Microprocessor Realization of Key Agreement Protocol based on Matrix Power Function

A key agreement protocol (KAP) using the Burau representation of braid groups and the matrix power function (MPF) is presented. MPF is based on the action of a matrix semigroup on some matrix set. All matrices are defined over a finite field or ring. These functions are candidate one-way functions, since they are linked with multivariate quadratic (MQ) problems over some field. It is known that MQ problems are NP-complete over any field. We show that cryptanalysis of the equations of our KAP is not less complex than that of the MQ problem, and moreover they seem far more complex. One of the advantages of the proposed KAP is its effective realization in restricted computational environments, achieved by avoiding arithmetic operations with big integers. Bibl. 23, tabl. 2 (in English; abstracts in English and Lithuanian).

DOI: http://dx.doi.org/10.5755/j01.eee.117.1.1049


Introduction
Nowadays the Internet has expanded and encompasses not only regular PCs, but also a large number of small devices ranging from PDAs and cell phones to appliances and network sensors. Conventionally these systems are called embedded systems. In this connection information security becomes a very important issue [1]. Symmetric cryptography achieves information confidentiality goals. However, it requires pre-distribution of secret keys, which can be done with the help of public-key cryptography. Traditional key agreement protocols (KAP) require a significant amount of computation [2], but in a restricted computational environment we are limited in computational power and memory size.
In this paper we propose a new KAP based on an NP-complete problem and hence having the property of provable security. The proposed KAP can be used in low-cost systems and it should work efficiently even on 8-bit microprocessors with no dedicated cryptographic coprocessors. We also compare the realization of our KAP with classical KAPs.

Key agreement protocols
KAPs are one of the basic cryptographic protocols. A KAP allows two or more parties to negotiate a common secret key over insecure communications. The first KAP was presented in [3], which caused a rapid development of asymmetric cryptography. Its realization in restricted computational environments is time consuming, since it requires arithmetical operations with big integers.
In 1985 the authors of [4] and [5] independently suggested elliptic curve cryptography. Based on that, the elliptic curve Diffie-Hellman (ECDH) KAP was developed. Because of the smaller key size its realization is significantly faster than that of the original Diffie-Hellman (DH) protocol.
In 1993 new ideas appeared in asymmetric cryptography [6]: using known hard computational problems in infinite non-commutative groups instead of hard number theory problems such as the discrete logarithm or integer factorization problems. These ideas were realized in [7,8,9].
Nevertheless, [10] showed that the conjugator search problem in braid groups does not produce a sufficient security level. Moreover, the authors noticed that the main problem for the construction of cryptographic primitives in infinite non-commutative groups is to reliably hide the factors in a group word.
The idea of using a representation of an infinite non-commutative group (e.g. a braid group) was also used to construct another candidate one-way function as the basis of both a digital signature scheme and a key agreement protocol [11,12]. The (semi)group representation level allows us to avoid the significant problem of hiding the factors in the publicly available group word that arises when using the presentation level, since at the representation level this problem is solved in a very natural way. However, the original hard problems, such as the conjugator search or decomposition problems at the (semi)group presentation level, are weakened when they are transformed to the representation level. Therefore, when using the representation level these problems must be considerably strengthened by simultaneously adding other hard problems. One solution is to use the matrix power function (MPF) [12].
The idea of this article is to create a new KAP based on the application of centralizers at the braid group presentation level, the Burau representation and MPF, having an effective realization on 8-bit microprocessors. A KAP based on braid groups as platform groups at the presentation level using centralizers is also presented in [9]. The proposed KAP uses the matrix power function, which is an action of some matrix (semi)group S on a matrix set M. The set M is not specified as a closed set with respect to some internal operation. S and M are defined over two different algebraic structures: S is defined over some finite field F and M over some finite non-cyclic group G. We will show that inversion of the MPF so defined has some indications of being NP-complete. Hence the security of the presented KAP relies on the conjectured complexity of an NP-complete problem, and its realization is based on the candidate one-way function (OWF).

Mathematical background
We consider the general Artin braid group [13] as our infinite non-commutative group. Given an integer n ≥ 2, the braid group on n strands, B_n, is defined by the following presentation. Given a group B_n, the centralizer of an element x is the subgroup of B_n consisting of all elements which commute with x. We denote the known set of generators of the centralizer of an element x. An algorithm for computing a generating set for the centralizer of an element in a braid group, and more generally in a Garside group, is presented in [14]. We claim that k ≥ 2.
Our protocol is based on the reduced Burau representation of braid groups [15]. To transform braid groups into matrix groups we denoted the representation by where the -t in the middle of the 3 We can define the left action of a matrix X on a matrix Q, yielding the matrix A. All matrices are of the m-th order, and the elements of these matrices are related by formula (3). Analogously, we can define the right action of a matrix Y on a matrix Q, which yields the matrix B, whose elements satisfy equation (4). These left and right actions are called matrix power functions. To illustrate them, let us assume that the matrices A, B, Q, X and Y are of the 2-nd order. Then m = 2 and (3), (4) can be written: x x X q q q q q q q q q q q q Q A , (5) The matrix power function is explained in more detail in [16,17]. There it is also shown that the following equations are correct:
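As an added worked example (this is not code from the paper), the left and right matrix power functions for 2×2 matrices are implemented below in Python over the multiplicative group Z*_21 that the paper later names as its matrix set, and the two identities that the paper cites from [16,17] are checked numerically: (X⊙Q)⊙Y = X⊙(Q⊙Y) and X⊙(Y⊙Q) = (XY)⊙Q. The element formulas a_ij = ∏_k q_kj^(x_ik) and b_ij = ∏_k q_ik^(y_kj) are the standard MPF definition that this example assumes (the paper's own formulas (3) and (4) did not survive extraction); reducing the exponent product XY modulo the group exponent of Z*_21, and the sample matrices, are also this example's choices.

```python
# Added example, not the paper's code: left/right matrix power function (MPF)
# over the base group Z*_21 with integer exponent matrices.
from math import gcd

M = 21  # modulus of the base group Z*_21 (named on the page)


def group_units(m):
    """Elements of Z*_m: residues coprime to m."""
    return [a for a in range(1, m) if gcd(a, m) == 1]


def group_exponent(m):
    """Smallest e > 0 with a^e = 1 for every a in Z*_m (brute force).
    Exponents of base-group elements can be reduced modulo this value."""
    units = group_units(m)
    e = 1
    while any(pow(a, e, m) != 1 for a in units):
        e += 1
    return e


def prod_mod(factors, m):
    r = 1
    for f in factors:
        r = (r * f) % m
    return r


def mpf_left(X, Q, m=M):
    """A = X ⊙ Q with a_ij = prod_k q_kj ^ x_ik (row i of X, column j of Q)."""
    n = len(Q)
    return [[prod_mod((pow(Q[k][j], X[i][k], m) for k in range(n)), m)
             for j in range(n)] for i in range(n)]


def mpf_right(Q, Y, m=M):
    """B = Q ⊙ Y with b_ij = prod_k q_ik ^ y_kj (row i of Q, column j of Y)."""
    n = len(Q)
    return [[prod_mod((pow(Q[i][k], Y[k][j], m) for k in range(n)), m)
             for j in range(n)] for i in range(n)]


def matmul(X, Y, mod):
    """Ordinary matrix product, entries reduced modulo `mod`."""
    n = len(X)
    return [[sum(X[i][k] * Y[k][j] for k in range(n)) % mod
             for j in range(n)] for i in range(n)]


# Constructed sample matrices: Q has entries in Z*_21 (2, 4, 5, 8 are all
# coprime to 21); X and Y are integer exponent matrices.
Q = [[2, 4], [5, 8]]
X = [[1, 3], [2, 5]]
Y = [[4, 1], [0, 2]]


def identities_hold(Q, X, Y, m=M):
    """True iff (X⊙Q)⊙Y == X⊙(Q⊙Y) and X⊙(Y⊙Q) == (XY)⊙Q, where the
    product XY is reduced modulo the exponent of Z*_m (assumption of this
    example; q^lambda = 1 for every unit q, so the reduction is harmless)."""
    lam = group_exponent(m)
    assoc = mpf_right(mpf_left(X, Q, m), Y, m) == mpf_left(X, mpf_right(Q, Y, m), m)
    compose = mpf_left(X, mpf_left(Y, Q, m), m) == mpf_left(matmul(X, Y, lam), Q, m)
    return assoc and compose


if __name__ == "__main__":
    print("exponent of Z*_21:", group_exponent(M))
    print("X ⊙ Q =", mpf_left(X, Q))
    print("Q ⊙ Y =", mpf_right(Q, Y))
    print("identities hold:", identities_hold(Q, X, Y))
```

The two identities are exactly what lets a two-sided action X⊙Q⊙Y be written without brackets and lets a left factor be pulled through another left factor; both facts are what a KAP built on MPF relies on.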

Proposed protocol
Now we propose the following key agreement protocol for two parties, Alice and Bob.

Preliminary security analysis
To compromise the secret key K one must find any matrices X, V in (10) or U, Y in (11) for the given instances Q, K_a and Q, K_b correspondingly. Let us consider the case of finding any matrices X, V in (10). Let the elements of X, V, Q and K_a be denoted correspondingly, those of K_a by {a_ij}. For more clarity we will write the matrix equation (10) in the form of a system of equations for matrices of the 2-nd order, i.e. when n = 3: a q q q q a q q q q a q q q q a q q q q (13) At first sight it seems that the problem of finding any such matrices can be approached by applying a discrete logarithm function to all equations in (13). This is known as the discrete logarithm problem (DLP).
If that were the case, then due to Fermat's theorem we would obtain a system of multivariate quadratic (MQ) equations over the ring. As is known [18,19], the solution of an MQ system is NP-complete over any field. We can assume that solving an MQ system over the ring is no less complex, since the arithmetic operations in the ring are more complex, as not all elements have inverses. But since the MPF system is defined over a non-cyclic group, there are no generators in this group and hence applying a discrete logarithm is impossible. So we must deal with the system (13) as it is.
Then the problem of how to find mutually commuting matrices in another way remains open. We do not yet know how to formulate this new problem in order to find matrices X, V (or U, Y) in the set of images of the Burau representation of braid groups. To solve this problem, one must know how to recover the braid word from its Burau image. So far we know of no means of solving this problem.
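The extracted text does not reproduce the protocol's steps (10) and (11), so the following added example shows only the generic shape of an MPF key agreement that the security analysis above refers to: a public matrix Q over Z*_21, private exponent matrices that commute with the other party's, and a shared key obtained by applying one's own matrices to the other party's message. This is an educational reconstruction, not the paper's exact protocol: the paper draws its commuting matrices from Burau images of centralizer elements in B_n, whereas here the commuting family is the set of matrices a·I + b·C for a fixed public matrix C, exponents are reduced modulo 6 (the group exponent of Z*_21), and all names and sample values are this example's assumptions. It reuses the short MPF helpers from the previous example so that it runs on its own.

```python
# Added example, not the paper's code: toy MPF key agreement with 2x2 matrices.
# Base group Z*_21 as on the page; exponent entries live modulo 6, the group
# exponent of Z*_21 (a choice made for this example).

M = 21        # base group Z*_21 (from the page)
LAMBDA = 6    # exponent of Z*_21: q^6 = 1 for every unit q mod 21


def prod_mod(factors, m):
    r = 1
    for f in factors:
        r = (r * f) % m
    return r


def mpf_left(X, Q, m=M):
    """A = X ⊙ Q, a_ij = prod_k q_kj ^ x_ik."""
    n = len(Q)
    return [[prod_mod((pow(Q[k][j], X[i][k], m) for k in range(n)), m)
             for j in range(n)] for i in range(n)]


def mpf_right(Q, Y, m=M):
    """B = Q ⊙ Y, b_ij = prod_k q_ik ^ y_kj."""
    n = len(Q)
    return [[prod_mod((pow(Q[i][k], Y[k][j], m) for k in range(n)), m)
             for j in range(n)] for i in range(n)]


def mpf_both(X, Q, Y, m=M):
    """X ⊙ Q ⊙ Y; the bracketing does not matter (MPF associativity)."""
    return mpf_right(mpf_left(X, Q, m), Y, m)


def poly_in(C, a, b, mod=LAMBDA):
    """a*I + b*C with entries modulo `mod`. All matrices of this form commute
    with one another, which is the property private exponent matrices need.
    (Commuting family chosen for this example; the paper uses centralizers.)"""
    n = len(C)
    return [[(a * (1 if i == j else 0) + b * C[i][j]) % mod
             for j in range(n)] for i in range(n)]


# Public parameters (constructed): base matrix Q over Z*_21 and two public
# matrices C1, C2 generating the left and right commuting families.
Q = [[2, 4], [5, 8]]
C1 = [[1, 2], [3, 5]]
C2 = [[0, 1], [1, 4]]


def shared_key(alice_secret, bob_secret, q=Q):
    """Run the exchange; return (K_A, K_B, key derived by Alice, key derived by Bob).
    alice_secret = (a1, b1, a2, b2): X = a1*I + b1*C1, Y = a2*I + b2*C2.
    bob_secret   = (c1, d1, c2, d2): U = c1*I + d1*C1, V = c2*I + d2*C2."""
    a1, b1, a2, b2 = alice_secret
    c1, d1, c2, d2 = bob_secret
    X, Y = poly_in(C1, a1, b1), poly_in(C2, a2, b2)
    U, V = poly_in(C1, c1, d1), poly_in(C2, c2, d2)
    K_A = mpf_both(X, q, Y)          # Alice publishes K_A
    K_B = mpf_both(U, q, V)          # Bob publishes K_B
    K_alice = mpf_both(X, K_B, Y)    # = (XU) ⊙ Q ⊙ (VY)
    K_bob = mpf_both(U, K_A, V)      # = (UX) ⊙ Q ⊙ (YV)
    return K_A, K_B, K_alice, K_bob


def keys_agree(alice_secret, bob_secret):
    """True when both parties derive the same key (XU = UX and YV = VY mod 6)."""
    _, _, k_alice, k_bob = shared_key(alice_secret, bob_secret)
    return k_alice == k_bob


if __name__ == "__main__":
    K_A, K_B, k1, k2 = shared_key((1, 2, 3, 4), (5, 0, 2, 1))
    print("K_A =", K_A, "K_B =", K_B)
    print("shared key:", k1, "agree:", k1 == k2)
```

An observer sees Q, K_A and K_B but not the exponent matrices; as the analysis above notes, recovering X, V (or U, Y) from these instances is a system of the form (13) in which no discrete logarithm is available, because Z*_21 is non-cyclic.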

Implementation and determination values
As we said before, the matrix set M is over some finite non-cyclic group G, and the finite field F that it is defined over is Z_p. The regular Burau representation [15] can also be used. As the non-cyclic group G we consider the non-cyclic multiplicative group Z*_m of integers modulo m. It is the set of congruence classes relatively prime to the modulus m under multiplication; it is also called the group of primitive residue classes modulo m. The field Z_7 is considered because all its elements can be encoded with 3 bits, using almost all possible bit combinations. We perform the determination of secure key values using the analogy with the MQ problem. According to our conjecture, cryptanalysis of the equations of the proposed KAP is not less complex than that of the MQ problem represented by a similar number of equations and variables. Moreover, it seems a far more complex problem according to the considerations presented in the previous section.
In [20] it is stated that it is impossible to solve an MQ problem of equally defined equations with more than 80 variables. In our case, if the DLP could be solved, one would obtain an under-defined MQ problem, which is considered even harder to solve. Keeping this in mind we choose n = 10, in which case the matrices would be of the 9-th order and the obtainable MQ problem would have 81 equations. The private keys used by the two parties are 243 bits long. Public key lengths depend on the number of generators of the centralizer that we are able to find and are presented in Table 1. Further investigations are required to determine the length of the braid words used in the 1-st step of the protocol.
We consider the protocol's implementation on an ordinary 8-bit microprocessor.
When implementing the protocol for operations in the group Z*_21 and the field Z_7, 8-bit variables are more than enough. To speed up the algorithm we can pre-compute tables of values of multiplication and exponentiation and store them in memory [21]. To look up the values in these tables, the algorithm implemented in assembly needs to perform only the simple multiplications used to compute the locations in the tables. The total count of multiplications is 5994.
To compare our KAP to the classical DH and ECDH algorithms we used data from [22]. There elliptic curve cryptography (ECC) is compared to RSA on an 8-bit Atmel ATmega128 processor clocked at 8 MHz. ECC is implemented with 160, 192 and 224 bit keys. ECC-160 provides security comparable to RSA-1024, and ECC-224 provides security comparable to RSA-2048 and DH-2048. By the recommendations of [23] the suggested exponent size for DH-2048 is 320 bits. Assuming that exponentiation time is linear in the exponent's bit size, and knowing the RSA-2048 execution time with the public key 2^16 + 1 (17 bits), we say that DH-2048 should take at least about 19 times longer. After evaluating the operations in our KAP when calculating keys using MPF, we expect that on the stated processor the execution time would be about 7 ms. Detailed comparison data is shown in Table 2.

Conclusions
In this paper we present a new KAP using the matrix power function, which is an action of some matrix (semi)group S on a matrix set M. We showed that inversion of the MPF so defined has some indications of being NP-complete. Hence the security of the presented KAP relies on the conjectured complexity of an NP-complete problem.
The comparison results with known KAPs are presented and show a considerable computation time reduction, of about 100 times, compared to DH and ECDH. This shows that our KAP can be effectively realized in low-cost restricted computational environments such as microprocessors and embedded systems, e.g. 8-bit microcontrollers.

Table 1. Public key lengths

Table 2. Comparison of KAPs execution times