New Subclass Framework and Concrete Examples of Strongly Asymmetric Public Key Agreement

Abstract

Strongly asymmetric public key agreement (SAPKA) is a class of key exchange between Alice and Bob that was introduced in 2011. The greatest difference from the standard PKA algorithms is that Bob constructs multiple public keys and Alice uses one of these to calculate her public key and her secret shared key. Therefore, the number of public keys and calculation rules for each key differ for each user. Although algorithms with high security and computational efficiency exist in this class, the relation between the parameters of SAPKA and its security and computational efficiency has not yet been fully clarified. Therefore, our main objective in this study was to classify the SAPKA algorithms according to their properties. By attempting algorithm attacks, we found that certain parameters are more strongly related to the security. On this basis, we constructed concrete algorithms and a new subclass of SAPKA, in which the responsibility of maintaining security is significantly more associated with the secret parameters of Bob than those of Alice. Moreover, we demonstrate 1. insufficient but necessary conditions for this subclass, 2. inclusion relations between the subclasses of SAPKA, and 3. concrete examples of this sub-class with reports of implementational experiments.

1. Introduction

Since Shannon proposed the concept of “perfect secrecy” in crypto-systems [1], in which he introduced a theoretically unbreakable system even against computational power, the distribution of secret keys between the sender (Alice) and receiver (Bob) via an insecure channel has been one of the greatest problems in cryptography.

The Diffie–Hellman (DH) public key agreement (PKA) protocol that was proposed in 1976 [2] and the Rivest–Shamir–Adleman (RSA) crypto-system that was presented in 1978 [3] represented the most significant works in the area of cryptography, and it was previously believed that the problem of key distribution had been resolved.

However, recent considerable developments in the computational power of eavesdroppers have introduced several potential (even if not immediate) threats against standard PKA algorithms and public key cryptographies, particularly for small key lengths [4]. To maintain security, users have been forced to select longer keys, and the increased key length has led to higher computational costs. Thus, the preparation of secure communication infrastructure, particularly for devices with limited memory and computational power, has become challenging. Furthermore, the threat of quantum computers that are currently under development and Shor’s algorithm [5] cannot be underestimated.

Considering the demand for algorithms that are resilient against any type of theoretical attack, including quantum algorithm-based attacks, the development and study of new PKA algorithms and public key cryptographies, namely post-quantum cryptography (PQC), has become widespread. PKAs and public key cryptographies based on lattice problems such as the shortest vector problem (SVP), closest vector problem, and learning with errors (LWE) are among the most well known methods. Among these, SVP-based PKA and public key cryptographies, including NTRU prime [6], NTRU-HRSS-KEM [7], and NTRU Encrypt [8], module LWE-based PKA such as CRYSTALS–Kyber [9], and ring LWE-based PKA including NewHope [10] are leading approaches in this research area and have been considered as candidates for the NIST (National Institute of Standards and Technology) standardization of PQC systems [11,12]. When the parameters are properly selected, the above algorithms are considered to be resilient against attacks that use quantum computers and sufficiently computationally efficient to be used in practice.

However, there has been substantial discussion regarding the security of such algorithms. For example, in certain LWE-based algorithms, even if sufficiently large parameters are selected, a possible weakness has been observed [13,14,15]. Moreover, the notion that the difficulty in solving ring LWE is equivalent to that of solving the LWE (the difficulty of LWE is discussed in [14,16]) has not yet been proven; thus, other cases of weakened security [9,10] may arise. Weak parameters for NTRU-type PKA algorithms and public key cryptography are also reported in [17]. Owing to these uncertainties in the parameter settings to maintain security even in an ideal situation (i.e., without assuming limited memory and computational power), the preparation of secure communication infrastructure with these new-generation algorithms for less capable devices has resulted in greater difficulty and insecurity. Although there is no doubt that these algorithms will offer significant benefits even after the post-quantum computer era, security analysis of these algorithms should continue until users can be provided with a “guide” that explains how to set parameters to ensure secure PKA and public key cryptography according to the needs and environments of users.

1.1. Research Concept and Goals

We define a function $C:\mathbb{N}\times {\mathbb{R}}^{+}\to {\mathbb{R}}^{+}$, which shows the computational costs for T calculation steps by a device with efficiency $E_D$ (calculation steps per time) as follows:

$$C(T,E_D):=T\times \frac{1}{E_D}.$$

Thus, it is given by time (s, ms, or another unit). Let $PKA$ be a set of PKA algorithms and let $T_A:PKA\times \mathbb{N}\to \mathbb{N}$ be a function that shows the calculation steps required for Alice to calculate the $N\in \mathbb{N}$ bit length of the secret shared key (SSK) of an algorithm $Alg\in PKA$, which increases monotonically for N. $T_B$ denotes the calculation steps for Bob in a similar manner.

Next, we consider $Alg\in PKA$, which has the following relation:

$$T_A(Alg,N)=T_B(Alg,N)$$

(1)

for all $N\in \mathbb{N}$. In this case, we suppose that the maximal computational cost that Bob is allowed to incur for the SSK calculation of $Alg\in PKA$, denoted by $C_{max}^B$, is $C_{max}^B=T_B(Alg,N_0)\times \frac{1}{E_B}$, which is achieved when the bit length of the SSK is some $N_0\in \mathbb{N}$, and Bob can compute their SSK for all $N\in \mathbb{N}$ to satisfy:

$$C_B(T_B(Alg,N),E_B):=T_B(Alg,N)\times \frac{1}{E_B}\le C_{max}^B:=T_B(Alg,N_0)\times \frac{1}{E_B},$$

(2)

where $E_B$ denotes the device efficiency of Bob. As $T_B$ is a monotonically increasing function for the bit size of the SSK, condition (2) is reduced to $N\le N_0$. Furthermore, if $E_B=E_A$, where $E_A$ denotes the device efficiency of Alice, the SSK can be computed for all $N\le N_0$. Thus, Alice and Bob can calculate the SSK of a bit size that is equal to or less than $N_0$ within time $C_{max}^B$.

For the same $Alg\in PKA$, we assume that $E_B>E_A$ and the maximal computational cost that Bob is allowed to incur $C_{max}^B$ is the same as (2), where $N_0$ is the smallest bit size of SSK to maintain security. Let Alice’s computational cost for calculating her SSK of $N\in \mathbb{N}$ bits be $C_A(T_A(Alg,N),E_A):=T_A(Alg,N)\times \frac{1}{E_A}$, and if Alice needs to calculate her SSK within the cost $C_{max}^B$ as well as Bob, the following relation must be satisfied:

$$C_A(T_A(Alg,N),E_A)=T_A(Alg,N)\times \frac{1}{E_A}\le C_{max}^B=T_B(Alg,N_0)\times \frac{1}{E_B},$$

where the equality holds for some $N_1\in \mathbb{N}$, but in this case, $N_1<N_0$ must be satisfied because $T_A$ is a monotonically increasing function for the bit size of the SSK and $\frac{1}{E_B}<\frac{1}{E_A}$. This observation indicates that they must either use an $N_1$-bit SSK, which is obviously less secure than when using an $N_0$-bit SSK, or let Alice incur a cost of $T_A(Alg,N_0)\times \frac{1}{E_A}$, which is larger than $C_{max}^B$. Most PKA algorithms, including the DH algorithm, satisfy (1), and there are many cases in which $E_B>E_A$ in modern society where IoT techniques are continually being developed; thus, this situation is inevitable in the near future, if not immediate.

We consider determining an algorithm denoted by $Al{g}_{A<B}\in PKA$, where

$$T_A(Al{g}_{A<B},N)<T_B(Al{g}_{A<B},N)$$

(3)

being satisfied for all $N\in \mathbb{N}$ is one solution to the above undesirable situation. We denote the maximal computational cost that Bob is allowed to incur as $C_{max,A<B}^B$, which is defined as $C_{max,A<B}^B:=T_B(Al{g}_{A<B},N_0)\times \frac{1}{E_B}$, where $N_0\in \mathbb{N}$ and it is the smallest bit size of SSK to maintain security. In addition to the above $T_A=T_B$ case, we suppose that both Bob and Alice must calculate her SSK within the maximal computational cost that Bob is allowed to incur $C_{max,A<B}^B$. In this case, Alice can calculate all N bits of the SSK to satisfy

$$C_A(T_A(Al{g}_{A<B},N),E_A)=T_A(Al{g}_{A<B},N)\times \frac{1}{E_A}\le C_{max,A<B}^B=T_B(Al{g}_{A<B},N_0)\times \frac{1}{E_B}.$$

The equality holds when $T_A(Al{g}_{A<B},N_1)\times \frac{1}{E_A}=T_B(Al{g}_{A<B},N_0)\times \frac{1}{E_B}$ holds for some $N_1\in \mathbb{N}$. In this case, it should be noted that $N_1=N_0$ is achieved; that is, Alice calculating the SSK of $N_0$ bits within time $C_{max,A<B}^B$ is possible, provided that

$$\frac{T_A(Al{g}_{A<B},N_0)}{T_B(Al{g}_{A<B},N_0)}\le \frac{E_A}{E_B}$$

(4)

holds, which is impossible when (1), because in this case, the left-hand side is equal to 1, but the right-hand side is less than 1. As $\frac{E_A}{E_B}$ is given (we may say that $\frac{E_A}{E_B}$ is a communication environment in which the algorithm is used), (4) is not always achieved for some $Al{g}_{A<B}\in PKA$ and $N_0\in \mathbb{N}$. Conversely, we can determine the minimal environment $\frac{E_A}{E_B}$ where Alice and Bob can calculate $N_0$ bits SSK within $C_{max,A<B}^B$ time using $Al{g}_{A<B}\in PKA$ by simply calculating the left-hand side of (4).

Based on the above considerations, our research goals are as follows:

• Constructions of $Al{g}_{A<B}\in PKA$.
• For $Al{g}_{A<B}\in PKA$, the determination of $T_A(Al{g}_{A<B},N_0^{\prime })$ and $T_B(Al{g}_{A<B},N_0^{\prime })$ for any $N_0^{\prime }\in \mathbb{N}$.
• The construction of the PKA class to which $Al{g}_{A<B}\in PKA$ belongs and the introduction of conditions for PKA algorithms to be members of this class.

As mentioned above, goal 2 provides a lower bound of $\frac{E_A}{E_B}$ to calculate the SSK of $N_0$ bits within time $C_{max,A<B}^B$. Goal 3 provides instructions on how to construct PKA algorithms to possess the relation (3). Thus, improving algorithms such as those of [9,10] to possess this property may be possible by attempting to fix their parameters according to the class conditions. We do not attempt to improve these algorithms in this study, but this subject is worthy of consideration and will be one of our most important future works.

We consider that these goals are achievable by fully utilizing the characteristics of the PKA framework known as strongly asymmetric public key agreement (SAPKA) [18]. The characteristics, high level of generality, and asymmetry of the key agreement process of SAPKA are explained in Section 1.2, along with its definition, and concrete methods that are derived from the characteristics are explained in Section 2.

Note that this study is not focused on how to construct secure PKA algorithms against any types of theoretical attacks; rather, it investigates how to reduce Alice’s computational complexity while maintaining the security of one given PKA algorithm. Our main theorems (in Section 5) do not provide any instructions on how to enhance the security of PKA algorithms, and resilience against attack such as man-in-the-middle (MITM) attack is not discussed in this paper (we consider that these topics should be discussed after existence of $Al{g}_{A<B}$ is proven and mentioned in Section 7.1 ).

1.2. SAPKA Framework

We provide a brief definition of SAPKA (the explicit definition is presented in Section 2.4) and its characteristics in this section.

First, Bob prepares a multiplicative semi-group $\mathcal{S}$ with 1. Subsequently, he selects five maps:

$$x_1,x_2,x_3,x_4,N_1:\mathcal{S}\to \mathcal{S},$$

where $N_1$ must be an easily invertible map. In this case, “easily” means that the calculation of $N_1^{-1}\circ N_1\left(y\right)$ for all $y\in \mathcal{S}$ can be performed in polynomial time. Furthermore, $x_1,x_2,x_3$, and $x_4$ must satisfy the following equation, which is known as the compatibility condition:

$$x_1\circ x_2\left(y\right)=x_3\circ x_4\left(y\right)$$

(5)

for all $y\in \mathcal{S}$, where ∘ denotes the map composition. Equation (5) is a condition for Alice and Bob to calculate the same SSK (see the key agreement process in Figure 1). The key agreement process of SAPKA can be described as in Figure 1, and every secret/public key is displayed in

Table 1. Complete list of key of SAPKA.

	Key	Parameter
Bob	Secret keys	$x_1,x_2,x_3,x_4,N_1:\mathcal{S}\to \mathcal{S}$
	Public keys	$y_{B,1}=N_1^{-1}\circ x_4:\mathcal{S}\to \mathcal{S}$ $y_{B,2}=x_1\circ x_2:\mathcal{S}\to \mathcal{S}$
	SSK	${\kappa }_B=x_3\circ x_4\left(x_A\right)\in \mathcal{S}$
Alice	Secret key	$x_A\in \mathcal{S}$
	Public key	$y_A=N_1^{-1}\circ x_4\left(x_A\right)\in \mathcal{S}$
	SSK	${\kappa }_A=x_1\circ x_2\left(x_A\right)\in \mathcal{S}$

.

As can be observed from Figure 1 and Table 1, Bob’s public keys are described by the map compositions and not by the element of $\mathcal{S}$. Sending a map means sending the calculation rule of the map in combination with a set of parameters, which is the domain of the map. Thus, Alice simply follows the rules of $y_{B,1}$ and $y_{B,2}$ to calculate $y_A$ and ${\kappa }_A$, and to calculate these, she must first receive $y_{B,1}$ and $y_{B,2}$ from Bob. Regardless of the $x_A$ that Alice selects (provided that $x_A\in \mathcal{S}$), the equality of ${\kappa }_A$ and ${\kappa }_B$ holds, because the compatibility condition (5) holds for all elements of $\mathcal{S}$. The generality mentioned above arises from the fact that there are only several restrictions for the secret keys of Bob, namely $x_1,x_2,x_3,x_4,N_1$, and semi-group $\mathcal{S}$. As the restrictions are only those in (5) and invertible regarding $N_1$, Bob has substantial freedom in terms of the choices of these maps and the algebraic structure. By fixing these maps and $\mathcal{S}$ concretely, various PKA algorithms can be described, including the most well known of these, namely the DH algorithm (presented in [18]). In this study, we do not attempt to describe new-generation algorithms such as [7,9,10] in the form of SAPKA. However, we are optimistic that these can be described because $\mathcal{S}$ can be selected as not only scalars but also matrices, for example, with numerous options for $x_1,x_2,x_3,x_4,N_1$.

Another notable characteristic of SAPKA is the asymmetry of the key agreement process. In this case, the asymmetry means that the number of public keys calculated by Alice and Bob differ, and thus, the two perform essentially different operations. Owing to this characteristic, an eavesdropper (Eve) must attempt attacks against a maximum of two public keys to obtain the secret information of either Bob or Alice. This may allow Alice to select her secret key from a set of small bit sizes and to reduce her computational complexity in certain cases. In Section 2, we explain Eve’s strategies for recovering the SSK from public keys, an observation from her strategies, and the research method derived from this observation.

2. Methods and Abstract of This Study

We explain the strategies for Eve to recover the SSK and the method for our research goal, which can be derived from the observation of her strategies.

2.1. Eve’s Strategies for Recovering SSK

Eve wishes to calculate ${\kappa }_A$ or ${\kappa }_B$ by determining the secret key of Alice or Bob from the public keys. She knows the two composed maps of Bob and one element of Alice, as follows:

$$y_{B,1}\left(y\right)=N_1^{-1}\circ x_4\left(y\right)(y\in \mathcal{S}),$$

(6)

$$y_{B,2}\left(y\right)=x_1\circ x_2\left(y\right)(y\in \mathcal{S}),$$

(7)

$$y_A=N_1^{-1}\circ x_4\left(x_A\right).$$

(8)

• Eve’s Strategy 1

If $x_4$ is an invertible map, $y_{B,1}$ is also invertible; thus, she attempts to determine $x_A$ from (6) and (8):

$$x_A=y_{B,1}^{-1}\left(y_A\right)=x_4^{-1}\circ N_1\circ N_1^{-1}\circ x_4\left(x_A\right).$$

(9)

Subsequently, she can calculate

$${\kappa }_A=x_1\circ x_2\left(x_A\right).$$

If $x_4$ is not an invertible map, she obtains a set $\{x_E\in \mathcal{S}:y_A=N_1^{-1}\circ x_4\left(x_E\right)\}$ instead of an element from (9). However, in this case, she can calculate the SSK as follows:

$$x_1\circ x_2\left(x_E\right)=x_3\circ x_4\left(x_E\right)=x_3\circ N_1\circ N_1^{-1}\circ x_4\left(x_E\right)=x_3\circ N_1\left(y_A\right)={\kappa }_B.$$

(10)

The second equation of (10) is obtained from the compatibility condition (5), and the final equation is obtained from the definition of ${\kappa }_B$ (see Figure 1 or Step 5 of Section 2.4).

• Eve’s Strategy 2

First, Eve attempts to obtain a map $N_1$ from (6) and then attempts to obtain a map $x_{3,E}:\mathcal{S}\to \mathcal{S}$ that satisfies

$$x_{3,E}\circ N_1\circ N_1^{-1}\circ x_4\left(y\right)=x_1\circ x_2\left(y\right)$$

(11)

for all $y\in \mathcal{S}$. Finally, she can calculate the SSK as follows:

$$x_{3,E}\circ N_1\left(y_A\right)=x_{3,E}\circ N_1\circ N_1^{-1}\circ x_4\left(x_A\right)=x_1\circ x_2\left(x_A\right)={\kappa }_A.$$

(12)

Suppose that Bob constructs $y_{B,1}$ and $y_{B,2}$ to satisfy the following two requirements:

Requirement 1.

It is difficult to calculate $x_4^{-1}\circ N_1\circ N_1^{-1}\circ x_4\left(y\right)=y$ for all $y\in \mathcal{S}$ in real time, or it is difficult to determine the invertible map of $y_{B,1}$, $x_4^{-1}\circ N_1$ in real time.

Requirement 2.

It is difficult to determine the map $N_1$ from $y_{B,1}=N_1^{-1}\circ x_4$ in real time, or it is difficult to obtain a map $x_{3,E}$ to satisfy (11) in real time.

Then, it is difficult for Eve to obtain $x_A$ from (9) and to proceed to (12) in real time; that is, Eve cannot obtain the SSK in real time. It should be noted that the secret key $x_A$ that Alice selects is not strongly related to Eve’s breaking complexity owing to Requirement 1. This means that Bob may take substantially more responsibility for maintaining security than Alice. In this case, Alice can select her secret key space as a small one in terms of the bit size, provided that an exhaustive search for $x_A$ is difficult in real time, and we expect that this will reduce Alice’s computational complexity for $y_A$ and ${\kappa }_A$.

2.2. Methods

According to this observation, the methods that can be established for the research goal can be derived as follows:

• Introduce algorithms from SAPKA (Section 3).
• Estimate the breaking complexity of these algorithms under the assumption that the secret key space of Alice is smaller than that of Bob and verify whether or not Alice’s small key space reduces the breaking complexity of the algorithms (Section 4.2 and Section 4.3).
• For algorithms for which Alice’s small key space does not reduce the breaking complexity, estimate their computational complexity to calculate the keys of both Alice and Bob (Section 4.4 and Section 4.5).
• Construct the SAPKA subclass for which the algorithms possess the relation that the complexity of Alice for her keys is smaller than that of Bob (we call this subclass the “main SAPKA subclass” until we give definition of it) and introduce the necessary conditions for the subclass by generalizing the results of 3 (Section 5.1 and Section 5.2).

In Section 6, we implement some of the algorithms in Section 3 and report the experimental results. We can concretely observe what can be offered by the algorithms of the subclass constructed in Section 5.1.

At the beginning of Section 5, we add restrictions to the SAPKA framework, particularly for the public keys of Bob, before discussing our main themes. We explain these restrictions briefly below.

2.3. Restrictions on SAPKA Framework

We have already explained the high level of generality of SAPKA. However, owing to this generality, algorithms that do not ensure secure PKA are also included in this class. We present one example as follows:

Let $\mathcal{S}$ be $\mathcal{S}:={\mathbb{Z}}_p$ for some prime number p. Bob selects the numbers $x_B,n_B\in \mathcal{S}$ and keeps them secret. Let the maps $x_1,x_2,x_3,x_4,N_1:\mathcal{S}\to \mathcal{S}$ be defined, for $y\in \mathcal{S}$, as:

• $x_1\left(y\right):=x_{B}y$
• $x_2:=id$
• $x_3\left(y\right):=x_{B}y$
• $x_4\left(y\right):=id$
• $N_1\left(y\right):=n_{B}y$.

In this case, all keys are described as in

Table 2. Complete list of key of example algorithm of SAPKA.

	Key	Parameter
Bob	Secret keys	maps $x_1,x_2,x_3,x_4,N_1:\mathcal{S}\to \mathcal{S}$ and elements $x_B,n_B\in \mathcal{S}$
	Public keys	$y_{B,1}\left(y\right)=N_1^{-1}\circ x_4\left(y\right)=n_B^{-1}y$$(y\in \mathcal{S})$ $y_{B,2}\left(y\right)=x_1\circ x_2\left(y\right)=x_{B}y$$(y\in \mathcal{S})$
	SSK	${\kappa }_B=x_3\circ x_4\left(x_A\right)=x_B{x}_A$
Alice	Secret key	$x_A\in \mathcal{S}$
	Public key	$y_A=N_1^{-1}\circ x_4\left(x_A\right)=n_B^{-1}{x}_A$
	SSK	${\kappa }_A=x_1\circ x_2\left(x_A\right)=x_B{x}_A$

.

The SSK calculations are performed as follows:

$${\kappa }_A=x_1\circ x_2\left(x_A\right)=x_B{x}_A$$

$${\kappa }_B=x_3\circ N_1\left(y_A\right)=x_3\circ N_1\circ N_1^{-1}\circ x_4\left(x_A\right)=x_B{x}_A.$$

In this case, Bob sending $y_{B,1}$ means that $n_B^{-1}$ must be a public key, although this element is supposed to be a secret; otherwise, Alice cannot calculate $y_A$. Eve can easily calculate Alice’s secret key $x_A$ with $n_B{n}_B^{-1}{x}_A=x_A$; thus, Eve can recover the SSK by calculating $y_{B,2}\left(x_A\right)=x_1\circ x_2\left(x_A\right)$. Without limiting this type of algorithm to be included in the SAPKA class, the main subclass that we attempt to construct in Section 5 can include weak algorithms. In this case, the subclass cannot be the one that we aim to construct.

To limit algorithms such as the above example, we add restrictions on the construction of Bob’s public keys using a map referred to as a “non-easily invertible map” with the following definition.

Definition 1.

The map$f_g:\mathcal{S}\to \mathcal{S}$is called as a non-easily invertible map if the calculation$f_g^{-1}\circ f_g\left(y\right)$for all$y\in \mathcal{S}$is difficult to compute in the mean of the computational complexity, and the order of complexity for computing$f_g^{-1}\circ f_g\left(y\right)(y\in \mathcal{S})$is equal to or greater than$O\left(2^{t\left(n\right)}\right)$, where n is the bit size of y and$t:\mathbb{N}\to {\mathbb{R}}^{+}$is a monotonically increasing function:

$$t\left(n\right)=an$$

for some$a\in {\mathbb{R}}^{+}\setminus \left\{0\right\}$.

O of this definition is Landau’s big-O notation (Definition 5 in Section 4.1). We limit Bob’s public keys $y_{B,1}$ and $y_{B,2}$ to be constructed as

$$y_{B,1}\left(y\right)=N_1^{-1}\circ x_4\left(y\right)=f_g\circ N_1^{\prime -1}\circ x_4^{\prime }\left(y\right)$$

$$y_{B,2}\left(y\right)=x_1\circ x_2\left(y\right)=f_g\circ x_1^{\prime }\circ x_2^{\prime }\left(y\right)$$

for certain non-easily mapped $f_g:\mathcal{S}\to \mathcal{S}$ and certain maps $x_1^{\prime },x_2^{\prime },x_4^{\prime },N_1^{\prime }:\mathcal{S}\to \mathcal{S}$. By doing so, attacks from Eve cannot be performed within a polynomial time. Furthermore, with several additional restrictions in Section 5, Requirement 2 of Section 2.1 can be achieved.

We attempt 4. of the method mentioned in Section 2.2 within this restricted SAPKA class with a non-easily invertible map (the explicit definition of this restricted SAPKA class by a non-easily invertible map is also provided Section 5).

2.4. Explicit Definition of SAPKA

We present the definition of SAPKA [18]. The SAPKA algorithms have the following common ingredients:

• a multiplicative semi-group S with 1;
• a set ${\widehat{M}}_{\mathcal{S}}$ of easily invertible maps $:\mathcal{S}\to \mathcal{S}$, known as noise space; and
• a set $M_{\mathcal{S}}$ of maps $:\mathcal{S}\to \mathcal{S}$.

In the above, S is public, and ${\widehat{M}}_{\mathcal{S}}$ and $M_{\mathcal{S}}$ belong to Bob’s secret. From the key space,

$${\mathcal{K}}_B:=M_{\mathcal{S}}\times M_{\mathcal{S}}\times M_{\mathcal{S}}\times M_{\mathcal{S}}\times \widehat{M_{\mathcal{S}}}.$$

Bob prepares the quintuple $(x_1,x_2,x_3,x_4,N_1)$ as their secret key, and $x_1,x_2,x_3,x_4$ must satisfy the following condition, which allows Alice and Bob to obtain the SSK.

Definition 2.

Let$\mathcal{S}$be a multiplicative semi-group with 1. If the functions$x_1,x_2,x_3,x_4:\mathcal{S}\to \mathcal{S}$satisfy the following condition for all$y\in \mathcal{S}$:

$$x_1\circ x_2\left(y\right)=x_3\circ x_4\left(y\right),$$

(13)

the maps$x_1,x_2,x_3,x_4$are said to be compatible, where ∘ denotes a map composition.

Definition 3.

For a multiplicative semi-group$\mathcal{S}$with 1 and the quintuple$C:=(x_1,x_2,x_3,x_4,N_1)\in {\mathcal{K}}_B$, if the maps$x_1,x_2,x_3,x_4$satisfy (13), we state that C is a member of the SAPKA class. We express this relation as:

$$C\in SAPKA.$$

The key agreement process of SAPKA is described as follows:

Step 1B

Bob prepares the maps $(x_1,x_2,x_3,x_4,N_1)\in {\mathcal{K}}_B$, of which $x_1,x_2,x_3,x_4$ satisfy (13).

In this case, each of $x_1,x_2,x_3,x_4,N_1$ is their secret key.

Step 2B

Bob constructs their public keys $y_{B,1},y_{B,2}$ as a map for each:

$$y_{B,1}:=N_1^{-1}\circ x_4$$

$$y_{B,2}:=x_1\circ x_2$$

and sends $(y_{B,1},y_{B,2})$ to Alice.

Step 1A

Alice selects her secret key $x_A$ from $\mathcal{S}$.

Step 2A

Alice calculates her public key $y_A$ as follows:

$$y_A:=y_{B,1}\left(x_A\right)=N_1^{-1}\circ x_4\left(x_A\right)$$

and sends it to Bob.

Step 3A

Alice calculates the SSK denoted by ${\kappa }_A$ as follows:

$${\kappa }_A:=y_{B,2}\left(x_A\right)=x_1\circ x_2\left(x_A\right).$$

Step 3B

Bob calculates the SSK denoted by ${\kappa }_B$ as follows:

$${\kappa }_B:=x_3\circ N_1\left(y_A\right)=x_3\circ N_1\circ N_1^{-1}\circ x_4\left(x_A\right)=x_3\circ x_4\left(x_A\right).$$

2.5. Abstract of This Study

Here, we give an outline of this study, including research goal, short abstract of each section.

• Research Goal

Construction of algorithms that possess the property that Alice’s complexity for SSK is smaller than that of Bob’s and introduction of SAPKA subclass that includes algorithms of the same property.

• Section 3: Concrete Examples of SAPKA

We show concrete examples that how Alice and Bob calculate the SSK, respectively, when the key agreement process is asymmetric. Three examples that are normal DH of SAPKA description, noise element included type DH, and matrix type DH are shown.

• Section 4: Breaking Complexity of SAPKA Algorithms

In this section, we demonstrate what problems that the algorithms of Section 3 are reduced to. Estimations of breaking complexities are done under the assumption that Alice’s secret key space is smaller than Bob’s secret key space. Here, we can see how problems algorithms reduced to are varied according to algebraic structure and SAPKA parameters. Finally, using some of SAPKA algorithms, we discuss how small Alice’s secret key space can be while maintaining security.

• Section 5: Generalization

Here, we try to construct the SAPKA subclass of property that Alice’s computational complexity for SSK is smaller than that of Bob. At first, we exclude algorithms of weak security from the subclass framework as we mentioned in Section 2.3. Without this procedure, the subclass can contain algorithms of above property but sufficiently weak security so that Eve can obtain the SSK within polynomial time. After this limitation is done, we define the subclass and introducing some conditions (only necessarily conditions for algorithms into the subclass) by expanding the results of Section 4 so that it can be applied to the SAPKA framework.

3. Concrete Examples of SAPKA

3.1. DH

As demonstrated in [18], the SAPKA class includes the DH algorithm. However, the process is symmetric because, in this case, $\mathcal{S}:={\mathbb{Z}}_p$, where p is a prime number (thus, $\mathcal{S}$ forms a finite field), $g\in \mathcal{S}$ is the public parameter, $N_1^{-1}$ is the identity map, and Alice can calculate the public key $y_A=x_4\left(x_A\right)=g^{x_A}$, even before receiving $y_{B,1}$. The process is asymmetric in the sense that Alice and Bob use different secret information, but it is symmetric in the sense that the two perform the same operations independently.

3.2. Noised DH (NDH)

The following example is a variant of the DH that does not improve its security substantially but is useful to illustrate the concept of SAPKA algorithms simply.

The components are the same as those in Section 3.1. Bob selects their secret keys $x_B,n_B\in \mathcal{S}$. The key agreement process of the NDH algorithm is described by the following steps.

Step 1B

Bob prepares the quintuple $C_{NDH}:=(x_1,x_2,x_3,x_4,N_1)\in {\mathcal{K}}_B$ as follows:

• $x_1\left(y\right):={\left(g^{x_B}\right)}^y$
• $x_2:=id$
• $x_3\left(y\right)=y^{x_B}$
• $x_4\left(y\right)=g^y$
• $N_1\left(y\right):=y^{n_B^{-1}}$,

where y is selected arbitrarily from $\mathcal{S}$.

Step 2B

Bob constructs their public keys $y_{B,1},y_{B,2}$ as a map for each

$$y_{B,1}\left(y\right):=N_1^{-1}\circ x_4\left(y\right)=N_1^{-1}\left(g^y\right)={\left(g^y\right)}^{n_B}=g^{n_{B}y}$$

$$y_{B,2}\left(y\right):=x_1\circ x_2\left(y\right)={\left(g^{x_B}\right)}^y$$

and sends $(y_{B,1},y_{B,2})$ to Alice. This is equivalent to sending $g^{n_B},g^{x_B}\in \mathcal{S}$.

Step 1A

Alice selects her secret key $x_A$ from $\mathcal{S}$.

Step 2A

Alice calculates her public key $y_A$ as follows,

$$y_A:=y_{B,1}\left(x_A\right)=N_1^{-1}\circ x_4\left(x_A\right)=g^{n_B{x}_A}$$

and sends it to Bob.

Step 3A

Alice calculates the SSK denoted by ${\kappa }_A$ as in the DH case:

$${\kappa }_A:=y_{B,2}\left(x_A\right)=x_1\circ x_2\left(x_A\right)={\left(g^{x_B}\right)}^{x_A}=g^{x_B{x}_A}.$$

Step 3B

Bob calculates the SSK denoted by ${\kappa }_B$ as follows:

$$\begin{array}{cc}\hfill {\kappa }_B& :=x_3\circ N_1\left(y_A\right)\hfill \\ \hfill & =x_3\circ N_1\circ N_1^{-1}\circ x_4\left(x_A\right)\hfill \\ \hfill & =x_3\circ N_1\left(g^{n_B{x}_A}\right)\hfill \\ \hfill & =x_3\left(g^{n_B^{-1}{n}_B{x}_A}\right)\hfill \\ \hfill & ={\left(g^{x_A}\right)}^{x_B}\hfill \\ \hfill & =g^{x_B{x}_A}.\hfill \end{array}$$

3.3. Schur Exponentiation-Based DH (SEDH)

Let $\mathcal{S}$ be the multiplicative semi-group $\mathcal{S}:=\mathcal{M}(d,{\mathbb{Z}}_p)$ of $d\times d$ matrices with entries in ${\mathbb{Z}}_p$. The algorithm introduced in this section uses Schur exponentiation; that is, element-wise matrix exponentiation. The symbol $c^{\circ M}$ is defined as follows:

$${\left(c^{\circ M}\right)}_{ij}:=\left\{\begin{array}{cc}{c}^M\hfill & \mathrm{if}M\mathrm{is}\mathrm{a}\mathrm{scalar}\hfill \\ c_{ij}^{M_{ij}}\hfill & \mathrm{if}M\mathrm{is}\mathrm{a}\mathrm{matrix}\hfill \end{array}\right.;i,j\in \{1,\cdots ,d\}.$$

The key agreement process is as follows:

Step 1B

Bob selects a matrix $x_B\in \mathcal{S}$, an invertible matrix $N_B\in \mathcal{S}$, and a primitive element g of ${\mathbb{Z}}_p$. Subsequently, he constructs the quintuple $C_{SE}:=(x_1,x_2,x_3,x_4,N_1)\in {\mathcal{K}}_B$ for all $a,b\in \{1,\cdots ,d\}$ as follows:

• $x_1{\left(y\right)}_{a,b}:={\prod }_{l\in \{1,\cdots ,d\}}{\left(g^{\circ x_B}\right)}_{a,l}^{{\left(y\right)}_{l,g}}$
• $x_2:=id$
• $x_3{\left(y\right)}_{a,b}:={\prod }_{l\in \{1,\cdots ,d\}}{\left(y\right)}_{l,b}^{{\left(x_B\right)}_{a,l}}$
• $x_4\left(y\right):=g^{\circ y}$
• $N_1{\left(y\right)}_{a,b}:={\prod }_{l\in \{1,\cdots ,d\}}{\left(y\right)}_{l,b}^{{\left(N_B^{-1}\right)}_{a,l}}$,

where $y\in \mathcal{S}$. The compatibility condition holds for all $y\in \mathcal{S}$ and $a,b\in \{1,\cdots ,d\}$:

$$x_1\circ x_2{\left(y\right)}_{a,b}=\prod _{l\in \{1,\cdots ,d\}}{\left(g^{\circ x_B}\right)}_{a,l}^{{\left(y\right)}_{l,b}}=\prod _{l\in \{1,\cdots ,d\}}{g}^{{\left(x_B\right)}_{a,l}{\left(y\right)}_{l,b}}$$

$$=g^{{\sum }_{l\in \{1,\cdots ,d\}}{\left(x_B\right)}_{a,l}{\left(y\right)}_{l,b}}=g^{{\left(x_{B}y\right)}_{a,b}}={\left(g^{\circ x_{B}y}\right)}_{a,b}$$

$$x_3\circ x_4{\left(y\right)}_{a,b}=\prod _{l\in \{1,\cdots ,d\}}{\left(g^{\circ y}\right)}_{l,b}^{{\left(x_B\right)}_{a,l}}=\prod _{l\in \{1,\cdots ,d\}}{g}^{{\left(y\right)}_{l,b}{\left(x_B\right)}_{a,l}}$$

$$=g^{{\sum }_{l\in \{1,\cdots ,d\}}{\left(x_B\right)}_{a,l}{\left(y\right)}_{l,b}}=g^{{\left(x_{B}y\right)}_{a,b}}={\left(g^{\circ x_{B}y}\right)}_{a,b}.$$

Step 2B

Bob constructs their public keys $y_{B,1},y_{B,2}$ as a map for each

$$y_{B,1}{\left(y\right)}_{a,b}:=N_1^{-1}\circ x_4{\left(y\right)}_{a,b}=\prod _{l\in \{1,\cdots ,d\}}{\left(g^{\circ y}\right)}_{l,b}^{{\left(N_B\right)}_{a,l}}$$

$$y_{B,2}{\left(y\right)}_{a,b}:=x_1\circ x_2{\left(y\right)}_{a,b}=\prod _{l\in \{1,\cdots ,d\}}{\left(g^{\circ x_B}\right)}_{a,l}^{{\left(y\right)}_{l,b}}$$

for all $a,b\in \{1,\cdots ,d\}$. In this case, $y_{B,1}{\left(y\right)}_{a,b}$ can also be expressed as follows:

$$y_{B,1}{\left(y\right)}_{a,b}=\prod _{l\in \{1,\cdots ,d\}}{\left(g^{\circ y}\right)}_{l,b}^{{\left(N_B\right)}_{a,l}}=\prod _{l\in \{1,\cdots ,d\}}{\left(g^{\circ N_B}\right)}_{a,l}^{{\left(y\right)}_{l,b}}.$$

Bob sends the maps $(y_{B,1},y_{B,2})$ to Alice. This is equivalent to sending the matrices $g^{\circ N_B},g^{\circ x_B}\in \mathcal{S}$.

Step 1A

Alice selects her secret key $x_A\in \mathcal{S}$.

Step 2A

Alice calculates her public key $y_A$ for all $a,b\in \{1,\cdots ,d\}$ as follows:

$${y_A}_{a,b}:=y_{B,1}{\left(x_A\right)}_{a,b}=N_1^{-1}\circ x_4{\left(x_A\right)}_{a,b}=\prod _{l\in \{1,\cdots ,d\}}{\left(g^{\circ N_B}\right)}_{a,l}^{{\left(x_A\right)}_{l,b}}$$

(14)

$$={\left(g^{\circ N_B{x}_A}\right)}_{a,b}$$

and sends it to Bob.

Step 3A

Alice calculates the SSK denoted by ${\kappa }_A$ for all $a,b\in \{1,\cdots ,d\}$ as follows:

$${{\kappa }_A}_{a,b}:=y_{B,2}{\left(x_A\right)}_{a,b}:=x_1\circ x_2{\left(x_A\right)}_{a,b}=\prod _{l\in \{1,\cdots ,d\}}{\left(g^{\circ x_B}\right)}_{a,l}^{{\left(x_A\right)}_{l,b}}={\left(g^{\circ x_B{x}_A}\right)}_{a,b}.$$

(15)

Step 3B

Bob calculates the SSK denoted by ${\kappa }_B$ for all $a,b\in \{1,\cdots ,d\}$ as follows:

$${{\kappa }_B}_{a,b}:=x_3\circ N_1{\left(y_A\right)}_{a,b}=x_3\circ N_1\circ N_1^{-1}\circ x_4{\left(x_A\right)}_{a,b}=x_3\circ N_1{\left(g^{\circ N_B{x}_A}\right)}_{a,b}$$

$$=\prod _{l\in \{1,\cdots ,d\}}{\left(g^{\circ N_B{x}_A}\right)}_{l,b}^{{\left(x_B{N}_B^{-1}\right)}_{a,l}}=g^{{\sum }_{l\in \{1,\cdots ,d\}}{\left(N_B{x}_A\right)}_{l,b}{\left(x_B{N}_B^{-1}\right)}_{a,l}}=g^{{\left(x_B{N}_B^{-1}{N}_B{x}_A\right)}_{a,b}}$$

$$=g^{{\left(x_B{x}_A\right)}_{a,b}}={\left(g^{\circ x_B{x}_A}\right)}_{a,b}.$$

(16)

This process is illustrated in Figure 2.

Remark 1.

Let $\mathcal{V}$ be a vector space of $\mathcal{V}:={\mathbb{Z}}_p^d$. Each of the above maps $x_1,x_2,x_3,x_4,N_1$ can also be considered as the map $\mathcal{V}\to \mathcal{V}$ and the condition

$$x_1\circ x_2{\left(y\right)}_a=\prod _{l\in \{1,\cdots ,d\}}{\left(g^{\circ x_B}\right)}_{a,l}^{{\left(y\right)}_l}={\left(g^{\circ x_{B}y}\right)}_a=\prod _{l\in \{1,\cdots ,d\}}{\left(g^{\circ y}\right)}_l^{{\left(x_B\right)}_{a,l}}=x_3\circ x_4{\left(y\right)}_a.$$

(17)

is satisfied for all $y\in \mathcal{V}$ and $a\in \{1,\cdots ,d\}$, where $x_B,N_B$ are the same as above. Thus, Alice can select her secret key $x_A$ from $\mathcal{V}$ and the computational complexity for calculating $y_A$, ${\kappa }_A$, and ${\kappa }_B$ is obviously reduced compared with the case when $x_A\in \mathcal{S}=\mathcal{M}(d,{\mathbb{Z}}_p)$. The precise breaking and computational complexities for the $C_{SE}$ of both the $x_A\in \mathcal{V}$ and $x_A\in \mathcal{S}$ cases are investigated in the following section.

4. Breaking Complexity of SAPKA Algorithms

As mentioned in Section 2.2, we estimate the breaking complexity (Section 4.2 and Section 4.3) and computational complexity (Section 4.4) of the algorithms in Section 3.2 and Section 3.3 under the assumption in Section 4.1.

4.1. Assumptions

Let n and m be numbers in $\mathbb{N}$, and $n>m$. We define two functions $|·|:\mathbb{N}\to \mathbb{N}$ and ${|·|}_{\mathcal{S}}:\mathcal{S}\to \mathbb{N}$, which represent the bit lengths of the input. The difference between the two functions is the domains. The input of the first one is from $\mathbb{N}$, and the second one is from $\mathcal{S}$. The semi-groups of the above two algorithms are constructed based on a prime number p, where $\left|p\right|=n$. In this case, we can express the bit size of the element in $\mathcal{S}$ as ${\left|y\right|}_{\mathcal{S}}\le n$ when $\mathcal{S}={\mathbb{Z}}_p$ and ${\left|y\right|}_{\mathcal{S}}\le d^{2}n$ when $\mathcal{S}=\mathcal{M}(d,{\mathbb{Z}}_p)$. We construct subsets denoted by $\underline{\mathcal{S}}$ of $\mathcal{S}$ for both the $\mathcal{S}={\mathbb{Z}}_p$ and $\mathcal{S}=\mathcal{M}(d,{\mathbb{Z}}_p)$ cases, respectively, as follows:

$$\underline{\mathcal{S}}:={\{y\in \mathcal{S}:|y|}_{\mathcal{S}}\le m\}(\mathrm{when}\mathcal{S}={\mathbb{Z}}_p\mathrm{case})$$

$$\underline{\mathcal{S}}:={\{y\in \mathcal{S}:|y|}_{\mathcal{S}}\le d^{2}m\}(\mathrm{when}\mathcal{S}=\mathcal{M}(d,{\mathbb{Z}}_p)\mathrm{case}),$$

with the aim of determining whether the complexity of the algorithms in Section 3.2 and Section 3.3 are reduced if we suppose that Alice’s secret key is selected from the small bit length set $\underline{\mathcal{S}}$.

Prior to investigating the breaking complexity of the algorithms in Section 3.2 and Section 3.3 under the assumption and a certain condition for n and m, we demonstrate that not only the complexity, but also the order of complexity (a definition of order is provided in Definition 5) to compute one discrete logarithm problem (DLP) differ between the cases when an exponent is selected from a larger bit length set and from a smaller bit length set.

The required settings are as follows:

• a prime number p, where $\left|p\right|=n$;
• a semi-group $\mathcal{S}:={\mathbb{Z}}_p$;
• a subset $\underline{\mathcal{S}}:={\{y\in \mathcal{S}:|y|}_{\mathcal{S}}\le m\}\subset \mathcal{S}$; and
• a map $x_g:\mathcal{S}\to \mathcal{S}$, $x_g\left(y\right):=g^y$, where g is a primitive element of $\mathcal{S}$.

We prove that if $n=s\left(m\right)>m$ for some monotonically increasing function $s:\mathbb{N}\to \mathbb{N}$ of not a linear and monic polynomial, the calculation of the DLP, namely

$$x_g^{-1}\circ x_g\left(y\right)={log}_g{g}^y=y,$$

is easier when $y\in \underline{\mathcal{S}}$ than when $y\in \mathcal{S}$ in terms of the complexity and order (Proposition 1). First, we name this input y of $x_g$ according to the size of set y as per the following definition:

Definition 4.

Let n and m be numbers in $\mathbb{N}$ $(n>m)$, and let n be the bit size of each element of ${\mathbb{Z}}_p$. For a given map $x_g:{\mathbb{Z}}_p\to {\mathbb{Z}}_p$, defined as

$$x_g\left(y\right):=g^y,$$

where g is an element in $\mathcal{S}$, if the set y belongs to $\underline{\mathcal{S}}$, we call this y anm-bit logarithm. If the set is $\mathcal{S}$, y is known as ann-bit logarithm.

The complexity of obtaining the n-bit logarithm refers to the complexity of calculating $x_g^{-1}\circ x_g\left(y\right)$ when $y\in \mathcal{S}$ (for the m-bit logarithm, $y\in \underline{\mathcal{S}}$).

We represent the time complexity using the function $T:\mathbb{N}\to {\mathbb{R}}^{+}$, where the input is the bit size and the output is the multiplication steps. The complexity of calculating the DLP of the m-bit logarithm is given by $T\left(m\right)=2^{\frac{m}{2}}$ [19,20]. In this case, the complexity of calculating the n-bit logarithm is $T\left(n\right)=T\left(s\left(m\right)\right)=2^{\frac{s\left(m\right)}{2}}$. Obviously, $T\left(n\right)>T\left(m\right)$ when $n=s\left(m\right)>m$; however, we should also consider how the complexity increases as m increases. We can compare the growth rate of $T\left(m\right)$ and $T\left(s\right(m\left)\right)$ using Landau’s big-O notation with the following definition:

Definition 5.

For functions $T,g:\mathbb{N}\to {\mathbb{R}}^{+}$, if there exist $c,m_0\in \mathbb{N}$ such that

$$T\left(m\right)\le cg\left(m\right)$$

(18)

is satisfied for all $m\ge m_0$, we state that $T\left(m\right)$ has an order of $g\left(m\right)$ time complexity, and we describe it as

$$T\left(m\right)\in O\left(g\right(m\left)\right).$$

(19)

Relation (19) indicates that $O\left(g\right)$ is a set defined by:

$$O\left(g\right):=\{T:\mathrm{there} \mathrm{exists}c,m_0\in \mathbb{N}\mathrm{to} \mathrm{satisfy} \left(18\right)\mathrm{for} \mathrm{all} m\ge m_0\}$$

Therefore, for two complexity functions $T,T^{\prime }:\mathbb{N}\to {\mathbb{R}}^{+}$, where $T\left(m\right)\le T^{\prime }\left(m\right)$ for all $m\in \mathbb{N}$ and $t\left(m\right)\in O\left(g\right(m\left)\right)$, $T^{\prime }\left(m\right)\in O\left(g^{\prime }\left(m\right)\right)$, if we wish to state that the growth rate of $T^{\prime }$ is higher than that of T (the order of $T^{\prime }$ is higher than T), we can simply describe it as follows:

$$O\left(g^{\prime }\left(m\right)\right)\subset O\left(g\left(m\right)\right)$$

or

$$g^{\prime }\left(m\right)>g\left(m\right)$$

for all m. In this case,

$$T^{\prime }\left(n\right)\notin O\left(g\left(n\right)\right)$$

$$T\left(n\right)\in O\left(g\left(n\right)\right),T\left(n\right)\in O\left(g^{\prime }\left(n\right)\right)$$

hold. We can prove that the growth rate of $t\left(s\left(m\right)\right)=2^{\frac{s\left(m\right)}{2}}$ is higher than $T\left(m\right)=2^{\frac{m}{2}}$ as follows:

Proposition 1.

If and only if the monotonically increasing function$s:\mathbb{N}\to \mathbb{N}$for satisfying$n=s\left(m\right)>m$is a not linear and monic polynomial, the growth rate of$T(\left(s\left(m\right)\right)=2^{\frac{s\left(m\right)}{2}}$is higher than$T\left(m\right)=2^{\frac{m}{2}}$; that is,

$$O\left(2^{\frac{s\left(m\right)}{2}}\right)\subset O\left(2^{\frac{m}{2}}\right)$$

holds.

Proof. 

Note that $T\left(s\left(m\right)\right)\in O\left(2^{\frac{s\left(m\right)}{2}}\right)$ and $T\left(m\right)\in O\left(2^{\frac{m}{2}}\right)$. Suppose that s is a one-degree but non-monic polynomial defined as:

$$n=s\left(m\right)=hm+b,$$

where $h,b\in \mathbb{N}$, $h\ne 1$. If $O\left(2^{\frac{m}{2}}\right)=O\left(2^{\frac{s\left(m\right)}{2}}\right)$ holds in this case, there must exist the constants $c,m_0\in \mathbb{N}$ such that for all $m\ge m_0$,

$$2^{\frac{s\left(m\right)}{2}}=2^{\frac{hm+b}{2}}\le c{2}^{\frac{m}{2}}$$

(20)

is satisfied. However, in this case, $2^{\frac{m(h-1)+b}{2}}\le c$ holds, so that c cannot be a constant. Thus, in this case,

$$O\left(2^{\frac{s\left(m\right)}{2}}\right)\subset O\left(2^{\frac{m}{2}}\right)$$

holds. When the case s is over a one-degree polynomial, it is obvious that there is no $c,m_0\in \mathbb{N}$ to satisfy (20) for all $m\in m_0$.

If s is a linear and monic polynomial described as

$$n=s\left(m\right)=m+b,$$

where $b\in \mathbb{N}$, we have

$$O\left(2^{\frac{s\left(m\right)}{2}}\right)=O\left(2^{\frac{m+b}{2}}\right)=O\left(2^b{2}^{\frac{m}{2}}\right)=O\left(2^{\frac{m}{2}}\right).$$

□

Therefore, if Alice and Bob attempt a key exchange using the DH algorithm, where Bob’s secret key $x_B$ is

$$x_B\in \mathcal{S}$$

and Alice’s secret key $x_A$ is

$$x_A\in \underline{\mathcal{S}},$$

Eve should attempt to obtain $x_A$, which is easier for her to obtain than $x_B$. The security of the algorithms in Section 3.2 and Section 3.3 also depends on the difficulty of the DLP, but these algorithms may not be the same as DH owing to one of Bob’s public keys $y_{B,1}$ and especially the map $N_1$. In Section 2.1, we discussed the requirement for $y_{B,1}$ to allow Alice to select her secret key from a small bit length set without reducing the breaking complexity. For both algorithms, Requirement 2 is satisfied if Bob selects $n_B$, as it is an n-bit logarithm for $x_g$ with the algorithm of Section 3.2, and similarly, $N_B$ is selected with the algorithm of Section 3.3. Of course, in this case, the number n must be sufficiently large to ensure that the calculation of the n-bit logarithm is not achieved in real time.

At this point, we focus on verifying whether the other algorithms in Section 3.2 and Section 3.3 satisfy Requirement 1. of Section 2.1. Subsequently, we attempt to determine the polynomial s; that is, how small m can be and the computational complexity of these algorithms for each key of Alice and Bob when m is selected to be as small as possible (Section 4.4).

4.2. Eve Attempts an Attack against NDH

We assume the following:

• a prime number p, where $\left|p\right|=n$;
• a semi-group $\mathcal{S}:={\mathbb{Z}}_p$;
• a subset $\underline{\mathcal{S}}:={\{y\in \mathcal{S}:|y|}_{\mathcal{S}}\le m\}\subset \mathcal{S}$;
• $x_A\in \underline{\mathcal{S}}$;
• $n_B,x_B\in \mathcal{S}$;
• a map $x_g:\mathcal{S}\to \mathcal{S}$, $x_g\left(y\right):=g^y$, where g is a primitive element of $\mathcal{S}$;
• a non-linear and monic polynomial s, where $n=s\left(m\right)>m$ for all $m\in \mathbb{N}$.

Eve’s goal is to obtain $x_A$ from the following public keys

• $y_{B,1}\left(y\right)=N_1^{-1}\circ x_4\left(y\right)=N_1^{-1}\left(g^y\right)={\left(g^y\right)}^{n_B}=g^{n_{B}y}$
• $y_{B,2}\left(y\right):=x_1\circ x_2\left(y\right)={\left(g^{x_B}\right)}^y$,

and public elements

• $g^{x_B}$
• $g^{n_B}$
• $y_A=N_1^{-1}\circ x_4\left(x_A\right)=g^{n_B{x}_A}$.

She must calculate

$$y_{B,1}^{-1}\left(y_A\right)=x_4^{-1}\circ N_1\left(y_A\right)={log}_g{\left(y_A\right)}^{n_B^{-1}}={log}_g{g}^{n_B{x}_A{n}_B^{-1}}={log}_g{g}^{x_A}=x_A.$$

(21)

As she does not know $n_B$, it appears that she must obtain the n-bit logarithm $n_B$ by calculating ${log}_g{g}^{n_B}=n_B$ before obtaining the m-bit logarithm $x_A$. However, (21) can be described as

$$y_{B,1}^{-1}\left(y_A\right)=x_4^{-1}\circ N_1\left(y_A\right)=n_B^{-1}{log}_g{y}_A=n_B^{-1}\frac{{log}_{g^{n_B}}{g}^{n_B{x}_A}}{{log}_{g^{n_B}}g}={log}_{g^{n_B}}{g}^{n_B{x}_A}=x_A.$$

Thus, when we define a map $x_{g^{\prime }}:\mathcal{S}\to \mathcal{S}$ such that

$$x_{g^{\prime }}\left(y\right):=x_{g^{n_B}}\left(y\right)={\left(g^{n_B}\right)}^y,$$

$y_{B,1}^{-1}=x_{g^{\prime }}^{-1}$, we can construct $x_{g^{\prime }}$ using only $g^{n_B}$, which is public. For this attack, Eve only needs to calculate $x_{g^{\prime }}^{-1}\left(y_A\right)=x_{g^{\prime }}^{-1}\circ x_{g^{\prime }}\left(x_A\right)$ to obtain the m-bit logarithm $x_A$. Therefore, it can be said that Alice selecting a small bit length set $\underline{\mathcal{S}}$ reduces the breaking complexity for Eve; that is, Requirement 1 of Section 2.1 is not satisfied in this case.

4.3. Eve Attempts an Attack against SEDH

We assume the following:

• a prime number p, where $\left|p\right|=n$;
• a semi-group $\mathcal{S}:=\mathcal{M}(d,{\mathbb{Z}}_p)$;
• a subset $\underline{\mathcal{S}}:={\{y\in \mathcal{S}:|y|}_{\mathcal{S}}\le d^{2}m\}\subset \mathcal{S}$;
• $x_A\in \underline{\mathcal{S}}$;
• $N_B,x_B\in \mathcal{S}$;
• a map $x_g:\mathcal{S}\to \mathcal{S}$, $x_g\left(y\right):=g^y$, where g is a primitive element of $\mathcal{S}$; and
• a not linear monic polynomial s, where $n=s\left(m\right)>m$ for all $m\in \mathbb{N}$.

Eve’s goal is to obtain $x_A$ from the following public keys:

• $y_{B,1}{\left(y\right)}_{a,b}:=N_1^{-1}\circ x_4{\left(y\right)}_{a,b}={\prod }_{l\in \{1,\cdots ,d\}}{\left(g^{\circ y}\right)}_{l,b}^{{\left(N_B\right)}_{a,l}}$
• $y_{B,2}{\left(y\right)}_{a,b}:=x_1\circ x_2{\left(y\right)}_{a,b}={\prod }_{l\in \{1,\cdots ,d\}}{\left(g^{\circ x_B}\right)}_{a,l}^{{\left(y\right)}_{l,b}}$,

where $a,b\in \{1,\cdots ,d\}$, and the following elements:

• $g^{\circ x_B}$
• $g^{\circ N_B}$
• $y_A=N_1^{-1}\circ x_4\left(x_A\right)=g^{\circ N_B{x}_A}$,

to calculate

$$y_{B,1}^{-1}{\left(y_A\right)}_{a,b}=x_4^{-1}\circ N_1{\left(g^{\circ N_B{x}_A}\right)}_{a,b}={log}_g{\left(g^{\circ N_B^{-1}{N}_B{x}_A}\right)}_{a,b}={log}_g{\left(g^{x_A}\right)}_{a,b}={\left(x_A\right)}_{a,b}$$

(22)

for all $a,b\in \{1,\cdots ,d\}$. It appears that she first needs to obtain an element $N_B$ by calculating ${log}_g{\left(g^{\circ N_B}\right)}_{a,b}$ for all $a,b\in \{1,\cdots ,d\}$, the complexity of which is equivalent to the complexity for calculating $d^2$n-bit logarithms for the map $x_g$, because she does not know $N_B$, so as to obtain $N_B^{-1}$. After obtaining $N_B$, she can proceed to the final two equalities of (22), and the complexity of calculating ${log}_g{\left(g^{x_A}\right)}_{a,b}={\left(x_A\right)}_{a,b}$ for all $a,b\in \{1,\cdots ,d\}$ is equivalent to the complexity of calculating $d^2$m-bit logarithms for the map $x_g$. We now verify that Eve really needs to calculate at least the same amount as to obtain $d^2$n-bit logarithms by calculating ${log}_g{\left(g^{\circ N_B}\right)}_{a,b}$ for all $a,b\in \{1,\cdots ,d\}$. In Attack 1, we attempt to find other descriptions for map $y_{B,1}$, as in Section 4.2. In Attack 2, we attempt an attack in which Eve avoids calculating $d^2$ DLPs for $N_B$, and we compare the breaking complexity of the attack with an exhaustive search for $x_A\in \underline{\mathcal{S}}$. In Attack 3, we attempt to determine the least complexity that Eve requires to obtain $x_A$. Hereafter, we refer to the logarithm of matrix $M\in \mathcal{M}(d,{\mathbb{Z}}_p)$ as follows:

$${log}_{g}M=\left({log}_g{M}_{a,b}\right)(g\in {\mathbb{Z}}_p)$$

$${log}_{G}M=\left({log}_{G_{a,b}}{M}_{a,b}\right)(G\in \mathcal{M}(d,{\mathbb{Z}}_p)).$$

• Attack 1

Using the known element $g^{\circ N_B}$, Eve attempts the following calculation for all $a,b\in \{1,\cdots ,d\}$:

$${log}_{g^{\circ N_B}}\left(y_A\right)={log}_{g^{\circ N_B}}{g}^{\circ N_B{x}_A}.$$

(23)

However, unlike in Section 4.2, the relation ${log}_{g^{\circ N_B}}{g}^{\circ N_B{x}_A}=x_A$ does not hold. She obtains $X\in \mathcal{S}$ instead of $x_A\in \underline{\mathcal{S}}$ from (23):

$${log}_{g^{\circ N_B}}{g}^{\circ N_B{x}_A}={log}_{g^{\circ N_B}}{\left(g^{\circ N_B}\right)}^{\circ X}=X.$$

In this case, X holds for the relation

$$N_B•X=N_B{x}_A,$$

where • denotes element-wise matrix multiplication. Obviously, $X=x_A$ does not always hold, so $N_1^{-1}\circ x_4\left(y_A\right)={log}_{g^{\circ N_B}}\left(y_A\right)$ also does not hold. Moreover, to obtain $x_A$, Eve needs to calculate ${log}_g{g}^{\circ N_B}=N_B$.

• Attack 2

We introduce an attack in which Eve does not calculate ${log}_g{g}^{\circ N_B}=N_B$. The public key of Alice $y_A$ is described as

$$y_A=\left(\begin{array}{ccc}\prod _{l\in \{1,\cdots ,d\}}{\left(g^{\circ N_B}\right)}_{1,l}^{{\left(x_A\right)}_{l,1}}& \cdots & \prod _{l\in \{1,\cdots ,d\}}{\left(g^{\circ N_B}\right)}_{1,l}^{{\left(x_A\right)}_{l,d}}\\ ⋮& \ddots & ⋮\\ \prod _{l\in \{1,\cdots ,d\}}{\left(g^{\circ N_B}\right)}_{d,l}^{{\left(x_A\right)}_{l,1}}& \cdots & \prod _{l\in \{1,\cdots ,d\}}{\left(g^{\circ N_B}\right)}_{d,l}^{{\left(x_A\right)}_{l,d}}\end{array}\right)$$

$$=\left(\begin{array}{ccc}{g}^{\circ N_B}{)}_{1,1}^{{\left(x_A\right)}_{1,1}}{\left(g^{\circ N_B}\right)}_{1,2}^{{\left(x_A\right)}_{2,1}}\cdots {\left(g^{\circ N_B}\right)}_{1,d}^{{\left(x_A\right)}_{d,1}}& \cdots & {\left(g^{\circ N_B}\right)}_{1,1}^{{\left(x_A\right)}_{1,d}}{\left(g^{\circ N_B}\right)}_{1,2}^{{\left(x_A\right)}_{2,d}}\cdots {\left(g^{\circ N_B}\right)}_{1,d}^{{\left(x_A\right)}_{d,d}}\\ ⋮& \ddots & ⋮\\ {\left(g^{\circ N_B}\right)}_{d,1}^{{\left(x_A\right)}_{1,1}}{\left(g^{\circ N_B}\right)}_{d,2}^{{\left(x_A\right)}_{2,1}}\cdots {\left(g^{\circ N_B}\right)}_{d,d}^{{\left(x_A\right)}_{d,1}}& \cdots & {\left(g^{\circ N_B}\right)}_{d,1}^{{\left(x_A\right)}_{1,d}}{\left(g^{\circ N_B}\right)}_{d,2}^{{\left(x_A\right)}_{2,d}}\cdots {\left(g^{\circ N_B}\right)}_{d,d}^{{\left(x_A\right)}_{d,d}}\end{array}\right).$$

(24)

Step 1

For row $b\in \{1,\cdots ,d\}$ of $y_A$, Eve creates a matrix $W_b=\left(w_{a,l}^{\left(b\right)}\right)\in \mathcal{M}(d,{\mathbb{Z}}_p)$ to satisfy

$$\left(\begin{array}{c}{\left(g^{\circ N_B}\right)}_{1,1}^{{\left(x_A\right)}_{1,b}}{\left(g^{\circ N_B}\right)}_{1,2}^{{\left(x_A\right)}_{2,1}}\cdots {\left(g^{\circ N_B}\right)}_{1,d}^{{\left(x_A\right)}_{d,b}}\\ ⋮\\ {\left(g^{\circ N_B}\right)}_{d,1}^{{\left(x_A\right)}_{1,b}}{\left(g^{\circ N_B}\right)}_{d,2}^{{\left(x_A\right)}_{2,1}}\cdots {\left(g^{\circ N_B}\right)}_{d,d}^{{\left(x_A\right)}_{d,b}}\end{array}\right)=\left(\begin{array}{c}{w}_{1,1}^{\left(b\right)}{w}_{1,2}^{\left(b\right)}\cdots w_{1,d}^{\left(b\right)}\\ ⋮\\ w_{d,1}^{\left(b\right)}{w}_{d,2}^{\left(b\right)}\cdots w_{d,d}^{\left(b\right)}.\end{array}\right)$$

Step 2

For all $a,l\in \{1,\cdots ,d\}$, Eve calculates

$$v_{a,l}:={log}_{{\left(g^{\circ N_B}\right)}_{a,l}}{w}_{a,l}^{\left(b\right)}.$$

(25)

Step 3

For all $l\in \{1,\cdots ,d\}$, Eve verifies whether or not

$$v_{1,l}=v_{2,l}=\cdots =v_{d,l}$$

(26)

is true.

Step 4

If (26) is true for all $l\in \{1,\cdots ,d\}$, Eve can recover row $b\in \{1,\cdots ,d\}$ of $x_A$:

$$\begin{array}{c}{\left(x_A\right)}_{1,b}=v_{1,1}=\cdots =v_{d,1}\\ {\left(x_A\right)}_{2,b}=v_{1,2}=\cdots =v_{d,2}\\ ⋮\\ {\left(x_A\right)}_{d,b}=v_{1,d}=\cdots =v_{d,d}.\end{array}$$

As $N_B$ is an invertible matrix, there exists exactly one ${(X_{1,b},X_{2,b},\cdots ,X_{d,b})}^t\in {\mathbb{Z}}_p^d$ to satisfy system (24) for a given $y_A$, $g^{\circ N_B}$ of row $b\in \{1,\cdots ,d\}$; thus, it must be ${({x_A}_{1,b},{x_A}_{2,b},\cdots ,{x_A}_{d,b})}^t$. If (26) is false in some $l\in \{1,\cdots ,d\}$, Eve returns to Step 1.

In Step 2, Eve needs to calculate at least two DLPs of m-bit logarithms; thus, she requires $2·2^{\frac{m}{2}}$ multiplications. As ${\mathbb{Z}}_p$ forms a group under multiplication, for any arbitrary element e in ${\mathbb{Z}}_p$, there exists a unique $w_{a,d}^{\left(b\right)}\in {\mathbb{Z}}_p$ such that:

$$e{w}_{a,d}^{\left(b\right)}={\left(y_A\right)}_{a,b}$$

for each $a\in \{1,\cdots ,d\}$. Thus, Eve has $2^{n(d-1)}$ choices for $(w_{a,1}^{\left(b\right)},w_{a,2}^{\left(b\right)},\cdots ,w_{a,d-1}^{\left(b\right)})$ and each $a\in \{1,\cdots ,d\}$, and therefore, Eve must repeat Steps 2 to 4 at most $2^{nd(d-1)}$ times. The total multiplications required for this attack is denoted as:

$$2^{nd(d-1)+\frac{m}{2}+1}=2^{s\left(m\right)d(d-1)+\frac{m}{2}+1},$$

which is much larger than the total multiplications required for an exhaustive search on each row of $x_A\in \underline{\mathcal{S}}$, namely:

$$m{2}^{dm}$$

• Attack 3

Suppose that Eve attempts to determine $x_A$ directly from the formula of Alice’s public key $y_A$:

$${\left(y_A\right)}_{a,b}=\prod _{l\in \{1,\cdots ,d\}}{\left(g^{\circ N_B}\right)}_{a,l}^{{\left(x_A\right)}_{l,b}}.$$

(27)

As $N_B$ is an invertible matrix, this is equivalent to solving the following system for $X\in \underline{\mathcal{S}}$:

$${\left(y_A\right)}_{a,b}=\prod _{l\in \{1,\cdots ,d\}}{\left(g^{\circ N_B}\right)}_{a,l}^{{\left(X\right)}_{l,b}}$$

(28)

for all $a,b\in \{1,\cdots ,d\}$ and given $y_A$, $g^{\circ N_B}$. The least complexity for finding X from (28) is expressed by the following theorem:

Theorem 1.

The complexity of solving (28) for $X\in \underline{\mathcal{S}}$ is equal to or greater than the complexity of obtaining $N_B$ from ${log}_g{g}^{\circ N_B}$.

Proof. 

Suppose that Eve can determine $X=x_A\in \underline{\mathcal{S}}$ from (28) for a given $g^{\circ N_B}$ and $y_A$ with a complexity denoted by the function $T:\mathbb{N}\to {\mathbb{R}}^{+}$ defined as $T\left(m\right):=p\left(m\right)$, where p is a polynomial. Under this assumption, Eve can solve system (28) even when $x_A\in \mathcal{S}$ (thus, $X\in \mathcal{S}$) because, in this case, the complexity is $T\left(s\right(m\left)\right)=p\left(s\right(m\left)\right)$, which is also a polynomial. It should be noted that solving (28) is equivalent to solving the following system for all $a,b\in \{1,\cdots ,d\}$:

$${\left(y_A\right)}_{a,b}^t=\prod _{l\in \{1,\cdots ,d\}}{{\left(g^{\circ N_B}\right)}^t}_{l,b}^{{\left(X\right)}_{a,l}^t}$$

(29)

for given matrices ${\left(g^{\circ N_B}\right)}^t$, ${\left(y_A\right)}^t$, where t denotes matrix transposition, because

$${\left(y_A\right)}_{a,b}^t=g^{\circ {\left(N_B{x}_A\right)}^t}=g^{\circ {\left(x_A\right)}^t{\left(N_B\right)}^t}=g^{{\sum }_{l\in \{1,\cdots ,d\}}{\left(x_A\right)}_{a,l}^t{\left(N_B\right)}_{l,b}^t},$$

$$=\prod _{l\in \{1,\cdots ,d\}}{{\left(g^{\circ N_B}\right)}^t}_{l,b}^{{\left(x_A\right)}_{a,l}^t}$$

for all $a,b\in \{1,\cdots ,d\}$. This emphasizes that Eve can solve the system of both variable matrices by left multiplication and right multiplication on the Schur exponent of a given matrix. Therefore, once she has obtained $X\in \mathcal{S}$ and calculates $g^{\circ X}$ within polynomial time, the following system can also be solved for an unknown $N_B\in \mathcal{S}$:

$${\left(y_A\right)}_{a,b}=\prod _{l\in \{1,\cdots ,d\}}{\left(g^{\circ X}\right)}_{l,b}^{{\left(N_B\right)}_{a,l}}$$

(30)

for all $a,b\in \{1,\cdots ,d\}$ within polynomial time. As $N_B$ is the matrix logarithm of $g^{\circ N_B}$, we can state that, if Eve can solve system (28) for X within polynomial time, she can obtain $d^2$n-bit logarithms within polynomial time. □

This theorem claims that the problem of calculating ${log}_g{g}^{\circ N_B}=N_B$ is polynomial-time-reducible to the problem of solving system (28) for $X\in \underline{\mathcal{S}}$.

4.4. Determination of n and m

We investigate how large the bit sizes n and m must be, as well as the computational complexity of calculating the public keys and SSK for Alice and Bob according to n and m. If the attacks on SEDH are only those in Section 4.3, Eve must execute an exhaustive search for each row of $x_A$ (as the attack is performed by each row, Eve requires d times exhaustive searches within a vector space of size $2^{dm}$) or must obtain $N_B$, the difficulty of which is equivalent to obtaining $d^2$n-bit logarithms, as in the above attacks. We assume that attacks against SEDH are only those described in Section 4.3, and we determine the sizes of n and m. Considering that the difficulty for Eve to obtain $N_B$ depends on the difficulty of the DLP and that of obtaining $x_A$ directly from (24) by an exhaustive search depends on the vector space of size $2^{dm}$, n and m must satisfy the requirements in

Table 3. Requirements for n and m.

	Requirements
n	Sufficiently large for one DLP
m	$2^{dm}$ must be sufficiently large for an exhaustive search

.

As mentioned in Section 4, the complexity of one n-bit logarithm denoted by the function

$$T:\mathbb{N}\to {\mathbb{R}}^{+}$$

is $T\left(n\right)=T\left(s\left(m\right)\right)=2^{\frac{s\left(m\right)}{2}}$, and the complexity of an exhaustive search for $x_A$ of each row denoted by the function $T^{\prime }:\mathbb{N}\to {\mathbb{R}}^{+}$ is $T^{\prime }\left(m\right)=2^{dm}$. (In fact, Eve must solve $d^2$ DLPs or d exhaustive searches for a vector space ${\mathbb{Z}}_{2^m}^d$, but $d^2$ and d are so trivial for exponential functions that we consider these complexities for only one number.) If Alice and Bob would like the breaking complexity for one DLP and that for an exhaustive search for one row of $x_A$ to be equalized, the polynomial $s:\mathbb{N}\to \mathbb{N}$ mentioned at the beginning of Section 4.3; that is, the relation between n and m, is obtained by the following theorem:

Theorem 2.

If the time complexity for obtaining one n-bit logarithm is equal to the complexity of an exhaustive search within a vector space of size$2^{dm}$, the polynomial$s:\mathbb{N}\to \mathbb{N}$ for $m\in \mathbb{N}$ is obtained by

$$s\left(m\right)=2dm.$$

Proof. 

We obtain

$$T\left(n\right)=T\left(s\left(m\right)\right)=T^{\prime }\left(m\right)\iff \frac{s\left(m\right)}{2}=dm.$$

(31)

□

With this relation, what does the computational complexity for Alice and Bob become?

4.5. Computational Complexity of SEDH for Alice and Bob

For a given $d\in \mathbb{N}$, approximately $dm$ multiplications are required if the bit size of the exponent is n to calculate one scalar exponentiation. Furthermore, approximately m multiplications are required if the bit size of the exponent is m. Thus, the calculation

$$g^{\circ X}$$

(32)

requires approximately $d^{2}s\left(m\right)=2d^{3}m$ multiplications if $X\in \mathcal{S}$. If $X\in \underline{\mathcal{S}}$, it requires approximately $d^{2}m$ multiplications. Moreover, the calculation

$$\prod _{l\in \{1,\cdots ,d\}}{\left(Y_{a,l}\right)}^{{\left(X\right)}_{l,b}}$$

(33)

requires $ds\left(m\right)=2d^{2}m$ multiplications if $X\in \mathcal{S}$ and $dm$ multiplications if $X\in \underline{\mathcal{S}}$ for each $a,b\in \{1,\cdots ,d\}$. Thus, according to (14) and (15), the computational complexities required by Alice for $y_A$ and her SSK denoted by the functions $T_{y_A},T_{{\kappa }_A}:\mathbb{N}\to {\mathbb{R}}^{+}$ of m are

$$T_{y_A}\left(m\right):=d^{3}m$$

(34)

$$T_{{\kappa }_A}\left(m\right):=d^{3}m.$$

(35)

From the calculations of $g^{\circ x_B}$, $g^{\circ N_B}$, and (16), Bob’s computational complexities for $y_{B,1}$, $y_{B,2}$, and their SSK, denoted by the functions $T_{y_{B,1}},T_{y_{B,2}},T_{{\kappa }_B}:\mathbb{N}\to {\mathbb{R}}^{+}$ of n, become

$$T_{y_{B,1}}\left(n\right):=d^{2}n$$

(36)

$$T_{y_{B,2}}\left(n\right):=d^{2}n$$

(37)

$$T_{{\kappa }_B}\left(n\right):=d^{3}n$$

(38)

As $n=s\left(m\right)=2dm$, $T_{y_{B,1}}$, $T_{y_{B,2}}$, and $T_{y_{{\kappa }_B}}$ can be described as functions of m as follows:

$$T_{y_{B,1}}\left(n\right)=T_{y_{B,1}}\left(s\left(m\right)\right)=d^{2}s\left(m\right)=2d^{3}m$$

$$T_{y_{B,2}}\left(n\right)=T_{y_{B,2}}\left(s\left(m\right)\right)=d^{2}s\left(m\right)=2d^{3}m$$

$$T_{{\kappa }_B}\left(n\right)=T_{{\kappa }_B}\left(s\left(m\right)\right)=d^{3}s\left(m\right)=2d^{4}m.$$

Thus, the total complexity for Alice and Bob can be compared:

$$T_{y_A}\left(m\right)+T_{{\kappa }_A}\left(m\right)=2d^{3}m<4d^{3}m+2d^{4}m=T_{y_{B,1}}\left(s\left(m\right)\right)+T_{y_{B,2}}\left(s\left(m\right)\right)+T_{{\kappa }_B}\left(s\left(m\right)\right).$$

(39)

When d is given, $T_{y_A}\left(m\right)+T_{{\kappa }_A}\left(m\right)$ and $T_{y_{B,1}}\left(s\left(m\right)\right)+T_{y_{B,2}}\left(s\left(m\right)\right)+T_{{\kappa }_B}\left(s\left(m\right)\right)$ have the same order of complexity. $2d^4$ and $2d^3$ are considered as coefficients.

Of course, we can consider the total complexity for Alice and Bob by the functions $T_A^{\prime },T_B^{\prime }:\mathbb{N}\to {\mathbb{R}}^{+}$ of d, which are defined as

$$T_A^{\prime }\left(d\right):=2m{d}^3$$

$$T_B^{\prime }\left(d\right):=4m{d}^3+2m{d}^4$$

for a given m. In this case, $T_A^{\prime }\left(d\right)\in O\left(d^3\right)$, $T_B^{\prime }\left(d\right)\in O\left(d^4\right)$, and $O\left(d^4\right)\subset O\left(d^3\right)$ are obvious. Which values of m and d should be given and which should be the input of the functions can be determined the environment in which the algorithm is used, such as the computational resources and communication infrastructure.

Remark 2.

As mentioned in Remark 1, Alice can select her secret key$x_A$not only as a matrix, but also as a vector, whereas$x_B$ and $N_B$ are selected as matrices. Let $\mathcal{V}$ be a vector space of $\mathcal{V}:={\mathbb{Z}}_p^d$, where $\left|y\right|\le dn$ $(y\in \mathcal{V})$ and a subset $\underline{\mathcal{V}}$ of $\underline{\mathcal{V}}:=\{y\in \mathcal{V}:|y|\le dm\}\subset \mathcal{V}$, and suppose that $x_A$ is selected from $\underline{\mathcal{V}}$. In this case, the breaking strategy against this algorithm for Eve is as follows:

• solving$d^2$DLPs for$N_B$and d DLPs for$x_A$, and
• an exhaustive attack for$x_A$within$\underline{\mathcal{V}}$, the size of which is$2^{sm}$.

That is, the breaking complexity is equivalent to the case when$x_A\in \underline{\mathcal{S}}$in terms of the order of complexity. Thus, there is also no problem in selecting n and m from the relation of Theorem 2 in this case. The computational complexities for$y_A$, ${\kappa }_A$, and ${\kappa }_B$, which are denoted by the functions$T_{y_A,vec},T_{{\kappa }_A,vec}$, and$T_{{\kappa }_B,vec}:\mathbb{N}\to {\mathbb{R}}^{+}$, are

$$T_{y_A,vec}\left(m\right):=d^{2}m$$

$$T_{{\kappa }_A,vec}\left(m\right):=d^{2}m$$

$$T_{{\kappa }_B,vec}\left(n\right):=d^{2}n$$

for a given d. It can be observed that the complexities are reduced from (34), (35), and (38). Moreover, the calculation of (33) is independent for each element $a\in \{1,\cdots ,d\}$, and thus, it can be computed in parallel. The calculation is also parallelized for each $l\in \{1,\cdots ,d\}$. In Section 6, we report the results of the implementational experiments of SEDH in the case of $x_A\in \underline{\mathcal{V}}$. To determine how rapidly the calculation is performed, particularly for Alice, we compare the calculation speed with that of the usual DH algorithm.

5. Generalization

In this section, all investigations are conducted under the following assumptions:

• the numbers $n,m\in \mathbb{N}$ and a not linear and monic polynomial s, where $n=s\left(m\right)>m$ for all $m\in \mathbb{N}$;
• a number p, where $\left|p\right|=n$;
• a semi-group $\mathcal{S}$, where ${\left|y\right|}_{\mathcal{S}}\le kn$ $(y\in \mathcal{S},k\in \mathbb{N})$;
• a subset $\underline{\mathcal{S}}:={\{y\in \mathcal{S}:|y|}_{\mathcal{S}}\le km\}\subset \mathcal{S}$; and
• $x_A\in \underline{\mathcal{S}}$.

In the above, ${|·|}_{\mathcal{S}}$ is the same notation as that in Section 4.1. Furthermore, the constant k is uniquely determined by the properties of $\mathcal{S}$, such as the dimensions of the matrices and vectors. For example, $k=1$ when $\mathcal{S}={\mathbb{Z}}_p$ and $k=d^2$ when $\mathcal{S}=\mathcal{M}(d,{\mathbb{Z}}_p)$.

As mentioned in Section 2.3, we first construct a SAPKA subclass, in which the security of each algorithm is ensured by a non-easily invertible map (Definition 1). Thereafter, we attempt to construct the main SAPKA subclass mentioned in Section 2.2. We introduce inclusion relations between other subclasses and necessary conditions for algorithms to belong to the main subclass in Section 5.2.

We present the definition of the subclass based on the non-easily invertible map.

Definition 6.

For a multiplicative semi-group $\mathcal{S}$ and the quintuple $C:=(x_1,x_2,x_3,x_4,N_1)$, where the maps $x_1,x_2,x_3,x_4$ satisfy (13) and $N_1$ is an easily invertible map of $N_1:\mathcal{S}\to \mathcal{S}$, if maps $x_1^{\prime },x_2^{\prime },x_3^{\prime },x_4^{\prime },N_1^{\prime }:\mathcal{S}\to \mathcal{S}$ exist, where $N_1^{\prime }$ is easily invertible and a non-easily invertible map $f_g:\mathcal{S}\to \mathcal{S}$ exists such that the following equations:

$$x_1^{\prime }\circ x_2^{\prime }\left(y\right)=x_3^{\prime }\circ x_4^{\prime }\left(y\right)$$

(40)

$$x_1\circ x_2\left(y\right)=f_g\circ x_1^{\prime }\circ x_2^{\prime }\left(y\right)$$

(41)

$$N_1^{-1}\circ x_4\left(y\right)=f_g\circ N_1^{\prime -1}\circ x_4^{\prime }\left(y\right)$$

(42)

$$x_1^{\prime }\circ x_2^{\prime }\left(e\right)\notin \underline{\mathcal{S}}\vee N_1^{\prime -1}\circ x_4^{\prime }\left(e\right)\notin \underline{\mathcal{S}}$$

(43)

are satisfied for all $y\in \mathcal{S}$, where e is an identity element of $\mathcal{S}$, the quintuple C is a member of the $SAPK{A}_{f_g}$ class, and we express this relation as

$$C\in SAPK{A}_{f_g}.$$

From (40) and (41), and the compatibility condition of (13), the equation

$$x_1\circ x_2\left(y\right)=f_g\circ x_1^{\prime }\circ x_2^{\prime }\left(y\right)=f_g\circ x_3^{\prime }\circ x_4^{\prime }\left(y\right)=x_3\circ x_4\left(y\right)$$

(44)

for all $y\in \mathcal{S}$ is automatically satisfied. Using (42), the equation

$$f_g\circ x_3^{\prime }\circ N_1^{\prime }\circ N_1^{\prime -1}\circ x_4^{\prime }\left(y\right)=f_g\circ x_3^{\prime }\circ x_4^{\prime }\left(y\right)$$

$$=x_3\circ x_4\left(y\right)=x_3\circ N_1\circ N_1^{-1}\circ x_4\left(y\right)=x_3\circ N_1\circ f_g\circ N_1^{\prime -1}\circ x_4^{\prime }\left(y\right)$$

(45)

holds for all $y\in \mathcal{S}$. Thus, the public keys and SSK of Alice and Bob for the algorithms in this class can be described as

Table 4. Public keys and SSK of Alice and Bob for $SAPK{A}_{f_g}$ class.

	Key	Parameter
Bob	Public keys	$y_{B,1}\left(y\right)=N_1^{-1}\circ x_4\left(y\right)=f_g\circ N_1^{\prime -1}\circ x_4^{\prime }\left(y\right)$$(y\in \mathcal{S})$, $y_{B,2}\left(y\right)=x_1\circ x_2\left(y\right)=f_g\circ x_1^{\prime }\circ x_2^{\prime }\left(y\right)$$(y\in \mathcal{S})$
	SSK	${\kappa }_B=x_3\circ N_1\left(y_A\right)=f_g\circ x_3^{\prime }\circ N_1^{\prime }\circ N_1^{\prime -1}\circ x_4^{\prime }\left(x_A\right)$$\because \left(44\right)$
Alice	Public key	$y_A=N_1^{-1}\circ x_4\left(x_A\right)=f_g\circ N_1^{\prime -1}\circ x_4^{\prime }\left(x_A\right)$
	SSK	${\kappa }_A=x_1\circ x_2\left(x_A\right)=f_g\circ x_1^{\prime }\circ x_2^{\prime }\left(x_A\right)$

.

Moreover, (41) and (42) ensure that the maps $x_1^{\prime }\circ x_2^{\prime }$ and $N_1^{\prime -1}\circ x_4^{\prime }$ and thus the element $x_A$, cannot be disclosed by Eve within polynomial time. If $x_1^{\prime }\circ x_2^{\prime }\left(e\right)\in \underline{\mathcal{S}}$ and $N_1^{\prime -1}\circ x_4^{\prime }\left(e\right)\in \underline{\mathcal{S}}$, the complexities for calculating

$$f_g^{-1}\circ f_g\circ x_1^{\prime }\circ x_2^{\prime }\left(e\right)=x_1^{\prime }\circ x_2^{\prime }\left(e\right)$$

$$f_g^{-1}\circ f_g\circ N_1^{\prime -1}\circ x_4^{\prime }\left(e\right)=N_1^{\prime -1}\circ x_4^{\prime }\left(e\right)$$

are reduced compared to the case when (43) holds (see Remark 3 in Section 5.1). If $x_1^{\prime },x_2^{\prime },x_3^{\prime },x_4^{\prime },N_1^{\prime }$ are linear maps, for example, Eve can obtain a linear map $x_{3,E}^{\prime }\circ N_{1,E}^{\prime }:\mathcal{S}\to \mathcal{S}$ to satisfy:

$$x_{3,E}^{\prime }\circ N_{1,E}^{\prime }\circ N_1^{\prime -1}\circ x_4^{\prime }\left(e\right)=x_1^{\prime }\circ x_2^{\prime }\left(e\right)$$

(46)

by matrix multiplication, because $x_1^{\prime }\circ x_2^{\prime }\left(e\right)$ is described as a matrix. Moreover, as $\mathcal{S}$ is a multiplicative semi-group, $x_1^{\prime }\circ x_2^{\prime }\left(y\right)$ for any $y\in \mathcal{S}$ can be expressed as $x_1^{\prime }\circ x_2^{\prime }\left(ye\right)$ and either of the equations

$$x_1^{\prime }\circ x_2^{\prime }\left(ye\right)=y{x}_1^{\prime }\circ x_2^{\prime }\left(e\right)=y{x}_{3,E}^{\prime }\circ N_{1,E}^{\prime }\circ N_1^{\prime -1}\circ x_4^{\prime }\left(e\right)=x_{3,E}^{\prime }\circ N_{1,E}^{\prime }\circ N_1^{\prime -1}\circ x_4^{\prime }\left(ye\right)$$

or

$$x_1^{\prime }\circ x_2^{\prime }\left(ye\right)=x_1^{\prime }\circ x_2^{\prime }\left(e\right)y=x_{3,E}^{\prime }\circ N_{1,E}^{\prime }\circ N_1^{\prime -1}\circ x_4^{\prime }\left(e\right)y=x_{3,E}^{\prime }\circ N_{1,E}^{\prime }\circ N_1^{\prime -1}\circ x_4^{\prime }\left(ye\right)$$

holds for all $y\in \mathcal{S}$. Thus, only if Eve knows the calculation rule of map $x_3\circ N_1$ can she obtain a map $x_{3,E}\circ N_{1,E}$ to satisfy

$$x_{3,E}\circ N_{1,E}\circ f_g\circ N_1^{\prime -1}\circ x_4^{\prime }\left(y\right)=f_g\circ x_{3,E}^{\prime }\circ N_{1,E}^{\prime }\circ N_1^{\prime -1}\circ x_4^{\prime }\left(y\right)=f_g\circ x_1^{\prime }\circ x_2^{\prime }\left(y\right)$$

for all $y\in \mathcal{S}$. Finally, she can calculate the SSK as follows:

$$x_{3,E}\circ N_{1,E}\left(y_A\right)=x_{3,E}\circ N_{1,E}\circ f_g\circ N_1^{\prime -1}\circ x_4^{\prime }\left(x_A\right)=f_g\circ x_1^{\prime }\circ x_2^{\prime }\left(x_A\right)={\kappa }_A.$$

Of course, if the maps $x_1^{\prime },x_2^{\prime },x_3^{\prime },x_4^{\prime },N_1^{\prime }$ are not linear, this attack may be impossible, but if (43) holds and n is sufficiently large to make the calculation of $f_g^{-1}\circ f_g\left(y\right)$ $(y\notin \underline{\mathcal{S}})$ difficult in real time, Eve cannot proceed to (46). Thus, Requirement 2 of Section 2.1 is achieved for all algorithms in the $SAPK{A}_{f_g}$ class.

• Algorithms of $SAPK{A}_{f_g}$ Class

It can be proven that $C_{NDH}$ in Section 3.2 and $C_{SE}$ in Section 3.3 belong to the $SAPK{A}_{f_g}$ class. For $C_{NDH}$, if $\mathcal{S}:={\mathbb{Z}}_p$ and Bob defines $x_1^{\prime },x_2^{\prime },x_3^{\prime },x_4^{\prime },N_1^{\prime },f_g$ as

• $x_1^{\prime }\left(y\right):=x_{B}y$
• $x_2^{\prime }:=id$
• $x_3^{\prime }\left(y\right):=x_{B}y$
• $x_4^{\prime }\left(y\right):=id$
• $N_1^{\prime }:=n_B^{-1}y$
• $f_g\left(y\right):=g^y$,

then (40) holds, and (41) and (42) are satisfied according to the descriptions of the public keys of Bob in

Table 5. Public keys of Bob for $C_{NDH}$.

Public keys of Bob	$y_{B,1}\left(y\right)=N_1^{-1}\circ x_4\left(y\right)=g^{n_{B}y}=f_g\circ N_1^{\prime -1}\circ x_4^{\prime }\left(y\right)$$(y\in \mathcal{S})$,
	$y_{B,2}\left(y\right)=x_1\circ x_2\left(y\right)=g^{x_{B}y}=f_g\circ x_1^{\prime }\circ x_2^{\prime }\left(y\right)$$(y\in \mathcal{S})$

.

For $C_{SE}$, if $\mathcal{S}:=\mathcal{M}(d,{\mathbb{Z}}_p)$ and Bob defines $x_1^{\prime },x_2^{\prime },x_3^{\prime },x_4^{\prime },N_1^{\prime },f_g$ as

• $x_1^{\prime }\left(y\right):=x_{B}y$
• $x_2^{\prime }:=id$
• $x_3^{\prime }\left(y\right):=x_{B}y$
• $x_4^{\prime }\left(y\right):=id$
• $N_1^{\prime }:=N_B^{-1}y$
• $f_g\left(y\right):=g^{\circ y}$,

(40) holds, and (41) and (42) are satisfied according to

Table 6. Public keys of Bob for $C_{SE}$.

Public keys of Bob	$y_{B,1}\left(y\right)=N_1^{-1}\circ x_4\left(y\right)=g^{\circ N_{B}y}=f_g\circ N_1^{\prime -1}\circ x_4^{\prime }\left(y\right)$$(y\in \mathcal{S})$,
	$y_{B,2}\left(y\right)=x_1\circ x_2\left(y\right)=g^{\circ x_{B}y}=f_g\circ x_1^{\prime }\circ x_2^{\prime }\left(y\right)$$(y\in \mathcal{S})$

.

At this point, we construct a $SAPK{A}_{f_g}$ subclass, the algorithms of which possess the same property as the SEDH that was investigated in Section 4.3 and Section 4.4, namely biased computational complexity to Bob (see Section 5.1). We mainly focus on this class in this study.

5.1. Notations and Definitions

Prior to constructing the main subclass (Definition 9), we present several definitions and notations below. Definition 7 provides one $SAPK{A}_{f_g}$ subclass in which the algorithms are symmetric and include DH. In Section 5.2, we investigate how this subclass relates to the main subclass of Definition 9. Definition 8 provides the name for the input y of a given map $f_g^{\prime }:\mathcal{S}\to \mathcal{S}$ according to the set of y. We use this definition to emphasize the difference in complexity for calculating $f_g^{\prime -1}\circ f_g^{\prime }\left(y\right)$ of a given map $f_g^{\prime }$ when $y\in \underline{\mathcal{S}}$ and when $y\in \mathcal{S}$. The notations directly below Definition 8 are functions that demonstrate the complexity for calculating each key. As these notations and Definition 8 allow us to express the breaking and computational complexity for each key quantitatively, the main subclass can be defined by equalities and inequalities.

Definition 7.

For the quintuple C such that $C\in SAPK{A}_{f_g}$, if $N_1^{\prime }=x_4^{\prime }=id$, we state that C is a member of the symmetric $SAPK{A}_{f_g}$ class, and we express this relation as

$$C\in SAPK{A}_{f_g,symmetry}.$$

If $C\in SAPK{A}_{f_g,symmetry}$, one of the public keys of Bob $y_{B,1}$ is described as

$$y_{B,1}\left(y\right)=N_1^{-1}\circ x_4\left(y\right)=f_g\circ N_1^{\prime -1}\circ x_4^{\prime }\left(y\right)=f_g\left(y\right),$$

where $y\in \mathcal{S}$. This means that Bob sending $y_{B,1}$ is equivalent to simply informing Alice of the construction rule of $y_A$. Alice can calculate $y_A$ without any secret/public information from Bob. Symmetry means that the number of public keys that both Alice and Bob construct is essentially one, and they can construct their public keys without any public/secret information from the other.

For $C_{NDH}$ in Section 3.2, if the parameter $n_B$ is equal to 1, $C_{NDH}$ describes the usual DH. We denote this case of $C_{NDH}$ as $C_{DH}$, and we obtain

$$C_{DH}\in SAPK{A}_{f_g,symmetry}.$$

Moreover, $C_{SE}$ in the case of $N_B=E$, denoted by $C_{SE,(N_B=E)}$, is

$$C_{SE,(N_B=E)}\in SAPK{A}_{f_g,symmetry}.$$

Definition 8.

For a given non-easily invertible map $f_g^{\prime }:\mathcal{S}\to \mathcal{S}$, if the set to which the input y belongs is $\underline{\mathcal{S}}$, we refer to the input y as a$km$-bit $f_g^{\prime -1}$ element. If the set to which the input y belongs is $\mathcal{S}$, we refer to the input y as a$kn$-bit $f_g^{\prime -1}$ element

The complexity of obtaining the $kn$-bit $f_g^{\prime -1}$ element means the complexity of calculating $f_g^{\prime -1}\circ f_g\left(y\right)$ when $y\in \mathcal{S}$ (for the $km$-bit $f_g^{\prime -1}$ element, $y\in \underline{\mathcal{S}}$).

We define the following functions of bit size that demonstrate the complexity of calculating each public key and SSK as well as the complexity for Eve to obtain a certain key:

• $T_{y_{B,1}}:\mathbb{N}\to {\mathbb{R}}^{+}$: the complexity required for Bob to construct $y_{B,1}$;
• $T_{y_{B,2}}:\mathbb{N}\to {\mathbb{R}}^{+}$: the complexity required for Bob to construct $y_{B,2}$;
• $T_{y_A}:\mathbb{N}\to {\mathbb{R}}^{+}$: the complexity required for Alice to calculate $y_A$;
• $T_{{\kappa }_A}:\mathbb{N}\to {\mathbb{R}}^{+}$: the complexity required for Alice to calculate her SSK ${\kappa }_A$;
• $T_{{\kappa }_B}:\mathbb{N}\to {\mathbb{R}}^{+}$: the complexity required for Bob to calculate their SSK ${\kappa }_B$;
• $T_{Eve{x}_A}:\mathbb{N}\to {\mathbb{R}}^{+}$: the least complexity required for Eve to obtain Alice’s secret key $x_A$ from public informations, where the input of $T_{Eve{x}_A}$ is m; and
• $T_{f_g^{\prime -1}}:\mathbb{N}\to {\mathbb{R}}^{+}$: the complexity required to compute $f_g^{\prime -1}\circ f_g^{\prime }\left(y\right)$ for map $f_g^{\prime }$, where the input of $T_{f_g^{\prime -1}}$ is m if $y\in \underline{\mathcal{S}}$ and n if $y\in \mathcal{S}$.

Furthermore, for $T_{Eve{x}_A},T_{f_g^{\prime -1}}$, we define the following functions to describe their order:

• $h_{Eve{x}_A}:\mathbb{N}\to {\mathbb{R}}^{+}$ to obtain the relation $T_{Eve{x}_A}\in O\left(h_{Eve{x}_A}\right)$, and
• $h_{f_g^{\prime -1}}:\mathbb{N}\to {\mathbb{R}}^{+}$ to obtain the relation $T_{f_g^{\prime -1}}\in O\left(h_{f_g^{\prime -1}}\right)$.

Example 1.

• If $T_{y_{B,1}}$, $T_{y_{B,2}}$, and $T_{{\kappa }_B}$ are defined as functions of n, $T_{y_A}$ and $T_{{\kappa }_A}$ are defined as functions of m, and the polynomial s is concretely determined, we can compare the total computational complexity for Alice and Bob as per Section 4.5.
• The least complexity for Eve to obtain $x_A$ in Section 3.3 is determined as

  $$T_{Eve{x}_A}\left(m\right)\ge d^2{2}^{\frac{s\left(m\right)}{2}}.$$
• The complexity of obtaining the $d^{2}n$-bit $f_g^{-1}$ element, where $f_g$ is the non-easily invertible map of $C_{SE}$ as defined in Table 6, is expressed as

  $$T_{f_g^{-1}}\left(n\right)=T_{f_g^{-1}}\left(s\left(m\right)\right)=d^2{2}^{\frac{s\left(m\right)}{2}}.$$
• The complexity of obtaining the $d^{2}m$-bit $f_g^{-1}$ element is determined as

  $$T_{f_g^{-1}}\left(m\right)=d^2{2}^{\frac{m}{2}}.$$

In general, the complexity of obtaining the $kn$-bit $f_g^{\prime -1}$ element for a given non-easily invertible map $f_g^{\prime }:\mathcal{S}\to \mathcal{S}$ is described by $T_{f_g^{\prime -1}}\left(n\right)=T_{f_g^{\prime -1}}\left(s\left(m\right)\right)$, and that of the $km$-bit $f_g^{\prime -1}$ element is $T_{f_g^{\prime -1}}\left(m\right)$. We can compare not only the complexity but also the order of complexity of the two using the map $h_{f_g^{\prime -1}}$ defined above, as per the following Remark 3.

Remark 3.

When the order of complexity for computing the $km$-bit $f_g^{\prime -1}$ element for map $f_g^{\prime }$ is equal to $O\left(2^{am}\right)$, where $a\in {\mathbb{R}}^{+}\setminus \left\{0\right\}$:

$$T_{f_g^{\prime -1}}\left(s\left(m\right)\right)\in O\left(h_{f_g^{\prime -1}}\left(s\left(m\right)\right)\right)=O\left(2^{as\left(m\right)}\right)\subseteq O\left(2^{am}\right)=O\left(h_{f_g^{\prime -1}}\left(m\right)\right)\ni T_{f_g^{\prime -1}}\left(m\right)$$

(47)

holds, and the equality holds if and only if s is a linear monic polynomial for some $t\in \mathbb{N}$:

$$n=s\left(m\right)=m+t.$$

This can be proven in a similar manner to Proposition 1, and in this case, s is restricted as a non-linear and monic polynomial, so the equality never holds.

When the order of complexity for computing the $km$-bit $f_g^{\prime -1}$ element is greater than $O\left(2^{am}\right)$, although the sufficient and necessary condition of s for the equality of (47) may not be the same,

$$O\left(h_{f_g^{\prime -1}}\left(s\left(m\right)\right)\right)=O\left(2^{as\left(m\right)}\right)\subset O\left(2^{am}\right)=O\left(h_{f_g^{\prime -1}}\left(m\right)\right)$$

(48)

holds because, for all m, the ratio $\frac{h_{f_g^{\prime -1}}\left(s\left(m\right)\right)}{h_{f_g^{\prime -1}}\left(m\right)}$ is much larger and cannot be a constant in this case. This means that when s is a not linear and monic polynomial, the problem of obtaining the $kn$-bit $f_g^{\prime -1}$ element by computing $f_g^{\prime -1}\circ f_g^{\prime }\left(y\right)(y\in \mathcal{S})$ and the problem of obtaining the $km$-bit $f_g^{\prime -1}$ element by computing $f_g^{\prime -1}\circ f_g^{\prime }\left(y\right)(y\in \underline{\mathcal{S}})$ belong to different orders of complexity classes. Furthermore, needless to say, $T_{f_g^{\prime -1}}\left(s\left(m\right)\right)>T_{f_g^{\prime -1}}\left(m\right)$ holds.

Definition 9.

For the quintuple C of $C\in SAPK{A}_{f_g}$, if the following relations hold:

$$T_{Eve{x}_A}\left(m\right)\ge T_{f_g^{-1}}\left(s\left(m\right)\right)$$

(49)

$$T_{y_{B,1}}\left(s\left(m\right)\right)+T_{y_{B,2}}\left(s\left(m\right)\right)+T_{{\kappa }_B}\left(s\left(m\right)\right)>T_{y_A}\left(m\right)+T_{{\kappa }_A}\left(m\right),$$

(50)

we state that C is a member of the class that is computationally biased to Bob $SAPK{A}_{f_g}$, and we write this relation as

$$C\in SAPK{A}_{f_g,A<B}.$$

If the relation

$$T_{Eve{x}_A}\left(m\right)\le T_{f_g^{-1}}\left(m\right)$$

(51)

holds, C is a member of the computationally unbiased $SAPK{A}_{f_g}$ class, and we write this relation as

$$C\in SAPK{A}_{f_g,A=B}.$$

Relation (49) indicates that the breaking complexity of an algorithm that is constructed from $C\in SAPK{A}_{f_g,A<B}$ is equal to or greater than the complexity that is required to obtain the $kn$-bit $f_g^{-1}$ element, even if $x_A$ is selected from $\underline{\mathcal{S}}$. Furthermore, (51) indicates that when $C\in SAPK{A}_{f_g,A=B}$, the breaking complexity is equal to or less than that of obtaining the $km$-bit $f_g^{-1}$ element. As noted in Remark 3, not only does $T_{f_g^{-1}}\left(s\left(m\right)\right)>T_{f_g^{-1}}\left(m\right)$ hold, but the orders of complexity are also different, so there cannot exist a $C^{\prime }$ such that $C^{\prime }\in SAPK{A}_{f_g,A<B}\cap SAPK{A}_{f_g,A=B}$. Thus, we obtain Lemma 1 in Section 5.2.

5.2. Inclusion Relations between Subclasses of SAPKA and Necessity Condition

Lemma 1.

For $SAPK{A}_{f_g,A<B}\subset SAPK{A}_{f_g}$ and $SAPK{A}_{f_g,A=B}\subset SAPK{A}_{f_g}$, the following relation holds:

$$SAPK{A}_{f_g,A<B}\cap SAPK{A}_{f_g,A=B}=\varnothing .$$

According to the attack introduced in Section 4.3, we obtain the following results.

Theorem 3.

For $C_{SE}$ in Section 3.3, if Attack 2 of Section 4.3 and the exhaustive attack for $x_A\in \underline{\mathcal{S}}$ are only attacks without calculating ${log}_g{g}^{\circ N_B}=N_B$ or there exist other attacks but the order of complexity is equal to or greater than $O\left(2^{dm}\right)$,

$$C_{SE}\in SAPK{A}_{f_g,A<B}.$$

Proof. 

According to Attack 3 in Section 4.3 and the descriptions of $T_{Eve{x}_A}\left(m\right)$ and $T_{f_g^{-1}}\left(s\left(m\right)\right)$ in Example 1, we obtain

$$T_{Eve{x}_A}\left(m\right)\ge d^2{2}^{\frac{s\left(m\right)}{2}}=T_{f_g^{-1}}\left(s\left(m\right)\right).$$

Under this assumption, $n=s\left(m\right)=2dm$ holds, and thus, we obtain

$$T_{y_{B,1}}\left(s\left(m\right)\right)+T_{y_{B,2}}\left(s\left(m\right)\right)+T_{{\kappa }_B}\left(s\left(m\right)\right)=4m{d}^3+2m{d}^4>T_{y_A}\left(m\right)+T_{{\kappa }_A}\left(m\right)=2m{d}^3$$

from Section 4.5. □

We introduce two necessary conditions for the $SAPK{A}_{f_g,A<B}$ class.

Theorem 4

(Necessary Condition 1). If the quintuple $C:=(x_1,x_2,x_3,x_4,N_1)\in SAPK{A}_{f_g,A<B}$, the relation

$$C\notin SAPK{A}_{f_g,symmetry}$$

(52)

holds.

Proof. 

We prove the contrapositive. If $C\in SAPK{A}_{f_g,symmetry}$, Alice’s public key $y_A$ is described as:

$$y_A=N_1^{-1}\circ x_4\left(x_A\right)=f_g\circ N_1^{\prime -1}\circ x_4^{\prime }\left(x_A\right)$$

according to (40), but $N_1^{\prime }$ and $x_4^{\prime }$ are identities; thus, $y_A$ becomes

$$y_A=f_g\left(x_A\right).$$

Because $x_A\in \underline{\mathcal{S}}$, $x_A$ is a $km$-bit $f_g^{-1}$ element for map $f_g$, and we obtain

$$T_{Eve{x}_A}\left(m\right)=T_{f_g^{-1}}\left(m\right).$$

Thus, $C\in SAPK{A}_{f_g,A=B}$. Moreover, Lemma 1 indicates that $C\notin SAPK{A}_{f_g,A<B}$. □

Corollary 1.

The quintuple $C_{DH}$ of the usual DH is

$$C_{DH}\in SAPK{A}_{f_g,A=B},$$

and $C_{SE,(N_B=E)}$ defined in Section 5.1 is

$$C_{SE,(N_B=E)}\in SAPK{A}_{f_g,A=B}.$$

Theorem 5

(Necessary Condition 2). If the quintuple $C:=(x_1,x_2,x_3,x_4,N_1)\in SAPK{A}_{f_g,A<B}$, then there does’t exist a map $f_g^{\prime }:\mathcal{S}\to \mathcal{S}$ such that to satisfy

$$f_g\circ N_1^{\prime -1}\circ x_4^{\prime }\left(y\right)=f_g^{\prime }\left(y\right)\wedge T_{f_g^{\prime -1}}\left(m\right)\le T_{f_g^{-1}}\left(m\right)$$

(53)

for all $y\in \mathcal{S}$, $m\in \mathbb{N}$.

Proof. 

We prove the contrapositive. We assume that for $C\in SAPK{A}_{f_g,A<B}$, there exists a map $f_g^{\prime }:\mathcal{S}\to \mathcal{S}$ to satisfy

$$f_g\circ N_1^{\prime -1}\circ x_4^{\prime }\left(y\right)=f_g^{\prime }\left(y\right)$$

(54)

$$T_{f_g^{\prime -1}}\le T_{f_g^{-1}}$$

(55)

for all $y\in \mathcal{S}$. According to (54), $y_A$ can be described as

$$y_A=f_g\circ N_1^{\prime -1}\circ x_4^{\prime }\left(x_A\right)=f_g^{\prime }\left(x_A\right).$$

This indicates that $x_A$ is a $km$-bit $f_g^{\prime -1}$ element for a map $f_g^{\prime }$. In combination with (55), the relation

$$T_{Eve{x}_A}\left(m\right)=T_{f_g^{\prime -1}}\left(m\right)\le T_{f_g^{-1}}\left(m\right)$$

holds. Thus, $C\in SAPK{A}_{f_g,A=B}$; that is, $C\notin SAPK{A}_{f_g,A<B}$ is proven. □

Corollary 2.

$$C_{NDH}\in SAPK{A}_{f_g,A=B}$$

Proof. 

The attack of Section 4.2 indicates that

$$y_A=f_g\circ N_1^{\prime -1}\circ x_4^{\prime }\left(x_A\right)=g^{n_B{x}_A}={\left(g^{n_B}\right)}^{x_A}=f_g^{\prime }\left(x_A\right),$$

where $f_g^{\prime }\left(y\right):=f_{f_g(N_1^{\prime -1}\circ x_4^{\prime }\left(1\right))}\left(y\right)=f_{g^{n_B}}\left(y\right)$, and (53) is satisfied. □

Remark 4.

Theorem 1 of Section 4.3 implies that there does not exist a map $f_g^{\prime }$ to satisfy $f_g^{\prime }\left(y\right)=f_g\circ N_1^{\prime -1}\circ x_4^{\prime }\left(y\right)$ with $T_{f_g^{\prime -1}}\le T_{f_g^{-1}}$ as for algorithm of $C_{SE}$.

According to the proof of Theorem 4 and Corollary 2, we obtain the following inclusion relation:

Corollary 3.

$$SAPK{A}_{f_g,symmetry}\subset SAPK{A}_{f_g,A=B}.$$

Proof. 

From the proof of Theorem 4,

$$C\in SAPK{A}_{f_g,symmetry}\Rightarrow C\in SAPK{A}_{f_g,A=B}$$

is obtained. Thus, we obtain

$$SAPK{A}_{f_g,symmetry}\subseteq SAPK{A}_{f_g,A=B}.$$

Moreover, $C_{NDH}$ is related to $C_{NDH}\notin SAPK{A}_{f_g,symmetry}$, but $C_{NDH}\in SAPK{A}_{f_g,A=B}$ according to Corollary 2. Thus, $SAPK{A}_{f_g,symmetry}\subset SAPK{A}_{f_g,A=B}$ is obtained. □

Figure 3 presents the inclusion relations between the subclasses of SAPKA.

Remark 5.

The proposition

$$SAPK{A}_{f_g,A<B}\cup SAPK{A}_{f_g,A=B}=SAPK{A}_{f_g}.$$

as well as the necessary conditions (52) and (53) as sufficient conditions for the $SAPK{A}_{f_g,A<B}$ class have not yet been confirmed. These will be investigated in our subsequent paper.

6. Implementational Experiments

In this section, we report the simple experimental results. All experiments were performed in the following environment:

• OS: Windows 10 Pro
• Processor: 2.90 GHz Intel Core i7-10700
• RAM: 8 GB
• Language: JAVA

Table 7. Calculation time (ms) for Alice and Bob when $n=1024$.

d	m	Bob (ms)	Alice (ms)
2	256	7.69307551	1.89631633
4	128	16.7975061	3.39046122
6	85	25.310163	5.37513889

,

Table 8. Calculation times (ms) for Alice and Bob when $n=3072$.

d	m	Bob (ms)	Alice (ms)
2	768	131.792466	17.612742
4	384	272.971624	16.480546
6	256	472.95086	28.988962

and

Table 9. Calculation times (ms) for Alice and Bob when $n=5120$.

d	m	Bob (ms)	Alice (ms)
2	1280	528.017186	65.886198
4	640	1164.85195	57.475974
6	426	1942.06485	108.263714

indicate the computational complexity for Alice ($y_A,{\kappa }_A$) and Bob ($y_{B,1},y_{B,2},{\kappa }_B$) according to d and m while n was fixed as 1024, 3072, and 5120 bits. As can be observed from Table 7, Table 8 and Table 9, the calculation time for Bob increased as d increased. This is because the calculation complexities of (32) and (33) were dependent only on d, whereas n was fixed. For Alice’s computation, there were cases in which the calculation time decreased as d increased (Table 8 and Table 9). This can be explained by (32) and (33) for each $a\in \{1,\cdots ,d\}$, being independent, and an increase in d resulted in a decrease in m. Therefore, these values can be computed in parallel with a smaller m when d increases. When $d>4$, the calculation time will increase despite the decrease in the size of m owing to a shortage in processors for efficient parallel computing.

Moreover, the difference in the order of complexity for Alice and Bob can be observed from Figure 4, where m was fixed as 128 bits and d increased from 2 to 16.

We verified how rapidly the calculation of Alice could be achieved by comparing the speed with that of the usual DH.

Table 10. Comparison of calculation times (ms) for Alice with DH.

Security (n)	(m)	(d)	DH (ms)	SEDH (ms)
1024	256	2	2.727202	1.896316327
2048	512	2	15.514816	6.451664815
3072	384	4	51.776748	16.480546
4096	1024	2	111.332034	32.10356
5120	640	4	202.806142	57.475974
6144	768	4	335.208752	94.12185
7168	896	4	535.273036	144.93926

and Figure 5 compare the calculation times of SEDH and DH for $y_A$ and ${\kappa }_A$ for the same security level (n) from 1024 to 7168 bits. The calculation speeds in the following table and figure are the averages of 50 calculations.

7. Conclusions

In this study, we have estimated the breaking complexity and computational complexity of two SAPKA class algorithms. One of these potentially possesses the property whereby the security is less dependent on the secret key space of Alice than that of Bob. This property allows Alice to calculate her SSK with less complexity than Bob in the algorithm.

Moreover, we generalized these algorithms and constructed SAPKA subclasses according to the security/efficiency properties. We constructed several subclass algorithms in which the above property holds. We expect that algorithms in this class will aid in constructing secure communication infrastructures, even with a small capability of devices for one side (Alice’s computational asymmetry). The necessary conditions for this class and inclusion relations with other SAPKA subclasses were also investigated.

In the following Future Work section, we provide several unclear points, which include new problems obtained from this study (indicated by •) and problems not discussed in this paper but that must be investigated for practical use of presented algorithms and frameworks (indicated by ∘).

Future Works

●

Is it true that $SAPK{A}_{f_g,A<B}\cup SAPK{A}_{f_g,A=B}=SAPK{A}_{f_g}$? (Remark 5)

●

Is it true that if the relations (52) and (53) hold for $C\in SAPK{A}_{f_g}$, C is a member of the $SAPK{A}_{f_g,A<B}$ class? That is, are (52) and (53) also sufficient conditions for the $SAPK{A}_{f_g,A<B}$ class? As mentioned in Section 2.2, this paper does not provide how to construct secure PKA algorithms resilient to any types of theoretical attacks. However, if sufficient conditions for the $SAPK{A}_{f_g,A<B}$ class are found, algorithms that cannot be broken at least within polynomial time can be easily constructed because those are protected thanks to non-easily mappable $f_g$ (page 23). Of course, conditions might differ depending on required security level, but considering the sufficient conditions surely helps us provide how to construct secure PKA algorithms.

●

Does $\mathcal{S}$ need to be selected as a multiplicative semi-group/group? For example, the algorithms in Section 3.3 are effective even in vector space, which forms an additive group (Remark 1). We should investigate how we can construct PKA algorithms on algebraic structures other than multiplicative semi-groups and then compare the breaking and computational complexities with the original one.

∘

We should attempt to describe algorithms such as LWE-based or NTRU-type algorithms with the SAPKA parameters and verify whether these algorithms belong to the $SAPK{A}_{f_g,A<B}$ class. Otherwise, would it be possible to modify these to belong to the $SAPK{A}_{fg,A<B}$ class?

∘

It is well known that key agreement algorithms are vulnerable against man-in-the-middle (MITM) attack. Obviously, also algorithms in SAPKA are also not exceptional without any measures. Moreover, the number of public keys especially for Bob is larger than symmetric type algorithms, so they way to manage public keys for SAPKA algorithms must be discussed more. Adaptability with techniques such as digital signature [21,22] and public key certifications [23] must be well discussed.

∘

As mentioned in [1], the SSKs that Alice and Bob calculate should be ephemeral, and each key must have enough randomness. To practically use algorithms introduced in this paper, if public keys and SSK are sufficiently random to protect Eve from deducing SSK must be investigated.