Non-Commutative Key Exchange Protocol

We introduce a novel key exchange protocol based on non-commutative matrix multiplication in $\mathbb{Z}_p^{n \times n}$. The security of our method does not rely on computational problems such as integer factorization or the discrete logarithm, whose difficulty is conjectured. We claim that the eavesdropper's only opportunity to obtain the secret/private key is an exhaustive search, which is equivalent to the unsorted database search problem. Furthermore, we show that the secret/private keys become indistinguishable to the eavesdropper. Remarkably, to achieve a 512-bit security level, the public and private keys are of the same size when matrix multiplication is performed over a reduced 8-bit modulus. We also discuss how to achieve key certification and Perfect Forward Secrecy (PFS). Therefore, Lizama's algorithm becomes a promising candidate for establishing shared keys and secret communication between (IoT) devices in the quantum era.


Introduction
In 2017 the National Institute of Standards and Technology (NIST) initiated a process to evaluate the cryptographic algorithms that will support security in the quantum era. Unfortunately, most of the cryptosystems used today will become obsolete in the foreseeable future because they would be broken by quantum computers [1]. Shor's algorithm [2] solves the mathematical problems on which current public-key cryptography rests: integer factorization and the discrete logarithm. Although quantum principles threaten the security of major cryptographic systems, they have also given rise to a new technology, quantum key distribution (QKD), that allows remote secret key establishment [3,4,5,6].
Post-quantum cryptosystems under evaluation as quantum-resistant public-key schemes [7] include lattice-based, multivariate-based, hash-based [8,9] and code-based [10] cryptography. For the third evaluation round, NIST selected seven finalists (and eight alternate candidates): four of them are public-key encryption (and key-establishment) schemes and three are digital signature algorithms. In the first category, CRYSTALS-KYBER, NTRU-HPS and SABER are lattice-based, while Classic McEliece is a code-based public-key encryption system. Among the digital signature schemes, CRYSTALS-DILITHIUM and FALCON are lattice-based and Rainbow is a multivariate-based algorithm [11,12,13]. According to the criteria defined by NIST, post-quantum algorithms must resist both classical and quantum adversaries, and their security level must be comparable to that of SHA-384 and AES-256. Further issues to be considered are key sizes, the required computing resources and the ease of implementation (in hardware and software). The versatility of an algorithm will also be evaluated: its ability to encrypt messages, produce digital signatures and/or perform key exchange.
As discussed in [14], Lizama's certification method is scalable and interoperable and can be used in both the pre-quantum and the quantum era because the protocol exhibits indistinguishability of the integers used in the public key and the ciphertexts. Moreover, the public keys in Lizama's protocol are the smallest: 0.256 kilobytes for the public key and 0.384 kilobytes for the certified key [14].
In this work we introduce a new key exchange algorithm based on non-commutative matrix multiplication that can be useful for secret communication in the pre-quantum and also in the quantum era. The article is organized as follows: in Section 2 we discuss some related protocols, including Lizama's non-invertible connectionless protocol and its reduced version. In Section 3 we introduce our Non-Commutative Key Exchange Protocol and in Section 4 a method to certify the public keys. Finally, Section 5 describes our PFS method, which guarantees the secrecy of new session keys.

Shamir-Rivest-Adleman three-pass protocol
The Shamir-Rivest-Adleman protocol allows two remote parties to exchange a secret message without sharing any initial secret, as described in [15]. The protocol has the required commutative property since $m^{ab} \bmod p = m^{ba} \bmod p$, where each exponent $e \in \{a, b\}$ has an inverse satisfying $e^{-1} \cdot e \equiv 1 \pmod{p-1}$ (see Fig. 1). If $x \equiv y \pmod{p-1}$, then $a^x \equiv a^y \pmod p$ because, by Fermat's Little Theorem, $a^{p-1} \equiv 1 \pmod p$ whenever $p$ does not divide $a$; this is what lets each party undo its own exponentiation with $e^{-1}$. Unfortunately, this protocol rests on the Diffie-Hellman assumption [16], which makes it vulnerable to Shor's algorithm running on a quantum computer [2].
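The three passes described above, as an added worked example in Python (not code from the paper or from [15]). The prime $p = 1009$, the message and the exponents are constructed values chosen so that $p - 1 = 1008 = 2^4 \cdot 3^2 \cdot 7$ makes the coprimality requirement on the exponents visible.

```python
from math import gcd


def exponent_inverse(e: int, p: int) -> int:
    """e^{-1} mod (p-1). e must be coprime to p-1: then m^(e * e^{-1}) =
    m^(1 + k(p-1)) = m (mod p) by Fermat's Little Theorem, which is what
    lets a party undo its own exponentiation."""
    if gcd(e, p - 1) != 1:
        raise ValueError(f"exponent {e} is not invertible mod {p - 1}")
    return pow(e, -1, p - 1)


def three_pass(m: int, p: int, a: int, b: int) -> dict:
    """Shamir-Rivest-Adleman three-pass protocol. Alice holds a, Bob holds b,
    nothing is shared in advance; only the three passes appear on the wire."""
    if not 0 < m < p:
        raise ValueError("message must lie in 1..p-1")
    a_inv, b_inv = exponent_inverse(a, p), exponent_inverse(b, p)
    pass1 = pow(m, a, p)              # Alice -> Bob:  m^a
    pass2 = pow(pass1, b, p)          # Bob -> Alice:  m^{ab}  (= m^{ba})
    pass3 = pow(pass2, a_inv, p)      # Alice -> Bob:  m^{ab a^{-1}} = m^b
    recovered = pow(pass3, b_inv, p)  # Bob:           m^{b b^{-1}} = m
    return {"wire": (pass1, pass2, pass3), "recovered": recovered}


def exponents_commute(m: int, p: int, a: int, b: int) -> bool:
    """The property the protocol relies on: m^{ab} == m^{ba} (mod p)."""
    return pow(pow(m, a, p), b, p) == pow(pow(m, b, p), a, p)


if __name__ == "__main__":
    # Constructed parameters: p = 1009 is prime and p-1 = 1008 = 2^4 * 3^2 * 7,
    # so 17 and 29 are valid exponents while 21 would be rejected.
    print(three_pass(123, 1009, 17, 29))
```

The third pass is $m^b$, so an eavesdropper holding $m^a$, $m^{ab}$ and $m^b$ needs only one discrete logarithm to recover $m$, which is exactly the opening Shor's algorithm exploits.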

Non commutative cryptography
Stickel's key exchange protocol was motivated by the Diffie-Hellman protocol [17]. In the original formulation, the group used in the protocol was the group of invertible matrices over a finite field [18,19]. Let $G$ be a public non-abelian finite group and let $a, b \in G$ be public elements that do not commute, $ab \neq ba$. Let the orders of $a$ and $b$ be $N$ and $M$ respectively:
1. Alice chooses two random natural numbers $n < N$, $m < M$ and sends $u = a^n b^m$ to Bob.
2. Bob picks two random natural numbers $r < N$, $s < M$ and sends $v = a^r b^s$ to Alice.
3. Alice derives the key as $K_A = a^n v b^m = a^{n+r} b^{m+s}$.
4. Bob computes $K_B = a^r u b^s = a^{n+r} b^{m+s}$.
Unfortunately, a linear algebra attack on this protocol has been published [20,19]. It is sufficient for the adversary to find matrices $x$ and $y$ such that $xa = ax$, $yb = by$ and $xu = y$, because $x$ plays the role of $a^{-n}$ while $y$ plays the role of $b^m$ [21]. Since $x$ commutes with $a$ and $y$ with $b$, the adversary then recovers the key as $x^{-1} v y = a^r x^{-1} y\, b^s = a^r u\, b^s = a^{n+r} b^{m+s} = K$. The three constraints are linear in the entries of $x$ and $y$, so they are solved by ordinary Gaussian elimination over the field rather than by any search.

Lizama's non-invertible connectionless protocol
Lizama's non-invertible key exchange protocol was introduced in [22]. In this section we enhance it to enable secret key establishment when the remote users (Alice and Bob) are not allowed to connect to each other directly. We assume that the connection between the users is turned on later to enable secret communication. As stated by the protocol, the public key of user $i$ ($a$ for Alice, $b$ for Bob) has two components $(P_i, Q_i)$ where
$$P_i \equiv p^{2x_i} k_i \pmod n, \qquad Q_i \equiv q^{y_i} k_i \pmod n,$$
$n$ is the publicly known modulus $n = pqr$ with $p, q$ small primes and $r$ a large prime, and $\equiv$ denotes congruence. The original formulation of the protocol states that $x_i + y_i = \varphi(n) + 1$, where $x_i$ is chosen randomly and $y_i$ is derived from this relation. In this new approach we replace it with $x_i + y_i = \varphi(n)$. The private key of user $i$ is the pair $(x_i, k_i)$, where $k_i$ is an invertible integer in $\mathbb{Z}_n$. Users upload their public keys $(P_i, Q_i)$ to the cloud service where public keys are stored. The next steps are described below:
1. Alice and Bob download each other's public key. Then they perform exponentiation and multiplication mod $n$, as indicated in Table 1.
The key $k_{s_i}$ that each user derives is written on the right-hand side of Table 1; both are equal because $x_i + y_i = \varphi(n)$, so that, according to Euler's theorem written in Equation 1, we

Reduced Lizama's key exchange
In the original formulation of the protocol, user $i$ sends $k_s k_j \bmod n$ to user $j$ over the public channel, where $k_s = p^{2x_ix_j} q^{y_iy_j} \bmod n$ and $k_j$ is the private key of $j$, who derives $k_s$ by multiplying by $k_j^{-1}$. The same holds in the opposite direction, from $j$ to $i$. If $k_s \bmod n$ were an invertible integer in $\mathbb{Z}_n$, user $j$ could compute $k_s^{-1}$, and since $j$ has previously computed $k_s k_i \bmod n$ (the value $j$ sends to $i$), $j$ could then obtain $k_i$, the private key of the remote user. This is why $k_s$ is chosen to be non-invertible in $\mathbb{Z}_n$.
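The connectionless derivation of the previous section and the non-invertibility of $k_s$ discussed here, as an added worked example in Python (not the paper's code). It uses the page's symbols: $n = pqr$, $x_i + y_i = \varphi(n)$, $k_i$ a unit mod $n$, $P_i = p^{2x_i} k_i$, $Q_i = q^{y_i} k_i$. The Table 1 operations are not on the page; the combination computed here, $P_j^{x_i} Q_j^{y_i} \bmod n$, is the one that produces the $k_s = p^{2x_ix_j} q^{y_iy_j} \bmod n$ stated above, because $k_j^{x_i + y_i} = k_j^{\varphi(n)} = 1$ cancels by Euler's theorem. The primes $p = 3$, $q = 5$, $r = 1000003$ and the seed are constructed values.

```python
import random
from math import gcd


def keygen(p: int, q: int, r: int, rng: random.Random):
    """One user's key pair. Private (x, k) with y = phi(n) - x implied;
    public (P, Q) = (p^{2x} k mod n, q^{y} k mod n)."""
    n = p * q * r
    phi_n = (p - 1) * (q - 1) * (r - 1)
    x = rng.randrange(1, phi_n - 1)           # 1 <= x <= phi(n)-2, so y >= 2
    y = phi_n - x
    while True:                               # k must be a unit in Z_n
        k = rng.randrange(2, n)
        if gcd(k, n) == 1:
            break
    public = (pow(p, 2 * x, n) * k % n, pow(q, y, n) * k % n)
    return {"x": x, "y": y, "k": k}, public


def derive(private: dict, peer_public: tuple, n: int) -> int:
    """k_s = P_j^{x_i} * Q_j^{y_i} mod n. The peer's unit k_j appears as
    k_j^{x_i + y_i} = k_j^{phi(n)} = 1 (Euler), so it cancels and both sides
    hold p^{2 x_i x_j} q^{y_i y_j} mod n without ever exchanging a value."""
    P_j, Q_j = peer_public
    return pow(P_j, private["x"], n) * pow(Q_j, private["y"], n) % n


def demo(p: int = 3, q: int = 5, r: int = 1000003, seed: int = 7) -> dict:
    """Run the connectionless exchange and return the checks a reviewer wants:
    both sides agree, the value matches the closed form, k_i^{phi(n)} = 1, and
    k_s is NOT a unit in Z_n because p and q both divide it."""
    rng = random.Random(seed)                 # constructed, deterministic demo
    n = p * q * r
    phi_n = (p - 1) * (q - 1) * (r - 1)
    alice, pub_a = keygen(p, q, r, rng)
    bob, pub_b = keygen(p, q, r, rng)
    k_alice = derive(alice, pub_b, n)         # Alice uses Bob's public key
    k_bob = derive(bob, pub_a, n)             # Bob uses Alice's public key
    expected = (pow(p, 2 * alice["x"] * bob["x"], n)
                * pow(q, alice["y"] * bob["y"], n)) % n
    return {
        "k_alice": k_alice,
        "k_bob": k_bob,
        "expected": expected,
        "euler_holds": pow(alice["k"], phi_n, n) == 1
                       and pow(bob["k"], phi_n, n) == 1,
        "k_s_is_unit": gcd(k_alice, n) == 1,
    }


if __name__ == "__main__":
    print(demo())
```

With $x_i + y_i = \varphi(n)$ each party lands on $k_s$ directly, which is why no $k_s k_i$ value has to cross the channel; the same code with $x_i + y_i = \varphi(n) + 1$ would instead yield $k_s k_j$, the value the original formulation sends and then strips with $k_j^{-1}$.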
Preprints (www.preprints.org) | NOT PEER-REVIEWED | Posted: 30 March 2021 doi:10.20944/preprints202103.0716.v1

However, as described in the previous section, Lizama's connectionless protocol requires the public exchange of neither $k_s k_i \bmod n$ nor $k_s k_j \bmod n$. On this new basis, let us introduce the reduced Lizama's non-invertible protocol. In this scheme the public key of user $i$ is $(P_i, Q_i)$ where
$$P_i = a^{2x_i} k_i \bmod n, \qquad Q_i = a^{x_i} k_i \bmod n,$$
with $a = 2$, $n = 2p$ and $p$ a large prime. The private key of user $i$ is $(x_i, k_i)$, where $x_i$ is a random integer and $k_i$ is a random invertible integer in $\mathbb{Z}_n$. The protocol proceeds as follows:
1. Using the web service, Alice and Bob each obtain a copy of the other's public key. Then they perform the operations indicated in Table 2.

Table 2: Operations performed by users over the public keys. The modulus $n$ is computed as $2p$.
User | Operation

Unfortunately, this version of the protocol is insecure in the quantum era because an attacker can interact with Alice using $x_e = 1$, thus obtaining $a^{x_a} \bmod n$ and turning the unsorted database problem into the discrete logarithm problem [23,24].

Non-Commutative Key Exchange Protocol
In [22,14] the following parameters were proposed for Lizama's non-invertible key exchange protocol: $|p| \sim 1024$, $|k_i| \sim 1024$, $|x_i| \sim 256$, which gives a public key size $|P_i| + |Q_i| \sim 2048$ and a private key size $|k_i| + |x_i| = 1280$. Although Lizama's key sizes are already the smallest when compared against the NIST Round 3 finalists [13], we will show that the required key size and modulus size can be reduced even further in order to operate IoT certificates in the quantum era.
Just to compare key sizes (in bits), let us consider the reduced Lizama's key exchange. If we take $|p| = 256$ then $|k_i| = 256$ and $|a^{2x_i}| = 256$, because $x_i$ and $k_i$ are kept secret. The size of the public key $(P_i, Q_i)$ is $2 \cdot 256 = 512$. The private key reaches $|x_i| + |k_i| = 256 + 256 = 512$. Therefore, the secret key $k_{s_i}$ reaches 256 bits. Computation of the secret key requires raising $a$ to a 256-bit exponent over a 256-bit modulus.

Now we introduce the non-commutative Key Exchange Protocol (nc-KEP), which is based on classical non-commutative matrix algebra. The public key $[P_i]$ of user $i$ is computed as

where matrix multiplication is represented by the symbol $\cdot$ and is performed using a publicly known prime modulus $p$. Exponentiation can be done since it is known that

and $[u]$ are random invertible square matrices. The exponent $x_i$ is a random integer, so the private key of user $i$ is the pair $(x_i, [k_i])$. The protocol proceeds as follows:
1. Alice and Bob obtain a copy of each other's public key from the web service. Then they perform the operations indicated in Table 3.
Furthermore, to compute the public key

$\bmod p$ is sent to the other user, who applies the appropriate multiplication (on the left- and right-hand sides) to get the shared key $[k_s] \equiv [u]^{x_i x_j} \bmod p$, as depicted in Figure 2. Since not every matrix is invertible, users must restart the protocol when they derive a non-invertible matrix. It is known that the Hill cipher is vulnerable to a known-plaintext attack, so we will demonstrate in Section 5 how to safely generate a new secret key from the current one.

Security Analysis
The Table 6. We claim that our algorithm is post-quantum because the eavesdropper's only opportunity to get the private key $(x_i, [k_i])$ is to mount an exhaustive search among those elements, which is equivalent to the unsorted database search problem. which is Alice's private key, thus impersonating her. We would suggest that the size of $x_a$ be increased to 256 bits, but this attack has turned the unsorted database problem into a harder, matrix-based version of the discrete logarithm problem [23,24]. To avoid this attack we introduce a generalized non-commutative KEP. Here, each user $i$ has two public matrices $([P_i], [Q_i])$, as shown in Table 5. Thus, the secret key between $i$ and $j$ becomes $[u]^{x_i x_j} \cdot [w]^{y_i y_j} \bmod p$, scaling the problem up to the generalized case $[e_1]^{x_a} \cdot [e_2]^{y_a} \bmod p$.
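An added worked example in Python (not the paper's code) covering two passages: the nc-KEP exchange of Section 3 and the $x_e = 1$ attack discussed in this security analysis. The page's own definition of $[P_i]$ (and Table 3) did not survive extraction, so the code ASSUMES the conjugation form $[P_i] = [k_i] \cdot [u]^{x_i} \cdot [k_i]^{-1} \bmod p$; this is consistent with what the text does state (one party raises the other's public matrix to its own exponent, the other strips its conjugation by one left and one right multiplication, and both end with $[k_s] = [u]^{x_i x_j} \bmod p$) but is an assumption, not the paper's formula. The matrix size, the prime $p = 251$, the exponent lengths (`x_bits`) and the seeds are constructed values.

```python
import random

# ASSUMED public-key form (the paper's definition is not on the page):
#     [P_i] = [k_i] . [u]^{x_i} . [k_i]^{-1}   (mod p)
# Matrices are lists of rows of ints reduced modulo a prime p.


def mat_mul(A, B, p):
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) % p for j in range(n)]
            for i in range(n)]


def mat_identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]


def mat_pow(A, e, p):
    """Square-and-multiply in Z_p^{n x n}; e is a non-negative integer."""
    result, base = mat_identity(len(A)), A
    while e:
        if e & 1:
            result = mat_mul(result, base, p)
        base = mat_mul(base, base, p)
        e >>= 1
    return result


def mat_inv(A, p):
    """Gauss-Jordan inverse over Z_p (p prime); None when A is singular."""
    n = len(A)
    M = [row[:] + ident for row, ident in zip(A, mat_identity(n))]
    for col in range(n):
        pivot = next((r for r in range(col, n) if M[r][col] % p), None)
        if pivot is None:
            return None
        M[col], M[pivot] = M[pivot], M[col]
        inv = pow(M[col][col], -1, p)
        M[col] = [v * inv % p for v in M[col]]
        for r in range(n):
            if r != col and M[r][col] % p:
                f = M[r][col]
                M[r] = [(a - f * b) % p for a, b in zip(M[r], M[col])]
    return [row[n:] for row in M]


def random_invertible(n, p, rng):
    """Rejection-sample: the 'restart on a non-invertible matrix' step."""
    while True:
        A = [[rng.randrange(p) for _ in range(n)] for _ in range(n)]
        if mat_inv(A, p) is not None:
            return A


def keygen(u, p, rng, x_bits):
    """Private (x_i, [k_i]); public [P_i] = [k_i][u]^{x_i}[k_i]^{-1} (assumed)."""
    k = random_invertible(len(u), p, rng)
    x = rng.randrange(1, 1 << x_bits)
    P = mat_mul(mat_mul(k, mat_pow(u, x, p), p), mat_inv(k, p), p)
    return {"x": x, "k": k}, P


def respond(private, peer_public, p):
    """What crosses the channel: the peer's public matrix raised to our x."""
    return mat_pow(peer_public, private["x"], p)


def finish(private, received, p):
    """Strip our own conjugation: [k]^{-1} . ([k][u]^{x_i x_j}[k]^{-1}) . [k]."""
    k_inv = mat_inv(private["k"], p)
    return mat_mul(mat_mul(k_inv, received, p), private["k"], p)


def exchange(p=251, n=3, x_bits=64, seed=1):
    """Honest run; returns both derived keys and the closed form [u]^{x_a x_b}."""
    rng = random.Random(seed)                      # constructed, deterministic
    u = random_invertible(n, p, rng)
    alice, P_a = keygen(u, p, rng, x_bits)
    bob, P_b = keygen(u, p, rng, x_bits)
    k_s_alice = finish(alice, respond(bob, P_a, p), p)   # Bob sent [P_a]^{x_b}
    k_s_bob = finish(bob, respond(alice, P_b, p), p)     # Alice sent [P_b]^{x_a}
    return {"alice": k_s_alice, "bob": k_s_bob,
            "expected": mat_pow(u, alice["x"] * bob["x"], p)}


def active_attack_small_exponent(p=251, n=3, x_bits=12, seed=1):
    """The x_e = 1 attack: Eve publishes [k_e][u][k_e]^{-1}; Alice's reply
    [P_e]^{x_a} = [k_e][u]^{x_a}[k_e]^{-1} hands Eve [u]^{x_a}, and a short x_a
    is then found by linear search (a brute-forced matrix discrete log)."""
    rng = random.Random(seed)
    u = random_invertible(n, p, rng)
    alice, _ = keygen(u, p, rng, x_bits)
    eve = {"x": 1, "k": random_invertible(n, p, rng)}
    P_e = mat_mul(mat_mul(eve["k"], u, p), mat_inv(eve["k"], p), p)
    u_xa = finish(eve, respond(alice, P_e, p), p)   # == [u]^{x_a}
    cur, guess = u, 1
    while cur != u_xa and guess < (1 << x_bits):
        cur, guess = mat_mul(cur, u, p), guess + 1
    # Any x' with [u]^{x'} = [u]^{x_a} reproduces Alice's reply [P_b]^{x_a}
    # toward any Bob, so it is as good as x_a for impersonating her.
    return {"x_a": alice["x"], "recovered": guess,
            "equivalent": mat_pow(u, guess, p) == u_xa}
```

`exchange()` is the honest run; `active_attack_small_exponent()` shows why the text asks for a longer $x_a$: with $x_e = 1$ Eve receives $[u]^{x_a}$ directly, and a 12-bit exponent falls to a linear scan. Lengthening $x_a$ only moves Eve's task to a matrix discrete logarithm, which is the point made above.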

Generalized non-commutative KEP
Indistinguishability of the secret key. Now we want to demonstrate that the pair $(x_a, y_a)$ is indistinguishable from other pairs; symbolically, $[\,\cdot\,]^{y_{a_2}} \bmod p$, then for $t = 1, 2$: $x_t = x_{e_t} x_{a_t}$ and $y_t = y_{e_t} y_{a_t}$. In order to be indistinguishable, we must establish $(x_1, y_1) = (x_2, y_2)$. Provided $|x_1| = 256$, we can separate each equation's term into several factors. By separating them we directly find $(x_1, y_1)$ and $(x_2, y_2)$, and the private numbers $(x_i, y_i)$ become indistinguishable. In this scenario, the size of the public key yields $|(P_i, Q_i)| = 512$, the private key $|(x_i, y_i, k_i)| = 512$, and the secret key raises its security level from 256 to 512 bits. As can be concluded from this discussion, the generalized nc-KEP is obtained directly by upgrading the particular case above. In the next sections we use the non-generalized nc-KEP so that a clearer explanation can be provided.

Certified Keys
An indispensable property of public keys is to be authenticated by a Certification Authority (CA). The keys of the non-commutative Key Exchange Protocol (nc-KEP) can be certified if the CA raises them to her private exponent $x_{ca}$, as indicated in Table 6. Alice and Bob obtain a copy of each other's certified public key from the web service. Then they perform the usual exponentiation, obtaining $[u]^{x_i x_{ca} x_j} \bmod p$. The secret shared key is thus derived as $[u]^{x_i x_{ca} x_j} \bmod p$.

Conclusions
We introduced the non-commutative key exchange protocol (nc-KEP), which allows two remote parties to establish a secret key for private communication. Lizama's nc-KEP does not rely on computational problems such as integer factorization or the discrete logarithm, so its security can be evaluated using the ordinary rules of matrix multiplication without a complex theoretical background. We have shown that, in order to establish a 256-bit secret key, the public key takes 256 bits while the private key requires 384 bits. Remarkably, the matrix multiplications can be done over a reduced 4-bit modulus.
In addition, we have presented a generalized version of the protocol that forces the eavesdropper to face the unsorted database problem because the private numbers become indistinguishable. This enhanced version only requires the public and private keys to be increased to 512 bits, matching the security level. Moreover, a method to achieve Perfect Forward Secrecy has been demonstrated.
Therefore, Lizama's nc-KEP enables secret communication between computationally restricted IoT devices in the quantum era. The algorithm can be further optimized in hardware and software since it only requires matrix multiplication.