Non-invertible key exchange protocol

We investigate a cryptosystem through what we call non-invertible cryptography. As a result of a continuous refinement process, we present a new key exchange method to establish a secret key between two remote parties. Non-invertible KEP is supported by Euler's theorem like RSA, it uses exponentiation to exchange a secret key like Diffie–Hellman, and it encrypts/decrypts through invertible multiplication like ElGamal. This method is public key; it allows secret key exchange and performs secret communication. Most remarkably, since it does not rely on computational problems such as integer factorization or discrete logarithm, whose difficulty is conjectured, non-invertible KEP becomes a promising candidate to protect communication in the quantum era. By contrast, the algorithm is supported on indistinguishability of public key and ciphertext, so it achieves perfect secrecy. The protocol demonstrates minimum required time for encryption/decryption processes when compared with the main public key algorithms such as Diffie–Hellman, ElGamal or RSA.


Introduction
Since its origin at the end of the 1970s, public key cryptography has become the main mechanism to support digital signatures and electronic internet services. By means of public/private keys, users and data can be authenticated during web transactions. In addition, users can verify the authenticity of web servers, and reciprocally, the service can approve or reject a transaction from an electronic payment card. A new software version can be verified before it is updated on a computer, mobile phone, or automobile system. Other capabilities include verification of electronic documents and issuance of digital receipts.
RSA and ECC are the most prominent algorithms used to implement electronic signature services. However, due to the advent of quantum computers, the security of such methods has been threatened by Shor's algorithm, which solves, at least in theory, the computational problems on which those algorithms are based: integer factorization and discrete logarithm, respectively. In fact, most of the public key cryptosystems used today will become obsolete in the foreseeable future because they would be broken by quantum computers [1].
In view of the above, the National Institute of Standards and Technology (NIST) has initiated a process to evaluate cryptographic algorithms that could be used to achieve confidentiality and authentication services in the quantum era. Currently, the evaluation of candidate algorithms is in the second evaluation round. According to the criteria defined by NIST, algorithms must be resistant against classical and quantum adversaries, and their security level must be comparable to the security of SHA-385 and AES256. The size of the keys must be acceptable, as well as the required computing resources. Other criteria include ease of implementation (in hardware and software) and whether it is an enhanced algorithm or a new one. The flexibility of the algorithm will be evaluated because of its ability to encrypt messages, perform digital signatures and/or allow key exchange. Even so, it is possible to continue using the algorithms RSA, ECDSA and DH, since their properties have been studied over the past years. The downside to this approach is that it can lead to increasing the size of the keys to an impractical level in the quantum era. However, although quantum principles have threatened the security of major cryptographic systems, they have given rise to a new technology known as quantum key distribution (QKD) that allows remote secret key establishment [2,3]. Post-quantum cryptosystems under evaluation as quantum-resistant public-key schemes [4] include cryptography based on lattices, multivariate-based, hash-based [5,6] or code-based [7]. We will describe them in the next section; for now let us briefly summarize some of the main algebraic cryptosystems used today, which are based on the integer factoring and discrete logarithm computational problems:
1. The key exchange protocol introduced by Diffie and Hellman [8], and the asymmetric key encryption algorithm for public-key cryptography of Taher ElGamal [9]. Both of them are based on the Diffie-Hellman assumption.
2. Cryptosystems that rely on the difficulty of the integer factorization problem: the RSA method for obtaining digital signatures by Ronald L. Rivest, Adi Shamir, and Leonard M. Adleman [10]. The digitalized signatures of Michael O. Rabin [11] can also be cited.
3. Schemes based on the discrete logarithm with elliptic curve groups known as ECC developed by Miller and Koblitz [12,13].
Just to make a simple comparison about their performance, Diffie-Hellman and El Gamal algorithms have similar temporal complexity. According to [14], RSA algorithm is the slowest one. In all cases, the computational speed is around 10 6 -10 8 ms 1 .
In this work, we will introduce a new key exchange method based on non-invertible cryptography that can be useful for secret communication in the quantum era. In the Appendix, we include some definitions about modular arithmetic that we used to design the non-invertible key exchange protocol (KEP). We used a refinement design methodology so that at each stage we evaluated the security of the method against integer factorization. We describe KEP at three stages: multiplication-based, exponent-based and non-invertible KEP. In the first and second stages, the protocol is intended to pass secretly an integer number from Alice to Bob. However, we should note that they fail when trying to transmit securely an integer number from Alice to Bob. At the final stage, the non-invertible KEP behaves as a secret key exchange algorithm and it achieves the security goal. Before we develop our protocols, let us briefly mention the current cryptosystems intended to allow secret key establishment. Also, in the next section we will describe some closely related protocols.

Quantum cryptography
A new approach has emerged for the quantum era which is based on quantum physics principles; it is called quantum key distribution and is useful for secret key establishment [2]. Quantum key distribution exploits the principle that an eavesdropper cannot alter quantum communication without producing a detectable noise. The technique has been enhanced to resist quantum attacks [15,16].

Post-quantum cryptography
Some cryptographic protocols and key exchange methods have been conceived in the field of post-quantum cryptography for the quantum era. Let us introduce briefly some of the main cryptosystems [17,18].

Code-based cryptography
Code-based cryptography was originally proposed by McEliece [19] in 1978, who described an asymmetric key cryptographic system based on the difficulty of decoding a generic linear code, which is an NP-difficult problem. A linear code is essentially a form of error correction code. The private key is a code C, which has the ability to correct t errors. When sending a message, the sender will encode the message with the public key and include t errors within the encoding; then, the ciphertext is obtained by adding an error vector to each codeword. The receiver with code C will be able to decode the message while accurately correcting the errors. Some properties of this system are high confidence, fast encryption but larger public keys. Some key exchange algorithms are BIKE, Classic McEliece, HQC, NTS-KEM, RQC [20].

Lattice-based key exchange
Wang et al. [21] proposed in 2014 a key exchange protocol which is no longer dependent on conventional computational problems. The key exchange protocol is based on what is named lattice-based cryptography [22]. The techniques are generally used in modern cryptography as a complex security in comparison with the conventional cryptographic techniques. Some of the notable attributes of lattice KEM algorithms are short ciphertexts and keys, short signatures and good performance, but they are sometimes complex. Examples of KEM systems are FrodoKEM, NewHope, NTRU, FALCON and qTESLA.

Supersingular elliptic curve isogeny cryptography
Jao and De Feo [23] introduced an elliptic curve-based alternative to elliptic curve Diffie-Hellman (ECDH) which is not vulnerable to Shor's quantum attack [24]. It is called the supersingular isogeny Diffie-Hellman (SIDH) key exchange protocol and is based on the difficulty of finding isogenies between supersingular elliptic curves. Isogeny computations constitute an algebraic map between elliptic curves, which appear to be resistant to quantum attacks. SIDH produces very small key sizes, but it shows slower performance. The representative algorithm is the Supersingular Isogeny Key Encapsulation (SIKE).

Hash-based cryptography
Cryptographic services have been conceived on the basis of hash functions. Lamport first introduced the hash-based digital signature (OTS) in 1979 [25]. The signature is based on the difficulty of inverting a hash function. Unfortunately, signatures are ephemeral and a new public key must be computed for each signature. There have been some improvements to Lamport's signature through variations in the use of Merkle trees [26] and Lizama's hash-based methods [5,6].

Zero knowledge
Zero knowledge proofs have their origin in a method by which the prover can demonstrate to the verifier that a mathematical statement is true, without revealing anything other than the truth of the statement. It was first introduced in 1985 [27]. Zero knowledge interactive proofs like ZK-STARKs (Zero-Knowledge Scalable Transparent ARguments of Knowledge) are post-quantum secure, which have application in voting systems, blockchain's transactions and proving identity information [28].

Multivariate cryptography
Solving systems of multivariate polynomial equations is proven to be NP-complete. That is why multivariate cryptography is often considered to be post-quantum secure. The basic objects of multivariate cryptography are systems of nonlinear (usually quadratic) polynomial equations in several variables over a finite field. The problem is proven to be NP hard.
When performing the digital signature, the set of equations is the public key. A signature will be valid if at least a number of equations are satisfied so that a valid authentication value or a valid signature. The verifier can apply to verify that the output of the equations corresponds to the hash of the message that is signed.

Related protocols
Some cryptographic protocols have significant mathematical properties closely related to our interests, specifically: modular invertible multiplication and modular exponentiation as well as Euler's theorem in number theory. Let us explain such protocols succinctly.

Linear ciphers
Some ciphers have been conceived to exploit the invertible numbers in $\mathbb{Z}_n$. For example, a linear cipher encrypts a message $M$ according to the operation $E(M) = k \cdot M \pmod{26}$, where $k$ is relatively prime to 26. In a linear cipher, as in the affine cipher, the encryption algorithm specifies multiplication of the plaintext by the key. Decryption involves multiplication by the multiplicative inverse of the key [29]. However, an opponent can derive the plaintext of two enciphered characters applying frequency analysis or a brute force attack.

Exponential ciphers
In an exponential cipher, a message is encrypted with an exponent $k$, so that $C = M^{k} \pmod{n}$. The decryption process is $M = C^{k^{-1}} \pmod{n}$ because $k$ and $k^{-1}$ are multiplicative inverses modulo $\varphi(n)$, that is $k \cdot k^{-1} \equiv 1 \bmod \varphi(n)$. The most remarkable exponential cipher is the Rivest-Shamir-Adleman (RSA) cryptosystem.

RSA cryptosystem
A ring $\mathbb{Z}_n$ is defined with $n = p \cdot q$ where $p$ and $q$ are kept as secret prime numbers [10]. A second ring is prepared taking $\varphi(n)$ as the module. Inside this ring, two invertible numbers $e$ and $d$ are chosen, so that $e \cdot d \equiv 1 \bmod \varphi(n)$. To encrypt a message, the following operation is executed: $C = M^{e} \bmod n$. To recover the message, $M = C^{d} \bmod n$ is computed. The correctness of the algorithm relies on Euler's theorem, since $(M^{e} \bmod n)^{d} \bmod n = M^{ed} \bmod n$ and, because $e \cdot d \equiv 1 \bmod \varphi(n)$, this equals $M^{1} \bmod n$, which reduces to $M$ when $M < n$. The security of the protocol relies, as mentioned at the beginning, on the difficulty of the integer factorization problem. RSA is an asymmetric system, thus allowing remote user authentication.

Diffie-Hellman key exchange
Another public algorithm broadly used today that uses exponential computation is the Diffie-Hellman (DH) cipher [8]. In this case, a ring $\mathbb{Z}_p$ is used and two integers are publicly shared: the module $p$ and the generator $g$, which is a primitive root in $\mathbb{Z}_p$. Alice randomly chooses an exponent $x_a$, sending $k_a = g^{x_a} \bmod p$ to Bob. Similarly, Bob computes and responds to Alice with $k_b = g^{x_b} \bmod p$. Each one performs the exponentiation again using the received number, such that at Alice's side Both results are equal since modular exponentiation obeys all of the normal rules of ordinary exponentiation. Unlike RSA, in the Diffie-Hellman algorithm there is no need to keep the prime number $p$ secret. The security of the shared key depends on the difficulty that given $g$, $k_a$ and $k_b$ it is computationally intractable to compute the value of $g^{x_a x_b} \bmod p$.

ElGamal cipher
The ElGamal cipher is based on the Diffie-Hellman key exchange algorithm. Suppose $k_a$ and $k_b$ are shared publicly; to send an encrypted message to Bob, Alice obtains $k = g^{x_b} \bmod p$. Now, she chooses a random $x_a$ to get a one-time key $k_s = g^{x_a x_b} \bmod p$. Alice computes $C_1 = g^{x_a} \bmod p$ and encrypts the message as $C_2 = M \cdot k_s \bmod p$. Then she sends $(C_1, C_2)$ to Bob, who uses $C_1$ to compute $k_s = g^{x_a x_b} \bmod p$. Finally, Bob obtains the multiplicative inverse of $k_s$ to retrieve the original message, so $M = M \cdot k_s \cdot k_s^{-1} \bmod p$.

Discussion
Several key exchange methods have been proposed to establish a secret integer between two remote parties [30][31][32]. Unfortunately, such protocols are supported on factorization problem and DH problem, which are known to be vulnerable to quantum computers [24]. Previously, we described RSA, DH and ElGamal because as we will discuss next, KEP is closely related to them. Non-invertible KEP is supported by Euler's theorem as RSA, it uses exponentiation to exchange a secret key as DH, and it encrypts/decrypts through invertible multiplication as ElGamal. However, we have taken advantage of the main properties of each of them to achieve a post-quantum cryptosystem whose security does not rely on the integer factorization or the discrete logarithm problem.

Multiplication-based protocol
As stated in the previous section, in a ring with unity over $\mathbb{Z}_n$, an integer may or may not have a multiplicative inverse. The great majority of cryptographic systems based on number theory have not been interested in non-invertible integers. In contrast, we are interested not just in invertible but also in non-invertible (multiplicative) integers.
The multiplication-based protocol is supported by the basic properties of modular multiplication. To simplify the explanation of this and subsequent protocols, we have omitted the operation symbol $\bmod n$ in text and figures (see Table 1).

1. The multiplication of an invertible integer denoted as $k$ (the multiplicative inverse is written as $k^{-1}$) and a non-invertible number called $v$ (which means that $v^{-1}$ does not exist in $\mathbb{Z}_n$) gives a non-invertible integer, say $w$ (therefore $w^{-1}$ would not exist in $\mathbb{Z}_n$). To see that however, we have chosen $v$ as a non-invertible number, so $v$ does not meet a multiplicative integer that yields unity. Thus, we arrived to a contradiction that suggests $w$ is a non-invertible integer in $\mathbb{Z}_n$.
Following the same argumentation, we arrive at the next statements:
2. The multiplication of an invertible integer $k_i$ and another invertible one $k_j$ gives an invertible integer.
3. The multiplication of a non-invertible integer $v$ and another non-invertible integer $w$ gives a non-invertible integer.
Table 1 (recoverable entries): The product of an invertible by a non-invertible integer gives a non-invertible integer. The product of an invertible integer by its inverse produces unity.
From the previous statements, we can explain the multiplication-based protocol. The protocol is aimed to transfer a secret value generated by Alice, say $v_a$, to the remote side called Bob through a public channel in the presence of an eavesdropper named Eve. To initialize the protocol, Alice and Bob must generate the integer values listed in Table 2.
The general idea of the protocol can be described in the following words: Alice multiplies $v_a$ with an integer key $k_a$ to hide it; then, she sends the result to Bob, who "encrypts" the input with his integer key $k_b$, returning the resulting number to Alice. Now, she removes her key $k_a$ using $k_a^{-1}$ and sends the result to Bob. Finally, Bob removes his integer key from the input applying $k_b^{-1}$. At this point, Bob has obtained $v_a$. The protocol is illustrated in Fig. 1 and described in Table 1 where Alice transmits $v_a$ to Bob. We remark that $v_a \cdot k_a$ does not have a corresponding inverse, that is $(v_a \cdot k_a)^{-1}$ does not exist, otherwise the attacker could factorize the second message $v_a \cdot k_a \cdot k_b$, that is Similarly, the attacker could not factorize it using the third message $v_a \cdot k_b$.

Security analysis
Eve could capture the messages across the public channel, $v_a k_a$, $v_a k_a k_b$ and $v_a k_b$; then she proceeds as described by the following strategy:
1. Eve multiplies $v_a k_a k_b$ by each invertible integer in $\mathbb{Z}_n$ until she gets $v_a k_a$ or $v_a k_b$.
2. If she obtains $v_a k_a$, it is because she has found $k_b$.
3. If she obtains $v_a k_b$, it implies she has found $k_a^{-1}$. Then she computes $v_a k_a \cdot k_a^{-1}$ to get $v_a$.
In this strategy, Eve must find a matching integer in a search space whose size is proportional to the length of $\varphi(n)$. However, Eve would decide to apply a better strategy than exhaustive search, but before we examine it let us recall some important points: From modular arithmetic, it must be considered that in a field, denoted as $\mathbb{Z}_p$, where $p$ is a prime number, all integers are invertible. Also, the division property in $\mathbb{Z}_n$ is written in Eq. (1).
The relation can be applied inversely; thus after multiplying the right hand of the equation by $p$, we recover $p \cdot x_i \bmod pq$. Using those properties, Eve can attack the multiplication-based protocol as indicated in Table 3 to derive the secret value $p \cdot x_a \bmod pq$.

Fig. 1 Multiplication-based protocol. All computations in the protocol are performed $\bmod pq$. The prime numbers $p$ and $q$ are known publicly.

Table 3 The attacker applies $p$ division to compute the multiplicative inverses of the public numbers to derive the secret value $p x_a \bmod pq$.

| Message | p division | First factorization | Second factorization | p multiplication |
|---|---|---|---|---|
| $p x_a k_a \bmod pq$ | $x_a k_a \bmod q$ | | | |
| $p x_a k_a k_b \bmod pq$ | $(x_a k_a) k_b \bmod q$ | $k_b \bmod q$ | | |
| $p x_a k_b \bmod pq$ | $x_a k_b \bmod q$ | | $x_a \bmod q$ | $p x_a \bmod pq$ |
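The following Python sketch is an added example, not code from the paper: it runs the three-message multiplication-based protocol and then the p-division steps of Table 3 on the captured messages. The primes 1009 and 2003, the function names and the sample keys are constructed assumptions chosen only to make the arithmetic visible.

```python
from math import gcd

# Constructed toy parameters (assumptions, not values from the paper).
P, Q = 1009, 2003          # public primes p and q
N = P * Q                  # all protocol arithmetic is done in Z_pq


def is_invertible(m):
    """An integer has a multiplicative inverse in Z_pq iff gcd(m, pq) == 1."""
    return gcd(m, N) == 1


def run_protocol(x_a, k_a, k_b):
    """Run the protocol; return (v_a, value Bob ends with, wire messages)."""
    if not (is_invertible(k_a) and is_invertible(k_b)):
        raise ValueError("k_a and k_b must be invertible in Z_pq")
    if x_a % Q == 0:
        raise ValueError("x_a must not be a multiple of q (v_a would be 0)")
    v_a = (P * x_a) % N                      # non-invertible secret p * x_a
    m1 = (v_a * k_a) % N                     # A -> B : v_a k_a
    m2 = (m1 * k_b) % N                      # B -> A : v_a k_a k_b
    m3 = (m2 * pow(k_a, -1, N)) % N          # A -> B : v_a k_b
    bob_view = (m3 * pow(k_b, -1, N)) % N    # Bob removes k_b
    return v_a, bob_view, (m1, m2, m3)


def p_division(m):
    """Division property: (p * x mod pq) / p equals x mod q."""
    if m % P != 0:
        raise ValueError("message is not a multiple of p")
    return (m // P) % Q


def division_attack(m1, m2, m3):
    """Table 3: recover p * x_a mod pq from the three public messages."""
    a1, a2, a3 = p_division(m1), p_division(m2), p_division(m3)
    # In the field Z_q every non-zero value is invertible.
    k_b_mod_q = (a2 * pow(a1, -1, Q)) % Q          # first factorization
    x_a_mod_q = (a3 * pow(k_b_mod_q, -1, Q)) % Q   # second factorization
    return (P * x_a_mod_q) % N                     # p multiplication


if __name__ == "__main__":
    # Constructed sample private values.
    secret, bob, wire = run_protocol(x_a=123456, k_a=4242, k_b=9001)
    print("Bob recovers v_a:", bob == secret)
    print("wire messages invertible in Z_pq:", [is_invertible(m) for m in wire])
    print("eavesdropper recovers v_a:", division_attack(*wire) == secret)
```

None of the three wire messages is invertible in $\mathbb{Z}_{pq}$, yet each becomes an ordinary element of the field $\mathbb{Z}_q$ after division by the public prime, which is why this first stage does not protect $v_a$.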

Exponent-based protocol
We have indicated in Sect. 3 that multiplying an integer number (invertible or not) by another non-invertible integer in $\mathbb{Z}_n$ always results in a non-invertible number. Similarly, the multiplication of an invertible integer by another invertible integer always yields an invertible number. As a consequence, the integer number that results after exponentiation, say $p^{x_a}$, is always a non-invertible integer.
The exponent-based protocol is presented in Table 4 and Fig. 2.
The exponent-based protocol is intended to pass $p^{x_a}$ securely from Alice to Bob. Unfortunately for this version of the protocol, as occurred in the multiplication-based one, Eve can use the division property to find the secret number $p^{x_a} \bmod pq$. The steps are indicated in Table 5.

Non-invertible KEP
We must emphasize that the protocols discussed so far (multiplication and exponent-based) fail when trying to pass secretly an integer number from Alice to Bob over a public channel. To overcome the limitations described before, we will introduce Euler's theorem to the exponent-based protocol, giving what we call non-invertible KEP. By contrast to secret transfer, this protocol is a key exchange protocol (KEP). The non-invertible KEP is described in Table 6 and Fig. 3. As used before, the numbers $\{p^{x_a} k_a, q^{y_a} k_a, n\}$ and $\{p^{x_b} k_b, q^{y_b} k_b, n\}$ along with the prime numbers $p$, $q$ and $r$ are publicly known by Alice and Bob. On the other hand, $\{x_i, k_i\}$ constitutes the private key of Alice (or Bob, respectively). Now, let us detail the steps of the protocol.
1. Alice and Bob agree to use a module n, so they compute the integers represented in Table 7. Now, they exchange them through a public channel.

2. Alice and Bob perform two operations over the numbers received: exponentiation and multiplication as indicated in Table 8.
3. Table 8 requires us to apply Euler's theorem defined in $\mathbb{Z}_n$, which is written in Eq. (2). Here, $k$ and $n$ are relatively prime to each other. Then, for correctness of the algorithm, $x_i$ and $y_i$ must sum up to $\varphi(n) + 1$. Thus, according to Eq. (2), we have $k^{\varphi(n)+1} = k^{\varphi(n)} \cdot k^{1} = k$ because $k$ is an invertible integer in $\mathbb{Z}_n$.
4. Alice sends to Bob the resulting value $p^{x_b x_a} q^{y_b y_a} \cdot k_b \bmod n$, who applies $k_b^{-1}$ to derive the number $p^{x_b x_a} q^{y_b y_a} \bmod n$. Similarly, Bob sends $p^{x_a x_b} q^{y_a y_b} \cdot k_a \bmod n$ to Alice, who uses $k_a^{-1}$ to get the shared secret $k_s = p^{x_a x_b} q^{y_a y_b} \bmod n$.

Table 4 (recoverable entries): The power of a non-invertible integer is a non-invertible integer. The product of an invertible by a non-invertible integer gives a non-invertible integer. The product of an invertible integer by its inverse produces unity. $B: p^{x_a} k_b k_b^{-1} = p^{x_a}$.

Fig. 2 The exponent-based protocol. All computations in the protocol are performed $\bmod pq$. The non-invertible number $p^{x_a}$ is multiplied by the invertible $k_a$ before it is sent to Bob.

Table 5 The division attack over the exponent-based protocol. The attacker computes the multiplicative inverse of every public integer to get $p^{x_a} \bmod pq$.

| Message | p division | First factorization | Second factorization | p multiplication |
|---|---|---|---|---|
| $p^{x_a} k_a \bmod pq$ | $p^{x_a - 1} k_a \bmod q$ | | | |
| $p^{x_a} k_a k_b \bmod pq$ | $(p^{x_a - 1} k_a) k_b \bmod q$ | $k_b \bmod q$ | | |
| $p^{x_a} k_b \bmod pq$ | $(p^{x_a - 1}) k_b \bmod q$ | | $p^{x_a - 1} \bmod q$ | $p^{x_a} \bmod pq$ |

Table 6 (recoverable entries): A secret number is established between Alice and Bob using non-invertible power and Euler's identity. $A \to B: p^{x_a} k_a,\ q^{y_a} k_a$, with $x_a + y_a = \varphi(n) + 1$. $(p^{x_a} k_a)^{x_b} (q^{y_a} k_a)^{y_b} = p^{x_a x_b} q^{y_a y_b} k_a$. $A: p^{x_a x_b} q^{y_a y_b} k_a k_a^{-1} = p^{x_a x_b} q^{y_a y_b}$. The product of an invertible integer by its inverse produces unity. $B: p^{x_a x_b} q^{y_a y_b} k_b k_b^{-1} = p^{x_a x_b} q^{y_a y_b}$.

Fig. 3 Non-invertible KEP. All computations in the protocol are performed $\bmod pqr$. Here, $k_s$ represents the shared secret key. The sum $x_i + y_i$ is equivalent to $\varphi(n) + 1$.

Table 7 The modulo $n$ is computed as $pqr$; $n$ and the prime numbers $p$, $q$ and $r$ are publicly known. The private key is $(x_i, k_i)$ where $i = a, b$.

| User | Public Key |
|---|---|
| Alice | $\{P_{ap} = p^{x_a} \cdot k_a \bmod n,\ P_{aq} = q^{y_a} \cdot k_a \bmod n\}$ |

Cipher system
In Fig. 3, the number $k_s$ is a non-invertible integer in $\mathbb{Z}_n$; thus, a convenient method to achieve a cipher system and secret communication is to divide the shared number $k_s = p^{x_a x_b} q^{y_a y_b} \bmod pqr$ by $pq$, so $k_r = p^{x_a x_b - 1} q^{y_a y_b - 1} \bmod r$. Now, its multiplicative inverse $k_r^{-1}$ can be computed. The enciphered message is obtained as $c = m \cdot k_r \bmod r$ and the original plaintext is recovered through the relation $m = c \cdot k_r^{-1} \bmod r$ because $m = m \cdot k_r k_r^{-1} \bmod r$. To send a message number, the integer $m$ must be less than $r$.
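The key exchange steps and the cipher system described above can be traced end to end with the Python sketch below. It is an added example, not code from the paper, and it follows the general form $n = pqr$ with $x_i + y_i = \varphi(n) + 1$; the small distinct primes, the function names and the sample private values are constructed assumptions.

```python
from math import gcd

# Constructed toy parameters (assumptions, not values from the paper).
P, Q, R = 3, 5, 1019                      # public primes p, q, r
N = P * Q * R                             # public modulus n = pqr
PHI = (P - 1) * (Q - 1) * (R - 1)         # Euler's totient of n


def keygen(x, k):
    """Private key (x, y, k) with x + y = phi(n) + 1; public key (P_p, P_q)."""
    if not 1 <= x <= PHI:
        raise ValueError("x must lie in [1, phi(n)] so that y >= 1")
    if gcd(k, N) != 1:
        raise ValueError("k must be invertible in Z_n")
    y = PHI + 1 - x
    public = (pow(P, x, N) * k % N, pow(Q, y, N) * k % N)
    return (x, y, k), public


def respond(peer_public, own_private):
    """Raise the peer's components to own x and y and multiply them.

    The peer's key appears with exponent x + y = phi(n) + 1, so by Euler's
    theorem the result is p^(x x') q^(y y') * k_peer mod n.
    """
    x, y, _ = own_private
    peer_p, peer_q = peer_public
    return pow(peer_p, x, N) * pow(peer_q, y, N) % N


def unmask(received, own_private):
    """Remove one's own invertible key k from the value sent back."""
    return received * pow(own_private[2], -1, N) % N


def cipher_key(k_s):
    """Divide the non-invertible k_s by pq to get an invertible k_r in Z_r."""
    if k_s % (P * Q) != 0:
        raise ValueError("k_s is expected to be a multiple of pq")
    return (k_s // (P * Q)) % R


def encrypt(m, k_r):
    if not 0 <= m < R:
        raise ValueError("message must be less than r")
    return m * k_r % R


def decrypt(c, k_r):
    return c * pow(k_r, -1, R) % R


def exchange(x_a, k_a, x_b, k_b):
    """Return (Alice's k_s, Bob's k_s, (T_ab, T_ba)) for the given keys."""
    a_priv, a_pub = keygen(x_a, k_a)
    b_priv, b_pub = keygen(x_b, k_b)
    t_ba = respond(a_pub, b_priv)         # Bob -> Alice, still carries k_a
    t_ab = respond(b_pub, a_priv)         # Alice -> Bob, still carries k_b
    return unmask(t_ba, a_priv), unmask(t_ab, b_priv), (t_ab, t_ba)


if __name__ == "__main__":
    # Constructed sample private values.
    ks_a, ks_b, wire = exchange(x_a=17, k_a=7726, x_b=2500, k_b=4001)
    k_r = cipher_key(ks_a)
    c = encrypt(777, k_r)
    print("shared k_s agrees:", ks_a == ks_b)
    print("T_ab, T_ba invertible:", [gcd(t, N) == 1 for t in wire])
    print("ciphertext:", c, "decrypts to:", decrypt(c, k_r))
```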
Security analysis

Indistinguishability of the public key
To achieve indistinguishability of the public key (so it can be derived from every message in the ring; for details about indistinguishability see [33]), we need $p$ and $q$ to be primitive roots of $r$. Since the prime integers with primitive roots take the form 2, 4, $p^{t}$, and $2p^{t}$, where $p$ is any prime and $t$ is a positive integer [34], we must redefine our prime numbers as follows: $n = p \cdot q \cdot r$, but making $p = q = 2$, $n = 4 \cdot r$, where $r$ is a large prime number such that 2 is a primitive root of $r$ and it can be chosen as a usual safe prime. Therefore, the components of the public key (Alice or Bob) are: $P_p = 2^{x} k \bmod 4r$, $P_q = 2^{y} k \bmod 4r$.

$k^{\varphi(n)} \equiv 1 \bmod n \qquad (2)$

Multiplication-based attack
The selection of the prime integers as explained previously makes the protocol vulnerable to a multiplication attack. This attack occurs when $p = q$, thus $n = p^{2} r$ but $\varphi(p^{k} r) = p^{k-1}(r - 1)$; now the eavesdropper performs the product of the components $P_p$ and $P_q$ of the public key. If $p = q = 2$, then $\varphi(4r) = 2r - 2$, so: From here, Eve can derive the private key $k$. To avoid such attack, we must introduce the following change to the first component of the public key $P_p$: Now, Eve cannot compute the multiplicative inverse of $2^{x}$ because she does not know $x$. Thus, she cannot obtain $k$.
The relation between the secret key and the private components $x_i$ ($i = a, b$) can be written as: To prove that indistinguishability is present in the first component of a user's public key $P_p = 2^{2x} k \bmod 4r$, we suggest the following procedure:
1. Derive the set of valid messages for $P_p$, say $M_p$. Consider $m \cdot k \bmod 4r$ where $m$ is computed as $m = 2^{2x} \bmod 4r$ and $x$ is an integer taken from $X_p = \{0, 1, 2, \ldots, r - 1\}$. Multiplying $m$ by $2^{-1}$ we get $m' = 2^{2x-2} \bmod r$. Now, since 2 is a primitive root of $r$, the number of valid messages is $|M_p| = (r - 1)/2$ because the exponent $2x - 2$ yields just even numbers. That is, $M_p = \{2^{2} \bmod 4r, 2^{4} \bmod 4r, 2^{6} \bmod 4r, \ldots, 2^{r-1} \bmod 4r\}$ so $|M_p| = (r - 1)/2$.
2. Pick up a message $m_a$ from $M_p$. Then compute $c_a$ from the relation $m_a \cdot k_a \bmod 4r = c_a$ where $k_a$ is an invertible integer in $\mathbb{Z}_{4r}$.
3. To determine whether $c_a$ can be derived from every message in the set $M$, consider the relation $m_i \cdot k_i \bmod 4r = c_a$ where $m_i \in M$ and $k_i$ is an invertible integer in $\mathbb{Z}_{4r}$. Since $m_i = 2^{2x_i} \bmod 4r$, then $2^{2x_i} \cdot k_i \bmod 4r = c_a$. Therefore $2^{2x_i - 2} \cdot k'_i \bmod r = c_a \cdot 2^{-2}$, then $k'_i = c_a \cdot 2^{-2} \cdot (2^{2x_i - 2})^{-1} \bmod r$ and $k_i = 4k'_i \bmod 4r$. The multiplicative inverse of $2^{2x_i - 2}$ always exists because in $\mathbb{Z}_r$ all the integers are invertible.

Table 8 (recoverable entry): Bob: $(p^{x_a} \cdot k_a \bmod n)^{x_b} \cdot (q^{y_a} \cdot k_a \bmod n)^{y_b} = p^{x_a x_b} q^{y_a y_b} \cdot k_a \bmod n$
From the last discussion, we realize that a given ciphertext can be derived from every valid message in $M_p$. In addition, we have $|M_p| = |C_p| = (r - 1)/2$. An equivalent formulation of indistinguishability is that, given two or more messages from $M$, the distribution over the ciphertext they produce is the same [33]. In other words, for every message in $M_p$ the set of integers in $C_p$ can be derived. Symbolically, we must prove that given $m_a \in M_p$ it holds that $m_a \cdot k_i \bmod 4r = c_i$ for every $c_i \in C_p$. Since $k_i$ is an invertible integer in $\mathbb{Z}_{4r}$, we have $m_a = c_i \cdot k_i^{-1} \bmod 4r$.
As an example, consider $p = q = 2$, $r = 13$ (2 is a primitive root of 13), thus $n = 4r = 52$, $|k_i| = \varphi(4r) = 24$, so there are 24 invertible integers and $52 - 24 = 28$ non-invertible integers in $\mathbb{Z}_{52}$. From a given ciphertext $c_a$, every message $m_i$ in $\mathbb{Z}_{52}$ can be obtained. Conversely, given a message $m_a$, every ciphertext $c_i$ in $\mathbb{Z}_{52}$ can be obtained. Now, let us apply the same procedure to the second component of the public key $P_q = 2^{2r-1-x} k \bmod 4r$:
1. Let $M_q$ be the set of valid messages for $P_q$. If we take $m \cdot k \bmod 4r$, $m = 2^{2r-1-x} \bmod 4r$ such that $x < 2r - 1$. From here $m' = 2^{2r-3-x} \bmod r$. Once again, since 2 is a primitive root of $r$ and taking $x$ from $\{2r - 1, 2r - 2, \ldots, r\}$ we get that the set of valid messages is $M_q = \{2^{2r-1} \bmod 4r, 2^{2r-2} \bmod 4r, 2^{2r-3} \bmod 4r, \ldots, 2^{r} \bmod 4r\}$ so $|M_q| = r - 1$.

Indistinguishability of the ciphertext
As stated before, the cipher system works under the following relations: where $m$ and $k_r$ are integers in $\mathbb{Z}_r$. It can be written $m \in \mathbb{Z}_r$ where $\mathbb{Z}_r = \{0, 1, \ldots, r - 1\}$. However, the multiplication $c = m \cdot k_r \bmod r$ produces a permutation of the integers in $\mathbb{Z}_r$ because $r$ is a prime integer, and hence, we have $c \in \mathbb{Z}_r$. As a result, we get that

Non-invertibility
We discuss whether a message could be factored from any other message revealed by the protocol. After the public keys have been published, the key exchange protocol (KEP) requires the exchange of just two messages (in contrast to the previous protocols discussed in Sects. 2 and 3, which require three messages; see Figs. 1 and 2). As a consequence, the protocol makes it infeasible to perform factorization, because no message is a prefix of the other. It implies, symbolically, that $p^{x_a x_b} q^{y_a y_b} k_a$ is not a prefix of $p^{x_a x_b} q^{y_a y_b} k_b$ or vice versa. The integers exchanged across the public channel are:
$T_{ab} = p^{x_a x_b} q^{y_a y_b} k_b \bmod pqr$
$T_{ba} = p^{x_a x_b} q^{y_a y_b} k_a \bmod pqr$
If $T_{ab}$ were an invertible integer, Alice could obtain $T_{ab}^{-1}$, that is $\{p^{x_a x_b} q^{y_a y_b}\}^{-1} k_b^{-1} \bmod pqr$; from here she could multiply $T_{ab}^{-1}$ with $T_{ba}$, that is she would obtain Bob's private key $k_b$. However, the last procedure cannot be executed since $T_{ab}$ is a non-invertible integer in $\mathbb{Z}_n$. Moreover, $T_{ba}$ and the public keys are all non-invertible integers.

Performance
In the non-invertible KEP, we define $p = q = 2$ to guarantee indistinguishability of the ciphertext and public key. This is so because the prime integer $r$ is chosen such that 2 is a primitive root of $r$. Fortunately, the condition $p = q = 2$ produces acceptable lengths of the public and private keys. The number of invertible integers in $\mathbb{Z}_{4r}$ is $2r - 2$ because $p = q = 2$, while the number of non-invertible integers is $4r - (2r - 2) = 2r + 2$. So, the quantity of invertible and non-invertible integers inside $\mathbb{Z}_{4r}$ is of the same size order, around $2r$. Let $2^{2x} \cdot k \bmod 4r$ be Alice's public key. The length of $x$ can be computed using the relation $2^{2x} \bmod 4r$. Therefore, the length of $x$ is around a half of the prime size, that is $|x| \sim |r|/2$, where the symbol $|\cdot|$ denotes the length of the integer in bits. Similarly, using $k \bmod 4r$ we get that $|k|$ is around $|r|$.
To achieve secrecy in the quantum era, we would consider $|x| \geq 256$ and $|k| \geq 256$ to resist an attack by exhaustive search by means of the quantum Grover algorithm [35]. A more realistic example using a safe big prime [36] is shown in "Appendix 2." Time to generate keys is around a millisecond.

Comparison
Results using Sagemath [37] demonstrate that encryption and decryption of the non-invertible KEP are faster compared to RSA and ElGamal. Here, the prime number generation process is avoided using a fixed safe prime integer. In addition, Table 9 shows a comparison of Lizama's protocol and main cryptosystems used today. To compare them, we used the following criteria: The prime integers are publicly known, the system is allowed to perform encryption/ decryption, and the computational problem is supported on prime factorization or discrete logarithm. Then due to Shor's quantum algorithm, we have that DH-ElGamal and RSA are not suitable for the quantum era.
We argue that the KEP protocol achieves perfect secrecy because public keys can be derived from any valid message in ℤ n . Thus, the non-invertible KEP seems to be resistant to quantum computing.

Conclusions
We introduced the non-invertible key exchange protocol (KEP). This protocol shows some important properties: it is public key, allows secret key establishment and performs secret communication between two remote parties. Most remarkably, since it does not rely on computational problems such as integer factorization or discrete logarithm, non-invertible KEP becomes a promising candidate for the quantum era.
Lizama's protocol shows indistinguishability of the public keys and encrypted texts. It requires minimum time for encryption/decryption when compared with the main public key algorithms such as DH-ElGamal or RSA. Another advantage of this system is its well understood theoretical basis when compared with other algorithms for the quantum era.

Compliance with ethical standards
Conflict of interest The authors declared that they have no conflicts of interest to this work.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Multiplicative inverse
If is a ring, there may be elements in which have a multiplicative inverse. Such elements are said to be invertible [38].
In the set $\mathbb{R}$ of the real numbers, every nonzero element is invertible. However, in $\mathbb{Z}$ only 1 and −1 are invertible. Zero is never an invertible number. The integer $k_a$ in $\mathbb{Z}_n$ has a multiplicative inverse if and only if $\gcd(k_a, n) \equiv 1 \bmod n$. The extended Euclidean algorithm is often used to compute the multiplicative inverse of $e$ in $\mathbb{Z}_n$ provided the inverse exists. We can write the multiplicative inverse of $k_a$ as $k_a^{-1}$ so that $k_a k_a^{-1} = 1$ in the modulo $n$. For example, 7 is the inverse of 3 because $3 \cdot 7 = 1$ in the modulo 10. We must remark that, provided the inverse of an integer exists in $\mathbb{Z}_n$, such inverse is unique.

Euler's totient function
In number theory, Euler's totient function $\varphi(n)$ gives the number of invertible integers in $\mathbb{Z}_n$, that is, the integers in $\mathbb{Z}_n$ which are relatively prime to $n$. What we would like to emphasize here is that if $n$ is not a prime number, some integers in $\mathbb{Z}_n$ are invertible and others are not. As an example take $n = 10$; in $\mathbb{Z}_{10}$ we have the invertible integers $\{1, 3, 7, 9\}$ and the non-invertible numbers $\{0, 2, 4, 5, 6, 8\}$, so in this case $\varphi(10) = 4$.
Euler's function counts the number of integers with multiplicative inverses. It is known by Euler's theorem that if $a$ is a unit in $\mathbb{Z}_n$, then $a^{\varphi(n)} \equiv 1 \pmod{n}$ and $a^{\varphi(n)-1} \pmod{n}$ returns the multiplicative inverse of $a$ in $\mathbb{Z}_n$ [39].

Perfect security
According to [33], an encryption scheme (Gen, Enc, Dec) over a message space M is perfectly secret if for every probability distribution over M , every message m ∈ M , and every ciphertext c ∈ C for which Pr[C = c] > 0 it is true that

Perfect indistinguishability
Another equivalent formulation of perfect secrecy [33] formalizes that the ciphertext contains no information about the plaintext, that is, the probability distribution over $C$ is independent of the plaintext. Symbolically, for every $m_0, m_1 \in M$, the distributions $C(m_0)$ and $C(m_1)$ are identical.