Informally speaking, we define a function of two numbers modulo p, p
prime. That function is f(a,b)=(ab+1)/(b-a), operated mod p. This
function is not commutative and is not associative. To make this clearer
lets use another notation, a*b is f(a,b). Now, we have a property that's
that (a*b)*(c*d)=(a*c)*(b*d). We can exchange b and c in the formula and
get the same result. With this a public key criptosystem can be built,
the proof is in the link in the more formal description bellow. Now we
define a fibonacci exponentiation that's the same procedure as the
ordinary exponentiation by squaring but the element i of the table of
squares, that will be t[i]=t[i-1]^2, we use two initial values in t[0]=a
and t[1]=b and the next elements in the table are t[i]=t[i-2]*t[i], were
* is the function already defined. So we can call this fibonacci
exponentiation as mixf(a,b,k) or with another notation (a,b)^k. Now, the
operation allowed is that ((a,b)^k1,(c,d)^k1)^k2=((a,c)^k2,(b,d)^k2)^k1.
Now, mixf in respect to the k is not additive. mixf produces an erratic
sequence of results mod p with some series but no constant period at
all. There's not a workable g(k) such that (a,b)^k=(a,b)^g(k) for every
(a,b). In particular f(k) is not f(k)=k+c, c constant. So no quantum
algorithm based on hidden abelian subgroups works. More work must be
done in criptoanalysis and quantum computer considerations, so I need
help... Unrhu?
daniel...@gmail.com
Now the more formal description:
Our working numbers will be positive integers modulo a prime p, this is
in the range [0..p-1]. Next we need to define a function of two such
values, a and b, so:
f(a,b)=(ab+1)/(b-a) (mod p)
This function takes two values as parameters and produce a result value,
and inverse modulo p should be computed. The property needed for the
system work is that (see demonstration here
https://danielnbl.files.wordpress.com/2016/09/key_demonstration.pdf),
for every a,b,c and d:
f(f(a,b),f(c,d))=f(f(a,c),f(b,d))
So from left part of the equality to right we have interchanged b and c.
In order to make calculations faster we can work with fractions num/den
and when a value is needed convert they to num/1 by calculating the
inverse of the denominaton. A zero denominator is possible with very
small probability, but can be handled anyway.
Now a mixing function is needed, let's call it mixf, that takes two
values mod p, and a bit string key as parameters:
r=mixf(a,b,k)
Let's construct a table of values enough to fit the size of k:
t[0]=a
t[1]=b
t[i]=f(t[i-2],t[i-1])
...
Now let's set r to the element in t[i] corresponding to the index of the
first 1 in k. From there on and in increasing order we operate
r=f(r,t[j])
for each k[j]=1 until the key is exhausted. This is similar to the
procedure used for exponentiation by squaring, but in a fibbonacci form.
Hard Problem:
Given r=mixf(a,b,k), where a and k are known and b is secret, finding b
is hard, as hard of the bit size of the prime p. The signature and
intermediate values in key agreement are t-sized being t the security
threshold. So, for example, for a p of 96 bits we have 96 bits of
security and a 96 bits signature.
Scheme to build a criptosystem:
Let's focus on the following representation:
a---b---------->i1
| | k2 |
c---d---------->i2
| | |
| | |
|k1 | |k1
| | |
v v k2 v
i3--i4--------->r
i1=mixf(a,b,k1)
i2=mixf(c,d,k2)
i3=mixf(a,c,k2)
i4=mixf(b,d,k2)
r=mixf(i1,i2,k1)=mixf(i3,i4,k2)
r=mixf(mifx(a,b,k2),mixf(c,d,k2),k1)=mixf(mixf(a,c,k1),mixf(b,d,k1),k2)
Signature:
The signer public credentials with and agreed prime p are:
a,b,c,k2,i1,i2
d is keep secret. Now the hash to sign is k1 and the signature value is i4.
The verifier can compute itself i3 and check that r is coherent by both
possible paths, that's mixf(i1,i2,h)=mixf(mixf(a,c,h),i4,k2).
Secret value agreement:
First beside choosing a common prime p, some public a and d must be
agreed. Then one partner choses a path and the other gets the alternate
path to r.
Partner one publishes k2 and i1. Keeps b secret. Partner two publishes
k1 and i3 and keeps c secret.
Both can now arrive to r that's the agreed secret value.
On the periodicity of mixf and it's post-quantum candidature:
mixf function is virtually unperiodical. Iterating keys in
r=mixf(a,b,ki) now and then the result will be r=b for some ki, but in
an non-periodic behavior. Furthermore, experiments show that these
coincidences depend on b, intended to be secret, so no feasible attacks
on the order should work. In particular Pollard's Rho, Shor, Index
Calculus and so on. Even a meet-in-the-middle cannot be build as with
one result the table Ti cannot be recalculated, and one base parameter
is unknown.