286. Springer, 1995
8. E. Kiltz, J. Malone-Lee, A General Construction of IND-CCA2 Secure Public Key
Encryption, ruhr-uni-bochum.de/Eike.Kiltz/papers/general_cca2.ps
9. S. Goldwasser, S. Micali, "Probabilistic Encryption", Journal of Computer and System
Sciences, 28: 270-299, 1984
10. A. Menezes, P. van Oorschot and S. Vanstone, "Handbook of Applied Cryptography",
CRC Press, 1997
11. A. Myasnikov, V. Shpilrain, A. Ushakov, Non-commutative Cryptography and
Complexity of Group-theoretic Problems, Mathematical Surveys and Monographs,
AMS Volume 177, 2011
12. W. Diffie and M.E. Hellman, New directions in cryptography, IEEE Transactions on
Information Theory 22 (1976), 644-654
13. FIPS PUB 197: the official AES standard,
https://web.archive.org/web/20150407153905/http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
14. https://arxiv.org/a/hecht_p_1.html