A Group Law on the Projective Plane with Applications in Public Key Cryptography †

Abstract: In the context of new threats to Public Key Cryptography arising from a growing computational power both in classic and in quantum worlds, we present a new group law defined on a subset of the projective plane $FP^2$ over an arbitrary field $F$, which lends itself to applications in Public Key Cryptography and turns out to be more efficient in terms of computational resources. In particular, we give explicitly the number of base field operations needed to perform the mentioned group law. Based on it, we present a Diffie-Hellman-like key agreement protocol. We analyze the computational difficulty of solving the mathematical problem underlying the proposed Abelian group law and we prove that the security of our proposal is equivalent to the discrete logarithm problem in the multiplicative group of the cubic extension of the finite field considered. We present an experimental setup in order to show real computation times along with a comparison with the group operation in the group of points of an elliptic curve. Based on current state-of-the-art algorithms, we provide parameter ranges suitable for real world applications. Finally, we present a promising variant of the proposed group law, by moving from the base field $F$ to the ring $Z/pqZ$, and we explain how the security becomes enhanced, though at the cost of a longer key length.


Introduction and Related Work
Neal Koblitz [1] and Victor Miller [2] independently but simultaneously presented proposals that made use of the multiplicative group of a finite field in order to implement certain asymmetric cryptosystems. Koblitz presented an implementation of the Diffie-Hellman key-agreement protocol [3] based on the use of elliptic curves. For his part, Miller offered a proposal more on the theoretical side, avoiding comparisons with existing implementations. In all those cases, the security is based on the infeasibility of the discrete logarithm problem over elliptic curves (ECDLP), which is to this day considered as difficult as the integer factorization problem (IFP), upon which the RSA [4] cryptosystem is based, or the discrete logarithm problem (DLP) employed in the ElGamal cryptosystem [5].
The Diffie-Hellman key-agreement protocol for elliptic curves (ECDH) consists essentially in mapping the operations customarily carried out in the multiplicative group $Z_p^*$ to the set of points of an elliptic curve, endowed with an additive group operation. However, this protocol painfully succumbs in the face of a plain man-in-the-middle attack and, for this reason, Menezes, Qu, and Vanstone IEEE 1363 [19], and FIPS 186-4 [20], issued by the National Institute of Standards and Technology (NIST) of the USA. However, in practice, such standards lack precision and clarity when it comes to selecting seeds for random generation, or prime numbers, thus limiting their ability to serve really practical purposes.
For these reasons, several initiatives have ripened, such as Brainpool [21], considered to be the first international proposal to provide clear and transparent procedures in order to generate the parameters of elliptic curves for cryptographic purposes. Under the Brainpool initiative, several elliptic curves, presented in reduced Weierstrass format, have been considered safe beyond any doubt by many experts.
Later on, researchers Daniel Bernstein and Tanja Lange [22] reviewed the elliptic curve generation procedures, including those in Brainpool. In particular, they scrutinized 20 curves from several sources under a number of security requirements that they considered a must. The result was that only Edwards and Montgomery curves [23] satisfied those requirements. In view of this outcome, the experts decided to propose a new set of curves, known as SafeCurves, that really met the set of safety requirements [22]. Moreover, Baignères [24] proposed a new Edwards elliptic curve (the so-called million dollar curve) by means of a new technique that insists on the randomness of the input parameters to the generation process.
In spite of those efforts, the currently most deployed elliptic curves, both in hardware and software implementations, are those presented in the reduced Weierstrass format, whereas Edwards or Montgomery curves are seldom used, maybe because the additional security provided by them is not worth their lower computation efficiency (multiplications with scalars). A performance comparison among the three types of curves cited above can be found in [25]. In the latter, the authors resorted to the examples provided by the initiative SafeCurves, together with a Java implementation developed by them. Koyama et al. proposed in [26] the use of elliptic curves over the ring $Z_n$, where $n$ is an odd composite square-free integer. In particular, $n$ is the product of two large primes, as in the RSA cryptosystem. The security of the cryptosystem of Koyama et al. is based upon IFP, though the authors did not prove whether solving the IFP was equivalent to breaking their cryptosystem. Later on, Meyer and Müller proved in [27] that breaking a modified version of Koyama's cryptosystem was indeed equivalent to factorizing $n$. In addition, they proposed a digital signature scheme based on elliptic curves defined over $Z_n$.
Another interesting question is the ever growing necessity of implementing elliptic curve cryptography on ubiquitous portable devices (smartphones, smart cards, pen-drives, and the like), which gives rise to new challenges. Actually, these devices normally present severe limitations regarding storage capacity or processing power, as compared with ordinary desktop computers. Elliptic curve cryptography is amenable to these devices since key sizes are much smaller than in other cryptosystems (for example, RSA) for similar security levels.
It is very common nowadays to find elliptic curve cryptography on such devices, and hence implementations of multiplication operations. These operations, in turn, are threatened by the ever more powerful side channel and fault injection attacks. For example, Reference [28] documents recent developments on those side channel attacks to ECC implementations. It is completely necessary to implement the multiplication algorithms in such a way that they do not leak any information to possible attackers. Reference [29] describes some options to avoid such attacks when implementing scalar multiplications for elliptic curves.
It is also very well known that the advent of a universal quantum computer with sufficient computation power could break the most commonly used asymmetric cryptosystems. In fact, Shor's algorithm [30], proposed in 1997, is known to solve IFP and DLP (or ECDLP) in polynomial time if such a quantum computer exists; however, there is no agreement as to how many qubits would be required to execute Shor's or other quantum algorithms, but some estimations point to a number of qubits several orders of magnitude larger than the number of qubits available in currently existing quantum computers [31]. Should such a number of qubits be available, IFP or DLP could be solved in a matter of hours. For example, a personal computer needs, roughly speaking, $O\left(2^{\sqrt[3]{\log n}}\right)$ bit operations to factor a number $n$, whereas a quantum computer executing Shor's algorithm could perform such factorization with only $O(\log^3 n)$ bit operations and using $O(\log n)$ bit storage.
Though it seems that a quantum computer with the required computation power will not be available any time soon, the new source of attacks coming from quantum world and the need to ensure that the information protected by current asymmetric systems continues to be accessible forced the NIST to launch an international call [32] for new cryptographic algorithms resilient to the power leveraged by quantum computation: the so-called quantum-resistant algorithms. These are expected to cover at least proposals for new asymmetric encryption schemes, digital signature schemes, and key encapsulation mechanisms (KEM). The main quantum-resistant proposals include difficult problems stemming from coding theory, lattices, hash functions, and isogenies over elliptic curves, to mention just a few. In January 2019, the NIST published the list of submitted algorithms that have passed on to the second round of the call [33]. Among them, there stands the proposal SIKE as a key encapsulation mechanism that is based on isogenies over elliptic curves.
The previous paragraphs summarize the current state of affairs regarding classic and quantum cryptography and make it clear that there is much to be done in both classic and quantum worlds. Taking that current context into account, this work presents a new group law defined on a subset of the projective plane $FP^2$ over an arbitrary field $F$, which lends itself to applications in public key cryptography. Apart from the mathematical novelty implied, this new group law presents several features of value for public key cryptosystems, such as:
• a Diffie-Hellman-like key agreement, since such protocol remains a basic piece for any hybrid cryptosystem, as commented above.
• an extension to the ring $Z_{pq}$ providing enhanced security, following the same vein as the one followed by [26,27].
• no side channel attacks known to date, given the recentness of this proposal and due to the particular group law defined.
• new research lines, such as defining isogenies over the group structure, thus opening the path to a possibly new quantum-resistant problem.
In a nutshell, the main contribution of this paper is to propose a new group law, defined on the complement of a projective cubic plane curve, prove its properties, and consider the possibility of using it as a building block for cryptographic applications in the field of Public Key Cryptography (PKC).
The paper is organized as follows: Section 2 presents the group law and its main characteristics and properties. In particular, we define the mathematical problem associated with the considered group law, and we give the explicit formulas to compute the group operation of any two elements of the group. These formulas, which involve coefficients from the base field, are applicable to any pair of elements of the group with no exception whatsoever, which is advantageous in view of possible cryptographic applications, since this feature helps, for example, to withstand side channel attacks.
As an application of the defined group law to PKC, a cryptographic protocol, in particular, a Diffie-Hellman-like key agreement protocol, is defined in Section 3. We also analyze the computational difficulty of solving the mathematical problem underlying the defined group law, and we prove that the hardness of our problem is equivalent to that of the discrete logarithm problem on the multiplicative group of the cubic extension of the finite field considered.
In Section 4, we consider an entirely analogous system, but shifting the general base field to the ring Z/pqZ. We make it clear that this last proposal enhances the security of the system, since it now depends not only on DLP but also on the factorization problem, though at the price of doubling the key length.
The last section is devoted to the conclusions.

The Group Law Defined
Our purpose in this section is to search for a particular (finite) group endowed with an internal operation that makes it cyclic provided that certain conditions hold. In the latter case, we define yet another (discrete) logarithm operation, which, if found to be difficult to carry out, may give rise to cryptographic applications.
We will work with three-dimensional vector spaces and their associated two-dimensional projective spaces, defined over finite fields. We will consider a certain cubic curve defined over this ambient projective space, so that the set over which we will define our new group operation is precisely the set of points of the projective space that do not belong to that cubic curve.
We will show the conditions under which the cubic curve has no points in the projective space, which means that the group embraces the full projective space. We will provide the explicit formulas to compute the group law in the base field, and the good news is that these formulas are the same for any of the elements in the group, a feature much cherished in cryptographic settings.
Let F be a field and let us consider a linear endomorphism A : Q is homogeneous of degree 3, and does not depend on A, but only on the characteristic polynomial χ(X) of A.
A new group law $\oplus : V \times V \to V$ is proposed. Let the multiplicative group $F^*$ act on $V$ by the diagonal action, i.e., $\lambda \cdot (x_1, x_2, x_3) = (\lambda x_1, \lambda x_2, \lambda x_3)$, and let $FP^2$ denote the projective plane, namely $FP^2 = (V \setminus \{(0, 0, 0)\})/F^*$. Then, the proposed group law induces an Abelian group law on If the characteristic polynomial $\chi(X)$ is irreducible in $F[X]$, then $Q^{-1}(0) = \{(0, 0, 0)\}$, and therefore the group law extends to the whole projective plane $FP^2$; moreover, if the base field is a finite field $F_q$, with characteristic different from 2 or 3, then the group $G = (F_qP^2, \oplus)$ is proved to be cyclic.
The latter property permits us to apply the notion of discrete logarithm to the group $G$. If we fix a generator $g \in F_qP^2$, then any element $h$ of the group is the addition of $g$ with itself a finite number of times, say $n$, so that $h = g \oplus g \oplus \overset{(n)}{\cdots} \oplus g = [n]g$. The number $n$ is the logarithm of $h$ to the base $g$. Given any element $h \in G$, and a generator $g$ of the group, the discrete logarithm problem (DLP) consists of finding the smallest integer $n$ such that $h = [n]g$. In this work, we prove that the DLP over $G$ with a proper choice of the generator is equivalent to the DLP over the multiplicative group $(F_{q^3})^*$.
Popular current cryptosystems are based on the discrete logarithm problem over different groups, such as the group of invertible elements in a finite field, or the group of points of an elliptic curve with the addition of points as group operation. Our proposal could fit perfectly well in the same niche.
As is the case for analogous public key protocols, the users of the present proposal agree to a single base field $F_q$ and an (irreducible) polynomial: The public system parameters include the base field $F_q$, coefficients $c_1, c_2, c_3 \in F_q$, and a generator $g$.
Next, we prove that the polynomial $Q$ does not depend on $A$, but only on the characteristic polynomial $\chi(X)$ of $A$.
Lemma 1. Let $F$ be a field and let $V$ be the vector space $F^3$. If $A : V \to V$ is a linear map such that the endomorphisms $I, A, A^2$ are linearly independent, then the homogeneous cubic polynomial $Q(x) = \det(x_1 I + x_2 A + x_3 A^2)$ does not depend on the matrix $A$ but only on the coefficients $c_1, c_2, c_3$ of its characteristic polynomial
Proof. Let $\bar{F}$ be the algebraic closure of $F$. As the endomorphisms $I, A, A^2$ are linearly independent, the annihilator polynomial of $A$ coincides with $\chi(X)$ by virtue of the Cayley-Hamilton theorem.
Hence, there exists a basis of $\bar{F}^3$ such that the matrix of $A$ in this basis equals one of the following three matrices: and, from a simple calculation, we obtain for every $i = 1, 2, 3$.

Theorem 1. Every linear map
by the following formula: If C denotes the projective cubic curve defined by Q(x) = 0, then the group law ⊕ also induces a group law from the formula in (3), it follows: (4) In matrix notation, these formulas can equivalently be written as and as a simple computation shows, the determinant of the linear system above is equal to Q(x), where Q is defined by the formula (2). Hence, The commutativity of ⊕ is a direct consequence of the invariance of the formula (4) under the substitutions Moreover, formula (3) can also be written as follows: From the associativity of the composition law of endomorphisms, we deduce Hence, From Equation (4), it follows that the unit element is the point (1, 0, 0), which does not belong to By taking determinants in Equation (3), we obtain Therefore, the opposite element y of x exists and it is given by the following formulas: Finally, if x, y are replaced by λx, µy, respectively, with λ, µ ∈ $F^*$, then z transforms into λµz, thus proving that the group law projects onto $FP^2 \setminus C$.

Remark 1. Note that the Equations (4), allowing one to compute the ⊕ group operation in terms of the coefficients in the ground field, are applicable to any element of the group, with no exception at all.
, and, from the very definition of the norm, we have N(β) = det E β . As a computation shows, we obtain N(β) = Q(β 0 , β 1 , β 2 ), thus proving the first part of the statement.
Moreover, $\chi$ is irreducible if and only if $F[\alpha]$ is a field, and then the only element with norm 0 is in fact $0 \in F[\alpha]$. To see this, assume on the contrary that $N(x) = 0$, with $x \neq 0$ and $x \in F[\alpha]$. Since the norm is a group homomorphism, we can write which is a contradiction. Consequently, the curve $C$ has no point in $FP^2$.
Conversely, if χ is irreducible in F[X], then, according to the second part of Proposition 1, the only solution to the cubic equation Q(x) = 0 is x = 0. Hence, Q must be irreducible, as a reducible cubic admits non-trivial solutions in the ground field. (2), we obtain a cubicQ, which is in Weierstrass form (see [34] [ §2.1]) if and only if the coefficients a, b, and c of the terms (x 3 ) 3 , (x 1 ) 2 x 2 , and x 1 (x 2 ) 2 , respectively, vanish. As a computation shows, we have a =Q(λ 31 , λ 32 , λ 33 ), and we can conclude by applying Proposition 1.

Cyclicity
Theorem 2. If F q is a finite field of characteristic different from 2 or 3 and the polynomial
Proof. Since char F q ≠ 2, 3, the polynomial χ is separable and in its splitting field F q we have χ(X) = (X − α 1 )(X − α 2 )(X − α 3 ), the roots α 1 , α 2 , α 3 being pairwise distinct, and in a certain basis of F q ⊗ F q V the matrix of A is given by the formula (1). As the Galois group G(F q /F q ) acts transitively on the roots of χ, there exist two automorphisms such that σ 2 (α 1 ) = α 2 and σ 3 ( then, for every positive integer n, we have Consequently, if β is a generator of the multiplicative group (F q 3 ) * , then the vector (β 1 , β 2 , β 3 ) generates the group ((F q ) 3 \ {(0, 0, 0)}, ⊕) and its corresponding projective point [β 1 , β 2 ,

Remark 3.
It is important to keep in mind that the implication in Theorem 2 works only in the way in which it is worded. If one selects a generator of the group $G$, it will in general be a generator of only a subgroup of the whole $(F_{q^3})^*$ group. Consequently, when choosing a generator for $G$, it is convenient to pick it from the set of generators in $(F_{q^3})^*$ and, after that, project it onto $F_qP^2$.

Remark 4.
As the order of the group $G = (F_qP^2, \oplus)$ is $q^2 + q + 1$, the statement of Theorem 2 means that there exists an element $\beta \in G$ of order $q^2 + q + 1$. According to the proof of Theorem 2, this is equivalent to saying that the matrix $A$ in (1) is of order $q^2 + q + 1$ in the linear group $GL(F_q, 3)$. A classical result (see [35] [Theorem, p. 379]) states that such a collineation always exists, but we need a direct proof of this fact to be able to apply it below in Section 3.1; see also [36] [Proposition 2.1].

Remark 5.
When the polynomial $\chi$ is reducible, experimental tests carried out in the prime field $F_p$ show that the projective cubic curve $C$ defined as $Q(x) = 0$ has a number of points from the set $\{p + 2, 2p + 1, 3p, p + 1\}$ only.
Since the projective space $F_pP^2$ has a total of $p^2 + p + 1$ points, the group $(F_pP^2 \setminus C, \oplus)$ is left, respectively, If the number of points of $C$ is either $p + 2$ or $2p + 1$, then the group $(F_pP^2 \setminus C, \oplus)$ is still cyclic, and has the expected number of generators, namely, either $\varphi(p^2 - 1)$ or $\varphi(p^2 - p)$, respectively, where $\varphi$ is Euler's totient function.
However, neither of the other two possibilities gives rise to a cyclic group. Rather, for the case where $C$ has $3p$ points, there appears a number of cyclic groups, whose cardinalities are the divisors of $p - 1$; it is important to remark that the total number of points left for the group is precisely $(p - 1)^2$. Thus, the group $(F_pP^2 \setminus C, \oplus)$ can be decomposed as a direct sum of a number of cyclic groups such that the product of their cardinalities is $(p - 1)^2$.
As for the case when $C$ has $p + 1$ points, the group $(F_pP^2 \setminus C, \oplus)$ is not cyclic either and can be decomposed as a direct sum of 2 cyclic groups with $p$ points each. Remark that now the total number of points left for the group is $p^2$, so again the numbers of points of the cyclic groups of this case match the divisors of $p$.

A Cryptographic Protocol
We have presented the group $G = (F_qP^2, \oplus)$ and the conditions under which it is cyclic. In this section, we will show how this group can be used as a basic building block for cryptographic applications, and we will assess its cryptographic security level.
We resort to current state-of-the-art algorithms deployed to attack the discrete logarithm problem. Among them, the index-calculus algorithm stands out since it displays a subexponential expected running time.
Equipped with these tools, we will show how this group permits us to set up a basic, à la Diffie-Hellman, key-exchange protocol, and what cryptographic security is to be expected from it. Actually, we will present the range in which the protocol setup parameters should lie in order to achieve a certain security level.
We also provide an experimental setup that we have carried out in order to obtain computation times for the new group operation on a real setting, along with a comparison with computation times required to sum points on elliptic curves.
First of all, we establish the computational security of the mathematical problem defined over the cyclic group considered. Later on, as an example of cryptographic protocol, we present a Diffie-Hellman-like key agreement protocol.
3.1. Equivalence of DLP in $G$ and $(F_{q^3})^*$
Proposition 2. Let $F_q$ be a finite field of characteristic $\neq 2$ or $3$. Assume the polynomial $\chi(X) = X^3 - c_1 X^2 - c_2 X - c_3$ in Lemma 1 is irreducible in $F_q[X]$, and let $\alpha \in F_{q^3}$ be a root of $\chi$.
Proof. Letting $\alpha = \alpha_1$, the statement follows from the matrix formula in the proof of Theorem 2 taking the very definition of the group law $\oplus$ by formula (3) into account.
In the present case, Proposition 2 states the "equivalence" because the reduction of problems (see, for example, [38] [p. 5], [39] [Ch. 8]) works both ways, namely, DLP in the group $((F_q)^3 \setminus \{(0, 0, 0)\}, \oplus)$ reduces to the DLP in $(F_{q^3})^*$ and the other way around. Hence, Proposition 2 proves that the use of the group $G = (F_qP^2, \oplus)$ is safe for standard implementations in PKC (e.g., see [34] [§1.6]), since the security it provides is equivalent to that of DLP in $(F_{q^3})^*$, as long as the caveat stated in Remark 3 is taken into account.
In terms of cryptanalysis, logarithms in $G$ can be computed using "generic" algorithms, i.e., those that assume no particular structure in (or extra knowledge of) the group. The most popular ones are Pohlig-Hellman (which reduces the computation in the whole group to the computation of the logarithm in all subgroups of prime order of $G$), Shanks' Baby Step/Giant Step, and Pollard's Rho algorithm. All of them need an exponential computation time.
However, there exists the so-called index-calculus algorithm, which is much faster as it is able to compute discrete logarithms in the multiplicative group of a finite field in subexponential time (see, e.g., [40]). Since the operations in the proposed group $G = (F_qP^2, \oplus)$ can be efficiently transferred to those in $(F_{q^3})^*$, it follows that the index-calculus algorithm can be applied to the multiplicative group of the latter. This fact does not render the group operation automatically useless in the face of possible cryptographic applications, as long as proper key lengths are utilized.
For general finite fields, such as the proposed one, with a multiplicative group of size $N$, current state-of-the-art algorithms (including index-calculus) report computation times of where $\alpha$ and $c$ are parameters in the ranges $0 < \alpha < 1$ and $c > 0$ (sometimes $c$ is omitted and we default to $L_N(\alpha)$). Actually, $\alpha$ drives the transition from an exponential-time algorithm (when $\alpha$ approaches 1) to a pure polynomial-time algorithm (as $\alpha$ tends to 0). The first subexponential algorithms had complexity $L_N(1/2)$ and applied only to prime fields. Soon $L_N(1/3)$ was achieved for any finite field, with values for $c$ ranging from $(64/3)^{1/3}$ for fields with high characteristic to $(128/9)^{1/3}$ for medium characteristic. When dealing with small characteristic fields, recent research brought down the complexity to $L_N(1/4)$ [41] and even to quasi-polynomial time [42,43]. If the group size is $N = p^n$, and we write $p = L_{p^n}(l_p)$, then the characteristic is considered "small", "medium-sized" or "large" depending on whether $l_p \le 1/3$, $1/3 < l_p < 2/3$, or $l_p \ge 2/3$, respectively.
In any case, the previous results have been applied in practice and several cryptanalyses have been successfully carried out (see [44,45]), so it seems sensible to avoid using small characteristics and also extensions of moderate characteristic included in the range threatened by recent cryptanalytic techniques [42,43,46]. However, these algorithms are heuristic and are proved to work only for certain particular cases, not difficult to circumvent: for example, if one has $N = p^n$, it suffices to choose both $p$ and $n$ to be prime in order to thwart both [42,43]. For a detailed account of history and current status, see [47] (in particular §4.2), and [48].
Our proposal is to use a group $G$ of prime order $n = q^2 + q + 1$, over a ground field $F_q$. Using formula (5), we can compute how many elements in $G$ provide a given security level. Since the number of elements is roughly the square of the value of $q$, it follows that $q$ can be represented with only one half of the bits needed for $n$. This has a direct impact on the computation time of the $\oplus$ operation in $G$, since it is performed in $F_q$ (see Equation (4) and cost analysis in Section 3.4).

System Setup and System Parameters for a Key Agreement Protocol
The group $G = (F_qP^2, \oplus)$ lends itself readily as a building block for standard cryptographic applications to be constructed upon it. One such application is a Diffie-Hellman-like key agreement protocol, which will be described in the following sections.
In the sequel, we provide the necessary steps to set up the system. Moreover, the users also need to fix some system parameters.
Defining the projection $\pi$ in this way is convenient, since it automatically gives rise to a generator in $F_qP^2$ with a unitary norm, which means that all the elements generated by it will also enjoy a unitary norm.
Note in passing that the previous device works only if 3 is invertible in $Z_{q-1}$. Fortunately, this is always the case since otherwise the following implications hold: 3|(q − 1) ⇒ q ≡ 1 (mod 3) ⇒ = q 2 + q + 1 ≡ 0 (mod 3) and the latter equation would contradict the fact that we chose as a prime.

Remark 7.
In order to save space, we can always find an irreducible $\chi$ such that $c_1 = 0$. Obviously, $c_3$ cannot be 0, but we may wonder whether we could in addition take $c_2 = 0$. However, this is not possible according to [49] (Lemma 7). The latter reference studies the number of irreducible binomials $X^t - a \in F_q[X]$, with $a \in F_q^*$, and concludes that the number of such irreducible binomials $N_t(q)$ is otherwise.
Accordingly, we conclude that $c_1$ and $c_2$ cannot be simultaneously taken as 0.

System Parameters
The system parameters are defined by the set $S = \{F_q, [\beta_1, \beta_2, \beta_3], c_1, c_2, c_3\}$, following the notation and conditions explained above.

The Key Agreement Protocol
The key agreement follows the well-known Diffie-Hellman paradigm. Any two users A, B, willing to agree on a common value, which remains secret, set up a system and agree on its parameters, as stated previously.
The protocol runs as follows:
1. User A selects $n_A \in Z$ uniformly at random, with = $q^2 + q + 1$, computes and sends it to user B.
2. User B selects $n_B \in Z$ uniformly at random, computes and sends it to user A.

User
According to the definitions, the following equalities clearly hold: Hence, the properties of the operation $\oplus$ in $G$ ensure that actually $k_A = k_B$, which is the common value expected as the output of the protocol.

Cost of the ⊕ Operation in G
Let $S$ and $P$ be the number of field operations in order to perform an addition and a multiplication respectively in $F_q$. From the formula (4), it follows that the total number of operations for computing $x \oplus y$ is equal to $10S + 15P$, once the $2S + 3P$ precomputations of $c_1 c_3$, $c_1 c_2 + c_3$, and $c_1^2 + c_2$ are assumed.

A Toy Example
We provide hereafter an example of computing a discrete logarithm by brute-force search. In general, this algorithm is, of course, infeasible, but we choose very small parameters in order to illustrate the operation of the group G.
Observe that indeed $Q(16, 106, 23) = 1$. We choose a target point $y = (86, 120, 1)$ and performing a similar computation we get $Y = [15, 91, 87]$. The problem is to find the discrete logarithm of $Y$ to the base $X$, i.e., find the integer $n$ such that $Y = \oplus^n X$. Iterating the operation, we carry out an exhaustive search: [16,106,23] Eventually, we come up with the target point. Since the operation has been iterated ten times, we conclude $Y = \oplus^{10} X$ for this particular pair, so that $\log_X Y = 10$. Remark that, to perform each step, it suffices to follow the formula (4).
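The group law, the unitary-norm projection, the key agreement and the brute-force logarithm of the toy example can be exercised together in the following Python code, which is an added example and not the authors' implementation. Formula (4) is not reproduced on this page, so `op` is derived here from the definition $x_1 I + x_2 A + x_3 A^2$ with $A^3 = c_1 A^2 + c_2 A + c_3 I$; the names `PlaneGroup`, `find_chi`, `key_agreement` and `dlog_bruteforce`, and the prime $p = 101$, are constructed for illustration and are not the paper's parameters.

```python
from secrets import randbelow


def find_chi(p):
    """Search (c1, c2, c3) = (0, c2, c3) with X^3 - c2*X - c3 irreducible over F_p.
    A cubic is irreducible over a field exactly when it has no root in it."""
    for c2 in range(1, p):
        for c3 in range(1, p):
            if all((t * t * t - c2 * t - c3) % p for t in range(p)):
                return (0, c2, c3)
    raise ValueError("no irreducible cubic found")


class PlaneGroup:
    """G = (F_p P^2, ⊕) for chi(X) = X^3 - c1 X^2 - c2 X - c3 irreducible."""
    IDENTITY = (1, 0, 0)

    def __init__(self, p, c):
        c1, c2, c3 = c
        if any((t**3 - c1 * t * t - c2 * t - c3) % p == 0 for t in range(p)):
            raise ValueError("chi is reducible: the cubic C has points")
        self.p, self.c = p, c
        self.order = p * p + p + 1
        # The three precomputed constants named in the cost analysis.
        self.k = (c1 * c3 % p, (c1 * c2 + c3) % p, (c1 * c1 + c2) % p)
        # Exponent for cube roots; raises ValueError if 3 is not invertible
        # modulo p - 1 (Python 3.8+ modular inverse).
        self.e = pow(3, -1, p - 1)

    def op(self, x, y):
        """x ⊕ y on coordinate triples; one formula for all inputs."""
        (x1, x2, x3), (y1, y2, y3) = x, y
        c1, c2, c3 = self.c
        k1, k2, k3 = self.k
        m, s = x2 * y3 + x3 * y2, x3 * y3     # coefficients of A^3 and A^4
        return ((x1 * y1 + c3 * m + k1 * s) % self.p,
                (x1 * y2 + x2 * y1 + c2 * m + k2 * s) % self.p,
                (x1 * y3 + x2 * y2 + x3 * y1 + c1 * m + k3 * s) % self.p)

    def norm(self, x):
        """Q(x) = det(x1 I + x2 A + x3 A^2), via the images of 1, A, A^2."""
        a, b, c = x, self.op(x, (0, 1, 0)), self.op(x, (0, 0, 1))
        det = (a[0] * (b[1] * c[2] - b[2] * c[1])
               - a[1] * (b[0] * c[2] - b[2] * c[0])
               + a[2] * (b[0] * c[1] - b[1] * c[0]))
        return det % self.p

    def normalize(self, x):
        """Unique representative of the projective point with Q = 1."""
        n = self.norm(x)
        if n == 0:
            raise ValueError("not a point of the group")
        lam = pow(n, self.p - 1 - self.e, self.p)   # lam^3 = 1 / Q(x)
        return tuple(lam * t % self.p for t in x)

    def mul(self, n, x):
        """[n]x by double-and-add. This plain loop is not constant time."""
        acc, base = self.IDENTITY, x
        while n:
            if n & 1:
                acc = self.op(acc, base)
            base = self.op(base, base)
            n >>= 1
        return self.normalize(acc)


def key_agreement(G, g):
    """Both users' views of the Diffie-Hellman-like exchange: (k_A, k_B)."""
    n_a = 1 + randbelow(G.order - 1)
    n_b = 1 + randbelow(G.order - 1)
    h_a, h_b = G.mul(n_a, g), G.mul(n_b, g)      # values sent in the clear
    return G.mul(n_a, h_b), G.mul(n_b, h_a)


def dlog_bruteforce(G, g, h):
    """Exhaustive search for the smallest n >= 1 with [n]g = h."""
    cur = G.normalize(g)
    for n in range(1, G.order + 1):
        if cur == h:
            return n
        cur = G.normalize(G.op(cur, g))
    return None


if __name__ == "__main__":
    G = PlaneGroup(101, find_chi(101))           # constructed toy parameters
    g = G.normalize((2, 3, 5))
    print("chi coefficients:", G.c, "group order:", G.order)
    print("log of [10]g:", dlog_bruteforce(G, g, G.mul(10, g)))
    print("shared keys:", key_agreement(G, g))
```

Because 10303 = 101² + 101 + 1 is prime, every non-identity point generates the whole group here; with a composite order the generator must be chosen as Remark 3 describes.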

Experimental Results
We have conducted several experiments in order to assess the computation time of the $\oplus$ operation in $G$. The basic setup consists of selecting prime fields, $F_p$, over which the $\oplus$ operation will be tested. Observe that, according to formula (4), performing the operation boils down to a number of additions and multiplications over the base field; hence, the expected computation time will depend on the size of its elements; informally, size (also known as bit length) means the number of bits in the binary representation of such elements. The selected prime fields, $F_p$, will have increasing values for the size of $p$, i.e., increasing bit lengths in the representation of their elements.
Taking the previous considerations into account, the experiment is conducted as follows: we take increasing values of $p$ and, for each value, we perform all the required computations to add two random points in $G$, following formula (4). We repeat the experiment a large number of times for distinct points and record the mean computation time for each value of $p$.
In order to compare computation times, we repeated the same experiment for the point addition in elliptic curves over $F_p$, using the same range of bit lengths. As before, the idea is selecting random points and adding them using, in particular, projective coordinates according to the formulas given in [50] [§13.2.1.b]. Repeating the computation a large number of times, we record the mean computation time for each value of $p$. Choosing the point addition operation in elliptic curves as the term of comparison with the $\oplus$ operation seems sensible since both operations share a relatively large number of basic operations (namely, additions, multiplications, and inversions) in the ground field.
We implemented the experiments using Java SE Runtime Environment version 1.8.0_171-b11 and the execution was carried out on an Intel Core i7-4790 platform (Santa Clara, CA, USA) running at 3.60 GHz. We performed the experiment in the range 32-512 bits in steps of 32 bits.
The experiments yielded the results shown in Table 1. In each line, the first column represents the number of bits of the binary representation of the elements in $F_p$, the ground field. The second and third columns represent the mean computation time needed to perform the addition of two points in the group $G$ via the operation $\oplus$, and in an elliptic curve over $F_p$, respectively. All the computation times are measured in microseconds.
Having a visual idea of the results reported in Table 1 is best achieved by depicting them in a combined graph. To this end, we show in Figure 1 the graphical representation of the computation times for both operations, as reported in Table 1. Both graphs are conveniently labeled so that one of them depicts the computation time for the $\oplus$ operation in $G$, and the other one depicts the computation time for the point addition in elliptic curves over $F_p$. The x-axis represents the bit length of $p$ common for both operations.
The graph pushes to the foreground some interesting remarks:
• The computation times shown in Figure 1 for both settings show an essentially linear growth, which is convenient in view of practical applications.
• Though the point addition in elliptic curves is slightly slower than the $\oplus$ operation in $G$ for the same bit length over the ground field, they keep a rather constant ratio between them, which is roughly equal to 0.7.

Real World Parameters
In order to assess the size of real world parameters, we resort to the recommendations issued by NIST [51]. These recommendations are based on the knowledge of the execution time of the best algorithms solving any particular problem. We will reproduce here an excerpt of Table 2 in that reference, which summarizes the bit sizes for the relevant parameters applicable to our proposal. We explain hereafter the meaning of the columns. To begin with, Security strength represents the binary logarithm of the estimated time taken by the best known algorithm for solving the problem (which is proportional to the number of cryptographic operations), thus breaking the cryptosystem. The center column, labeled as Group order, is related to the group where the cryptosystem is defined; in our case, it is the projective space $\mathbb{F}_q P^2$, where $\mathbb{F}_q$ is the base field. In particular, each line in this column represents the binary logarithm of the number of elements in the projective space needed to achieve the security strength indicated in the leftmost column.
Since we propose that the number of points in the projective space is $n = q^2 + q + 1$, the base field size (namely, the binary logarithm of $q$) is half the size of $n$, as represented in the rightmost column. Note that this is a nice feature, since the multiplication cost in the base field is intimately related to the size of the latter.
Finally, the public key consists of one projective point. Since we chose unitary norm for such point, it can be represented with just two elements of the base field. Therefore, public key size is twice as much as the base field size (it needs twice as many bits).

A More Robust System
The security of the cryptosystem proposed in the previous sections can be increased by extending the theory developed for a field to the case of a unitary commutative ring R.
Essentially, we will stick to the ring $\mathbb{Z}/m\mathbb{Z}$, where $m = pq$ is an integer, the product of two primes of similar size, $p$ and $q$. We will endeavor to apply all the concepts developed in the previous sections to this new setting in an attempt to improve the security and efficiency of the proposed scheme.
We will manage to obtain the definition of a group law acting over the direct product of two projective spaces, $\mathbb{F}_p P^2 \times \mathbb{F}_q P^2$. In this new setting, the security is reinforced since an attacker is forced to sequentially solve an instance of the integer factorization problem and an instance (actually two instances, but they can be parallelized) of the discrete logarithm problem.
In fact, let $M$ be a free $R$-module of finite rank and let $A : M \to M$ be an $R$-linear map with characteristic polynomial $\chi_A(X) = \det(XI - \Lambda)$, $X$ being an indeterminate, $I$ the identity matrix of order $r = \operatorname{rank} M$, and $\Lambda$ the matrix of $A$ in an arbitrary basis for $M$. According to [52] [III, §8, 11.Proposition 20], the Cayley-Hamilton Theorem holds in this setting, namely $\chi_A(A) = 0$. Hence As above, we can define a degree-3 homogeneous polynomial in $R[x_1, x_2, x_3]$ by setting As a computation shows, we have thus proving that Lemma 1 still holds in this case; i.e., $Q$ depends on $\chi_A$ only, but not on the matrix $\Lambda$.
The projective plane over R is then defined as follows: RP 2 = (R 3 \ {0})/R * , where R * denotes the multiplicative group of invertible elements in R and R * acts on R 3 \ {0} by Proceeding as in the previous sections, a composition law ⊕ : x 3 ), y = (y 1 , y 2 , y 3 ), z = (z 1 , z 2 , z 3 ), can be defined by the formula and similarly we deduce The determinant of the matrix of (6) is equal to Q(x 1 , x 2 , x 3 ). Hence, ⊕ induces a composition law ⊕ : Q −1 (R * ) × Q −1 (R * ) → Q −1 (R * ). If C denotes the set of classes modulo R * of points x ∈ R 3 such that Q(x) ∈ R\R * , then ⊕ also induces a composition law ⊕ : The same proof given in the case of a field shows that the composition law ⊕ is associative, commutative, and admits an identity element, which is the vector (1, 0, 0).
If $m = pq$ with $p \neq q$ prime integers, then by the Chinese Remainder Theorem there is a ring isomorphism between $\mathbb{Z}/m\mathbb{Z}$ and the product ring $\mathbb{F}_p \times \mathbb{F}_q$. Hence, each vector $x \in R^3$ can be assigned a pair (x , x ) in $(\mathbb{F}_p)^3 \times (\mathbb{F}_q)^3$ and the group $(\mathbb{Z}/m\mathbb{Z})^* = (\mathbb{F}_p)^* \times (\mathbb{F}_q)^*$ acts on $R^3$ in the same way as $(\mathbb{F}_p)^*$ acts on $(\mathbb{F}_p)^3$ and $(\mathbb{F}_q)^*$ does on $(\mathbb{F}_q)^3$.

Remark 9.
It is clear that the group $(\mathbb{P}Q^{-1}(R^*), \oplus)$ is also amenable as a building block for a key-agreement protocol by choosing $R = \mathbb{Z}_m$, with $m$ composite. Observe that its security is enhanced with respect to its counterpart $\mathbb{F}_q$, $q$ a prime power, since the algorithms known to be efficient to compute discrete logarithms only work in the multiplicative group of a field. This means that one is forced to factorize $m$ in order to apply such algorithms to the present case, thus increasing the time complexity and the security of the system, though at the price of doubling the key length.
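The Chinese Remainder splitting and the key agreement over $\mathbb{Z}/m\mathbb{Z}$ discussed above can be checked numerically. The following Python sketch is an added example, not the authors' code: it assumes that ⊕ is multiplication of $x_1 + x_2X + x_3X^2$ modulo a monic cubic $\chi(X)$ (the Cayley-Hamilton reduction), since the explicit formula is not reproduced in this section. The primes, the cubic, the exponents and the points are constructed toy values, and representatives are compared without projective normalization.

```python
# Added illustration: toy primes, cubic and points are constructed values.
from math import gcd

def oplus(x, y, chi, m):
    """(x1+x2*X+x3*X^2)*(y1+y2*X+y3*X^2) mod chi(X), coefficients in Z/mZ.
    chi=(a,b,c) stands for X^3 = a*X^2 + b*X + c (assumed form of the law)."""
    a, b, c = chi
    d = [0] * 5                                  # plain product, degrees 0..4
    for i in range(3):
        for j in range(3):
            d[i + j] += x[i] * y[j]
    d[1] += c * d[4]; d[2] += b * d[4]; d[3] += a * d[4]   # fold X^4
    d[0] += c * d[3]; d[1] += b * d[3]; d[2] += a * d[3]   # fold X^3
    return tuple(v % m for v in d[:3])

def Q(x, chi, m):
    """Determinant of the matrix of the map y -> x (+) y."""
    (a1, a2, a3), (b1, b2, b3), (c1, c2, c3) = (
        oplus(x, e, chi, m) for e in ((1, 0, 0), (0, 1, 0), (0, 0, 1)))
    return (a1 * (b2 * c3 - b3 * c2) - b1 * (a2 * c3 - a3 * c2)
            + c1 * (a2 * b3 - a3 * b2)) % m

def admissible(x, chi, m):
    """True when Q(x) is a unit of Z/mZ, i.e. x lies in Q^-1(R*)."""
    return gcd(Q(x, chi, m), m) == 1

def smul(k, x, chi, m):
    """k-fold (+) of x with itself by square-and-multiply."""
    r = (1, 0, 0)                                # identity element
    while k:
        if k & 1:
            r = oplus(r, x, chi, m)
        x = oplus(x, x, chi, m)
        k >>= 1
    return r

def crt(u, v, p, q):
    """The residue mod p*q that equals u mod p and v mod q."""
    return (u + p * ((v - u) * pow(p, -1, q) % q)) % (p * q)

def demo(p=1009, q=1013, chi=(3, 5, 7), g=(2, 3, 5), a=123457, b=654323):
    m = p * q
    A, B = smul(a, g, chi, m), smul(b, g, chi, m)          # public values
    agree = smul(a, B, chi, m) == smul(b, A, chi, m)       # same shared value
    glued = tuple(crt(u, v, p, q) for u, v in              # work mod p, mod q
                  zip(smul(a, g, chi, p), smul(a, g, chi, q)))
    return agree, glued == A, admissible(A, chi, m)
```

A received value that fails `admissible` has a `Q` sharing a factor with $m$, so a party should reject it before using it in the exchange.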

Conclusions
In this work, we have defined a group law, ⊕, over the set $\mathbb{F}_q P^2$, and considered the discrete logarithm problem associated with it. We have analyzed its properties and stated the security of the problem considered. Moreover, based on it, we have defined a cryptographic key agreement protocol as one possible application of this problem to public key cryptography. Finally, we shift the system to the group $(\mathbb{P}Q^{-1}(R^*), \oplus)$ over the ring $\mathbb{Z}/pq\mathbb{Z}$, which turns out to be completely analogous to the previous one and offers an enhanced security, though at the cost of some extra key length.
As future work, we think that it is possible to extend this discrete logarithm problem in order to define new cryptographic protocols for encryption/decryption and digital signatures, among others, in a similar way as ElGamal or elliptic curve cryptosystems were defined from the Diffie-Hellman key agreement protocol.

Conflicts of Interest:
The authors declare no conflict of interest.