An Authenticated Key Agreement Scheme Based on Cyclic Automorphism Subgroups of Random Orders

Group-based cryptography is viewed as a modern cryptographic candidate solution to blocking quantum computer attacks, and key exchange protocols on the Internet are one of the primitives to ensure the security of communication. In 2016 Habeeb et al. proposed a "textbook" key exchange protocol based on the semidirect product of two groups, which is insecure for use in real-world applications. In this paper, after discarding the unnecessary disguising notion of semidirect product in the protocol, we establish a simplified yet enhanced authenticated key agreement scheme based on cyclic automorphism subgroups of random orders by making hybrid use of certificates and symmetric-key encryption as challenge-and-responses in the public-key setting. Its passive security is formally analyzed, which is relative to the cryptographic hardness assumption of a computational number-theoretic problem. Cryptanalysis of this scheme shows that it is secure against the intruder-in-the-middle attack even in the worst case of compromising the signatures, and that it provides explicit key confirmation to both parties.


Introduction
Cryptographic techniques are an essential tool to guarantee the security of communication in modern society. Today, the security of nearly all of the cryptographic schemes used in practice is based on number-theoretic problems [1,2,3]. However, schemes like these will become insecure as soon as large enough quantum computers arrive. The reason for this is Shor's algorithm [4], which solves number-theoretic problems like integer factorization and discrete logarithms in polynomial time on a quantum computer. Therefore, one needs alternatives to those classical public key schemes, based on mathematical problems not affected by quantum computer attacks.
Group-based cryptography is one of the main candidates for this [3,5,6] .
In 2016, using the semidirect product of two groups, Habeeb et al. [7] proposed a key exchange protocol (the HKKS protocol) based on the work of [8, 9]. Unlike the operating principles of all existing Diffie-Hellman-like protocols, its basic passive security is based on a stronger computational group-theoretic assumption than the current assumptions of hardness of discrete logarithm problems.
However, the HKKS protocol is still a "textbook" key exchange protocol which is actually not suitable for use in real-world applications, due to its lack of any oracle interaction among users (public key owners) and an attacker [10]. In this paper, having discarded the unnecessary disguising notion of semidirect product in the HKKS protocol, we establish a simplified yet enhanced authenticated key agreement scheme (denoted by the HYZ scheme) based on cyclic automorphism subgroups of random orders, which includes mutual identification of Alice and Bob. Our contributions are: 1) The passive security of the HYZ scheme, which is relative to the cryptographic hardness assumption of a computational number-theoretic problem, is analyzed in terms of formal security terminology. Additionally, the selection of protocol parameters for passive security is analyzed.
2) To guarantee its active security, we utilize the "encryption-then-signature" mode to give twofold protection to the protocol messages. We show that the HYZ scheme is secure against the intruder-in-the-middle attack even in the worst case of compromising the signatures, and obtains the highest level of assurance regarding key agreement, i.e., explicit key confirmation to both parties [11]: A is assured that B has computed the shared symmetric key , and no one other than B can compute .
The organization of the paper is as follows. In Section 2, the HYZ scheme is proposed. In Section 3, the shared key formula is proven and its passive and active security properties are discussed. Conclusions are given in Section 4.

The HYZ Scheme
In this section, we describe the HYZ scheme utilizing a kind of public-key infrastructure (PKI) [11,12]. Our strategy is to make hybrid use of certificates which are signed by a TA (Trusted Authority) and symmetric-key encryption as challenge-and-responses in the public-key setting. Each user U has a digital signature function with verification algorithm . The TA also has a signature scheme with a public verification algorithm . The verification algorithms are compiled and made public by the TA, who certifies that is actually the verification algorithm for U and not for any malicious attacker Mallory. Each user U has a certificate where ID(U) is certain identification information for U. The public domain parameters consist of a group ( ) ⋅ , a given element ∈ with order > and a given element . Suppose that Alice and Bob want to establish a symmetric key to use in an encryption function .
The notation ∈ means [10] that the element is sampled uniformly at random from the set .

5) Submitting ( ) to TA, Alice asks TA to verify that is Bob's verification algorithm.
6) Alice uses to verify Bob's signature in Step 4). If the signature is not valid, then she "rejects" and quits. Otherwise, she "accepts", computes and sends the following to Bob:
8) Submitting ( ) to TA, Bob asks TA to verify that is Alice's verification algorithm. Finally, Bob uses to verify Alice's signature in Step 7). If the signature is not valid, then he "rejects" and quits. Otherwise, he "accepts".

Proof of the Shared Key
Theorem 1: Alice and Bob share the same symmetric key , i.e.,
, by the definition in [13], one has

=
. This completes the proof.

The Passive Security Properties of the HYZ Scheme
Taking ( ) φ = , we see that the standard Diffie-Hellman protocol is a special case of the HYZ scheme, which provides heuristic evidence for the basic security of the HYZ scheme.
From the random numbers ∏ would be limited (we call this phenomenon "falsely big data").
The basic security of the HYZ scheme is based on the cryptographic hardness assumption of the following computational number-theoretic problem: Given φ , and , it is computationally infeasible to compute . More specifically, consider the following experiment for a pair of group-generation algorithms ( ) provides for mutual identification of A and B. This in turn thwarts the intruder-in-the-middle attack. Next, we show that the HYZ scheme provides explicit key confirmation [11].
The HYZ scheme is established with mutual identification in the public-key setting. So, if an adversary is active, he will be detected by the honest participants in the session.
Using ) . Now, assuming that B executed the scheme according to its specifications, and the signature is valid in step 6), A can infer that B has computed the value of . The analysis from the point of view of B is similar. Summarizing the discussion above, we have established the following theorem.
Theorem 2: The HYZ scheme is an authenticated key agreement scheme that provides explicit key confirmation to both parties, assuming that the problem is intractable.

Conclusion
Based on the HKKS protocol and cyclic automorphism subgroups of random orders, we proposed the HYZ scheme and proved its shared key formula. Two necessary conditions for its passive security were analyzed: the order of the automorphism ( ) φ ∈ and the period of φ with respect to should be chosen large enough to thwart exhaustive key search and to avoid the phenomenon of "falsely big data", respectively. Furthermore, we conducted the ( ) A G experiment, defined the problem and stated the assumption in terms of formal security terminology. To guarantee its active security, we utilized twofold protections for the protocol messages. It was shown that the HYZ scheme is secure against the intruder-in-the-middle attack even in the worst case of compromising the signatures, and that it is an authenticated key agreement scheme that provides explicit key confirmation to both parties, assuming that the problem is intractable.
Compared with the HKKS protocol, the security of the HYZ scheme has been improved in a number of aspects. Future work includes cryptanalysis of the HYZ scheme's resistance to the "linear algebra attack" mounted by Romank'ov [14].

1) Alice chooses a random number ∈ { } − . Then she computes and sends the following to Bob:
2) Bob chooses a random number ∈ { } − . Then he computes and sends the following to Alice:
One of the necessary conditions for passive security of the HYZ scheme is that the order should be chosen large enough to thwart exhaustive key search. The two cyclic automorphism subgroups of ( ) of random orders involved in the HYZ scheme are φ element of group ). Another necessary condition for passive security of the HYZ scheme is that the period should be chosen large enough; otherwise, whenever ≥ , we have ( )
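The two passive-security conditions above (a large automorphism order and a large period of φ with respect to the base element) can be checked numerically on a toy model. The following is an added example, not code from the paper; it assumes the additive group Z_n with the automorphism x ↦ a·x (mod n) for a unit a, and an exchange in which each party sends φ^m(g) and both derive φ^(m+n)(g). The parameters n = 255, a = 2 are constructed for illustration and show that the orbit of g under φ (its period) can be much smaller than the order of φ, so a passive attacker walking that orbit needs at most "period" trials.

```python
from math import gcd

# Constructed toy model (not the paper's parameters): G = Z_n under addition,
# phi_a(x) = a*x mod n is an automorphism whenever gcd(a, n) = 1.

def phi_power(a: int, n: int, g: int, m: int) -> int:
    """Apply phi_a to g exactly m times: phi_a^m(g) = a^m * g (mod n)."""
    if gcd(a, n) != 1:
        raise ValueError("a must be a unit mod n for x -> a*x to be an automorphism")
    return (pow(a, m, n) * g) % n

def automorphism_order(a: int, n: int) -> int:
    """Order of phi_a in Aut(Z_n): the smallest t > 0 with a^t = 1 (mod n)."""
    t, x = 1, a % n
    while x != 1:
        x = (x * a) % n
        t += 1
    return t

def period(a: int, n: int, g: int) -> int:
    """Period of phi_a with respect to g: smallest t > 0 with phi_a^t(g) = g.
    This is the orbit size of g; when it is far below the order of phi_a the
    key space is much smaller than it looks ('falsely big data')."""
    t, x = 1, phi_power(a, n, g, 1)
    while x != g % n:
        x = (x * a) % n
        t += 1
    return t

def exchange(a: int, n: int, g: int, m: int, k: int):
    """One run: Alice holds m, Bob holds k; both derive phi_a^(m+k)(g)."""
    A = phi_power(a, n, g, m)          # Alice -> Bob
    B = phi_power(a, n, g, k)          # Bob -> Alice
    key_alice = phi_power(a, n, B, m)  # phi^m(phi^k(g))
    key_bob = phi_power(a, n, A, k)    # phi^k(phi^m(g))
    return A, B, key_alice, key_bob

def exhaustive_search(a: int, n: int, g: int, A: int, B: int):
    """Passive attacker: walk the orbit of g until it reaches A, which yields
    m modulo the period, then derive the key from B.  The number of trials
    is bounded by period(a, n, g), not by automorphism_order(a, n)."""
    x, m = g % n, 0
    while x != A:
        x = (x * a) % n
        m += 1
    return phi_power(a, n, B, m), m + 1

if __name__ == "__main__":
    print(automorphism_order(2, 255), period(2, 255, 1), period(2, 255, 85))
```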