A Novel Secure Session Key Agreement Protocol Based on Multivariate Polynomials

The SKAP proposed is demonstrated using the following parameters.

S=Set of multivariate polynomials in n variables

Let:

-$f, g \in S$,

-$\alpha=\left\{\alpha_i\right\}_{i=1,2, \ldots, n}, \beta=\left\{\beta_i\right\}_{i=1,2, \ldots, n}$, where $\alpha_i s, \beta_i s \in \mathbb{N}$,

-$[a, b]=\left[a_i, b_i\right]_{i=1,2, \ldots, n},[c, d]=\left[c_i, d_i\right]_{i=1,2, \ldots, n}$, where $a_i s, b_i s, c_i s, d_i s \in \mathbb{N}$.

Define a non-commutative linear operator $T$ on $\mathrm{S}$ where the inverse of $T$ is $T^{-1}$.

Let:

-$h=T_{\lceil a, b\rceil}(f), l=T_{\lceil c, d\rceil}(g)$,

-$u=l(\alpha), v=h(\beta)$,

-$f(\beta)=T_{[a, b]}^{-1}(v), g(\alpha)=T_{[c, d]}^{-1}(u)$.

The final key value, $K=f(\beta) * g(\alpha)$.

11.png

Figure 1. Methodology of SKAP proposed

The methodological approach adopted to agree on a key K by two communicating parties A and B is depicted in the Figure 1.

The methodological approach to agree on a session key demonstrated above is cryptographically implemented applying modulo congruence and an Affine operator over multivariate polynomials. The multivariate polynomials involved are polynomials in n variables over the ring of polynomials $\mathrm{Z}\left[\mathrm{x}_1, \mathrm{x}_2, \ldots, \mathrm{x}_{\mathrm{n}}\right]$.  The Affine operator involved in the process of key exchange is:

For a multivariate polynomial function ‘ f ’ define.

$\mathrm{T}_{\{\mathrm{a}, \mathrm{b}\}}(\mathrm{f})=(\mathrm{a} * \mathrm{f}+\mathrm{b}) \bmod \mathrm{p}$ where gcd $(\mathrm{a}, \mathrm{p})=1, \mathrm{~b}<p$           (6)

$\mathrm{T}_{\{\mathrm{a}, \mathrm{b}\}}{ }^{-1}(\mathrm{f})=\left((\mathrm{f}-\mathrm{b}) * \mathrm{a}^{-1}\right) \bmod \mathrm{p}$ where $\mathrm{a} * \mathrm{a}^{-1} \equiv 1(\bmod \mathrm{p})$           (7)

Here, $\bmod p$ is performed over the coefficients and constant term of the polynomial.

Suppose that the communicating parties are A and B. Parameters those are public: Prime number (p).

Step 1: Public key and private key generation by A.

-Select a set of integers $\left\{\alpha_i\right\}_{i=1,2, \ldots, n}, \alpha_i \in Z$ and $\left[a_i, b_i\right]_{i=1,2, \ldots, r}$, $r \in N$.

-$\begin{array}{llll}\text { Select } & \text { a } & \text { multivariate } & \text { polynomial }\end{array}$ $f\left(x_1, x_2, \ldots, x_n\right)$ over the ring $Z\left[x_1, x_2, \ldots, x_n\right]$.

-Compute $\quad \mathrm{T}_{\left[\mathrm{a}_1, \mathrm{~b}_1\right]} \mathrm{T}_{\left[\mathrm{a}_2, \mathrm{~b}_2\right] \ldots} \mathrm{T}_{\left[\mathrm{a}_{\mathrm{r}}, \mathrm{b}_{\mathrm{r}}\right]}\left(\mathrm{f}\left(\mathrm{x}_1, \mathrm{x}_2, \ldots \mathrm{x}_{\mathrm{n}}\right)\right)=$ $h\left(x_1, x_2, \ldots, x_n\right)$.

-Public key of A: $\left(\mathrm{f}\left(\mathrm{x}_1, \mathrm{x}_2, \ldots, \mathrm{x}_{\mathrm{n}}\right), \mathrm{h}\left(\mathrm{x}_1, \mathrm{x}_2, \ldots, \mathrm{x}_{\mathrm{n}}\right)\right)$.

-Private key of $\mathrm{A}:\left(\left\{\alpha_{\mathrm{i}}\right\}_{\mathrm{i}=1,2, \ldots, \mathrm{n}},\left[\mathrm{a}_{\mathrm{i}}, \mathrm{b}_{\mathrm{i}}\right]_{\mathrm{i}=1,2, \ldots, \mathrm{r}}\right)$.

Step 2: Public key and private key generation by B.

-Select a set of integers $\left\{\beta_{\mathrm{i}}\right\}_{\mathrm{i}=1,2, \ldots, \mathrm{n}}, \beta_{\mathrm{i}} \in \mathrm{Z}$ and $\left[\mathrm{c}_{\mathrm{i}}, \mathrm{d}_{\mathrm{i}}\right]_{\mathrm{i}=1,2, \ldots, \mathrm{s}}$, $s \in N$.

-Select $\quad$ a $\quad$ multivariate $\quad$ polynomial $\mathrm{g}\left(\mathrm{x}_1, \mathrm{x}_2, \ldots, \mathrm{x}_{\mathrm{n}}\right)$ over the ring $\mathrm{Z}\left[\mathrm{x}_1, \mathrm{x}_2, \ldots, \mathrm{x}_{\mathrm{n}}\right]$.

-Compute $\quad \mathrm{T}_{\left[\mathrm{c}_1, \mathrm{~d}_1\right]} \mathrm{T}_{\left[\mathrm{c}_2, \mathrm{~d}_2\right]} \ldots \mathrm{T}_{\left[\mathrm{c}_{\mathrm{s}}, \mathrm{d}_{\mathrm{s}}\right]}\left(\mathrm{g}\left(\mathrm{x}_1, \mathrm{x}_2, \ldots \mathrm{x}_{\mathrm{n}}\right)\right)=l\left(x_1, x_2, \ldots, x_n\right)$.

-Public key of $B:\left(g\left(x_1, x_2, \ldots, x_n\right), l\left(x_1, x_2, \ldots, x_n\right)\right)$.

-Private key of B: $\left(\left\{\beta_i\right\}_{i=1,2, \ldots, n},\left[c_i, d_i\right]_{i=1,2, \ldots, s}\right)$.

Step 3: Key exchange.

-A computes $l\left(\alpha_1, \alpha_2, \ldots, \alpha_n\right) \bmod p=u$ and sends it to $B$. Similarly, $B$ computes $h\left(\beta_1, \beta_2, \ldots, \beta_n\right) \bmod p=v$ and sends it to $\mathrm{A}$.

-A computes $\mathrm{f}\left(\beta_1, \beta_2, \ldots, \beta_{\mathrm{n}}\right) \bmod \mathrm{p}=\mathrm{T}_{\left[\mathrm{ar}_{\mathrm{r}}, \mathrm{b}_{\mathrm{r}}\right]}^{-1} \ldots \mathrm{T}_{\left[\mathrm{a}_1, \mathrm{~b}_1\right]}{ }^{-1} \mathrm{~T}_{\left[\mathrm{a}_1, \mathrm{~b}_1\right]} \ldots \mathrm{T}_{\left[\mathrm{ar}_{\mathrm{r}}, \mathrm{b}_{\mathrm{r}}\right]}^{-1}(\mathrm{v})=\mathrm{y} \quad$ and $\mathrm{g}\left(\alpha_1, \alpha_2, \ldots, \alpha_{\mathrm{n}}\right) \bmod \mathrm{p}=\mathrm{z}$.

-B computes $\mathrm{g}\left(\alpha_1, \alpha_2, \ldots, \alpha_{\mathrm{n}}\right) \bmod \mathrm{p}=\mathrm{T}_{\left[\mathrm{c}_{\mathrm{s}}, \mathrm{d}_{\mathrm{s}}\right]}{ }^{-1} \ldots \mathrm{T}_{\left[\mathrm{c}_1, \mathrm{~d}_1\right]}{ }^{-1} \mathrm{~T}_{\left[\mathrm{c}_1, \mathrm{~d}_1\right]} \ldots \mathrm{T}_{\left[\mathrm{c}_{\mathrm{s}}, \mathrm{d}_{\mathrm{s}}\right]}(\mathrm{u})=\mathrm{z} \quad$ and $\mathrm{f}\left(\beta_1, \beta_2, \ldots, \beta_n\right) \bmod \mathrm{p}=\mathrm{y}$.

-Finally, A and B agree on the key: $\mathrm{y} * \mathrm{z}$.

The proposed methodology is explained through Figure 2.

-$\mathrm{P}_{\mathrm{A}}(\mathrm{f})=\mathrm{T}_{\left[\mathrm{a}_1, \mathrm{~b}_1\right]} \mathrm{T}_{\left[\mathrm{a}_2, \mathrm{~b}_2\right]} \ldots \mathrm{T}_{\left[\mathrm{a}_{\mathrm{r}}, \mathrm{b}_{\mathrm{r}}\right]}\left(\mathrm{f}\left(\mathrm{x}_1, \mathrm{x}_2, \ldots \mathrm{x}_{\mathrm{n}}\right)\right)$,

-$\mathrm{P}_{\mathrm{B}}(\mathrm{g})=\mathrm{T}_{\left[\mathrm{c}_1, \mathrm{~d}_1\right]} \mathrm{T}_{\left[\mathrm{c}_2, \mathrm{~d}_2\right]} \ldots \mathrm{T}_{\left[\mathrm{c}_{\mathrm{s}}, \mathrm{d}_{\mathrm{s}}\right]}\left(\mathrm{g}\left(\mathrm{x}_1, \mathrm{x}_2, \ldots \mathrm{x}_{\mathrm{n}}\right)\right)$,

-$\mathrm{P}_{\mathrm{A}}^{-1}\left(\mathrm{~h}\left(\beta_1, \beta_2, \ldots, \beta_{\mathrm{n}}\right)\right)=\mathrm{T}_{\left[\mathrm{a}_{\mathrm{r}}, \mathrm{b}_{\mathrm{r}}\right]}{ }^{-1} \ldots \mathrm{T}_{\left[\mathrm{a}_1, \mathrm{~b}_1\right]}{ }^{-1}\left(\mathrm{~h}\left(\beta_1, \beta_2, \ldots, \beta_{\mathrm{n}}\right)\right)=\mathrm{f}\left(\beta_1, \beta_2, \ldots, \beta_n\right)$,

-$\mathrm{P}_{\mathrm{B}}^{-1}\left(\mathrm{l}\left(\alpha_1, \alpha_2, \ldots, \alpha_n\right)\right)=\mathrm{T}_{\left[\mathrm{c}_{\mathrm{s}}, \mathrm{d}_{\mathrm{s}}\right]}{ }^{-1} \ldots \mathrm{T}_{\left[\mathrm{c}_1, \mathrm{~d}_1\right]}{ }^{-1}\left(\mathrm{l}\left(\alpha_1, \alpha_2, \ldots, \alpha_{\mathrm{n}}\right)\right)=g\left(\alpha_1, \alpha_2, \ldots, \alpha_n\right)$.

2.png

Figure 2. Key exchange process: (a) Public and private key generation of A and B; (b) Exchange of information by both A and B to retrieve the key; (c) Deducing the exchanged key

The application of a non-commutative invertible linear operator in the proposed protocol is a necessary condition for retaining the security and efficiency of the protocol. If the operator is commutative, then it is easy for an intruder to deduce the key. This is explained below:

$T$ is commutative $\Rightarrow T_{[a, b]} T_{[c, d]}(u)=T_{[c, d]} T_{[a, b]}(u)=$ $T_{[e, f]}(u)$ for some $e, f$.

The values of $[a, b],[c, d]$ are private to the party but it is computationally feasible to trace $e, f$ values and therefore $T_{[e, f]}^{-1}(u)$ could be calculated to retrieve $g(\alpha)$. Similarly, $f(\beta)$ could be retrieved. Whereas if $T$ is non-commutative then the intruder needs access to $[a, b],[c, d]$ and the order of applying the transformations $T_{[a, b]}, T_{[c, d]}$ to reach $g(\alpha)$. Therefore, non-commutative nature of the operator plays a major role in retaining the security of the protocol.

If the operator is non-invertible, it is impossible for the communicating parties to retrieve f(β) and g(α). Thus, the operator needs to be invertible.

Public keys of A and B assist the communicating parties to send signals to each other to initiate the process of key agreement. Private keys of A and B permit the parties to access the key confidentially.

Affine transformation is invertible, non-commutative, and easy to comprehend and implement thus making it the best fit for the protocol. The prime number $p$ chosen increases the number of possibilities for the $a_i s$ and $c_i s$ as $\operatorname{gcd}\left(a_i, p\right)=1$ and $\operatorname{gcd}\left(c_i, p\right)=1$ is required. All the computations in the protocol are performed over modulo $p$ thus the parameter $p$ is declared publicly.

The rest of the paper is organized as follows: Section 3 illustrates the proposed method with an Example. Section 4 displays a comparative analysis of the proposed SKAP with studies [10, 11, 13]. Section 5 presents a mathematical model of the proposed SKAP in Telemedicine. Section 6 concludes the presented work in the paper, and the future scope of the work is presented in Section 7.

The proposed SKAP is analyzed on the following security aspects and is compared with some existing methods [10, 11, 13] of safeguarding the cryptographic key:

4.1 Methodological approach

Diophantine equations serve as the building block of the protocol in studies [10, 13]. In study [11], Elliptic Curve Cryptography (ECC) is applied to design the protocol. The methodology adopted in designing the SKAP proposed applies two multivariate polynomials, f and g, and Affine transformation T. The non-commutative and invertible nature of the Affine operator serves as the base for the working of the protocol.

4.2 Number of secure rounds in a single session

This section demonstrates the maximum number of times the protocol is secure with the same choice of public and private keys chosen by the communicating parties. In short, it discovers the number of times a generated key through the SKAP could be used to encrypt data demonstrated in the Figure 3.

In the study [13], a Linear Diophantine equation:

$\mathrm{f}\left(\mathrm{x}_1, \mathrm{x}_2, \ldots, \mathrm{x}_{\mathrm{n}}\right)=0 \ni \mathrm{f}\left(\propto_{\mathrm{i}}\right)=0$             (10)

is selected by the recipient which facilitates the working of the protocol that is secure for at most (n-2) times with the same LDE and the solution set. In the (n-1)^th round, the recipient needs to change the solution set of the chosen equation.

$\mathrm{f}\left(\mathrm{x}_1, \mathrm{x}_2, \ldots, \mathrm{x}_{\mathrm{n}}\right)=0$             (11)

to retain the security of the protocol.

Our protocol works over the public keys, multivariate polynomials $\mathrm{f}\left(\mathrm{x}_1, \mathrm{x}_2, \ldots, \mathrm{x}_{\mathrm{n}}\right), \mathrm{g}\left(\mathrm{x}_1, \mathrm{x}_2, \ldots, \mathrm{x}_{\mathrm{n}}\right)$ and the private keys, set of integers $\left\{\alpha_{\mathrm{i}}\right\}_{\mathrm{i}=1,2, \ldots, \mathrm{n}},\left\{\beta_{\mathrm{i}}\right\}_{\mathrm{i}=1,2, \ldots, \mathrm{n}}$, $\left[\mathrm{a}_{\mathrm{i}}, \mathrm{b}_{\mathrm{i}}\right]_{\mathrm{i}=1,2, \ldots, \mathrm{r}}$ and $\left[\mathrm{c}_{\mathrm{i}}, \mathrm{d}_{\mathrm{i}}\right]_{\mathrm{i}=1,2, \ldots, \mathrm{s}}$. The designed protocol is secure with the same polynomials and the set of integers for at most (n-2) rounds. After (n-2) rounds, either of the communicating parties needs to change the chosen polynomial or the set of integers alternately which would work for the next 2(n-2) rounds. Hence, both the communicating parties share the responsibility of changing public or private keys after each session. Although the system needs a change of polynomial or the set of integers after every (n-2) rounds, the individual communicating party needs to change the polynomial or the set of integers after 2(n-2) rounds.

The SKAP consists of a maximum of 2(n-2) rounds in a single session. The diagram below represents the changes required in the protocol after (n-2) rounds which are incorporated alternately by both the communicating parties A and B individually after 2(n-2) rounds.

3.png

Figure 3. Required change in the chosen multivariate polynomial or the set of integers in the (n-1)^th round

In the (n-1)^th step, the intruder has access to a set of n equations in n variables, which are:

$h\left(\beta_i\right)=v_j ; l\left(\alpha_i\right)=u_j, i, j=1,2, \ldots, n$                (12)

The above set of equations can be solved to retrieve the values of $\left\{\alpha_i\right\}_{i=1,2, \ldots, n}$ and $\left\{\beta_i\right\}_{i=1,2, \ldots, n}$.

As depicted in the diagram above, on changing the set of integers $\left\{\beta_i\right\}_{i=1,2, \ldots, n}$ in $(n-1)^{\text {th }}$ round, the values of $\left\{\propto_i\right\}_{i=1,2, \ldots, n}$ can be traced from the system of equations.

$l\left(\alpha_i\right)=u_j, i, j=1,2, \ldots, n$                (13)

But $\left\{\beta_{\mathrm{i}}\right\}_{\mathrm{i}=1,2, \ldots, \mathrm{n}}$ is unknown.

If the polynomial $\mathrm{g}$ is changed then the values of $\left\{\beta_{\mathrm{i}}\right\}_{\mathrm{i}=1,2, \ldots, \mathrm{n}}$ can be traced from the system of equations.

$h\left(\beta_i\right)=v_j, i, j=1,2, \ldots, n$                (14)

But the values of $\left\{\propto_i\right\}_{i=1,2, \ldots, n}$ is unknown for the next (n-2) rounds because of the change in the polynomial g. Therefore, the protocol is secure with the same set of integers and the polynomials chosen by both the communicating parties for at most (n-2) rounds but the individual communicating party can travel with the same polynomial or set of integers chosen for at most 2(n-2) rounds. Hence, the responsibility of changing the chosen polynomial or set of integers is divided equally among both the communicating parties in the protocol.

4.3 Session key

Session Key is a key that permits the users to access information for a single session. Once the session ends, the key expires and a new key is generated mutually among the authorized users to access the information and enhance the security.

The protocol developed in the study [11] generates Session key whereas the protocols in studies [10, 13] emphasis on exchanging a single cryptographic key and no discussion regarding the session key is encapsulated. The SKAP proposed in this paper generates a Session Key discussed in detail in section 4.7.

4.4 Session key confidentiality

Session Key Confidentiality (SKC) refers to accessibility of the generated session key to the authorized users only such that no intruder can intercept it. This feature is achieved by the study [11] and the proposed SKAP. The non-commutative and invertible nature of the Affine operator helps in achieving the SKC in our protocol. The mathematical explanation of the security of the protocol is explained in section 2. The order of applying the Affine operators to obtain ‘h’ and ‘g’ is private to the authorized users only, which is required for retrieving the key from the public information. Hence the generated Session Key is confidential.

4.5 Known key security

Known key security is a feature where the knowledge of the current session key reveals no information about the next session key. This feature is possessed by the protocol in the study [11].

In the proposed SKAP, the change in the solution sets after every session is responsible for the rejuvenation of the session key. The choice of solution sets is private to the respective parties. Hence, the generated session keys are independent of the previous session keys retaining the Known-Key Security feature.

4.6 Brute-force attack

Brute-force attack is the attack carried out by an intruder to discover the cryptographic key used in encryption by trying all the possible keys. Thus, a large set of possible keys is desirable to prevent a cryptosystem from Brute-force attack.

In the proposed SKAP, the maximum possible values for $f(\beta)$ is $p$ and for $g(\alpha)$ is $p$. Therefore, the number of possible keys $f(\beta) * g(\alpha)$ is $p^2$. Therefore, the attacker has to try $\mathrm{p}^2$ number of keys, which are $\left\{1,2, \ldots, p^2-1, p^2\right\}$ to reach the exchanged key. Thus, by sufficiently increasing the value of $p$, the number of possible keys can be increased to improve security.

4.7 Passive attack

A cryptographic protocol displays some information publicly and conceals some for attaining efficiency and security respectively. Adversaries attack the protocols through the available public information and such attacks are categorized as passive attacks.

The developed SKAP’s resistance to passive attacks is discussed as:

The intruder can use the publicly available information in the protocol in two ways to trace the key. One way is to reach the private keys $\left[\mathrm{a}_{\mathrm{i}}, \mathrm{b}_{\mathrm{i}}\right]_{\mathrm{i}=1,2, \ldots, \mathrm{r}}$ of $\mathrm{A}$ and $\left[\mathrm{c}_{\mathrm{i}}, \mathrm{d}_{\mathrm{i}}\right]_{\mathrm{i}=1,2, \ldots, \mathrm{s}}$ of $\mathrm{B}$. The other way is to trace the values of $\left\{\alpha_i\right\}_{i=1,2 \ldots, n}$ and $\left\{\beta_{\mathrm{i}}\right\}_{\mathrm{i}=1,2, \ldots \mathrm{n}}$ from the publicly available information:

$f\left(x_1, x_2, \ldots, x_n\right), h\left(\beta_1, \beta_2, \ldots, \beta_n\right)=v$         (8)

$\mathrm{g}\left(\mathrm{x}_1, \mathrm{x}_2, \ldots, \mathrm{x}_{\mathrm{n}}\right), \mathrm{l}\left(\alpha_1, \alpha_2, \ldots, \alpha_{\mathrm{n}}\right)=\mathrm{u}$        (9)

4.7.1 Infeasible to trace the private keys $\left[a_i, b_i\right]_{i=1,2 \ldots ., r}$ of $A$ and $\left[\mathrm{c}_{\mathrm{i}}, \mathrm{d}_{\mathrm{i}}\right]_{\mathrm{i}=1,2, \ldots, \mathrm{s}}$ of $\mathrm{B}$

Although the composition of Affine operators is Affine, but the composition of operators cannot be confined to a single operator due to the multivariate polynomial function used in the process. In the example discussed above, let us consider that $\mathrm{T}_{\left[\mathrm{a}_1, \mathrm{~b}_1\right]} \mathrm{T}_{\left[\mathrm{a}_2, \mathrm{~b}_2\right]}\left(\mathrm{f}\left(\mathrm{x}_1, \mathrm{x}_2, \mathrm{x}_3\right)\right)=\mathrm{T}_{[\mathrm{m}, \mathrm{n}]}\left(\mathrm{f}\left(\mathrm{x}_1, \mathrm{x}_2, \mathrm{x}_3\right)\right)$.

Then,

$\mathrm{T}_{[\mathrm{m}, \mathrm{n}]}\left(\mathrm{f}\left(\mathrm{x}_1, \mathrm{x}_2, \mathrm{x}_3\right)\right)=10 \mathrm{x}_1^2+10 \mathrm{x}_2+4 \mathrm{x}_3^2+6\Rightarrow\left(\mathrm{m} \cdot\left(\mathrm{x}_1^2+\mathrm{x}_2+3 \mathrm{x}_3^2+5\right)+\mathrm{n}\right) \bmod 13=10 \mathrm{x}_1^2+10 \mathrm{x}_2+4 \mathrm{x}_3^2+6\Rightarrow \mathrm{m}=10, \mathrm{n}=5, \mathrm{~m}^{-1}=4$

Now, $\mathrm{T}_{[\mathrm{m}, \mathrm{n}]}^{-1}\left(\mathrm{~h}\left(\beta_1, \beta_2, \beta_3\right)\right)=\mathrm{T}_{[\mathrm{m}, \mathrm{n}]}^{-1}(4)=9$, which is not the required value of $\mathrm{f}\left(\beta_1, \beta_2, \beta_3\right)$.

Therefore, it is not possible to use a single value in place of $\left[\mathrm{a}_{\mathrm{i}}, \mathrm{b}_{\mathrm{i}}\right]_{\mathrm{i}=1,2, \ldots, \mathrm{r}}$ or $\left[\mathrm{c}_{\mathrm{i}}, \mathrm{d}_{\mathrm{i}}\right]_{\mathrm{i}=1,2, \ldots, \mathrm{s}}$ by the intruder.

4.7.2 Infeasible to retrieve the set of integers $\left\{\alpha_{\mathrm{i}}\right\}_{\mathrm{i}=1,2 \ldots, \mathrm{n}}$ and $\left\{\beta_i\right\}_{i=1,2, \ldots, n}$ for $n>1$ for a single round

Through the available information, it is possible to retrieve the key only when the chosen f and g are polynomials in one variable i.e., n=1. Thus, the key exchange protocol is secure for n>1.

4.8 Computation and implementation

The proposed SKAP is easy to implement because choosing multivariate polynomials and selecting $\left[\mathrm{a}_{\mathrm{i}}, \mathrm{b}_{\mathrm{i}}\right]_{\mathrm{i}=1,2, \ldots, \mathrm{r}}$ or $\left[c_i, d_i\right]_{i=1,2, \ldots, s}$, solution sets $\left\{\alpha_i\right\}_{i=1,2, \ldots, n},\left\{\beta_i\right\}_{i=1,2, \ldots, n}$ are independent of each other. The methodology applies Affine operator to compute the key, which is computationally efficient. The initial step in protocols $[10,13]$ is to choose Diophantine equation $\mathrm{f}\left(\mathrm{x}_1, \mathrm{x}_2, \ldots, \mathrm{x}_{\mathrm{n}}\right)=\mathrm{a}_1 \mathrm{x}_1+\mathrm{a}_2 \mathrm{x}_2+\cdots+$ $a_n x_n=b \ni f\left(\alpha_1, \alpha_2, \ldots, \alpha_n\right)=b$. This choice is suitable, provided gcd $\left(a_1, a_2, \ldots, a_n\right)$ divides $b$. Tracing such solution sets for a Diophantine equation with large coefficients is computationally complex and difficult to implement in realtime.

4.9 Application

The developed SKAP is implementable in real-time applications where a secure online platform is to be constructed for sharing information and communication. One of the applications is Telemedicine which is discussed in detail in Section 5 of this paper.

The comparative analysis of the protocol is summarized in Table 1.

Thus, the developed SKAP is resistant to Brute-force and passive attacks. Also, the session key generated through the proposed SKAP retains confidentiality and known-key security feature. The number of secure rounds in a single session of the key agreement protocol is (n-2) which is extendable to 2 (n-2) as discussed in section 4.2. The protocol is easily implementable and computationally efficient whose application in Telemedicine is explored in section 5. Hence, the proposed protocol is ideal than the protocols developed in studies [10, 11, 13].

Table 1. Comparison of the proposed SKAP with studies [10, 11, 13]

Note: Y: Resistant to attacks or holds the property or incorporated in the work; N: Doesn’t hold the property; NM: Not incorporated in the work.

A robust and efficient Session Key Agreement Protocol (SKAP) based on Affine transformations over multivariate polynomials has been proposed. This protocol's methodology was derived from the classical Affine cipher, facilitating ease of understanding and implementation. The protocol is designed to generate a session key, thereby enhancing security. Notably, it delineates the number of possible secure rounds within a single session, given a consistent selection of public and private keys. Resistance to brute-force and passive attacks is inherent to the protocol, which operates independently of a trusted third party.

The developed SKAP is suitable for secure two-party communication, permitting information access and privacy for the participating entities. Telemedicine, characterized by remote diagnostics and treatment, presents an appropriate application scenario. In this context, the protocol's application in Telemedicine is elucidated, underscoring the practical value of SKAP in real-world settings.