Microprocessor Implementation of Key Agreement Protocol over the Ring of Multivariate Polynomials

Nowadays more and more everyday tasks and problems move to electronic and mobile environments, and more and more services can be accessed on the internet with various small devices, such as cell phones. Using these devices and applications, we face user authentication, data integrity and data confidentiality problems. Various cryptographic algorithms can be used to solve them. Traditional asymmetric cryptography algorithms, used for data integrity or key distribution, require high computational resources and thus are not suitable for small electronic devices in which no specialized coprocessors are installed. In this case, low-cost cryptographic algorithms are needed. Another aspect of cryptographic algorithm implementations in embedded systems is the reduction of energy consumption. Such analyses were made in [1, 2]. Key agreement protocols (KAP) are one of the basic asymmetric cryptography algorithms. A KAP allows two or more parties to negotiate a common secret key over insecure communications. The most widely used KAP algorithms are based on hard number-theoretic problems such as the discrete logarithm or integer factorization problems. These algorithms perform operations with large integers (for example 1024-bit integers), and implementations of such algorithms require specialized coprocessors to speed up computations. On the other hand, a polynomial time algorithm for integer factorization and computation of discrete logarithms was presented in 1999 [3]. This algorithm can be realised on quantum computers, and thus these computers will create a potential threat to existing cryptographic algorithms in the future. In this paper, we present the implementation analysis of a KAP on microprocessors with restricted computational resources. This algorithm was proposed in [4]. The problem of effective realization of different cryptographic protocols is relevant in embedded systems based on microprocessors.
Moreover, the algorithm is based on the solution of a system of multivariate quadratic (MQ) equations, and it is believed that the solution of a randomly generated MQ system is hopeless when the system consists of n ≥ 80 equations with s ≥ 80 variables [5]. Furthermore, it is proved that the solution of an MQ system is an NP-complete problem over any field.


Introduction
Key agreement protocol is one of the basic cryptographic protocols. A KAP allows two or more parties to negotiate a common secret key over insecure communications.
The first KAP was presented by Diffie and Hellman [5]. This algorithm caused the rapid development of asymmetric cryptography.
In 1993 new ideas appeared in asymmetric cryptography [14]: known hard computational problems in infinite non-Abelian groups were used to construct one-way functions instead of hard number-theoretic problems such as the discrete logarithm or integer factorization problems.
These ideas were realized in [1], where a KAP was constructed using the conjugator search problem and the membership problem in braid groups. A similar result was presented in [9].
Later, in [13] it was shown that the conjugator search problem in braid groups does not provide a sufficient security level.
The idea of using a non-commutative infinite group, e.g. a braid group representation, for the construction of one-way functions underlying a KAP was used in [11]. Another approach to constructing a hypothetical one-way function, applied to a digital signature scheme using a representation of an infinite non-commutative group in a finite field, was presented in [10].
In this paper we present a KAP using matrices over the ring of multivariate polynomials. The underlying function is a candidate one-way function, since its inversion is related to the solution of a system of multivariate quadratic (MQ) equations over a finite field.

Key agreement protocol
Now we propose the following two parties key agreement protocol.
1. The parties agree on publicly available matrices Q, L, R of order m over the multivariate polynomial ring Z_2[t_1, …, t_p]. The set of such matrices is a non-commutative matrix ring, which we denote by M or, more formally, by M(m, Z_2[t_1, …, t_p]). Let M_L and M_R be subsets of M consisting of commuting matrices. This means that for any L_1, L_2 ∈ M_L and R_1, R_2 ∈ M_R the following commuting condition holds. Let L ∈ M_L and R ∈ M_R be the publicly known parameters.
2. Alice randomly generates two secret matrix polynomials X and Y, represented by randomly chosen bit sequences {b_xi}, {b_yi}, i = 0, 1, …, k, and computes them according to (1), (2). Then X ∈ M_L and Y ∈ M_R.
3. Analogously, Bob randomly generates two secret bit sequences {b_ui}, {b_vi}, i = 0, 1, …, k, and computes U and V according to (3), (4). After these precomputations U ∈ M_L and V ∈ M_R, and
XU = UX; YV = VY. (5)
4. Alice computes the intermediate value K_A (6) and sends the result to Bob.
5. Bob computes the intermediate value K_B (7) and sends the result to Alice.
6. Since the matrices X, U and Y, V commute, both parties compute the common secret key K.
The public key of the proposed KAP consists of the matrices Q, L and R.
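The protocol in steps 1 to 6, as an added example that is not the paper's code: a toy Python implementation over Z_2[t_1, …, t_p] with p = 2 and small m, k. Because the paper's equations (1)-(4) are not reproduced above, it assumes that each secret matrix is a polynomial in the public L or R with the secret bit sequence as coefficients, which is what makes X, U and Y, V commute; the names rand_matrix, matrix_poly and kap are chosen here.

```python
import functools, itertools, random

P = 2  # number of variables t_1..t_p (constructed toy size; the paper proposes p = 5)
ZERO, ONE = frozenset(), frozenset({(0,) * P})  # the polynomials 0 and 1

# A polynomial in Z_2[t_1..t_p] is the set of its monomials (exponent tuples); over Z_2
# a monomial is either present or absent, so polynomial addition is symmetric difference (^).
def pmul(a, b):
    out = set()
    for m1 in a:
        for m2 in b:
            out ^= {tuple(x + y for x, y in zip(m1, m2))}  # equal monomials cancel mod 2
    return frozenset(out)

def madd(A, B):
    return [[x ^ y for x, y in zip(ra, rb)] for ra, rb in zip(A, B)]

def mmul(A, B):  # matrix product, entries summed (XORed) over Z_2[t_1..t_p]
    n = len(A)
    return [[functools.reduce(lambda s, l: s ^ pmul(A[i][l], B[l][j]), range(n), ZERO)
             for j in range(n)] for i in range(n)]

def rand_matrix(rng, m):  # entries: random multilinear polynomials (exponents 0 or 1)
    monos = list(itertools.product((0, 1), repeat=P))
    return [[frozenset(x for x in monos if rng.randrange(2)) for _ in range(m)] for _ in range(m)]

def matrix_poly(bits, B):
    # Assumption: a secret "matrix polynomial represented by a bit sequence" is
    # sum_i bits[i] * B^i, so every matrix built from the same B commutes with it.
    n = len(B)
    acc = [[ZERO] * n for _ in range(n)]
    power = [[ONE if i == j else ZERO for j in range(n)] for i in range(n)]  # B^0 = I
    for b in bits:
        if b:
            acc = madd(acc, power)
        power = mmul(power, B)
    return acc

def kap(seed, m, k):
    rng = random.Random(seed)
    Q, L, R = (rand_matrix(rng, m) for _ in range(3))  # public parameters (step 1)
    bx, by, bu, bv = ([rng.randrange(2) for _ in range(k + 1)] for _ in range(4))
    X, Y = matrix_poly(bx, L), matrix_poly(by, R)  # Alice's secrets (step 2)
    U, V = matrix_poly(bu, L), matrix_poly(bv, R)  # Bob's secrets (step 3)
    K_A = mmul(mmul(X, Q), Y)  # Alice -> Bob (step 4)
    K_B = mmul(mmul(U, Q), V)  # Bob -> Alice (step 5)
    K_alice, K_bob = mmul(mmul(X, K_B), Y), mmul(mmul(U, K_A), V)  # step 6
    # both keys agree exactly because X, U and Y, V satisfy the commutation conditions (5)
    return K_alice == K_bob, mmul(X, U) == mmul(U, X) and mmul(Y, V) == mmul(V, Y)
```

kap returns whether the two derived keys agree and whether condition (5) holds; with the polynomial-in-L/R construction both are always true, which is the property the protocol depends on.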

KAP compromisation
If an adversary (Eve) could find any X′, Y′ satisfying the commutation conditions (5) and the relation (9), then she could determine the common secret key K in the following way. By denoting the product QY_0 = T, we obtain the linear matrix equation (10), which can easily be solved with respect to the unknown matrix X′. Nevertheless, there is no guarantee that the solution X′ of the matrix equation (10) lies in the subring M_L(m, Z_2[t_1, …, t_p]), i.e. the commuting equation does not necessarily hold even if a solution X′ exists. Hence, to break the system, an adversary must solve the initial equation (9) with two unknown matrices X′ and Y′. The same compromisation equation holds for the relation (7).
Hence the security of the proposed KAP relies on the complexity of solving (9). This problem can be formulated in the following way: for the instances Q and K_A, find any matrices X′ and Y′ satisfying the commutation conditions (5). If the functions (6), (7) and (9) are one-way, then the proposed KAP is secure. According to the intuitive definition, a function is reckoned a one-way function (OWF) if the calculation of its value is easy but the calculation of its inverse values is not. More specifically, a function can be treated as one-way if no efficient polynomial time algorithm for its inversion is known. We use this methodology in our investigation below to support our conjecture. In our case the calculation of an inverse value means finding any X′ and Y′ in (9) satisfying the commutation conditions (5).
We conjecture that the function related to equations (6), (7) and (9) is one-way. Below we present an analysis that confirms our conjecture in some sense.

One-way function analysis
We rewrite the proposed candidate for an OWF in a more convenient form. To investigate whether the function f(X, Q, Y) is an OWF we use the following known theorem.
Theorem 1 ([8]). Pseudorandom number generators (PRNG) exist if and only if one-way functions exist.
This result can be used to test whether the proposed function is one-way: a PRNG is constructed on the basis of the function and tests for randomness are performed on its output. If the PRNG output passes the pseudo-random bit tests, the function is a good candidate for an OWF. If the PRNG output fails the pseudo-random bit tests, this is an indication that the investigated function is not a one-way function.
The one-way function used in the proposed key agreement protocol is a function of three parameters X, Q, Y, i.e. f(X, Q, Y) = XQY. Two of them (the matrices X and Y) are chosen at random and are assumed to be fixed in our PRNG construction. Some matrix Q_0 must be chosen to define the initial value. Then the PRNG corresponding to this function can be expressed by the following formula, where the initial value Q_0 = Q is required for the generator initialization.
To test the PRNG output, we used the monobit, poker, runs and long runs pseudo-random bit tests described in [12].
To perform the modelling, we selected a toy example PRNG by choosing the multivariate polynomial rings Z_2[t_1, t_2, t_3] and Z_2[t_1, t_2, t_3, t_4] with matrices of dimensions ranging from 3 to 20.
The modelling results are presented in Table 1 and show that the PRNG output passes the tests for matrix dimensions equal to or higher than 12. Hence we conjecture that for bigger multivariate polynomial rings the results will be similar and, referring to Theorem 1, the function f(X, Q, Y) = XQY is a candidate one-way function. The further step in investigating the one-wayness of the proposed function is to perform its security analysis based on the inversion of the function.

Security analysis
We define the following security parameters: the matrix dimension d, the number of variables p in the polynomial ring and the secret length k of the sequences in (1)-(4). They must be large enough to prevent a brute force attack. To compromise the key K, the adversary must solve matrix equations of type (9) to find any matrices X′ and Y′ for which the commutation conditions (5) are satisfied.
To determine the matrices X and Y from (6) it is required to find the unknown binary sequences b_x0, …, b_xk and b_y0, …, b_yk in (1), (2). Hence, equation (6) can be rewritten as (12), where L, Q, R and A are known matrices over the multivariate polynomial ring. Then the system of equations (12) is an MQ system over the field Z_2 with respect to the unknown binary variables b_x0, …, b_xk and b_y0, …, b_yk. It is known that the MQ problem over any field is NP-complete [6]. Moreover, it is believed that this problem is NP-hard not only in the worst case but on average as well [15].
The general method for solving the MQ problem is the Gröbner basis algorithm and its modifications. For overdefined sparse systems of equations, special ad hoc methods such as XL, XSL and others have been introduced [2], [4].
In our case we can obtain an underdefined or overdefined MQ problem close to the equally-defined case by choosing suitable parameters m, p, k.
As we see from (12), in the general case when the order of the matrices is m, the system consists of m^2 polynomial equations and can be rewritten as m^2 · 2^p multivariate quadratic equations with 2(k+1) unknown variables. Depending on the parameters m, p, k we obtain different cases: underdefined (m^2 · 2^p < 2k+2), overdefined (m^2 · 2^p > 2k+2) or equally-defined systems (m^2 · 2^p = 2k+2).
In all cases when the parameters {b_xi} and {b_yj} are chosen at random in (1), (2), the constructed MQ system of type (12) is not sparse and has a general form. Hence, so far no special methods except the Gröbner basis algorithm can be applied.
The complexity of the Gröbner basis algorithm can vary from a polynomial time algorithm with respect to p up to a double exponential algorithm, e.g. O( ). Recall that the polynomial time algorithms can be applied only in very special cases [3].
Hence we conjecture that the complexity of our general MQ problem is at least exponential, since the system has no special structure.
As we see, the number of MQ equations grows exponentially with the number of variables t_1, …, t_p. The greater the number of equations, the harder the solution of the obtained MQ system of equations.
According to this investigation, we can define the following security parameters: m, p and k. It is believed that the solution of a randomly generated MQ system is hopeless when the system consists of n ≥ 80 equations with s ≥ 80 variables [7] and is close to the equally-defined case. Hence, the values of the security parameters can be chosen according to these figures. We propose the security parameter values m = 4, p = 5, k = 255. Then we obtain an MQ system with 512 equations and 512 variables. In this case, the total search space consists of 2^256 elements and hence a brute force attack is prevented. The bit length of each of the public key matrices Q, L and R is 512 bits, and the total public key length is 1536 bits.

Conclusions
• The new KAP over the ring of multivariate polynomials is presented.
• According to the preliminary investigations, based on mathematical modelling, we conjecture that the matrix function over the multivariate polynomial ring on which the KAP is built is a one-way function.
• The compromisation of the proposed KAP relies on the solution of a system of multivariate quadratic (MQ) polynomial equations, which is an NP-complete problem over any field.
• The security parameters are defined and their values are presented.

Table 1. Percentage of "bad" bit blocks in PRNG output