
PQC: R-Propping of Burmester-Desmedt Conference Key Distribution System

Pedro Hecht

Information Security Master, School of Economic Sciences, School of Exact and Natural Sciences and Engineering School (ENAP-FCE), University of Buenos Aires, Av. Cordoba 2122 2nd Floor, CABA C1120AAP, República Argentina

phecht@dc.uba.ar

Abstract. Post-quantum cryptography (PQC) is a trend that has a deserved NIST status, and which aims to be resistant to quantum computer attacks like the Shor and Grover algorithms. NIST is currently leading the third-round search for a viable set of standards, all based on traditional approaches such as code-based, lattice-based, multivariate quadratic-based, or hash-based cryptographic protocols [1]. We choose to follow an alternative way: replacing all numeric field arithmetic with GF(2^8) field operations [2]. By doing so, it is easy to implement R-propped asymmetric systems, as the present paper shows [3,4]. Here R stands for Rijndael, as we work over the AES field. This approach yields secure post-quantum protocols, since the resulting multiplicative monoid is immune against quantum algorithms and resists classical linearization attacks like Tsaban's Algebraic Span [5] or Roman'kov linearization attacks [6]. The Burmester-Desmedt (B-D) conference key distribution protocol [7] has been proved secure against passive adversaries if the computational Diffie-Hellman problem remains hard. The authors state that the proposed scheme could also be secure against active adversaries under the same assumptions if an authentication step is included to foil attacks like MITM (man in the middle). Also, this protocol was proved semantically secure against adaptive IND-CPA2 [8, 9] if the discrete log problem is intractable. We discuss the features of our present work and a practical way to include an authentication step. Classical and quantum security levels are also discussed. Finally, we present a numerical example of the proposed R-Propped protocol.

Keywords: Post-quantum cryptography, conference key distribution, finite fields, combinatorial group theory, R-propping, public-key cryptography, non-commutative cryptography, AES.

1 Introduction

1.1 PKC Proposals Based on Combinatorial Group Theory

The theoretical foundations of the current generation of cryptosystems lie in the intractability of problems close to number theory [10], and are therefore prone to quantum attacks. This was the main reason to develop PQC. It is noteworthy that, besides the few described solutions [1], there remain overlooked solutions belonging to non-commutative (NCC) and non-associative (NAC) algebraic cryptography [10]. The general structure of these solutions relies on protocols defining one-way trapdoor functions (OWTF) extracted from combinatorial group theory [11].

1.2 The motivation of the present work

In this paper, we apply our algebraic patch [2] to the well-known Burmester-Desmedt (B-D) conference key distribution [7]. In essence, it is a generalization of the Diffie-Hellman two-party protocol [12] to an arbitrary number of entities while keeping the number of exchanges constant. That protocol has the virtue of being a proved semantically secure system attaining the IND-CPA2 level as long as the computational Diffie-Hellman and discrete log problems hold. The main target is to make that protocol quantum resistant.

Essentially, R-propping consists of replacing all numerical field operations (arithmetic sum and multiplication), a typical scalar proposal, by algebraic operations using the AES field, a vectorial proposal [2]. This scales up operation complexity, foiling classical linearization attacks, as AES [13] does, and at the same time quantum ones. This is a solid way to achieve the best of both worlds, both pointing to cryptographic security. As side benefits, we get rid of big number libraries and step away from the critical dependency on pseudo-random generators.

The R-propping solution is described as an Algebraic Extension Ring (AER) [2]. For background knowledge about algebraic solutions, we refer to the Myasnikov NCC treatise [11], which contributes exhaustive knowledge of the cryptographic application of combinatorial field theory.

2 Preliminaries

Definition 1 (Security levels). Currently, there are several types of attack models for public-key encryption, namely the chosen-plaintext attack (CPA), non-adaptive chosen-ciphertext attacks (CCA1), and adaptive chosen-ciphertext attacks (CPA2, CCA2). Security levels are usually defined by pairing each goal (2: adaptive version, OW: one-way, IND: indistinguishability, NM: non-malleability) with an attack model (CPA, CCA1 or CPA2, CCA2); i.e., OW-CPA, OW-CCA1, OW-CCA2; IND-CPA, IND-CPA2, IND-CCA1 and IND-CCA2 [8, 9].

Definition 2 (Algebraic Extension Ring - AER). The Algebraic Extension Ring (AER) framework includes the following structures:

F_256: a.k.a. GF[2^8], the AES field [6]. Primitive polynomial: 1 + x + x^3 + x^4 + x^8, with <1+x> as the generator of the multiplicative subgroup (F_256*).

M[F_256, d]: d-dimensional square matrix of field elements (bytes). Therefore, a d-dimensional square matrix is equivalent to a rank-3 Boolean tensor.

The AER platform has two substructures:

(M[F_256, d], ⨁, O): Abelian group using field sum as operation and the null matrix (tensor) as the identity element.

(M[F_256*, d], ⨀, I): Non-commutative monoid using field product as operation and the identity matrix (tensor) as the identity element.

From here on, when referring to field elements (bytes) we call them simply elements, and when we refer to any d-dimensional matrix of the AER we will use the term d-dim tensor.

Detailed information on AER can be read at [2].

Definition 3 (One-Way Trapdoor Functions – OWTF): these are the core of the canonical protocols for asymmetric cryptography based on combinatorial group theory. They are based on hard problems, traditionally using commutative numeric fields, but the same problem definitions can be applied to non-commutative monoids (as in AER):

– Computational Diffie-Hellman Problem (CDHP): Given (z1, z2) ∈ Z^2 and x ∈ AER, compute x^(z1 z2) = x^(z2 z1) for given x, x^z1, and x^z2.

– Discrete Logarithm Problem (DLP): Given z ∈ Z and x ∈ AER, compute z for given x and x^z.

For a general non-commutative structure like the multiplicative monoid of AER, the above problems are difficult enough to serve as cryptographic assumptions, meaning that there does not exist a probabilistic polynomial-time algorithm that can solve all instances of them with non-negligible accuracy with respect to the problem scale (i.e., the number of input bits of the problem).

3 Burmester-Desmedt (B-D) distributed conference key.

The Burmester and Desmedt protocol is carried out by composing n participants in a ring structure. An example with four entities is performed through the stages of Table 1.

Public: prime p, generator <g>. Entities in ring order: ALICE (A), BOB (B), CHARLIE (C), DAVID (D).

First pass (each entity sends g^x to both ring neighbours):
  Alice:   private a, sends g^a to D and B
  Bob:     private b, sends g^b to A and C
  Charlie: private c, sends g^c to B and D
  David:   private d, sends g^d to C and A

Second pass (each entity publishes X and keeps Z private):
  Alice:   public Xa = (g^b / g^d)^a,   private Za = g^(ad)
  Bob:     public Xb = (g^c / g^a)^b,   private Zb = g^(ab)
  Charlie: public Xc = (g^d / g^b)^c,   private Zc = g^(bc)
  David:   public Xd = (g^a / g^c)^d,   private Zd = g^(cd)

Session key (private):
  Alice:   Ka = Za^4 · Xa^3 · Xb^2 · Xc
  Bob:     Kb = Zb^4 · Xb^3 · Xc^2 · Xd
  Charlie: Kc = Zc^4 · Xc^3 · Xd^2 · Xa
  David:   Kd = Zd^4 · Xd^3 · Xa^2 · Xb
  Ka = Kb = Kc = Kd

Table 1. A schematic view of the original Burmester-Desmedt conference key distribution protocol for a small ring of n=4 entities. This protocol involves a double pass exchange. The session key is a cyclic but not symmetric function of degree two.

4 R-Propped B-D distributed conference key.

The differences between the original and the R-Propped version are:

1. Instead of a cyclic (commutative) multiplicative group structure Z*_p in a numeric field, we work over the non-commutative multiplicative monoid of the algebraic extension ring (AER) defined in Section 2, Preliminaries.

2. The elements of AER are d-dimensional square matrices (referred to as tensors) of F_256 field elements. Sums and products of tensors are field operations.

3. The generator <G> is a predefined non-singular tensor G. The period |<G>| of the cyclic subgroup is empirically obtained through computational simulation.

4. Inverses of tensors are obtained through exponentiation using the period |<G>| minus one. The |<G>|-th power of each generator is the identity matrix.
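The four points above carried out on the Table 1 ring, as an added Python example (not the paper's Mathematica program): it builds F_256 from the generator 1+x, finds |<G>| by simulation, inverts through the period minus one, and derives the four B-D keys. The 2x2 tensor G_TOY and the secrets are constructed toy values, not the paper's G3 parameters; all values a party handles are powers of G, which is why the quotient trick of Table 1 still works inside a non-commutative monoid.

```python
from functools import reduce
from operator import xor
# AES-field log/antilog tables built from the generator 1+x (0x03) of F_256*.
EXP, LOG, _v = [0] * 510, [0] * 256, 1
for _i in range(255):
    EXP[_i] = EXP[_i + 255] = _v
    LOG[_v] = _i
    _v ^= ((_v << 1) ^ (0x1B if _v & 0x80 else 0)) & 0xFF  # _v = _v * 0x03

def gf_mul(a, b):  # field product of two bytes (elements of F_256)
    return 0 if a == 0 or b == 0 else EXP[LOG[a] + LOG[b]]
identity = lambda d: [[int(i == j) for j in range(d)] for i in range(d)]  # tensor I

def tmul(A, B):  # tensor product: field sum is XOR, field product is gf_mul
    d = len(A)
    return [[reduce(xor, (gf_mul(A[i][k], B[k][j]) for k in range(d)), 0)
             for j in range(d)] for i in range(d)]

def tpow(A, e):  # square-and-multiply in the non-commutative monoid
    R = identity(len(A))
    while e:
        if e & 1:
            R = tmul(R, A)
        A, e = tmul(A, A), e >> 1
    return R

def period(G, limit=1 << 16):  # |<G>| by simulation: first k with G^k = I
    I, P, k = identity(len(G)), G, 1
    while P != I:
        P, k = tmul(P, G), k + 1
        if k > limit:
            raise ValueError("singular tensor or period beyond search limit")
    return k

def bd_keys(G, order, secrets):  # one B-D round; party i holds x_i, neighbours i-1, i+1
    n = len(secrets)
    Y = [tpow(G, x) for x in secrets]               # G^{x_i}, sent to both neighbours
    inv = lambda T: tpow(T, order - 1)              # inverse = power |<G>| - 1 (point 4)
    X = [tpow(tmul(Y[(i + 1) % n], inv(Y[i - 1])), secrets[i]) for i in range(n)]
    keys = []
    for i in range(n):                              # K_i = Z_i^n X_i^{n-1} ... X_{i+n-2}
        K = tpow(tpow(Y[i - 1], secrets[i]), n)     # Z_i = G^{x_{i-1} x_i}
        for j in range(1, n):
            K = tmul(K, tpow(X[(i + j - 1) % n], n - j))
        keys.append(K)
    return keys

# Constructed toy parameters (not the paper's G3): a non-singular 2x2 tensor, 4 secrets.
G_TOY, SECRETS = [[0x02, 0x03], [0x01, 0x01]], (5, 11, 17, 23)
KEYS = bd_keys(G_TOY, period(G_TOY), SECRETS)   # all four tensors are equal
```

The period search is bounded by 2^16 because a non-singular 2x2 tensor over F_256 has order at most 256^2 - 1; for the paper's d=3 G3 with |<G>| = 2^24 the same loop would need the author's simulation budget.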

5 The cryptographic security of the R-propped B-D protocol

The security of the protocol relies on the intractability of the CDHP and DLP problems. Using R-Propping, we design private keys (exponents) of certain public tensors for which this approach (solving CDHP or DLP) is unfeasible.

The proposed public generators are listed in Table 2.

Table 2. Predefined tensors <G> and corresponding multiplicative orders to be used for the B-D protocol.

Classical and quantum security levels are as follows:

Tensor dimension   Proposed generator <G>   Period |<G>|              Classical security (bits)   Quantum security (bits) [Grover]
3                  G3                       2^24 = 16777216           24                          12
4                  G4                       2^32 = 4294967296         32                          16
7                  G7                       2^96 = 7.92 x 10^28       96                          48
10                 G10                      2^112 = 5.19 x 10^33      112                         56
12                 G12                      2^160 = 1.46 x 10^48      160                         80

Table 3. Expected security of increasing sizes of private keys subject to classical and quantum attacks. Depending on the particular situation, security parameters like G7 or above should be chosen.

The IND-CPA2 semantic security is assured as members of the <G> set are indistinguishable from random tensors of the same size. Statistical evidence on tensor structures is provided at [4].

As this protocol is susceptible to a MITM attack, it is convenient to include an authentication step, using public key certificates or an HMAC of the session keys with public ID values.

6 Step-By-Step Example

To follow the procedures, we show a dim=3 toy program written in the Mathematica 12 interpreted language. Detailed code with the newly defined functions is available upon request from the author. Running as-is on an Intel® Core™ i5-5200U CPU at 2.20 GHz, the registered mean session time was 4.40 s.

And the corresponding output is:

7 Conclusions

We present a PQC class solution to the distributed conference key necessity. Practical parameters are presented, and they solve the central question with different security levels. Other works of the author covering this field can be found at [14].

References

1. D. J. Bernstein, T. Lange, "Post-Quantum Cryptography", Nature, 549:188-194, 2017.

2. P. Hecht, Algebraic Extension Ring Framework for Non-Commutative Asymmetric Cryptography, https://arxiv.org/ftp/arxiv/papers/2002/2002.08343.pdf, 2020.

3. P. Hecht, R-Propping of HK17: Upgrade for a Detached Proposal of NIST PQC First Round Survey, https://eprint.iacr.org/2020/1217, 2020.

4. P. Hecht, PQC: R-Propping of Public-Key Cryptosystems Using Polynomials over Non-commutative Algebraic Extension Rings, https://eprint.iacr.org/2020/1102, 2020.

5. A. Ben Zvi, A. Kalka, B. Tsaban, Cryptanalysis via algebraic spans, CRYPTO 2018, Lecture Notes in Computer Science 10991, 255-274, https://doi.org/10.1007/978-3-319-96884-1_9, 2018.

6. V. Roman'kov, Cryptanalysis of a combinatorial public key crypto-system, DeGruyter, Groups Complex. Cryptology, 2017.

7. M. Burmester and Y. Desmedt, A Secure and Efficient Conference Key Distribution System. In A. De Santis, editor, Advances in Cryptology, EUROCRYPT'94, volume 950 of Lecture Notes in Computer Science, pages 275–286. Springer, 1995.

8. E. Kiltz, J. Malone-Lee, A General Construction of IND-CCA2 Secure Public Key Encryption, ruhr-uni-bochum.de/Eike.Kiltz/papers/general_cca2.ps

9. S. Goldwasser, S. Micali, "Probabilistic Encryption", Journal of Computer and System Sciences, 28: 270-299, 1984.

10. A. Menezes, P. van Oorschot and S. Vanstone, "Handbook of Applied Cryptography", CRC Press, 1997.

11. A. Myasnikov, V. Shpilrain, A. Ushakov, Non-commutative Cryptography and Complexity of Group-theoretic Problems, Mathematical Surveys and Monographs, AMS Volume 177, 2011.

12. W. Diffie and M. E. Hellman, New directions in cryptography, IEEE Transactions on Information Theory 22 (1976), 644-654.

13. FIPS PUB 197: the official AES standard, https://web.archive.org/web/20150407153905/http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf

14. https://arxiv.org/a/hecht_p_1.html