Public Key Protocols over Skew Dihedral Group Rings

Abstract

This paper introduces skew dihedral group rings and their applications for public-key cryptography. We present a specific skew group ring that is the underlying algebraic platform for our cryptographic constructions. We then build a two-party key exchange protocol and present an analysis of its security. We then exploit it to derive a group key agreement protocol, a probabilistic public-key scheme, and a key encapsulation mechanism. In addition to the security analysis of our cryptographic constructions, we present a proof-of-concept implementation.

1. Introduction

The availability of quantum computers in the forthcoming future will make current public-key schemes insecure. Therefore, there is a need to devise quantum-secure cryptographic public-key primitives to replace the current public-key algorithms. This need undoubtedly has propelled research towards creating quantum-secure public-key schemes. There have been many proposed candidates thus far, most classified into five families. These families are lattice-based cryptography, multivariate cryptography, hash-based cryptography, code-based cryptography, and supersingular elliptic curve isogeny cryptography. The last round of the post-quantum cryptography standardization process run by the National Institute of Standards and Technology (NIST) includes various candidates in each of the mentioned families [1].

However, recently, a new promising family of cryptographic constructions, believed to be quantum-secure and based on variations of group rings [2,3,4], has been introduced. In particular, the recent works in [2,3,4] exploit the structure of dihedral twisted group rings to introduce cryptographic constructions. The work in [3] introduces a 2-cocycle $\beta$ to construct a dihedral twisted group algebra ${\mathbb{F}}_q^{\beta }{D}_{2n}$. Over ${\mathbb{F}}_q^{\beta }{D}_{2n}$, the authors introduce a two-party key-exchange protocol and a probabilistic public-key scheme. Following an alternative approach, the authors of [2] propose a key exchange protocol, a probabilistic public-key scheme, and a key encapsulation mechanism. They also introduce a 2-cocycle ${\alpha }_{\lambda }$ to form the resulting twisted algebra ${\mathbb{F}}_q^{{\alpha }_{\lambda }}{D}_{2n}$ non-equivalent to ${\mathbb{F}}_q^{\beta }{D}_{2n}$ for a non-square $\lambda$ in the field ${\mathbb{F}}_q$. They explore its properties and exploit them to enhance the introduced key exchange protocol.

In other related works, the authors in [5] investigate right ideals as codes in twisted group rings. In particular, they characterize all linear codes that are twisted group codes in terms of their automorphism group.

Our work takes an alternative path by introducing a skew dihedral group ring which is the main tool for constructing a group key exchange protocol, a probabilistic public-key scheme, and a derived key encapsulation mechanism. We first formally define the notion of a skew group ring and explore some of its properties. We then study skew dihedral group rings and later construct a specific skew dihedral group ring by defining the group homomorphism ${\theta }_{\sigma }:D_{2n}\to \mathrm{Gal}({\mathbb{F}}_{q^2},{\mathbb{F}}_q)$ stated in Lemma 4. In particular, given the presentation $G=D_{2n}=\langle x,y:x^n=y^2=1,yx{y}^{-1}=x^{-1}\rangle$ of the dihedral group, the map ${\theta }_{\sigma }\left(g\right)=\sigma$, where $\sigma \left(a\right)=a^q$ for all $a\in {\mathbb{F}}_{q^2}$, for $g=x^{i}y$, $i\in \{0,\dots ,n-1\}$, and ${\theta }_{\sigma }\left(g\right)=1$ otherwise is a group homomorphism. Over the resulting skew dihedral group ring ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{D}_{2n}$, we realize our cryptographic constructions and analyze their security. Finally, we present a proof-of-concept implementation of our cryptographic constructions.

The outline of the paper is as follows. In Section 2, we show the basic definitions and results we need, whereas, in Section 3, we show the concrete presentation of the dihedral group ring we use. Section 4 presents the proposed key exchange protocol and analyzes its intractability assumptions. Section 5 introduces a group key agreement protocol that generalizes the two-party key agreement protocol presented in Section 4. Section 6 presents a probabilistic public-key encryption scheme, and Section 7 introduces a key encapsulation mechanism using the ideas from the previous sections. Section 8 presents the pseudo-codes of a proof-of-concept Python implementation for our cryptographic constructions. Finally, Section 9 concludes our work and presents future research directions.

2. Preliminaries

Let ${\mathbb{F}}_q$ be the finite field with $q=p^m$ elements where p is a prime number and let $\mathrm{Aut}\left({\mathbb{F}}_q\right)$ be the automorphism group of ${\mathbb{F}}_q$. Recall that any automorphism $\mathsf{\Theta }\in \mathrm{Aut}\left({\mathbb{F}}_q\right)$ of the finite field ${\mathbb{F}}_q$ is of the type $\mathsf{\Theta }\left(x\right)=x^{p^j}$. Denote by $\mathrm{Gal}({\mathbb{F}}_{q^k},{\mathbb{F}}_q)$ the Galois group of ${\mathbb{F}}_{q^k}$ over ${\mathbb{F}}_q$, i.e., the set of all automorphisms of ${\mathbb{F}}_{q^k}$ that fix the subfield ${\mathbb{F}}_q$. It holds that $\mathrm{Aut}\left({\mathbb{F}}_{q^k}\right)=\mathrm{Gal}({\mathbb{F}}_{q^k},{\mathbb{F}}_q)\times \mathrm{Aut}\left({\mathbb{F}}_q\right)$, in particular $\mathrm{Aut}\left({\mathbb{F}}_q\right)=\mathrm{Gal}({\mathbb{F}}_q,{\mathbb{F}}_p)$. It is well-known that $\mathrm{Gal}({\mathbb{F}}_{q^k},{\mathbb{F}}_q)$ is a cyclic group of order k generated by the Frobenius automorphism $\sigma$ of ${\mathbb{F}}_{q^k}$ over ${\mathbb{F}}_q$ defined as $\sigma \left(a\right)=a^q$ for all $a\in {\mathbb{F}}_{q^k}$. Furthermore, we denote $\mathrm{Hom}(G,\mathrm{Aut}\left({\mathbb{F}}_{q^k}\right))$ and $\mathrm{Hom}(G,\mathrm{Gal}({\mathbb{F}}_{q^k},{\mathbb{F}}_q))$ as the set of homomorphisms from G to $\mathrm{Aut}\left({\mathbb{F}}_{q^k}\right)$ and $\mathrm{Gal}({\mathbb{F}}_{q^k},{\mathbb{F}}_q)$, respectively. Note that $\mathrm{Hom}(G,\mathrm{Gal}({\mathbb{F}}_{q^k},{\mathbb{F}}_q))\le \mathrm{Hom}(G,\mathrm{Aut}\left({\mathbb{F}}_{q^k}\right)).$

In the following paragraphs, we summarize the definitions and properties we need on skew group rings.

Definition 1.

Let G be a finite multiplicative group and let $\theta \in \mathrm{Hom}(G,\mathrm{Aut}\left({\mathbb{F}}_q\right))$ be a group homomorphism. The skew group ring ${\mathbb{F}}_q^{\theta }G$ is the set of all formal sums ${\sum }_{g\in G}{a}_{g}g$, where $a_g\in {\mathbb{F}}_q$, with the following skew multiplication

$$a_{g}g·b_{h}h=a_g\left(\theta \left(g\right)\left(b_h\right)\right)gh.$$

Note that at ${\mathbb{F}}_q$-vector space the skew group ring ${\mathbb{F}}_q^{\theta }G$ coincides with the group ring ${\mathbb{F}}_{q}G$. However, rings not only may not coincide, but in general they are non-isomorphic. More precisely, we have the following result.

Lemma 1.

Let $\theta ,\beta \in \mathrm{Hom}(G,\mathrm{Aut}\left({\mathbb{F}}_q\right))$ be homomorphisms. There is an ${\mathbb{F}}_q$-linear ring isomorphism ${\mathbb{F}}_q^{\theta }G\cong {\mathbb{F}}_q^{\beta }G$ mapping $a_{g}g$ to $a_g\delta \left(g\right)$ for some $\delta \left(g\right)\in G$ if and only $\delta :G\to G$ is a group isomorphism such that $\theta \left(g\right)=\beta \left(\delta \right(g\left)\right)$ for all $g\in G$.

Proof. 

Denote by $a_{g}g·b_{h}h$ the product in ${\mathbb{F}}_q^{\theta }G$ and denote $a_{g}g\ast b_{h}h$ the product in ${\mathbb{F}}_q^{\beta }G$. The image of $a_{g}g·b_{h}h=a_g\theta \left(g\right)\left(b_h\right)gh$ in ${\mathbb{F}}_q^{\theta }G$ is $a_g\theta \left(g\right)\left(b_h\right)\delta \left(gh\right)$. The product in ${\mathbb{F}}_q^{\beta }G$ of the images of $a_{g}g$ and $b_{h}h$ are $a_g\beta \left(\delta \left(g\right)\right)\left(b_h\right)\delta \left(g\right)\delta \left(h\right)=a_g\beta \left(\delta \left(g\right)\right)\left(b_h\right)\delta \left(gh\right).$ The two elements coincide if and only if $\theta \left(g\right)=\beta \left(\delta \right(g\left)\right)$ for all $g\in G$. □

Remark 1.

Note that in general $\left(\lambda a_{g}g\right)\left(b_{h}h\right)=\lambda a_g\theta \left(g\right)\left(b_h\right)gh\ne a_g\theta \left(g\right)\left(\lambda b_h\right)gh=\left(a_{g}g\right)\left(\lambda b_{h}h\right)$ for $\lambda \in {\mathbb{F}}_q$ and $a_{g}g,b_{h}h\in {\mathbb{F}}_q^{\theta }G$; therefore, ${\mathbb{F}}_q^{\theta }G$ may not be an algebra.

Lemma 2.

The map $\phi :{\mathbb{F}}_q^{\theta }G\to {\mathbb{F}}_q^{\theta }G$, ${\sum }_{g\in G}{a}_{g}g\mapsto {\sum }_{g\in G}\theta \left(g^{-1}\right)\left(a_g\right)g^{-1}$ is a ring anti-isomorphism of ${\mathbb{F}}_q^{\theta }G$.

Proof. 

Let $a_{g}g,b_{h}h\in {\mathbb{F}}_q^{\theta }G$. Then, we have

$$\begin{array}{cc}\hfill \phi (a_{g}g·b_{h}h)& =\phi \left(a_g\theta \left(g\right)\left(b_h\right)gh\right)=\theta \left(h^{-1}{g}^{-1}\right)\left(a_g\theta \left(g\right)\left(b_h\right)\right)h^{-1}{g}^{-1}\hfill \\ & =\theta \left(h^{-1}\right)\theta \left(g^{-1}\right)\left(a_g\theta \left(g\right)\left(b_h\right)\right)h^{-1}{g}^{-1}=\theta \left(h^{-1}\right)\theta \left(g^{-1}\right)\left(a_g\right)\theta \left(h^{-1}\right)\left(b_h\right)h^{-1}{g}^{-1}\hfill \\ & =\theta \left(h^{-1}\right)\left(b_h\right)\theta \left(h^{-1}\right)\theta \left(g^{-1}\right)\left(a_g\right)h^{-1}{g}^{-1}=\theta \left(h^{-1}\right)\left(b_h\right)h^{-1}·\theta \left(g^{-1}\right)\left(a_g\right)g^{-1}\hfill \\ & =\phi \left(b_{h}h\right)\phi \left(a_{g}g\right).\hfill \end{array}$$

□

Definition 2.

For an element $a={\sum }_{g\in G}{a}_{g}g\in {\mathbb{F}}_q^{\theta }G$, we define its adjunct as

$$\widehat{a}:=\phi \left(a\right)=\sum _{g\in G}\theta \left(g^{-1}\right)\left(a_g\right)g^{-1}.$$

3. A Skew Dihedral Group Ring

Let $G=D_{2n}=\langle x,y:x^n=y^2=1,yx{y}^{-1}=x^{-1}\rangle$ be a presentation of the dihedral group of order $2n$.

Lemma 3.

Let $C_n=\langle x\rangle$ be the cyclic subgroup of $D_{2n}$ generated by x. Then, we have

1. 

${\mathbb{F}}_q^{\theta }{D}_{2n}$ is a free ${\mathbb{F}}_q^{\theta }{C}_n$-module with basis $\{1,y\}$. Therefore, ${\mathbb{F}}_q^{\theta }{D}_{2n}={\mathbb{F}}_q^{\theta }{C}_n\oplus {\mathbb{F}}_q^{\theta }{C}_{n}y$ as direct sum of ${\mathbb{F}}_q$-vector spaces.

2. 

${\mathbb{F}}_q^{\theta }{C}_{n}y\cong {\mathbb{F}}_q^{\theta }{C}_n$ as ${\mathbb{F}}_q^{\theta }{C}_n$-modules.

3. 

For $a\in {\mathbb{F}}_q^{\theta }{C}_{n}y$, $ab\in {\mathbb{F}}_q^{\theta }{C}_n$ if $b\in {\mathbb{F}}_q^{\theta }{C}_{n}y$ or $ab\in {\mathbb{F}}_q^{\theta }{C}_{n}y$ if $b\in {\mathbb{F}}_q^{\theta }{C}_n$.

4. 

If $a\in {\mathbb{F}}_q^{\theta }{C}_n$, then $\widehat{a}\in {\mathbb{F}}_q^{\theta }{C}_n$.

5. 

If $a\in {\mathbb{F}}_q^{\theta }{C}_{n}y$, then $\widehat{a}\in {\mathbb{F}}_q^{\theta }{C}_{n}y$.

Proof. 

In what follows, the symbol ${\left[k\right]}_n$ for $k\in \mathbb{Z}$ denotes $k\equiv {\left[k\right]}_{n}modn$.

• Since $\{1,y\}$ is a transversal for $C_n$ in $D_{2n}$, then $D_{2n}=C_n\cup C_{n}y$, and the assertion follows.
• Since $x^i·x^j=x^{{[i+j]}_n}$ and $x^i·x^{j}y=x^{{[i+j]}_n}y$ for all $i,j\in \{0,\dots ,n-1\}$, the assertions follow.
• Since $x^{i}y·x^{j}y=x^{{[i-j]}_n}$ and $x^{i}y·x^j=x^{{[i-j]}_n}y$ for all $i,j\in \{0,\dots ,n-1\}$, the assertions follow.
• Since $x^i·x^{n-i}=1$ for all $i\in \{0,\dots ,n-1\}$, then the assertion follows.
• Since ${\left(x^{i}y\right)}^2=1$ for all $i\in \{0,\dots ,n-1\}$, then the assertion follows.

□

Definition 3.

We define the θ-reversible subspace of ${\mathbb{F}}_q^{\theta }{C}_{n}y$ as the vector subspace

$${\mathsf{\Gamma }}_{\theta }=\{a=\sum _{i=0}^{n-1}{a}_i{x}^{i}y\in {\mathbb{F}}_q^{\theta }{C}_{n}y\mid a_i=a_{n-i}\mathrm{for}i=1,\dots ,n-1\}.$$

The following lemma introduces the group homomorphism ${\theta }_{\sigma }\in \mathrm{Hom}(D_{2n},\mathrm{Aut}\left({\mathbb{F}}_{q^2}\right)),$ which depends on the Frobenius automorphism $\sigma$, where ${\mathbb{F}}_{q^2}$ is a quadratic extension of ${\mathbb{F}}_q$. Note that since $\mathrm{Gal}({\mathbb{F}}_{q^2},{\mathbb{F}}_q)\le \mathrm{Aut}\left({\mathbb{F}}_{q^2}\right)$, then ${\theta }_{\sigma }\in \mathrm{Hom}(D_{2n},\mathrm{Gal}({\mathbb{F}}_{q^2},{\mathbb{F}}_q)).$ Furthermore, from here on, we only consider a quadratic extension of ${\mathbb{F}}_q$ due to the ambient space over which we define our cryptographic constructions as the skew group ring ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{D}_{2n}$.

Lemma 4.

Let $\sigma \in \mathrm{Gal}({\mathbb{F}}_{q^2},{\mathbb{F}}_q))$ be the Frobenius automorphism of ${\mathbb{F}}_{q^2}$ over ${\mathbb{F}}_q$. Then, the map ${\theta }_{\sigma }:G=D_{2n}\to \mathrm{Gal}({\mathbb{F}}_{q^2},{\mathbb{F}}_q)$ defined by ${\theta }_{\sigma }\left(g\right)=\sigma$ for $g=x^{i}y$, $i\in \{0,\dots ,n-1\}$ and ${\theta }_{\sigma }\left(g\right)=1$ otherwise is a group homomorphism.

Proof. 

This assertion follows straightforwardly.    □

Lemma 5.

Let ${\theta }_{\sigma }\in \mathrm{Hom}(D_{2n},\mathrm{Gal}({\mathbb{F}}_{q^2},{\mathbb{F}}_q))$ be the group homomorphism defined in Lemma 4. Then, we have $a\widehat{b}=b\widehat{a}$ for $a,b\in {\mathsf{\Gamma }}_{{\theta }_{\sigma }}$.

Proof. 

Let $a={\sum }_{i=0}^{n-1}{a}_i{x}^{i}y\in {\mathsf{\Gamma }}_{{\theta }_{\sigma }}$ and $b={\sum }_{i=0}^{n-1}{b}_i{x}^{i}y\in {\mathsf{\Gamma }}_{{\theta }_{\sigma }}.$ Then

$$a\widehat{b}=\sum _{i=0}^{n-1}{a}_i{x}^{i}y\sum _{j=0}^{n-1}{\theta }_{\sigma }\left(x^{j}y\right)\left(b_j\right)x^{j}y=\sum _{j=0}^{n-1}\left(\sum _{i=0}^{n-1}{a}_i{\theta }_{\sigma }\left(x^j\right)\left(b_{{[i-j]}_n}\right)\right)x^j$$

(1)

and

$$b\widehat{a}=\sum _{i=0}^{n-1}{b}_i{x}^{i}y\sum _{j=0}^{n-1}{\theta }_{\sigma }\left(x^{j}y\right)\left(a_j\right)x^{j}y=\sum _{j=0}^{n-1}\left(\sum _{i=0}^{n-1}{b}_i{\theta }_{\sigma }\left(x^j\right)\left(a_{{[i-j]}_n}\right)\right)x^j.$$

(2)

The first sum of Equations (1) and (2) follows from the definitions. The second sum of Equations (1) and (2) follows from ${\theta }_{\sigma }$ being a homomorphism, and thus ${\theta }_{\sigma }\left(x^{i}y\right)\left({\theta }_{\sigma }\left(x^{j}y\right)\left(a\right)\right)={\theta }_{\sigma }\left(x^{{[i-j]}_n}\right)\left(a\right)$ for $a\in {\mathbb{F}}_{q^2}$.

Since $a,b\in {\mathsf{\Gamma }}_{{\theta }_{\sigma }}$, then $a_i=a_{{[-i]}_n}$ and $b_{{[j-i]}_n}=b_{{[i-j]}_n}$ for $i\in \{0,\dots ,n-1\}$, then ${\theta }_{\sigma }\left(x^j\right)\left(a_{{[-i]}_n}\right)=a_{{[-i]}_n}=a_i$ and ${\theta }_{\sigma }\left(x^j\right)\left(b_{{[i-j]}_n}\right)=b_{{[i-j]}_n}=b_{{[j-i]}_n}$ (since ${\theta }_{\sigma }\left(x^j\right)=1$ by construction). Therefore, the i-th term $a_i{b}_{{[j-i]}_n}$ of ${\sum }_{i=0}^{n-1}{a}_i{\theta }_{\sigma }\left(x^j\right)\left(b_{{[i-j]}_n}\right)$ in (1) coincides with the ${[j-i]}_n$-th term $b_{{[j-i]}_n}{a}_i$ of ${\sum }_{i=0}^{n-1}{b}_i{\theta }_{\sigma }\left(x^j\right)\left(a_{{[i-j]}_n}\right)$ in (2), which implies that ${\sum }_{i=0}^{n-1}{a}_i{\theta }_{\sigma }\left(x^j\right)\left(b_{{[i-j]}_n}\right)={\sum }_{i=0}^{n-1}{b}_i{\theta }_{\sigma }\left(x^j\right)\left(a_{{[i-j]}_n}\right)$ for all $j\in \{0,\dots ,n-1\}$. □

4. A Key Exchange Protocol

This section presents a two-party key exchange protocol based on two-sided multiplications over a skew dihedral group ring. We remark that other works have considered two-sided semi-group actions or matrices over group rings for key exchange [2,3,4,6,7,8,9]. However, we follow an alternative approach. Recent papers [2,3,4] propose two-party key exchange protocols using two-sided multiplications over dihedral twisted group rings. Following their constructions, we introduce a two-party key exchange protocol over the skew group ring ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{D}_{2n}$.

Remark 2.

Since ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{D}_{2n}$ is not an algebra, our protocol works over a different algebraic structure than that of [2,3,4].

4.1. The Construction

We start by setting up our key exchange protocol’s public parameters.

• Choose $m,n\in \mathbb{N}$ and a prime number p such that p divides n. We then set $q=p^m$ and the finite field ${\mathbb{F}}_{q^2}$.
• Choose the map ${\theta }_{\sigma }:D_{2n}\to \mathrm{Gal}({\mathbb{F}}_{q^2},{\mathbb{F}}_q)$ as it was defined in Lemma 4. We remark that for $g=x^{i}y$ with $i\in \{0,\dots ,n-1\}$, ${\theta }_{\sigma }\left(g\right)=\sigma$, where $\sigma \left(a\right)=a^q$ for all $a\in {\mathbb{F}}_{q^2}$, and ${\theta }_{\sigma }\left(g\right)=1$ otherwise.
• Choose a random non-zero element ${\mathrm{h}}_1\in {\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{C}_n$ and a random non-zero element ${\mathrm{h}}_2\in {\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{C}_{n}y$. Set $\mathrm{h}={\mathrm{h}}_1+{\mathrm{h}}_2$ and make $\mathrm{h}$ public.
• Let $\mathcal{SK}={\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{C}_{2n}\times {\mathsf{\Gamma }}_{{\theta }_{\sigma }}$ be the secret key space, and $\mathrm{sk}=(\mathrm{a},\gamma )\in \mathcal{SK}$ be a secret key; we define $\widehat{\mathrm{sk}}$ as $(\mathrm{a},\widehat{\gamma })$. Furthermore, let us define the function $\psi :\mathcal{SK}\times {\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{D}_{2n}⟶{\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{D}_{2n}$ as $\psi (\mathrm{sk},h)=\mathrm{a}h\gamma$ and $\mathcal{ID}$ as a set of identifiers.

Let $P_i$ and $P_j$ be two parties and s be a bit-string that identifies a session. Let us denote as ${\mathrm{ID}}_i\in \mathcal{ID}$ the identifier of the party $P_i$. The key exchange protocol between $P_i$ and $P_j$ runs as shown by Algorithm 1.

Algorithm 1 Two-party key exchange protocol

1: The initiator $P_i$, on input $({\mathrm{ID}}_i,{\mathrm{ID}}_j,s)$, chooses a secret pair ${\mathrm{sk}}_i=({\mathrm{a}}_i,{\gamma }_i)\stackrel{R}{\leftarrow }\mathcal{SK}$ and sends $({\mathrm{ID}}_i,s,{\mathrm{pk}}_i=\psi ({\mathrm{sk}}_i,\mathrm{h})$ to $P_j$. 2: Upon receipt of $({\mathrm{ID}}_i,s,{\mathrm{pk}}_i)$, $P_j$ chooses a secret pair ${\mathrm{sk}}_j=({\mathrm{a}}_j,{\gamma }_j)\stackrel{R}{\leftarrow }\mathcal{SK}$ and sends $({\mathrm{ID}}_j,s,{\mathrm{pk}}_j=\psi ({\mathrm{sk}}_j,\mathrm{h})$ to $P_i$, computes ${\mathrm{k}}_j=\psi (\widehat{{\mathrm{sk}}_j},{\mathrm{pk}}_i)$, erases $({\mathrm{a}}_j,{\gamma }_j)$, and outputs the key ${\mathrm{k}}_j$ under the session-id s. 3: Upon receipt of $({\mathrm{ID}}_j,s,{\mathrm{pk}}_j)$, $P_i$ computes ${\mathrm{k}}_i=\psi (\widehat{{\mathrm{sk}}_i},{\mathrm{pk}}_j)$, erases $({\mathrm{a}}_i,{\gamma }_i)$, and outputs the key ${\mathrm{k}}_i$ under the session-id s.

We remark that if both $P_i$ and $P_j$ are uncorrupted during the exchange of the key and complete the protocol for session-id s, they then establish the same key. Because of the choice of ${\theta }_{\sigma }$, by Lemma 5, it follows

$${\mathrm{k}}_i={\mathrm{a}}_i{\mathrm{pk}}_j\widehat{{\gamma }_i}={\mathrm{a}}_i{\mathrm{a}}_j\mathrm{h}{\gamma }_j\widehat{{\gamma }_i}={\mathrm{a}}_j{\mathrm{a}}_i\mathrm{h}{\gamma }_i\widehat{{\gamma }_j}={\mathrm{a}}_j{\mathrm{pk}}_i\widehat{{\gamma }_j}={\mathrm{k}}_j$$

4.2. Intractability Assumptions

With the notation above, let $\mathrm{h}={\mathrm{h}}_1+{\mathrm{h}}_2$ be a public element in ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{D}_{2n}$, where ${\mathrm{h}}_1$ is a random non-zero element from ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{C}_n$ and ${\mathrm{h}}_2$ is a random non-zero element from ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{C}_{n}y$. We now present attack games [10,11] for algebraic problems related to the security of our key exchange protocol.

Game 1

(Skew Dihedral Product Decomposition). For a given adversary $\mathcal{A}$, we define the following attack game:

• The challenger computes

  1: 

  $(\mathrm{a},\gamma )\stackrel{R}{\leftarrow }\mathcal{SK}$;

  2: 

  $\mathit{pk}\leftarrow ah\gamma$;

  and gives $\mathit{pk}$ to the adversary.
• The adversary outputs $(\tilde{a},\tilde{\gamma })\in \mathcal{SK}.$

We define $\mathcal{A}$’s advantage in solving the Skew Dihedral Product Decomposition Problem for ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{D}_{2n}$, denoted $\mathit{SDPDadv}[\mathcal{A},{\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{D}_{2n}]$, as the probability that $\tilde{a}h\tilde{\gamma }=ah\gamma$.

Definition 4

(Skew Dihedral Product Decomposition Assumption). We say that the Skew Dihedral Product Decomposition (SDPD) assumption holds for ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{D}_{2n}$ if for all efficient adversaries $\mathcal{A}$ the quantity $\mathit{SDPDadv}[\mathcal{A},{\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{D}_{2n}]$ is negligible.

Game 2

(Computational Skew Dihedral Product). For a given adversary $\mathcal{A}$, we define the following attack game:

• The challenger computes

  1: 

  $(a_1,{\gamma }_1)\stackrel{R}{\leftarrow }\mathcal{SK};$

  2: 

  $(a_2,{\gamma }_2)\stackrel{R}{\leftarrow }\mathcal{SK};$

  3: 

  ${\mathit{pk}}_1\leftarrow a_{1}h{\gamma }_1;$

  4: 

  ${\mathit{pk}}_2\leftarrow a_{2}h{\gamma }_2;$

  5: 

  $k\leftarrow a_2{\mathit{pk}}_1{\widehat{\gamma }}_2;$

  and gives both ${\mathit{pk}}_1$ and ${\mathit{pk}}_2$ to the adversary.
• The adversary outputs some $\tilde{k}\in {\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{D}_{2n}$.

We define $\mathcal{A}$’s advantage in solving the Computational Skew Dihedral Product (CSDP) Problem for ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{D}_{2n}$, denoted $\mathit{CSDPadv}[\mathcal{A},{\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{D}_{2n}]$, as the probability that $\tilde{k}=k$.

Definition 5

(Computational Skew Dihedral Product Assumption). We say that the Computational Skew Dihedral Product (CSDP) assumption holds for ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{D}_{2n}$ if for all efficient adversaries $\mathcal{A}$ the quantity $\mathit{CSDPadv}[\mathcal{A},{\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{D}_{2n}]$ is negligible.

Lemma 6.

If the SDPD assumption does not hold for ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{D}_{2n}$, then the CSDP assumption does not hold for ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{D}_{2n}$.

Proof. 

This assertion follows straightforwardly. □

Game 3

(Decisional Skew Dihedral Product). For a given adversary $\mathcal{A}$, we define two experiments:

• Experiment $b$

• The challenger computes

  1: 

  $(a_1,{\gamma }_1)\stackrel{R}{\leftarrow }\mathcal{SK};$

  2: 

  $(a_2,{\gamma }_2)\stackrel{R}{\leftarrow }\mathcal{SK};$

  3: 

  $(a_3,{\gamma }_3)\stackrel{R}{\leftarrow }\mathcal{SK};$

  4: 

  ${\mathit{pk}}_1\leftarrow a_{1}h{\gamma }_1$; ${\mathit{pk}}_2\leftarrow a_{2}h{\gamma }_2;$

  5: 

  $k_0\leftarrow a_2{\mathit{pk}}_1{\widehat{\gamma }}_2;k_1\leftarrow a_{3}h{\gamma }_3;$

  and gives the triple $({\mathrm{pk}}_1,{\mathrm{pk}}_2,k_b)$ to the adversary.
• The adversary outputs a bit $\tilde{b}\in \{0,1\}$.

Let $W_b$ be the event that $\mathcal{A}$ outputs 1 in experiment $b$. We define $\mathcal{A}$’s advantage in solving the Decisional Skew Dihedral Product Problem for ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{D}_{2n}$ as

$$\mathit{DSDPadv}[\mathcal{A},{\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{D}_{2n}]=|\mathit{Pr}\left[W_0\right]-\mathit{Pr}\left[W_1\right]|.$$

Definition 6

(Decisional Skew Dihedral Product Assumption). We say that the Decisional Skew Dihedral Product (DSDP) assumption holds for ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{D}_{2n}$ if for all efficient adversaries $\mathcal{A}$ the quantity $\mathit{DSDPadv}[\mathcal{A},{\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{D}_{2n}]$ is negligible.

Note that $\mathrm{h}$ is chosen as $\mathrm{h}={\mathrm{h}}_1+{\mathrm{h}}_2$, with ${\mathrm{h}}_1$ being a random non-zero element from ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{C}_n$ and ${\mathrm{h}}_2$ being a random non-zero element from ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{C}_{n}y$, to not let the attacker win the DSDP Game trivially. Indeed, if $\mathrm{h}$ is chosen as $\mathrm{h}={\mathrm{h}}_1+\mathrm{0}$ with ${\mathrm{h}}_1\in {\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{C}_n$, then ${\mathrm{k}}_0\in {\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{C}_n$ and ${\mathrm{k}}_1\in {\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{C}_{n}y$ by Lemma 3. Similarly, if $\mathrm{h}$ is chosen as $\mathrm{h}=\mathrm{0}+{\mathrm{h}}_2$ with ${\mathrm{h}}_2\in {\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{C}_{n}y$, then ${\mathrm{k}}_0\in {\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{C}_{n}y$ and ${\mathrm{k}}_1\in {\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{C}_n$ by Lemma 3. Therefore, the attacker can win the DSDP Game for both cases with non-negligible probability. Additionally, we have the following:

Lemma 7.

If the CSDP assumption does not hold for ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{D}_{2n}$, then DSDP assumption does not hold for ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{D}_{2n}$.

Proof. 

This assertion follows straightforwardly. □

4.3. The Hardness of the SDPD Problem

The SDPD problem is similar to the Dihedral Product Decomposition (DPD) Problem introduced in [3], then formalized in [2], and extended in [4]. In [2], the authors provide an algorithmic and algebraic analysis of their DPD problem, which is the underlying computational problem associated with the security of their cryptographic constructions. In particular, they define the twisted dihedral group algebra ${\mathbb{F}}_q^{{\alpha }_{\lambda }}{D}_{2n}$, where the 2-cocycle ${\alpha }_{\lambda }:D_{2n}\times D_{2n}⟶{\mathbb{F}}_q^{*}$ is defined by ${\alpha }_{\lambda }(g,h)=\lambda$ (a non-square in ${\mathbb{F}}_q$) for $g=x^{i}y$, $h=x^{j}y$ with $i,j\in \{0,\dots ,n-1\}$ and ${\alpha }_{\lambda }(g,h)=1$ otherwise. Furthermore, [2] demonstrates that ${\mathbb{F}}_q^{{\alpha }_{\lambda }}{D}_{2n}={\mathbb{F}}_q^{{\alpha }_{\lambda }}{C}_n\oplus {\mathbb{F}}_q^{{\alpha }_{\lambda }}{C}_{n}y$ as a direct sum of $\mathbb{F}$-vector spaces and also defines ${\mathsf{\Gamma }}_{{\alpha }_{\lambda }}\subseteq {\mathbb{F}}_q^{{\alpha }_{\lambda }}{C}_{n}y$ in a similar way.

In [2], the DPD attack game is defined as follows. Let $\mathrm{h}={\mathrm{h}}_1+{\mathrm{h}}_2$ be a public element in ${\mathbb{F}}_q^{{\alpha }_{\lambda }}{D}_{2n}$, where ${\mathrm{h}}_1$ is a random non-zero element from ${\mathbb{F}}_q^{{\alpha }_{\lambda }}{C}_n$ and ${\mathrm{h}}_2$ is a random non-zero element from ${\mathbb{F}}_q^{{\alpha }_{\lambda }}{C}_{n}y$. For a given adversary $\mathcal{A}$,

• The challenger computes

  1:

  $(\mathrm{a},\gamma )\stackrel{R}{\leftarrow }{\mathbb{F}}_q^{{\alpha }_{\lambda }}{C}_n\times {\mathsf{\Gamma }}_{{\alpha }_{\lambda }}$;

  2:

  $\mathrm{pk}\leftarrow \mathrm{a}\mathrm{h}\gamma$;

  and gives $\mathrm{pk}$ to the adversary.
• The adversary outputs $(\tilde{\mathrm{a}},\tilde{\gamma })\in {\mathbb{F}}_q^{{\alpha }_{\lambda }}{C}_n\times {\mathsf{\Gamma }}_{{\alpha }_{\lambda }}.$

The $\mathcal{A}$’s advantage in solving the Dihedral Product Decomposition Problem for ${\mathbb{F}}_q^{{\alpha }_{\lambda }}{D}_{2n}$ is defined as the probability that $\tilde{\mathrm{a}}\mathrm{h}\tilde{\gamma }=\mathrm{a}\mathrm{h}\gamma$.

The authors of [2] analyze how an adversary may try to solve their DPD problem by exploiting quantum algorithms [12,13] or algebraic techniques [14]. We remark that since the DPD problem and SDPD problem are alike, such an algebraic and algorithmic analysis for the DPD problem presented in [2] may be adapted easily to the SDPD problem. However, we remark that adjusting such an analysis to the SDPD problem does not mean that both the DPD and SDPD problems are computationally equivalent. It is indeed an open question to prove whether the DPD problem (or any of its variants) and SDPD problem are computationally equivalent or not.

4.4. Security Analysis in the Authenticated-Links Adversarial Model

This subsection is devoted to further analyzing our two-party key exchange protocol in an appropriate security model [15,16,17]. In particular, we aim to prove that our protocol is session-key secure in the authenticated-links adversarial model (AM) of Canetti and Krawczyk [17], assuming the DSDP assumption holds for ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}$. The definition of session-key security in the authenticated-links adversarial model of Canetti and Krawczyk is introduced in [17]. We add a description of it as follows:

• Let $P=\{P_1,P_2,\dots ,P_n\}$ be a finite set of parties.
• Let $\mathcal{A}$ be an adversary that controls all communication between two parties, however,
  • $\mathcal{A}$ is not allowed to inject or modify messages, except for messages sent by corrupted parties or sessions.
  • $\mathcal{A}$ may choose not to forward a message at all. However, if $\mathcal{A}$ decides to forward a message m, then $\mathcal{A}$ has to send it to the correct destination for m only once and without modifying m.
  • Parties give outgoing messages to $\mathcal{A}$, who has control over their delivery via the Send query. $\mathcal{A}$ can activate a party $P_i$ by Send queries, i.e., the adversary has control over the creation of protocol sessions, which takes place within each party. Two sessions $s_1$ and $s_0$ are matching if the outgoing messages of one are the incoming messages of the other and vice versa. Additionally, $\mathcal{A}$ is allowed to query the oracles SessionStateReveal, SessionKeyReveal, and Corrupt.

    -

    If $\mathcal{A}$ queries the SessionStateReveal oracle for a specified session-id s within some party $P_i$, then $\mathcal{A}$ obtains the contents of the specified session-id s within $P_i$, including any secret information. This event is noted and produces no further output.

    -

    If $\mathcal{A}$ queries the SessionKeyReveal for a specified session-id s, then $\mathcal{A}$ obtains the session key for the specified session s, assuming that s has an associated session.

    -

    If $\mathcal{A}$ queries the Corrupt oracle for a specified party $P_i$, then $\mathcal{A}$ takes over the party $P_i$, i.e., $\mathcal{A}$ has access to all information in $P_i$’s memory, including long-lived keys and any session-specific information still stored. A corrupted party produces no further output.

  • Finally, $\mathcal{A}$ receives access to the test oracle, which can be queried once and at any stage to a completed, fresh, and unexpired session-id s. On input s, the test oracle chooses $b\stackrel{R}{\leftarrow }\{0,1\}$, then it outputs the session key for the specified session-id s if $b=0$. Otherwise, it returns a random value in the key space. Moreover, $\mathcal{A}$ can issue subsequent queries as desired, but it cannot expose the test session. At any point, the adversary can try to guess b. Let $\mathrm{Guess}[\mathcal{A},{\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{D}_{2n}]$ be the event that $\mathcal{A}$ correctly guesses b, and define the advantage $\mathrm{SKAdv}[\mathcal{A},{\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{D}_{2n}]=|\mathrm{Guess}[\mathcal{A},{\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{D}_{2n}]-1/2|$.

Theorem 4.

If the DSDP assumption holds for ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{D}_{2n}$, then our key exchange protocol is session-key secure in the the authenticated-links adversarial model, i.e., for any $\mathcal{A}$ in the authenticated-links adversarial model (AM), then the following holds:

1. 

The key-exchange protocol satisfies the property that if two uncorrupted parties complete matching sessions, they both output the same key.

2. 

$\mathit{SKAdv}[\mathcal{A},{\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{D}_{2n}]$ is negligible.

Proof. 

The proof is an adaptation of the proof for the key-exchange protocol over a twisted dihedral group algebra ${\mathbb{F}}_q^{{\alpha }_{\lambda }}{D}_{2n}$ given in [2].

• The proof of the first statement is given at the end of the Section 4.1.
• To prove this statement, we proceed by contradiction. Let us suppose that there is an adversary $\mathcal{A}$ in the authentication-links model against our protocol that has a non-negligible advantage $ϵ$ in guessing the bit b chosen by the test oracle (when queried). Let l be an upper bound on the number of sessions invoked by $\mathcal{A}$ in any interaction. We now present a distinguisher $\mathcal{D}$ (Algorithm 2) for the DSDP problem.

  Algorithm 2 A distinguisher for the DSDP problem

  1: function$\mathcal{D}$($h,{\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{D}_{2n},{\mathrm{pk}}_1,{\mathrm{pk}}_2,\mathrm{k}$) 2:     $r\stackrel{R}{\leftarrow }\{1,\dots ,l\}$; 3:     Invoke $\mathcal{A}$ on a simulated interaction in the AM with parties $P_1,\dots ,P_n$ with identifiers ${\mathrm{ID}}_1,\dots ,{\mathrm{ID}}_n$, except for the $r_{th}$ session; 4:     For the r-th session, let $P_i$ send $({\mathrm{ID}}_i,s,{\mathrm{pk}}_i={\mathrm{a}}_i\mathrm{h}{\gamma }_i)$ to $P_j$ and let $P_j$ send $({\mathrm{ID}}_j,s,{\mathrm{pk}}_j={\mathrm{a}}_j\mathrm{h}{\gamma }_j)$ to $P_i$; 5:     if the r-th session is selected by $\mathcal{A}$ as the test session then 6:       Give $\mathrm{k}$ to $\mathcal{A}$ as the answer to his query; 7:       $d\leftarrow \mathcal{A}\left(\mathrm{k}\right)$; 8:     else 9:       $d\stackrel{R}{\leftarrow }\{0,1\}$; 10:     end if 11:     return d 12: end function

  On the one hand, let us suppose that $\mathcal{A}$ picks the r-th as the test session, then $\mathcal{A}$ is provided with either ${\mathrm{k}}_{\mathrm{0}}$ or ${\mathrm{k}}_{\mathrm{1}}$, since the DSDP challenger gives either of the two keys to $\mathcal{D}$. Therefore, the probability that $\mathcal{A}$ correctly distinguishes is $1/2+ϵ$ with non-negligible $ϵ$ (by assumption). On the other hand, assume that $\mathcal{A}$ does not choose the r-th as the test session, then $\mathcal{D}$ always returns a random bit, and the distinguishing probability for the input is $1/2$.
  Note that the probability that the test session and the r-th session coincide is $1/l$. So, these do not coincide with probability $1-1/l$. Hence, the overall probability for $\mathcal{D}$ to win the DSDP Game is $1/\left(2l\right)+ϵ/l+1/2-1/\left(2l\right)=1/2+ϵ/l$, which is non-negligible.

□

5. Group Key Agreement

Here, we introduce a group key agreement protocol that generalizes the interactive two-party key agreement protocol presented in Section 4.1. Let us assume there are $o>1$ participants with distinct identifiers ${\mathrm{ID}}_1,{\mathrm{ID}}_2,{\mathrm{ID}}_3,{\mathrm{ID}}_4,\dots ,{\mathrm{ID}}_o$. Algorithm 3 shows our group key agreement, and it runs as follows:

Algorithm 3 Group key exchange protocol
Participant ${\mathrm{ID}}_1$		Participant ${\mathrm{ID}}_2$
${\mathrm{sk}}_1\stackrel{R}{\leftarrow }\mathcal{SK}$
computes ${\mathcal{M}}_1$	$\stackrel{{\mathcal{M}}_1}{\to }$
	⋮
	⋮
Participant ${\mathrm{ID}}_i$		Participant ${\mathrm{ID}}_{i+1}$
${\mathrm{sk}}_i\stackrel{R}{\leftarrow }\mathcal{SK}$
computes ${\mathcal{M}}_i$	$\stackrel{{\mathcal{M}}_i}{\to }$
	⋮
	⋮
Participant ${\mathrm{ID}}_o$
${\mathrm{sk}}_o\stackrel{R}{\leftarrow }\mathcal{SK}$
computes $\mathrm{k}$ and ${\mathcal{M}}_o$	$\stackrel{\mathrm{Broadcasts}{\mathcal{M}}_o}{\to }$	Each participant
		computes $\mathrm{k}$ from ${\mathcal{M}}_o$

• The participant ${\mathrm{ID}}_1$ randomly selects a secret pair ${\mathrm{sk}}_1=({\mathrm{a}}_1,{\gamma }_1)\in \mathcal{SK}$ and then sends the list of messages ${\mathcal{M}}_1$ to the participant ${\mathrm{ID}}_2$, where

  $${\mathcal{M}}_1=[m_1^1=h,m_1^2=\psi ({\mathrm{sk}}_1,h)={\mathrm{a}}_{1}h{\gamma }_1]$$
• For $i\in \{2,\dots ,o-1\}$, the participant ${\mathrm{ID}}_i$ randomly selects a secret pair ${\mathrm{sk}}_i=({\mathrm{a}}_i,{\gamma }_i)\in \mathcal{SK}$ and then sends the list of messages ${\mathcal{M}}_i$ to the participant ${\mathrm{ID}}_{i+1}$, where ${\mathcal{M}}_i$ contains

  (a)

  $[m_i^1=\psi ({\mathrm{sk}}_i,m_{i-1}^1),m_i^2=\psi ({\mathrm{sk}}_i,m_{i-1}^2),\dots ,m_i^{i-1}=\psi ({\mathrm{sk}}_i,m_{i-1}^{i-1}),m_i^i=m_{i-1}^i,$

  $m_i^{i+1}=\psi ({\widehat{\mathrm{sk}}}_i,m_{i-1}^i)]$ when i is even.

  (b)

  $[m_i^1=\psi ({\widehat{\mathrm{sk}}}_i,m_{i-1}^1),m_i^2=\psi ({\widehat{\mathrm{sk}}}_i,m_{i-1}^2),\dots ,m_i^{i-1}=\psi ({\widehat{\mathrm{sk}}}_i,m_{i-1}^{i-1}),m_i^i=m_{i-1}^i,$

  $m_i^{i+1}=\psi ({\mathrm{sk}}_i,m_{i-1}^i)]$ when i is odd.

• The participant ${\mathrm{ID}}_o$ randomly selects a secret pair ${\mathrm{sk}}_i=({\mathrm{a}}_i,{\gamma }_i)\in \mathcal{SK}$ and then computes ${\mathcal{M}}_o$ containing

  (a)

  $[m_o^1=\psi ({\mathrm{sk}}_o,m_{o-1}^1),m_o^2=\psi ({\mathrm{sk}}_o,m_{o-1}^2),\dots ,m_o^{o-1}=\psi ({\mathrm{sk}}_o,m_{o-1}^{o-1}),m_o^o=m_{o-1}^o,$

  $m_o^{o+1}=\psi ({\widehat{\mathrm{sk}}}_o,m_{o-1}^o)]$ when o is even.

  (b)

  $[m_o^1=\psi ({\widehat{\mathrm{sk}}}_o,m_{o-1}^1),m_o^2=\psi ({\widehat{\mathrm{sk}}}_o,m_{o-1}^2),\dots ,m_o^{o-1}=\psi ({\widehat{\mathrm{sk}}}_o,m_{o-1}^{o-1}),m_o^o=m_{o-1}^o,$

  $m_o^{o+1}=\psi ({\mathrm{sk}}_o,m_{o-1}^o)]$ when o is odd.

  and then sets $\mathrm{k}=m_o^{o+1}$ as the shared key, and finally broadcasts $[m_o^1,m_o^2,\dots ,m_{o-1}^{o-1}]$ to all other participants.
• For $i\in \{1,\dots ,o-1\}$, the participant ${\mathrm{ID}}_i$ computes $\mathrm{k}=\psi ({\mathrm{sk}}_i,m_o^i)$ when o is odd or $\mathrm{k}=\psi ({\widehat{\mathrm{sk}}}_i,m_o^i)$ when o is even and sets $\mathrm{k}$ as the shared key.

Lemma 8.

After a complete run of the above protocol, the participants ${\mathit{ID}}_1,\dots ,{\mathit{ID}}_o$ agree on a common key $k$.

Proof. 

We prove the previous statement by induction on the number of participants o.

Base Case

When o is 2, we obtain the two-party key agreement protocol.

Inductive Case

We now proceed with two cases:

• Assume that the number of participants is o (odd) and that after running the protocol with o participants, the participant ${\mathrm{ID}}_i\mathrm{with}i\in \{1,2,\dots ,o-1\}$ obtains the shared key via computing ${\mathrm{k}}_o=\psi ({\mathrm{sk}}_i,m_o^i)$, while the participant o obtains the shared key via computing ${\mathrm{k}}_o=\psi ({\mathrm{sk}}_o,m_{o-1}^o)$.
  Suppose that there are $o+1$ (even) participants. We show that after running the protocol with $o+1$ participants, the participant ${\mathrm{ID}}_i\mathrm{with}i\in \{1,2,\dots ,o\}$ obtains the shared key via computing ${\mathrm{k}}_{o+1}=\psi ({\widehat{\mathrm{sk}}}_i,m_{o+1}^i)$, while the participant o obtains the shared key via computing ${\mathrm{k}}_{o+1}=\psi ({\widehat{\mathrm{sk}}}_{o+1},m_o^{o+1})$.
  On the one hand, note that

  $$\begin{array}{c}{\mathrm{k}}_{o+1}=\psi ({\widehat{\mathrm{sk}}}_i,m_{o+1}^i)={\mathrm{a}}_i{m}_{o+1}^i{\widehat{\gamma }}_i=\hfill \\ {\mathrm{a}}_i\psi ({\mathrm{sk}}_{o+1},m_o^i){\widehat{\gamma }}_i={\mathrm{a}}_i{\mathrm{a}}_{o+1}{m}_o^i{\gamma }_{o+1}{\widehat{\gamma }}_i={\mathrm{a}}_{o+1}{\mathrm{a}}_i{m}_o^i{\gamma }_i{\widehat{\gamma }}_{o+1}=\hfill \\ {\mathrm{a}}_{o+1}\psi ({\mathrm{sk}}_i,m_o^i){\widehat{\gamma }}_{o+1}={\mathrm{a}}_{o+1}{\mathrm{k}}_o{\widehat{\gamma }}_{o+1}\hfill \end{array}$$

  for $i\in \{1,2,\dots ,o\}$. On the other hand,

  $$\begin{array}{c}{\mathrm{k}}_{o+1}=\psi ({\widehat{\mathrm{sk}}}_{o+1},m_o^{o+1})=\hfill \\ {\mathrm{a}}_{o+1}{m}_o^{o+1}{\widehat{\gamma }}_{o+1}={\mathrm{a}}_{o+1}\psi ({\mathrm{sk}}_o,m_{o-1}^o){\widehat{\gamma }}_{o+1}={\mathrm{a}}_{o+1}{\mathrm{k}}_o{\widehat{\gamma }}_{o+1}.\hfill \end{array}$$
• Assume now that the number of participants is o (even) and that after running the protocol with o participants, the participant ${\mathrm{ID}}_i\mathrm{with}i\in \{1,2,\dots ,o-1\}$ obtains the shared key via computing ${\mathrm{k}}_o=\psi (\widehat{{\mathrm{sk}}_i},m_o^i)$ and the participant o obtains the shared key via computing ${\mathrm{k}}_o=\psi (\widehat{{\mathrm{sk}}_o},m_{o-1}^o)$.
  Suppose that there are $o+1$ (odd) participants. We show that after running the protocol with $o+1$ participants, the participant ${\mathrm{ID}}_i\mathrm{with}i\in \{1,2,\dots ,o\}$ obtains the shared key via computing ${\mathrm{k}}_{o+1}=\psi ({\mathrm{sk}}_i,m_{o+1}^i)$, while the participant o obtains the shared key via computing ${\mathrm{k}}_{o+1}=\psi ({\mathrm{sk}}_{o+1},m_o^{o+1})$.
  On the one hand, note that

  $$\begin{array}{c}{\mathrm{k}}_{o+1}=\psi ({\mathrm{sk}}_i,m_{o+1}^i)={\mathrm{a}}_i{m}_{o+1}^i{\gamma }_i=\hfill \\ {\mathrm{a}}_i\psi ({\widehat{\mathrm{sk}}}_{o+1},m_o^i){\gamma }_i={\mathrm{a}}_i{\mathrm{a}}_{o+1}{m}_o^i{\widehat{\gamma }}_{o+1}{\gamma }_i={\mathrm{a}}_{o+1}{\mathrm{a}}_i{m}_o^i{\widehat{\gamma }}_i{\gamma }_{o+1}=\hfill \\ {\mathrm{a}}_{o+1}\psi ({\widehat{\mathrm{sk}}}_i,m_o^i){\gamma }_{o+1}={\mathrm{a}}_{o+1}{\mathrm{k}}_o{\widehat{\gamma }}_{o+1}\hfill \end{array}$$

  for $i\in \{1,2,\dots ,o\}$. On the other hand,

  $$\begin{array}{c}{\mathrm{k}}_{o+1}=\psi ({\mathrm{sk}}_{o+1},m_o^{o+1})=\hfill \\ {\mathrm{a}}_{o+1}{m}_o^{o+1}{\gamma }_{o+1}={\mathrm{a}}_{o+1}\psi ({\widehat{\mathrm{sk}}}_o,m_{o-1}^o){\gamma }_{o+1}={\mathrm{a}}_{o+1}{\mathrm{k}}_o{\widehat{\gamma }}_{o+1}.\hfill \end{array}$$

□

Security Analysis

Since our group key exchange protocol follows a similar idea as that of a group key exchange protocol over twisted group rings introduced in [3,4], we can adapt the analysis of its security presented in [4] to this setting. Specifically, based on the idea of [18], the authors of [4] prove that if their Decisional Dihedral Product Assumption holds, then their group key management verifies that an adversary cannot distinguish the shared group key from an arbitrary element (see Theorem 1 from [4]).

Theorem 5.

If the DSDP assumption holds for ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{D}_{2n}$, then our group key exchange protocol verifies that an adversary cannot distinguish the shared group key from an arbitrary element.

Proof. 

The proof of Theorem 1 in [4] can be easily adapted to this setting. □

6. Probabilistic Public Key Encryption

We now derive a probabilistic public key encryption from the key exchange protocol introduced in Section 4, in much the same way that the Elgamal encryption follows from the Diffie–Hellman protocol. This approach is used, for example, in [2,3,11,19].

Following the notation above,

• Let $\mathcal{PK}={\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{D}_{2n}$ be the public key space, $\mathcal{M}={\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{D}_{2n}$ be the message space, and $\mathcal{C}={\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{D}_{2n}$ the cipher-text space.
• Choose a random non-zero element ${\mathrm{h}}_1\in {\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{C}_n$ and a random non-zero element ${\mathrm{h}}_2\in {\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{C}_{n}y$. Set $\mathrm{h}={\mathrm{h}}_1+{\mathrm{h}}_2$ and make $\mathrm{h}$ public.

We now define the public key encryption scheme $\mathcal{E}=(\mathrm{Gen},\mathrm{Enc},\mathrm{Dec})$, where Gen is shown by Algorithm 4, Enc is shown by Algorithm 5 and Dec is shown by Algorithm 6.

Algorithm 4 Generates a key pair

1: functionGen($\mathrm{h}\in {\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{D}_{2n}$) 2:     $({\mathrm{a}}_1,{\gamma }_1)\stackrel{R}{\leftarrow }\mathcal{SK};$ 3:     $\mathrm{pk}\leftarrow {\mathrm{a}}_1\mathrm{h}{\gamma }_1;$ 4:     $\mathrm{sk}\leftarrow ({\mathrm{a}}_1,{\gamma }_1);$ 5:     return $\mathrm{pk},\mathrm{sk};$ 6: end function

Algorithm 5 Encrypts a plaintext

1: functionEnc($\mathrm{m}\in \mathcal{M},\mathrm{pk}\in \mathcal{PK},{\mathrm{r}}_2\in \mathcal{SK},\mathrm{h}\in {\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{D}_{2n}$) 2:     $({\mathrm{a}}_2,{\gamma }_2)\leftarrow {\mathrm{r}}_2;$ 3:     ${\mathrm{c}}_1\leftarrow {\mathrm{a}}_2\mathrm{h}{\gamma }_2;$ 4:     ${\mathrm{c}}_2\leftarrow \mathrm{m}+{\mathrm{a}}_2\mathrm{pk}{\widehat{\gamma }}_2;$ 5:     $\mathrm{c}\leftarrow ({\mathrm{c}}_1,{\mathrm{c}}_2);$ 6:     return $\mathrm{c};$ 7: end function

Algorithm 6 Decrypts a ciphertext

1: functionDec($\mathrm{c}\in \mathcal{C},\mathrm{sk}\in \mathcal{SK}$) 2:     $({\mathrm{a}}_1,{\gamma }_1)\leftarrow \mathrm{sk};$ 3:     $({\mathrm{c}}_1,{\mathrm{c}}_2)\leftarrow \mathrm{c};$ 4:     $\mathrm{k}\leftarrow {\mathrm{a}}_1{\mathrm{c}}_1{\widehat{\gamma }}_1;$ 5:     $\mathrm{m}\leftarrow {\mathrm{c}}_2-\mathrm{k};$ 6:     return $\mathrm{m};$ 7: end function

Lemma 9

(Correctness). Let h be a public element in ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{D}_{2n}$. Consider the encryption scheme $\mathcal{E}$ constructed above. For any message $m\in \mathcal{M}$, $r_2\stackrel{R}{\leftarrow }\mathcal{SK}$ and $(\mathit{pk},\mathit{sk})\leftarrow \mathit{Gen}\left(h\right),$ it holds that $m\leftarrow \mathit{Dec}(\mathit{Enc}(m,\mathit{pk},r_2,h),\mathit{sk})$

Proof. 

Since

$$({\mathrm{c}}_1={\mathrm{a}}_2\mathrm{h}{\gamma }_2,{\mathrm{c}}_2=\mathrm{m}+{\mathrm{a}}_2\mathrm{pk}{\widehat{\gamma }}_2)\leftarrow \mathrm{Enc}(\mathrm{m},\mathrm{pk},{\mathrm{r}}_2,\mathrm{h})$$

and $\mathrm{sk}=({\mathrm{a}}_1,{\gamma }_1)$, then

$$\mathrm{k}={\mathrm{a}}_1{\mathrm{c}}_1{\widehat{\gamma }}_1={\mathrm{a}}_1{\mathrm{a}}_2\mathrm{h}{\gamma }_2{\widehat{\gamma }}_1={\mathrm{a}}_2{\mathrm{a}}_1\mathrm{h}{\gamma }_1{\widehat{\gamma }}_2={\mathrm{a}}_2\mathrm{pk}{\widehat{\gamma }}_2,$$

and therefore

$${\mathrm{c}}_2-\mathrm{k}=\mathrm{m}+{\mathrm{a}}_2\mathrm{pk}{\widehat{\gamma }}_2-{\mathrm{a}}_2\mathrm{pk}{\widehat{\gamma }}_2=\mathrm{m}$$

□

Remark 3.

$r_2\in \mathcal{SK}$ must be randomly chosen each time $\mathit{Enc}$ (Algorithm 5) is called to guarantee it to be probabilistic.

Theorem 6.

If the DSDP assumption holds for ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{D}_{2n}$, then $\mathcal{E}$ is semantically secure.

Proof. 

The proof of Theorem $5.2$ in [2] can be easily adapted to this setting. □

7. A Key Encapsulation Mechanism

By applying a generic transformation of Hofheinz, Hövelmanns, and Kiltz [20] to $\mathcal{E}$, we introduce a CCA-secure key encapsulation mechanism. Let $\mathcal{K}={\{0,1\}}^{l_1}$ be the key space and $\mathrm{rep}\left(x\right)$ be a function that simply returns the binary representation of x. Additionally, we construct the following two functions:

• ${\mathcal{H}}_1:{\{0,1\}}^{*}⟶\mathcal{SK}$ is a hash function that takes in a bit-string, say $\mathrm{x}$, and then uses a cryptographic hash function, e.g., ${\mathrm{SHAKE}}_{256}$, to compute a key in the keyspace from it. Following the notation of [21], ${\mathcal{H}}_1\left(\mathrm{x}\right)={\mathrm{SHAKE}}_{256}(\mathrm{x},\mathrm{o})$, where $\mathrm{o}=\lceil {log}_2\left(p\right)\rceil 2m(n+\lceil \frac{n+1}{2}\rceil )$ is the bit length of the output. From this bit-string, the corresponding pair $(\mathrm{a},\gamma )\in \mathcal{SK}$ can be obtained easily.
• ${\mathcal{H}}_2:{\{0,1\}}^{*}⟶\mathcal{K}$ is a hash function that applies a cryptographic hash function, e.g., ${\mathrm{SHAKE}}_{256}$, to the input. Specifically, ${\mathcal{H}}_2\left(\mathrm{x}\right)={\mathrm{SHAKE}}_{256}({\mathrm{p}}_1\left|\right|\mathrm{x},l_1)$, where ${\mathrm{p}}_1$ is a pre-pended fixed bit-string to make it different from ${\mathcal{H}}_1$.
  Applying the generic transformation ${\mathrm{U}}^{\neg \perp }[\mathrm{T}[\mathcal{E},{\mathcal{H}}_2],{\mathcal{H}}_1]$ from [20], we obtain

  $$\mathrm{KEM}=(\mathrm{KeyGen},\mathrm{Encaps},\mathrm{Decaps}),$$

  where KeyGen is shown by Algorithm 7, Encaps is shown by Algorithm 8 and Decaps is shown by Algorithm 9.

Algorithm 7 Generates a key pair

1: functionKeyGen($\mathrm{h}$) 2:     $(\mathrm{pk},\mathrm{sk})\leftarrow \mathrm{Gen}\left(\mathrm{h}\right);$ 3:     $\mathrm{s}\stackrel{R}{\leftarrow }\mathcal{M};$ 4:     return $(\mathrm{s},\mathrm{sk},\mathrm{pk});$ 5: end function

Algorithm 8 Encapsulates a key

1: functionEncaps($\mathrm{pk},\mathrm{h}$) 2:     $\mathrm{m}\stackrel{R}{\leftarrow }\mathcal{M};$ 3:     $\mathrm{r}\leftarrow {\mathcal{H}}_1\left(\mathrm{rep}\left(\mathrm{m}\right)\right|\left|\mathrm{rep}\left(\mathrm{pk}\right)\right);$ 4:     $\mathrm{c}\leftarrow \mathrm{Enc}(\mathrm{m},\mathrm{pk},\mathrm{r},\mathrm{h});$ 5:     $\mathrm{K}\leftarrow {\mathcal{H}}_2\left(\mathrm{rep}\left(\mathrm{m}\right)\right|\left|\mathrm{rep}\left(\mathrm{c}\right)\right);$ 6:     return $(\mathrm{c},\mathrm{K});$ 7: end function

Algorithm 9 Decapsulates a key

1: functionDecaps($(\mathrm{s},\mathrm{pk},\mathrm{sk}),\mathrm{c},\mathrm{h}$) 2:     $\mathrm{m}\leftarrow \mathrm{Dec}(\mathrm{c},\mathrm{sk});$ 3:     $\mathrm{r}\leftarrow {\mathcal{H}}_1\left(\mathrm{rep}\left(\mathrm{m}\right)\right|\left|\mathrm{rep}\left(\mathrm{pk}\right)\right);$ 4:     if $\mathrm{c}=\mathrm{Enc}(\mathrm{m},\mathrm{pk},\mathrm{r},\mathrm{h})$ then 5:       $\mathrm{K}\leftarrow {\mathcal{H}}_2\left(\mathrm{rep}\left(\mathrm{m}\right)\right|\left|\mathrm{rep}\left(\mathrm{c}\right)\right);$ 6:       return $\mathrm{K};$ 7:     else 8:       return ${\mathcal{H}}_2\left(\mathrm{rep}\left(\mathrm{s}\right)\right|\left|\mathrm{rep}\left(\mathrm{c}\right)\right);$ 9:     end if 10: end function

Remark 4.

We refer the reader to [20] to see a proof of why this generic construction is CCA-secure.

8. Implementation

We implemented our proposed public-key encryption scheme and key encapsulation mechanism as proof-of-concept in Python. The interested reader can see it on Google Colaboratory [22].

8.1. Dihedral Group

To implement a dihedral group of order $2n$, we simply represent a dihedral group element $g=x^{i_1}{y}^{j_1}$ as the integer $k_1=j_1·n+i_1$. Moreover, we compute a $2n\times 2n$ integer array table such that the row $\mathrm{table}\left[k_1\right]$, $0\le k_1<2n$ stores a $2n$ array with the integer representations of $g,gx,g{x}^2,\dots g{x}^{n-1},gy,\dots ,g{x}^{n-1}y$. To compute the operation of two given group elements, $g=x^{i_1}{y}^{j_1}$ and $h=x^{i_2}{y}^{j_2}$, we simply return $\mathrm{table}\left[k_1\right]\left[k_2\right]$, where $k_1=j_1·n+i_1$ and $k_2=j_2·n+i_2$. To compute the multiplicative inverse of a given group element $g=x^{i_1}{y}^{j_1}$, the function $\mathrm{inverse}\left(k_1\right)$ returns 0 if $k_1=0$, or $n-k_1$ if $1\le k_1<n$, or $k_1$ if $n\le k_1<2n$.

8.2. Homomorphism ${\theta }_{\sigma }$

The homomorphism ${\theta }_{\sigma }$ is implemented as described next. Given $k_1$ and $k_2$, two representations of two group elements, then the function $\mathrm{homomorphism}(k_1,k_2)$ returns a pointer to the function $\sigma$ (shown by Algorithm 10) if $n\le k_1<2n$ and $n\le k_2<2n$. Otherwise, it returns a pointer to the function identity $\mathrm{I}$ (shown by Algorithm 11).

Algorithm 10 Computes the Frobenius automorphism

1: function$\sigma$($a\in {\mathbb{F}}_{q^2}$) 2:     $[b_s,b_{s-1},\dots ,b_0]\leftarrow \mathrm{getBinaryReprepresation}\left(q\right);$ 3:     $r\leftarrow \mathrm{getOneFromQuadraticField}\left(\right);$ 4:     for $i\leftarrow sto0$ do 5:       $r\leftarrow r·r$ 6:       if $b_i=1$ then 7:         $r\leftarrow r·a$ 8:       end if 9:     end for 10:     return r 11: end function

Algorithm 11 Computes the identity function

1: function$\mathrm{I}$($a\in {\mathbb{F}}_{q^2}$) 2:     return a 3: end function

8.2.1. The Skew Dihedral Group Ring ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{D}_{2n}$

An element $a={\sum }_{i=0}^{n-1}{a}_i{x}^i+{\sum }_{i=0}^{n-1}{a}_{n+i}{x}^{i}y$ in the group ring ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{D}_{2n}$ is represented as an array of $2n$ field elements $\mathrm{a}=[{\mathrm{a}}_0,{\mathrm{a}}_1,{\mathrm{a}}_2,\dots ,{\mathrm{a}}_{2n-1}]$, where ${\mathrm{a}}_i$ is the representation of the field element $a_i\in {\mathbb{F}}_{q^2}$. Algorithm 12 shows the addition of two ring elements, and Algorithm 13 shows the product of two ring elements.

Algorithm 12 Computes the addition of two ring elements

1: functionaddition($\mathrm{a},\mathrm{b}$) 2:     $\mathrm{c}\leftarrow [\mathrm{0},\cdots ,\mathrm{0}]$ 3:     for $(i\leftarrow 0;i<2n;i\leftarrow i+1)$ do 4:       $\mathrm{c}\left[i\right]\leftarrow \mathrm{a}\left[i\right]+\mathrm{b}\left[i\right]$; 5:   end for 6:   return c 7: end function

Algorithm 13 Computes the product of two ring elements

1: functionproduct($\mathrm{a},\mathrm{b}$) 2:     $\mathrm{c}\leftarrow [\mathrm{0},\cdots ,\mathrm{0}]$ 3:     for $(i\leftarrow 0;i<2n;i\leftarrow i+1)$ do 4:       for $(j\leftarrow 0;j<2n;j\leftarrow j+1)$ do 5:         $k\leftarrow \mathrm{table}[i,j]$; 6:         $\mathrm{fe}\leftarrow \mathrm{a}\left[i\right]·\left(\mathrm{homomorphism}\right(i\left)\right(b\left[j\right]\left)\right)$; 7:         $\mathrm{c}\left[k\right]\leftarrow \mathrm{c}\left[k\right]+\mathrm{fe}$; 8:       end for 9:     end for 10:     return c 11: end function

On the one hand, the addition function has a cost of $2n$ field additions to compute a ring element $\mathrm{c}$. On the other hand, the product function has a cost of $4n^2$ field additions and $4n^2·(1+f)$ field multiplications, where f is the number of field multiplication to compute $\mathrm{homomorphism}\left(i\right)\left(b\right[j\left]\right)$. Furthermore, Algorithm 14 computes the adjunct of a ring element, and its cost is $2n·f$ multiplications.

We also implement some helper functions. In particular, $\mathrm{getRandomFieldElement}\left(\right)$ denotes a function that returns a random element in ${\mathbb{F}}_{q^2}$. Furthermore, Algorithms 15–18 show functions to compute random elements from ${\mathsf{\Gamma }}_{{\theta }_{\sigma }}$, ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{D}_{2n}$, ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{C}_n$, and ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{C}_{n}y$ respectively. Finally, Algorithm 19 shows a function to compute a random public element h.

Algorithm 14 Computes the adjunct of a ring element

1: functionadjunct($\mathrm{a}$) 2:     $\mathrm{c}\leftarrow [\mathrm{0},\cdots ,\mathrm{0}]$ 3:     for $(i\leftarrow 0;i<2n;i\leftarrow i+1)$ do 4:       $j\leftarrow \mathrm{inverse}\left(i\right)$ 5:       $\mathrm{c}\left[j\right]\leftarrow \mathrm{homomorphism}\left(j\right)\left(a\right[i\left]\right)$ 6:     end for 7:     return c 8: end function

Algorithm 15 Computes a random element from ${\mathsf{\Gamma }}_{{\theta }_{\sigma }}$

1: function$\mathrm{getRandomfromT}$() 2:     $\mathrm{c}\leftarrow [\mathrm{0},\cdots ,\mathrm{0}]$ 3:     $\mathrm{c}\left[n\right]\leftarrow \mathrm{getRandomFieldElement}\left(\right)$ 4:     $n_1\leftarrow \lfloor n/2\rfloor$ 5:     for $(i\leftarrow 1;i\le n_1;i\leftarrow i+1)$ do 6:       $\mathrm{c}[i+n]\leftarrow \mathrm{getRandomFieldElement}\left(\right)$ 7:       $\mathrm{c}[n+(n-i\left)\mathrm{mod}n\right]\leftarrow \mathrm{c}[i+n]$ 8:     end for 9:     return c 10: end function

Algorithm 16 Computes a random element from ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{D}_{2n}$

1: function$\mathrm{getRandomFD}\mathrm{2}\mathrm{n}$() 2:     $\mathrm{c}\leftarrow [\mathrm{0},\cdots ,\mathrm{0}]$ 3:     for $(i\leftarrow 0;i<2n;i\leftarrow i+1)$ do 4:       $\mathrm{c}\left[i\right]\leftarrow \mathrm{getRandomFieldElement}\left(\right)$ 5:     end for 6:     return c 7: end function

Algorithm 17 Computes a random element from ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{C}_n$

1: function$\mathrm{getRandomFCn}$() 2:     $\mathrm{c}\leftarrow [\mathrm{0},\cdots ,\mathrm{0}]$ 3:     for $(i\leftarrow 0;i<n;i\leftarrow i+1)$ do 4:       $\mathrm{c}\left[i\right]\leftarrow \mathrm{getRandomFieldElement}\left(\right)$ 5:     end for 6:     return c 7: end function

Algorithm 18 Computes a random element from ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{C}_{n}y$

1: function$\mathrm{getRandomFCny}$() 2:     $\mathrm{c}\leftarrow [\mathrm{0},\cdots ,\mathrm{0}]$ 3:     for $(i\leftarrow n;i<2n;i\leftarrow i+1)$ do 4:       $\mathrm{c}\left[i\right]\leftarrow \mathrm{getRandomFieldElement}\left(\right)$ 5:     end for 6:     return c 7: end function

Algorithm 19 Computes a random public element h

1: function$\mathrm{getPublicElement}$() 2:     ${\mathrm{sw}}_1\leftarrow \mathbf{False}$ 3:     while $\mathrm{not}{\mathrm{sw}}_1$ do 4:       $\mathrm{a}\leftarrow \mathrm{getRandomFD}\mathrm{2}\mathrm{n}\left(\right)$ 5:       $i\leftarrow 0$ 6:       ${\mathrm{sw}}_2\leftarrow \mathbf{False}$ 7:       while $i<n\mathrm{and}\mathrm{not}{\mathrm{sw}}_2$ do 8:         if $\mathrm{a}\left[i\right]\ne \mathrm{0}$ then 9:           ${\mathrm{sw}}_2\leftarrow \mathbf{True}$ 10:         end if 11:         $i\leftarrow i+1$ 12:       end while 13:       $i\leftarrow n$ 14:       ${\mathrm{sw}}_3\leftarrow \mathbf{False}$ 15:       while $i<2n\mathrm{and}\mathrm{not}{\mathrm{sw}}_3$ do 16:         if $\mathrm{a}\left[i\right]\ne \mathrm{0}$ then 17:           ${\mathrm{sw}}_3\leftarrow \mathbf{True}$ 18:         end if 19:         $i\leftarrow i+1$ 20:       end while 21:       ${\mathrm{sw}}_1\leftarrow {\mathrm{sw}}_2\mathrm{and}{\mathrm{sw}}_3$ 22:     end while 23:     return a 24: end function

8.2.2. Parameters Choice

For our key encapsulation mechanism, we propose to use the parameters shown by

Table 1. Proposed parameters.

p	m	n	${\mathit{l}}_1$ (Bits)	Level of Security in Bits
19	1	19	$\{128,192,256\}$	124
23	1	23	$\{128,192,256\}$	149
31	1	31	$\{128,192,256\}$	200
41	1	41	$\{128,192,256\}$	264

, which provide varying degrees of security.

Table 1 shows four sets of parameters providing various degrees of security, where $l_1\in \{128,192,256\}$ refers to the length of the output key. We calculated the values in the level of security column as proposed in [2]. To see the code of our implementation, please see [22].

9. Conclusions

In this paper, we introduced skew dihedral group rings and constructed a specific skew dihedral group ring by defining the group homomorphism ${\theta }_{\sigma }:D_{2n}\to \mathrm{Gal}({\mathbb{F}}_{q^2},{\mathbb{F}}_q)$ stated in Lemma 4. Over the resulting skew dihedral group ring ${\mathbb{F}}_{q^2}^{{\theta }_{\sigma }}{D}_{2n}$, we built our cryptographic protocols and analyzed their security. Finally, we presented a proof-of-concept implementation of our cryptographic constructions.

As a future research direction, it may be interesting to explore the design of other cryptographic protocols over skew group rings, e.g., password-authenticated key exchange or sigma protocols.