Public Key Protocols over Twisted Dihedral Group Rings

Abstract

Key management is a central problem in information security. The development of quantum computation could make the protocols we currently use unsecure. Because of that, new structures and hard problems are being proposed. In this work, we give a proposal for a key exchange in the context of NIST recommendations. Our protocol has a twisted group ring as setting, jointly with the so-called decomposition problem, and we provide a security and complexity analysis of the protocol. A computationally equivalent cryptosystem is also proposed.

1. Introduction

In recent years, intense research has been made in cryptography, especially in relation to new public key protocols. In August 2015, the USA’s National Security Agency (NSA) announced plans to upgrade security standards. Improvements in quantum computation make it necessary to replace current protocols with secure quantum ones. In a NIST report [1], there are six proposals to be quantum safe: lattice-based, code-based, multivariate-based, hash-based, isogeny-based, and group-based cryptographic schemes.

In this work, we make a proposal for a quantum-safe public key protocol. In the context of group-based proposals, it is believed that problems such as the conjugate search problem (CSP) are not solvable using quantum computers. We propose the so-called decomposition problem (DP), which is a generalization of the CSP, and the multiplicative monoid of a twisted group ring as a setting in our aim to find a quantum-safe key exchange in the context of group-based cryptography.

Decomposition Problem. Given $(x,y)\in G^2$ and $S\subset G$, the problem is to find $z_1,z_2\in S$ such that $y=z_{1}x{z}_2$.

Note that the CSP is a special case of this problem where $z_2=z_1^{-1}$, and that for the DP we do not need invertible elements.

The idea is that even in asymmetric cryptography (more usually called public key cryptography), characterized by having both a secret and public key to encrypt and decrypt (in contrast with symmetric cryptography, which uses the same key for both procedures), the first and last steps in the algorithm use the same key, which is the secret key, i.e., both generation of the public key and computation of the shared key. In terms of Diffie–Hellman key exchange generalization using semigroup actions [2], this would be the following.

Let S be a finite set, G be an abelian semigroup, and $\varphi$ a G-action on S, and a public element $h\in S$. The extended Diffie–Hellman key exchange in $(G,S,\varphi )$ is the following protocol:

• Alice chooses $a\in G$ and computes $\varphi (a,h)$. Alice’s private key is a, and her public key is $p_A=\varphi (a,h)$.
• Bob chooses $b\in G$ and computes $\varphi (b,h)$. Bob’s private key is b, and his public key is $p_B=\varphi (b,h)$.
• Their common secret key is then

  $$\varphi (a,p_B)=\varphi (a,\varphi (b,h)=\varphi (ab,h)=\varphi (ba,h)=\varphi (b,\varphi (a,h)=\varphi (b,p_A).$$

So we can see that both Alice and Bob use their secret key in the first and last steps of the algorithm. In contrast, our purpose would work as follows.

Let S be a finite set, G be a non-abelian semigroup, and $\varphi$ a G-action on S, and a public element $h\in S$. The extended Diffie–Hellman key exchange in $(G,S,\varphi )$ is the following protocol:

• Alice chooses $a\in G$ and computes $\varphi (a,h)$. Alice’s private key is a, and her public key is $p_A=\varphi (a,h)$.
• Bob chooses $b\in G$ and computes $\varphi (b,h)$. Bob’s private key is b, and his public key is $p_B=\varphi (b,h)$.
• Their common secret key is then

  $$\varphi (a^{*},p_B)=\varphi (a^{*},\varphi (b,h)=\varphi (a^{*}b,h)=\varphi (b^{*}a,h)=\varphi (b^{*},\varphi (a,h)=\varphi (b^{*},p_A),$$

  where $a^{*},b^{*}$ depend on $a,b$ and also on the algebraic setting, in our case, in the cocycle of the twisted group ring. In this way, the symmetry that we found using the secret key twice during the key exchange does not occur, and we can show that this is an advantage, for example, when facing attacks like the decomposition attack [3].

The rest of this paper is organized as follows: In Section 2, we give an algebraic setting of twisted group rings. In Section 3, we provide our proposed key exchange and a security analysis of this protocol. Section 4 shows a computationally equivalent cryptosystem. In Section 5, we extend our proposal for n users, where we can observe clearly that there is a lack of symmetry concerning the action of every user. Finally, conclusions are presented in Section 6.

2. Algebraic Setting

In this section, twisted group rings are defined, and we also show some properties that make the key exchange possible. Firstly, we recall the definition of 2-cocycles, which will allow us to define the twisted multiplication.

Definition 1.

Let G be a group and A be an abelian group. An application

$$\alpha :G\times G\to A$$

is a 2-cocycle if

1. 

$\alpha (g,1)=\alpha (1,g)=1$, for all $g\in G,$

2. 

$\alpha (g,h)\alpha (gh,k)=\alpha (g,hk)\alpha (h,k)$, for all $g,h,k\in G$.

Now we define twisted group rings as follows.

Definition 2.

Let K be a ring, G be a multiplicative group, and α be a cocycle in $U\left(K\right)$. The group ring $K^{\alpha }G$ is defined to be the set of all finite sums of the form

$$\sum _{g_i\in G}{r}_i{g}_i,$$

where $r_i\in K$ and all but a finite number of $r_i$ are zero.

The sum of two elements in $K^{\alpha }G$ is given by

$$\begin{array}{c}\hfill \left(\sum _{g_i\in G}{r}_i{g}_i\right)+\left(\sum _{g_i\in G}{s}_i{g}_i\right)=\sum _{g_i\in G}(r_i+s_i)g_i.\end{array}$$

(1)

And multiplication, which is twisted by a cocycle, is given by

$$\left(\sum _{g_i\in G}{r}_i{g}_i\right)·\left(\sum _{g_i\in G}{s}_i{g}_i\right)=\sum _{g_i\in G}\left(\sum _{g_j{g}_k=g_i}{r}_j{s}_k\alpha (g_j,g_k)\right)g_i.$$

When the cocycle $\alpha$ is trivial, $R^{\alpha }G$ is the classical group ring $R\left[G\right]$.

As an example, consider the field K, its primitive root of unity t, and the dihedral group of $2m$ elements, $D_{2m}=<x,y:x^m=y^2=1,y{x}^a=x^{m-a}y>$. The group ring $R=K^{\alpha }{D}_{2m}$, where $\alpha$ is

$$\alpha :D_{2m}\times D_{2m}\to K$$

with $\alpha (x^i,x^j{y}^k)=1$ and $\alpha (x^{i}y,x^j{y}^k)=t^j$$i,j=1,\dots ,2m-1$, is a twisted group ring.

This example is our concrete proposal for the key exchange, the twisted dihedral group ring $K^{\alpha }{D}_{2m}$, where K is a finite field of characteristic p such that $p|2m$. This is required in order to R is not a semisimple ring, which has its consequence in the security analysis.

Once we have defined our setting, we establish some useful properties that will allow us to make our key exchange possible.

Definition 3.

Let $R=K^{\alpha }{D}_{2m}$, where t is the primitive root of unity that generates K and α is the cocycle defined above. Given $h\in R$,

$$h=\sum _{\begin{array}{c}0\le i\le m-1\\ k=0,1\end{array}}{r}_i{x}^i{y}^k,$$

where $r_i\in K$ and $x,y\in D_{2m}$. We define $h^{*}\in K^{\alpha }{D}_{2m}$:

$$h^{*}=\sum _{\begin{array}{c}0\le i\le m-1\\ k=0,1\end{array}}{r}_i{t}^{-i}{x}^i{y}^k,$$

where $r_i\in K$ and $x,y\in D_m$.

Note that $R=K^{\alpha }{D}_{2m}$ can be written as

$$R=R_1\oplus R_2,$$

where $R_1=K{C}_m$ and $R_2=K^{\alpha }{C}_{m}y$, and $C_m$ is a cyclic group of order m. In this context, we can define $A_j\le R_j$ as

$$A_j=\left\{\sum _{i=0}^{m-1}{r}_i{x}^i{y}^k\in R_j:r_i=r_{m-i}\right\}.$$

Proposition 1.

Given $h_1,h_2\in R$,

• If $h_1,h_2\in R_1$, then $h_1{h}_2=h_2{h}_1$;
• If $h_1,h_2\in A_2$, then $h_1{h}_2^{*}=h_2{h}_1^{*}$, and $h_1^{*}{h}_2=h_2^{*}{h}_1$;
• If $h_1\in A_1,h_2\in A_2$, then $h_1{h}_2=h_2{h}_1^{*}$.

The proof can be seen in Appendix A.

3. Twisted Key Exchange Protocol

In this section, we explain the key exchange proposed, over the twisted group ring $R=K^{\alpha }{D}_{2m}$, and discuss the security and complexity of the protocol.

Let $h\in R$ be a random public element. The key exchange between Alice and Bob is as follows:

• Alice selects a secret pair $s_A=(g_1,k_1)$, where $g_1\in R_1,k_1\in A_2\le R_2$.
• Bob selects a secret pair $s_B=(g_2,k_2)$, where $g_2\in R_1,k_2\in A_2\le R_2$.
• Alice sends Bob $p_A=g_{1}h{k}_1$, and Bob sends Alice $p_B=g_{2}h{k}_2$.
• Alice computes $K_A=g_1{p}_B{k}_1^{*}$, and Bob computes $K_B=g_2{p}_A{k}_2^{*}$, and they get the same secret shared key.

We can easily check that they get the same shared key, computing

$$K_A=g_1{p}_B{k}_1^{*}=g_1{g}_{2}h{k}_2{k}_1^{*}=g_2{g}_{1}h{k}_1{k}_2^{*}=g_2{p}_A{k}_2^{*}=K_B,$$

since we had $g_1{g}_2=g_2{g}_1$ and $k_1{k}_2^{*}=k_2{k}_1^{*}$ by Proposition 1.

Security Analysis of the Protocol

Security of the protocol described above is based on the assumption that the following problem is computationally hard:

Given $R=K^{\alpha }{D}_{2m}=R_1\oplus R_2$, $A_2\le R_2$, and the public elements $h,y\in R$, and the map $*:R\to R$, find $a\in R_1$, $b\in A_2\le R_2$ such that $ah{b}^{*}=y$.

The stronger decisional version of this assumption would be:

Given $R=K^{\alpha }{D}_{2m}=R_1\oplus R_2$, $A_2\le R_2$, and the public elements $h,y\in R$, and the map $*:R\to R$, it is hard to distinguish $a\in R_1$, $b\in A_2\le R_2$ such that $ah{b}^{*}=y$ from a random element of the form $ghk$, where $g\in R_1$ and $k\in R_2$.

Now we discuss the security of our protocol against various types of attacks in the literature. The first attack given by [4] takes advantage of the algebraic setting; the second one, from [3], involves the underlying computational problem; the third attack is a variation on our case, and finally, we check the brute force attack.

1.

Attacks using decomposition of group rings. Our proposed protocol over $K^{\alpha }{D}_{2m}$ is not susceptible to this kind of attack because in our case, $char\left(K\right)=p|2m=|D_{2m}|$, so our group ring is never semisimple.

2.

Decomposition attack (Roman’kov). This attack by Roman’kov cannot be applied directly since secret keys in our case are not selected in that way. But we propose the necessary changes for it to be applicable (mainly, where the secret key belongs). Our proposal is robust against this attack, as can be observed in the following example.

Example 1.

Let $R=GF{\left(2^2\right)}^{\alpha }{D}_6$, the public element $h=t+(t+1)x+x^2+ty+xy+x^{2}y$, and the secret keys

$$s_A=(1+tx+t{x}^2,y+(t+1)xy+(t+1)x^{2}y),$$

$$s_B=(t+(t+1)x+(t+1)x^2,(t+1)y+xy+x^{2}y).$$

Then Alice and Bob obtain their public keys

$$p_A=t+tx+(t+1)x^2+ty+xy+(t+1)x^{2}y,p_B=t+x+t{x}^2+(t+1)y+txy+x^{2}y,$$

and the shared key

$$K=(t+1)+x+t{x}^2+ty+(t+1)xy+(t+1)x^{2}y.$$

A passive eavesdropper, Eve, might obtain a basis B of $R_{1}h{R}_2\ni p_A$,

$$B=\{1+tx,1+x+x^2,(t+1)x+x+t{x}^2,y+(t+1)xy+t{x}^{2}y\}.$$

So she can see $p_A$ as

$$p_A=\sum {\beta }_i{a}_{i}h{b}_i,$$

where

$$a_1=1+tx,a_2=1+x+x^2,a_3=1,a4=1+tx+(t+1)x^2,$$

and

$$b_1=x^{2}y,b_2=x^{2}y,b3=y+xy+x^{2}y,b4=y+xy$$

if she applies the attack, obtains

$$\sum _{i=1}^3{\alpha }_i{a}_i{p}_B{b}_i=t+(t+1)x+x^2+(t+1)y+(t+1)xy\ne K.$$

We can see that this attack would not work since our shared key K cannot be expressed in terms of the basis B.

3.

Decomposition as 1-side multiplication. This decomposition is not always possible, and if that is the case, it does not necessarily imply breaking our protocol. We show it by using the following example.

Example 2.

Let us consider $R,h,s_A,s_B$ as in the preceding example. A passive eavesdropper, Eve, would try to recover K from $p_A$ and $p_B$. Let us assume that she can find γ such that

$$\gamma ·h=p_A.$$

In this case, Eve finds $\gamma =y$. But applying this γ to $p_B$ is helpless,

$$\gamma ·p_B=(t+1)+(t+1)x+(t+1)x^2+ty+txy+x^y\ne K,$$

$$p_B·\gamma =(t+1)+x+t{x}^2+ty+txy+x^y\ne K.$$

4.

Brute force attack. The complexity of our algorithm is $\mathcal{O}\left(p^{\frac{3}{4}k}\right)$ for a k-bits long key.

Complexity can be obtained by computing the number of possible keys. Given h public, we have that the set of private keys is $R_{1}h{A}_2$ and the set of shared keys is $R_{1}h{A}_1$. Recall that $R_1=K{C}_m$, $R_2=K^{\alpha }{C}_{m}y$, and $A_j=\left\{{\sum }_{i=0}^{m-1}{r}_i{x}^i{y}^k\in R_j:r_i=r_{m-i}\right\}$. In both cases, we have

$$|R_1|={\left(p^n\right)}^m\left|A_j\right|={\left(p^n\right)}^{\frac{m}{2}},$$

so an eavesdropper would have to try ${\left(p^n\right)}^m·{\left(p^n\right)}^{\frac{m}{2}}=p^{\frac{3}{2}nm}$ for an $nm$-bits long key, i.e., $p^{\frac{3}{4}k}$ possibilities for a k-bits long key. In the example proposed in Appendix B, $GF{\left(2^4\right)}^{\alpha }{D}_{32}$, for a 128-bits long key, we obtain a security of $\mathcal{O}\left(2^{96}\right)$.

In terms of complexity, we could say that our protocol is not as good as other protocols in group rings, such as the key exchange proposed in [5] (in our case, the key should be larger for the same security against a brute force attack), but it is still competitive, and it is resistant against attacks such as [4], which breaks the proposal in [5].

Finally, note that we have studied passive attacks, but in case of an active attack, such as a man-in-the-middle attack, we would need extra security in our protocol. It could be solved by using an authenticated channel, with digital signatures.

4. A Public Key Cryptosystem

In this section, we show a computationally equivalent cryptosystem.

Let $R=K^{\alpha }{D}_{2m}$ be a twisted group ring by the 2-cocycle $\alpha$, and recall $R=R_1\oplus R_2$. We consider the following Elgamal-type cryptosystem for encryption and decryption. Suppose Bob wants to send a message to Alice. We have R, and a random element $h\in R$, both public. Alice establishes her public key as follows: she selects $g_1\in R_1$ and $k_1\in R_2$, and computes $p_A=g_{1}h{k}_1$.

Encryption. 

To encrypt a message, Bob executes the following steps:

1. 

Bob selects two secret elements $g_2\in R_1$ and $k_2\in R_2$ and computes $x_1=g_{2}h{k}_2$.

2. 

Bob represents the message as an element $m\in R$.

3. 

Bob computes $x_2=m+g_2{p}_A{k}_2^{*}$ and sends $(x_1,x_2)$ to Alice.

Decryption. 

Alice decrypts the message m by calculating

$$m=x_2+g_1{x}_1{k}_1^{*}=m+g_2\left(g_{1}h{k}_1\right)k_2^{*}-g_1\left(g_{2}h{k}_2\right)k_1^{*},$$

given that $g_1{g}_2=g_2{g}_1$ and $k_1{k}_2^{*}=k_2{k}_1^{*}$ by Proposition 1.

Proposition 2.

Breaking the cryptosystem above is equivalent to breaking the key exchange proposed.

Proof. 

Assume that an eavesdropper, Eve, can solve the key exchange, and she wants to get m from the pair

$$(x_1,x_2)=(g_{2}h{k}_2,m+g_2{p}_a{k}_2^{*}).$$

Since she is able to break the key exchange, knowing Alice’s public key $g_{1}h{k}_1$ and Bob’s $g_{2}h{k}_2$ allows her to get $g_2{g}_{1}h{k}_1{k}_2^{*}$ (the shared key). So she can recover the message

$$m=x_2-g_2{p}_A{k}_2^{*}=m+g_2{g}_{1}h{k}_1{k}_2^{*}-g_2{g}_{2}h{k}_1{k}_2^{*}.$$

Now, assume that Eve can solve the cryptosystem. Then she can obtain any message m if she knows $h,g_{1}h{k}_1,g_{2}h{k}_2,m+g_2{g}_{1}h{k}_1{k}_2^{*}$. Eve encrypts a message m using $g_{2}h{k}_2$, obtaining

$$(x_1,x_2)=(g_{2}h{k}_2,m+g_2{g}_{1}h{k}_1{k}_2^{*}).$$

Since she can break the cryptosystem, she recovers m,

$$m=x_2-g_2{g}_{1}h{k}_1{k}_2^{*},$$

and obtains the shared key by computing

$$K=g_2{g}_{1}h{k}_1{k}_2^{*}=m-x_2.$$

 □

5. Group Key Management

In this section, we present a key exchange protocol for n users. As stated before, we observe very clearly the lack of symmetry concerning the action of every user. We also discuss the rekeying process.

Let $h\in R=R_1\oplus R_2$, described above. For $i=1,\dots ,n$, user $U_i$ has a secret pair $s_i=(g_i,k_i)$, where $g_i\in R_1$ and $k_i\in A_2\le R_2$. Let $\varphi (s_i,h)=g_{i}h{k}_i$, 2-sided multiplication. We will denote $s_i^{*}=(g_i,k_i^{*})$.

• For $i=1,\dots ,n$, user $U_i$ sends to user $U_{i+1}$ the message

  $$\{C_i^1,C_i^2,\dots ,C_i^{i+1}\},$$

  where $C_1^1=h$, $C_1^2=g_{1}h{k}_1$ and
  • for $i>1$ even, $C_i^j=\varphi (s_i,C_{i-1}^j)$, when $j<i$, $C_i^i=C_{i-1}^i$, $C_i^{i+1}=\varphi (s_i^{*},C_{i-1}^i)$,
  • for $i>1$ odd, $C_i^j=\varphi (s_i^{*},C_{i-1}^j)$, when $j<i$, $C_i^i=C_{i-1}^i$, $C_i^{i+1}=\varphi (s_i,C_{i-1}^i)$.
• User $U_n$ computes $\varphi (s_n,C_{n-1}^n)$ if n is odd and $\varphi (s_n^{*},C_{n-1}^n)$ if n is even.
• User $U_n$ broadcasts

  $$\{C_n^1,C_n^2,\dots ,C_n^n\}.$$
• User $U_i$ computes $\varphi (s_i,C_n^i)$ if n is odd or $\varphi (s_i^{*},C_n^i)$ if n is even, and gets the shared key.

Proposition 3.

After this protocol, users $U_1,\dots ,U_n$ agree on a common key.

Proof. 

Users $U_1,\dots U_n$ agree on a common key. Now we prove it for an even or odd n number of users.

Firstly, we consider n odd. Let us show that users $U_1,\dots U_{n-1}$ get the same key and that this is equal to $U_n$ key. To do so, we will prove by induction that

$$\varphi (s_i,C_n^i)=\varphi (s_j,C_n^j)$$

for $i\ne j$, $i,j\in \{1,\dots ,n-1\}$. And this also equals $U_n$ key, $\varphi (s_n,C_{n-1}^n)$. For $s=3$,

$$\begin{array}{ccc}\hfill \varphi (s_1,C_3^1)& =& \varphi (s_1,g_3{g}_{2}h{k}_2{k}_3^{*})\hfill \\ & =& g_1{g}_3{g}_{2}h{k}_2{k}_3^{*}{k}_1\hfill \\ & =& g_2{g}_3{g}_{1}h{k}_1{k}_3^{*}{k}_2\hfill \\ & =& \varphi (s_2,g_3{g}_{1}h{k}_1{k}_3^{*})\hfill \\ & =& \varphi (s_2,C_3^2)\hfill \end{array}$$

using the commutativity rules given by Proposition 1,

$$k_2{k}_3^{*}{k}_1=k_2{k}_1^{*}{k}_3=k_1{k}_2^{*}{k}_3=k_1{k}_3^{*}{k}_2.$$

Moreover, $\varphi (s_3,C_2^3)=g_3{g}_2{g}_{1}h{k}_1{k}_2^{*}{k}_3=g_2{g}_3{g}_{1}h{k}_1{k}_3^{*}{k}_2=\varphi (s_2,C_3^2)$.

Now, suppose that

$$\varphi (s_i,C_n^i)=\varphi (s_j,C_n^j).$$

Then we have

$$\begin{array}{ccc}\hfill \varphi (s_i^{*},C_{n+1}^i)& =& \varphi (s_i^{*},\varphi (s_{n+1},C_n^i))\hfill \\ & =& \varphi (s_i^{*}{s}_{n+1},C_n^i)\hfill \\ & =& \varphi (s_{n+1}^{*}{s}_i,C_n^i)\hfill \\ & =& \varphi (s_{n+1}^{*},\varphi (s_i,C_n^i))\hfill \\ & =& \varphi (s_{n+1}^{*},\varphi (s_j,C_n^j))\hfill \\ & =& \varphi (s_{n+1}^{*}{s}_j,C_n^j)\hfill \\ & =& \varphi (s_j^{*}{s}_{n+1},C_n^j)\hfill \\ & =& \varphi (s_j^{*},\varphi (s_{n+1},C_n^j))\hfill \\ & =& \varphi (s_j^{*},C_{n+1})\hfill \end{array}$$

and

$$\begin{gathered} \varphi (s_n,C_{n-1}^n)=\varphi (s_n,\varphi (s_{n-1}^{*},C_{n-1}^{n-2})=\varphi (s_n{s}_{n-1}^{*},C_{n-1}^{n-2})=\varphi (s_{n-1}{s}_n^{*},C_{n-1}^{n-1}) \\ =\varphi (s_{n-1},\varphi (s_n^{*},C_{n-1}^{n-1})=\varphi (s_{n-1},C_n^{n-1}). \end{gathered}$$

So all users $U_1,\dots ,U_n$ get the same key for n odd.

Secondly, we show that this also works for n even. We prove by induction that

$$\varphi (s_i^{*},C_n^i)=\varphi (s_j^{*},C_n^j)$$

for $i\ne j$, $i,j\in \{1,\dots ,n-1\}$. And this also equals $U_n$ key, $\varphi (s_n,C_{n-1}^n)$. For $s=4$,

$$\begin{array}{ccc}\hfill \varphi (s_1^{*},\varphi (s_4,C_3^1))& =& \varphi (s_1^{*},g_4{g}_3{g}_{2}h{k}_2{k}_3^{*}{k}_4)\hfill \\ & =& g_1{g}_4{g}_3{g}_{2}h{k}_2{k}_3^{*}{k}_4{k}_1^{*}\hfill \\ & =& g_2{g}_4{g}_3{g}_{1}h{k}_1{k}_3^{*}{k}_4{k}_2^{*}\hfill \\ & =& \varphi (s_2^{*},g_4{g}_3{g}_{1}h{k}_1{k}_3^{*}{k}_4)\hfill \\ & =& \varphi (s_2^{*},\varphi (s_4,C_3^2)),\hfill \end{array}$$

$$\begin{array}{ccc}\hfill \varphi (s_1^{*},\varphi (s_4,C_3^1))& =& \varphi (s_1^{*},g_4{g}_3{g}_{2}h{k}_2{k}_3^{*}{k}_4)\hfill \\ & =& g_1{g}_4{g}_3{g}_{2}h{k}_2{k}_3^{*}{k}_4{k}_1^{*}\hfill \\ & =& g_3{g}_4{g}_2{g}_{1}h{k}_1{k}_2^{*}{k}_4{k}_3^{*}\hfill \\ & =& \varphi (s_3^{*},g_4{g}_2{g}_{1}h{k}_1{k}_2^{*}{k}_4)\hfill \\ & =& \varphi (s_3^{*},\varphi (s_4,C_3^3))\hfill \end{array}$$

using that $g_i\in R_1$ commute and

$$\begin{gathered} k_2{k}_3^{*}{k}_4{k}_1^{*}=k_3{k}_2^{*}{k}_4{k}_1^{*}=k_3{k}_4^{*}{k}_2{k}_1^{*}=k_3{k}_4^{*}{k}_1{k}_2^{*}=k_3{k}_1^{*}{k}_4{k}_2^{*}=k_1{k}_3^{*}{k}_4{k}_2^{*}, \\ {k}_2{k}_3^{*}{k}_4{k}_1^{*}=k_2{k}_4^{*}{k}_1{k}_3^{*}=k_2{k}_1^{*}{k}_4{k}_3^{*}=k_1{k}_2^{*}{k}_4{k}_3^{*}. \end{gathered}$$

In addition, $\varphi (s_4^{*},C_3^4)=g_4{g}_3{g}_2{g}_{1}h{k}_1{k}_2^{*}{k}_3{k}_4^{*}=g_3{g}_4{k}_2{k}_{1}h{k}_1{k}_2^{*}{k}_4{k}_3^{*}=\varphi (s_3^{*},\varphi (s_4,C_3^3))$.

Suppose now that

$$\varphi \left(s_i^{*},C_n^i\right)=\varphi \left(s_j^{*},C_n^j\right).$$

Then we have

$$\begin{array}{ccc}\hfill \varphi (s_i,C_{n+1}^i)& =& \varphi \left(s_i,\varphi (s_{n+1}^{*},C_n^i)\right)\hfill \\ & =& \varphi \left(s_i,\varphi (s_{n+1}^{*},C_n^i)\right)\hfill \\ & =& \varphi \left(s_i{s}_{n+1}^{*},C_n^i)\right)\hfill \\ & =& \varphi \left(s_{n+1}{s}_i^{*},C_n^i)\right)\hfill \\ & =& \varphi \left(s_{n+1},\varphi (s_i^{*},C_n^i)\right)\hfill \\ & =& \varphi \left(s_{n+1},\varphi (s_j^{*},C_n^j)\right)\hfill \\ & =& \varphi \left(s_{n+1}{s}_j^{*},C_n^j)\right)\hfill \\ & =& \varphi \left(s_j{s}_{n+1}^{*},C_n^j\right)\hfill \\ & =& \varphi \left(s_j,\varphi (s_{n+1}^{*},C_n^j)\right)\hfill \\ & =& \varphi (s_j,C_{n+1}^j).\hfill \end{array}$$

So the shared key $\varphi \left(s_i,\varphi (s_{n+1}^{*},C_n^i)\right)$ is the same for every $i\in \{1,\dots ,n-1\}$, and also,

$$\begin{gathered} \varphi (s_n^{*},C_{n-1}^n)=\varphi (s_n^{*},\varphi (s_{n-1},C_{n-1}^{n-2})=\varphi (s_n^{*}{s}_{n-1},C_{n-1}^{n-2})=\varphi (s_{n-1}^{*}{s}_n,C_{n-1}^{n-1}) \\ =\varphi (s_{n-1}^{*},\varphi (s_n,C_{n-1}^{n-1})=\varphi (s_{n-1}^{*},C_n^{n-1}), \end{gathered}$$

and all users $U_1,\dots ,U_n$ have the same shared key, and we are done. □

An important issue in group key management is rekeying after the initial key agreement. There exist three situations: the first is due to key caducity, and the members of the group are the same; the second is when a user leaves the group, and the third is when a new user joins it. We describe these procedures in the following lines.

Let us consider the first situation. Every user $U_i$ has the information $C_n^i$ received from the user $U_n$. The rekeying process can be carried out by any of them, as is suggested in [6]. We call this user $U_c$. He chooses a new element $s_{c^{\prime }}=(g_{c^{\prime }},k_{c^{\prime }})$, where $g_{c^{\prime }}\in R_1$ and $k_{c^{\prime }}\in A_2$. If n is odd, he changes his private key to $s_{c^{\prime }}^{*}{s}_c$ and broadcasts the message

$$\{\varphi (s_{c^{\prime }}^{*},C_n^1),\varphi (s_{c^{\prime }}^{*},C_n^2),\dots ,\varphi (s_{c^{\prime }}^{*},C_n^{c-1}),C_n^c,\varphi (s_{c^{\prime }}^{*},C_n^{c+1}),\dots ,\varphi (s_{c^{\prime }}^{*},C_n^n)\}.$$

If n is even, he changes his private key to $s_{c^{\prime }}{s}_c^{*}$ and broadcasts the message

$$\{\varphi (s_{c^{\prime }},C_n^1),\varphi (s_{c^{\prime }},C_n^2),\dots ,\varphi (s_{c^{\prime }},C_n^{c-1}),C_n^c,\varphi (s_{c^{\prime }},C_n^{c+1}),\dots ,\varphi (s_{c^{\prime }},C_n^n)\}.$$

Then every user recovers the common key using the private key $s_i$ if n is even, and $s_i^{*}$ if n is odd.

We can easily check that this shared key is the same for every user. Recall that we proved that $\varphi (s_i,C_n^i)=\varphi (s_j,C_n^j)$ for $i,j=1,\dots ,n-1$ and odd n. Now we have

$$\begin{array}{ccc}\hfill \varphi (s_i^{*},\varphi (s_{c^{\prime }},C_n^i)& =& \varphi (s_i^{*}{s}_{c^{\prime }},C_n^i))\hfill \\ & =& \varphi (s_{c^{\prime }}^{*}{s}_i,C_n^i)\hfill \\ & =& \varphi (s_{c^{\prime }}^{*},\varphi (s_i,C_n^i)\hfill \\ & =& \varphi (s_{c^{\prime }}^{*},\varphi (s_j,C_n^j)\hfill \\ & =& \varphi (s_{c^{\prime }}^{*}{s}_j,C_n^j)\hfill \\ & =& \varphi (s_j^{*}{s}_{c^{\prime }},C_n^j))\hfill \\ & =& \varphi (s_j^{*},\varphi (s_{c^{\prime }},C_n^j),\hfill \end{array}$$

and $\varphi (s_n,C_{n-1}^n)=\varphi (s_{n-1},C_n^{n-1})$ implies that

$$\begin{array}{ccc}\hfill \varphi (s_n^{*},\varphi (s_{c^{\prime }},C_n^n)& =& \varphi (s_n^{*}{s}_{c^{\prime }},C_n^n))\hfill \\ & =& \varphi (s_{c^{\prime }}^{*}{s}_n,C_n^n)\hfill \\ & =& \varphi (s_{c^{\prime }}^{*},\varphi (s_n,C_n^n))\hfill \\ & =& \varphi (s_{c^{\prime }}^{*},\varphi (s_n,C_{n-1}^n))\hfill \\ & =& \varphi (s_{c^{\prime }}^{*},\varphi (s_{n-1},C_n^{n-1}))\hfill \\ & =& \varphi (s_{c^{\prime }}^{*}{s}_{n-1},C_n^{n-1})\hfill \\ & =& \varphi (s_{n-1}^{*}{s}_{c^{\prime }},C_n^{n-1}))\hfill \\ & =& \varphi (s_{n-1}^{*},\varphi (s_{c^{\prime }},C_n^{n-1})),\hfill \end{array}$$

so all users get the same shared key. This can be proved analogously for odd n. Note that every time we rekey, we need to consider that a new user has been added to the key agreement (just to decide if we use the procedure for odd or even n), so the second time we rekey we will consider that they are $n+1$ users, and so on.

In the second case, when some user leaves the group, the corresponding position in the rekeying message is omitted.

In the last case, when a new user $U_{n+1}$ joins the group, if n is odd, then $U_c$ adds the element $\varphi (s_{c^{\prime }},C_n^n)$ and sends the following to the new user:

$$\{\varphi (s_{c^{\prime }},C_n^1),\varphi (s_{c^{\prime }},C_n^2),\dots ,\varphi (s_{c^{\prime }},C_n^{c-1}),C_n^c,\varphi (s_{c^{\prime }},C_n^{c+1}),\dots ,\varphi (s_{c^{\prime }},C_n^{n-1}),\varphi (s_{c^{\prime }},C_n^n)\}.$$

If n is even, $U_c$ adds the element $\varphi (s_{c^{\prime }}^{*},C_n^n)$ and sends to $U_{n+1}$ the following:

$$\{\varphi (s_{c^{\prime }}^{*},C_n^1),\varphi (s_{c^{\prime }}^{*},C_n^2),\dots ,\varphi (s_{c^{\prime }}^{*},C_n^{c-1}),C_n^c,\varphi (s_{c^{\prime }}^{*},C_n^{c+1}),\dots ,\varphi (s_{c^{\prime }}^{*},C_n^{n-1}),\varphi (s_{c^{\prime }}^{*},C_n^n)\}.$$

Finally, user $U_{n+1}$ proceeds to step 3 of the group key protocol and sends the other users the information to obtain the shared key using their private keys.

Our next objective is showing that the security of this protocol for n users is equivalent to the security of the key exchange in the case of two users, as is the case of [6] and any other similar proposal such as [7] or more recently, [8], among many others.

6. Conclusions

Our contribution is proposing twisted group rings as interesting structures for key management, combined with the decomposition problem, since they seem to be quantum-safe for the time being. More specifically, we have introduced a key exchange protocol using the group ring $K^{\alpha }\left[D_{2m}\right]$ and have shown a security and complexity analysis. We have also proposed an Elgamal cryptosystem and discussed its security. Finally, we have extended this protocol for several users.