CC BY
14
УДК 512.54; 003.26; 003.26.09
DOI 10.25513/1812-3996.2018.23(4).44-50
КРИПТОГРАФИЧЕСКИМ АНАЛИЗ МОДИФИЦИРОВАННОМ МАТРИЧНОМ МОДУЛЯРНОЙ КРИПТОСИСТЕМЫ
(посвящается 80-летию профессора Владимира Никаноровича Ремесленникова)
В. А. Романьков
Омский государственный университет им. Ф. М. Достоевского, г. Омск, Россия
Информация о статье
Дата поступления 17.09.2018
Дата принятия в печать 17.10.2018
Дата онлайн-размещения 14.12.2018
Ключевые слова
Алгебраическая криптография, алгебраический криптоанализ, метод линейного разложения
Финансирование
Работа выполнена при поддержке гранта Российского фонда фундаментальных исследований в рамках научного проекта №18-41-550001
Аннотация. Показано, что Модифицированная матричная модулярная криптосистема, предложенная С.К. Росошеком, является криптографически незащищенной относительно атаки, основанной на методе линейного разложения. Приведен конкретный пример реализации системы, предложенный Росошеком, вместе с его криптографическим анализом. Криптографическая стойкость схемы шифрования системы Росо-шека базируется на проблеме поиска сопрягающего элемента и на использовании параметра «случайной соли». Указанная проблема не решается, точное значение параметра «соли» не ищется. Передаваемое секретное сообщение раскрывается без вычисления секретных параметров, использованных при его шифровании.
CRYPTOGRAPHIC ANALYSIS OF THE MODIFIED MATRIX MODULAR CRYPTOSYSTEM (paper is dedicated to professor Vladimir Nikanorovich Remeslennikov on the occasion of his 80th birthday)
V. A. Roman'kov
Dostoevsky Omsk State University, Omsk, Russia
Article info Abstract. We show that the Modified Matrix Modular Cryptosystem by S.K. Rososhek is not
Received secure against the attack based on the linear decomposition method. The specific realiza-
17.09.2018 tion of this system proposed by Rososhek is described and analyzed. The security of the
encryption scheme in the Rososhek's system is based on the mix of the conjugacy search Accepted problem and "random salt". We do not solve the conjugacy search problem and we do not
17.10.2018 seek exact value of the "salt". The transported secret message is recovered without compu-
tation the secret parameters, that have been used for its encryption.
Available online 14.12.2018
Keywords
Algebraic cryptography, algebraic cryptanalysis, linear decomposition method
Acknowledgements
The reported study was funded by Russian Basic Research Foundation according to the research project 18-41-550001
1. Introduction
The Basic Matrix Modular Cryptosystem (BMMC) is a public key cryptosystem, which was developed by S.K. Rososhek in [1]. In the most important case for the use of public-key cryptosystems, namely, key exchange protocols for symmetric ciphers, such as AES, the key length is usually equal to 128 or 256 bits. Protocol using BMMC was developed for the key exchange in [2]. BMMC realization needs three matrix modular exponentiations for key generation, three exponentiations under encryption and two exponentiations under decryption for every data block. One may to accelerate encryption by decreasing the number of exponentiations. To reach this aim it is necessary to explore the central-izer of random matrix in the general linear group over residue ring. The structure of this centralizer is unknown in general case.
In [3] Rososhek proposed two different modifications of BMMC. We consider them as two versions of the Modified Matrix Modular Cryptosystem (MMMC). The aim of [3] was to decrease the number of exponentiations and consequently to accelerate the execution of encryption algorithm. The author of [3] proposed to determine the large abelian subgroup in general linear group over the large residue ring and to choose the session keys in this subgroup, what will be to give the encryption without exponentiations. Below we consider one of the main protocols, proposed in [3].
In this paper, we show that MMMC is vulnerable against the attack based on the linear decomposition method invented by the author in the monographs [45] and developed by the author et al. in the papers [612]. We describe the attack in general case and illustrate the efficiently of this attack on the example of the realization of MMMC proposed by Rososhek in [3]. The security of the encryption scheme in the Rososhek's system is based on the mix of the conjugacy search problem and "random salt". We do not solve the conjugacy search problem and we do not seek exact value of the "salt". The transported secret message is recovered without computation the secret parameters, that have been used for its encryption.
2. Description of MMMC
As usual we suppose, that there are two correspondents, Alice and Bob, and that they use a non-secure net for their communications. A potential intruder, Eve, can read all their messages.
Assumptions.
Alice doing the following:
1) picks a pair of random numbers q *p and computes n = pq or picks a random prime number p and
integer 2 <l and computes n = pl, then she determines Zn, that is the residue ring over n;
2) takes the obviously abelian subgroup G
={ (af g), g, f e zn and det(G) = g2-f2 = 1};
3) picks four random integers a, b, c, d e Zn such that a2 - b2= 1 and c2- d2 = 1;
4) composes two random matrices:
V=(l b) and W = (c d); \b a> \d c>
5) defines two commuting inner automorphisms of the ring M2(Zn):
a : D ^ 7-1DV, p : D ^ W-1DW for every matrix D e M2(Zn);
6) computes the following automorphisms of the ring M2(Zn):
^ = a2p, ^ = aft2;
7) picks a random invertible matrix L e GL2(Z2) such that L does not belong to the subgroup G;
8) Alice public key is (n, ^(L), ip(L-1), private key is (V,W).
Algorithm.
Bob doing the following:
1) presents the plaintext M as a sequence of 2-by-2-matrices over residue ring Zn:
m1||m2|| ... Ilmt ;
2) for every m^, i = 1, 2, ..., t, chooses a random matrix Yt e G;
3) defines for every i = 1, 2, ..., t, the automorphisms
& : D ^ Y^DYi for every D e M2(Zn);
4) computes for every i = 1, 2,..., t matrices
& ML), & ML-1)), m& ML));
5) picks for every i = 1, 2, ..., t random units Yi e Zn ("salt") and computes the ciphertext:
C = (C(1) || C(2) ||... ||C(t)), C® = (C®, C2(i)), cf = Y-Hi (V(L-1)), cf = Yi^iML)), i = 1, 2.....t.
Decryption.
Alice doing the following:
1) computes for every i = 1, 2, ..., t, using her private key
Di = «-1p (C®) = «-1p (y-1^ (ty(L-1)));
2) computes for every i = 1, 2,..., t
c2°Di=Yimi(i (<p(L))Di=mi;
3) recovers the plaintext M from the matrix sequence m1, m2,..., mt.
3. Cryptanalysis
We are going to show that every mi can be recovered by any intruder that based only on the public data.
It is sufficient to show how we can recover any of the blocks m,i. For a given i, denote for brevity m = mt, Ci= C(), C2 = C®, { = fc,y = n, i =1, 2, ..., t.
Everybody can see the following data: n, V(L), ^(L-1) (and so q(L-1),iP(L), C1=r1^(^(i-1)),C2=Vm^(9(L)).
It is enough to calculate y-1% (^(L-1)) (and then swap ^ and ^ in C1).
Let H be abelian subgroup of GL2(Zn) consisting of all matrices of the form
(a b\ (b a)'
where a2 — b2 is invertible in Zn.
Let Z be the set of all linear combinations of all matrices x of the form (L-1)), in M2(Zn), where q is a conjugation by a matrix in H. Below we shall explain how we can construct a set c",1(^(L=1)), ..., <;t(^ (L-1)), Si e H, i = 1,2,..., t, for which every matrix in Z is a linear combination of these matrices over Zn. We also will show that we can take n < 4.
Then we compute a presentation of the form ^(L-1) = Zl^a^(y(L-1)), at e Zn.
Then we change in the right-hand side of this formula ip(L-1) by C1:
Zl=1ai<;i (C1) = = y-1fc (ZP^a^№(L-1)) = K-1; ML-1)).
Now we recover the message as C2Y-1 * (^(L-1)) = m.
For a ring R and any R-module M, the subset E of M is a basis for M if: E is a generating set for M that is to say, every element of M is a finite sum of elements of E multiplied by coefficients in R, and E is linearly independent, that is, a1e1 + ... + anek = 0 for e1, ... , ek distinct elements of E implies that a1 = ... = ak = 0. A free module is a module with a basis. But not each module has a basis.
For any submodule M of the free module Zrn, where r is a natural number and n = pq or n = pl, as above, we define a notion of quasi-basis as a minimal subset E of M such that every element of M is a finite sum of elements of E multiplied by coefficients in Zn.
Now we prove that M has a quasi-basis and show how this quasi-basis can be obtained. First we consider the case n = pq. Let Mp be the p-replic of M, i.e., a ho-momorphic image of M modulo p and Mq is the q-replic of M modulo q. Then Mp is a linear space over Zp, and Mq is a linear space over Zq. Let {a1, ..., ak} be a basis of Mp and {b1, ..., bt} be a basis of Mq. Since Mp and Mq are subspaces of Zrp and Zq respectively, we have k,t < r. Suppose that k > t. If k * t we add to the set {b1,..., bt} k-t zero elements and get a generating set {b1,...,
bk}. We can consider elements at and bj as r-tuples of components and b(j that are written as integers. Then by the Chinese remainder theorem we can find e(j) e N such that e(j) = a() (mod p) and e() = b() (mod q), respectively. We doing this for all i and j. As result we have a quasi-basis E = {e1, ..., ek} of M. Indeed, two the replics of arbitrary element v e M has two presentations of the forms
vp = Zk=1ai and vq = Z^k=1pi, respectively, where all coefficients are written as natural numbers. Again, by the Chinese remainder theorem we can find Yi such that Yi = ai (mod p) and Yi = Pi (mod q) for each i =1,..., k. Then
v = Zt=1Vi^i
is a presentation of v as a linear combination of vectors of E over Zn.
The just described algorithm can be applied only in the case when p and q are known. Now we only know that there is a quasi-basis consisting of k < r elements.
Second we consider the case n = pl. Any subgroup M of r-generated abelian group of exponent pl is a direct sum of k <r cyclic subgroups. Then a tuple (e1, ..., ek) of generators of these cyclic subgroups is a quasibasis of the submodule M. Such quasi-basis can be efficiently constructed by standard methods of the theory of abelian groups.
Constructing of a quasi-basis in the case n = pq. In the denotations of the protocol under consideration, let
C=(a <)
be an arbitrary matrix in M2(Zn). We are to find a quasibasis E of the submodule M generated by all matrices of the form T-1CT, where Te H. For simplicity, we assume that all four entries of C are different, and also that a + b + c + d, a + c - b - d and a + b - c - d are invertible in Zn.
Let e1= C be the first element of E. The second element of E is
e2 = -Ti 1CTi where Ti =
It is easy to calculate that
«2=a a).
If e2 = ae1 for a e Zn, then d = aa, c= ab, b = ac, and a = ad. It follows that a + b + c + d = a(a + b + c + d). By our assumption a = 1. Then a = aa = a2d = d, that contradicts to our assumptions. The third element in E is
e3 = 5 T2 1C T2, where T2T =
(I2 -2)
Then
е
= (° (2
a + 2c-2b-4d -2a-4c + b + 2d 3 (2a + с-4b-2d -4a -2c + 2b + d
Suppose that e3 = ae1 + 6e2 for some a, 6 e Zn. This is equivalent to the following set of equations: a + 2c - 2b - 4d = aa + pd, - 2a - 4c + b + 2d = a b + Pc, 2a + c - 4b - 2d = ac + pb, - 4a - 2c + 2b + d = ad + Pa. Add all these equations and get
-3(a + b + c + d) = (a + P)(a + b + c + d). We have assumed that a + b + c + d is invertible in Zn, hence a + p = -3. We substitute p = 3 - a to the set of equations. Now we can consider only first two the equations:
a - 2b + 2c - d = a (a - d), -2a + b - c + 2d = a (b - c). Add all these equations and get
-(a + b - c - d) = a (a + b - c - d). By our assumptions a + b - c- d is invertible in Zn, then a = -1.
Since 2 is invertible because p and q are odd primes, we immediately obtain a contradiction 2(a - b) = 2(d - c) ^ a + c - b - d = 0 to our assumptions. Theorem.
We use denotations of the protocol under consideration. Let C be a matrix in M2(Zn) with the following restrictions: a, b, c, d are four distinct elements of Zn; a + b + c + d, a + b - c - d and (d — a)2 — (c — b)2 are invertible in Zn. Then the just constructed set E = {e1, e2, e3} generates the submodule generated by all matrices of the form T-1CT, where TeH. In other words, E is a quasi-basis of this submodule. Proof:
To prove our statement we'll show that every matrix D of the form T-1CT, TeH, belongs to the submodule generated by e1, e2 and e3. Let
= {Bf fB\°2-f2^Zn•
Suppose that D = ae1 + pe2 + ye3, where a, p, y e e Zn. Then by direct computation we obtain the following set of equations:
1) g2a - gfc + gfb - ff2d = aa + pd + Ya + 2yc - 2Yb - 4Yd,
2) gfa - f2c + g2b - gfd = ab + pc - 2Ya - 4yc + Yb + 2Yd,
3) -gfa + g2c - f2b + gfd = ac + pb + 2Ya + yc - 4Yb - 2Yd,
4) -fa + gfc - gfb + g2d = ad + pa - 4Ya - 2yc + 2Yb + Yd.
Adding all these equations, we get (g2 - f)(a + b + c + d) = (a + p - 3y)(a + b + c + d). Since a + b + c + d is invertible matrix, this equality implies that a + p - 3y = g2 - f2. Substitute a = -p + 3y + + g2 - f2 to each of the equations:
5) g2a - gfc + gfb - 2f2d = -pa + 4Ya + g2a - f2a + pd + + 2Yc - 2Yb - 4Yd,
6) gfa - f2c + g2b - gfd = -pb + 4Yb + g2b - f2b + pc -- 2Ya - 4Yc + 2Yd,
T
7) -gfa + g2c - f2b + gfd = -pc + 4yc + g2c - f2c + pb + + 2ya - 4yb - 2yd,
8) -f2a + gfc - gfb + g2d = -pd + 4yd + g2d - f2d + pa -- 4ya - 2yc + 2yb.
It is easy to see that the first and fourth equations are equivalent. Similarly, the second and third equations are equivalent. It follows that the set of equations is equivalent to a pair of them:
1) - gfc + gfb - f2d + fa = p(d - a) + 2y(2a + c - b - 2d),
2) gfa - fc - gfd + f2b = p(c - b) + 2y(2b - a - 2c + d).
Since
d
d - a
2(2a + с - b - 2d)\ _ c-b 2(b - a - 2c + d))~ = 4((d - a)2 -(c- b)2)
С
is invertible by assumptions, the Cramer's rule allows to conclude that this system has a solution in Zn. Hence E is a quasi-basis of M.
Remark 1.
The security of the scheme MMMC is based on the mix of conjugacy search problem and "random salt" y. If y in the encryption algorithm is removed, then the system is insecure. This is because the usual conjugacy search problem on the general linear group GL2(Zn) is not hard. The equation C1= Y-1^(L-1)Y can be trans-fo rmed to a system of four linear equations with four unknowns. On the other hand, the author of MMMC claimed that the "salt" can be found only under brute force attack and for large n this problem becomes intractable. In our cryptanalysis we do not find y.
Remark 2.
In general each user can compute y2 for the "random salt" y. Indeed, det(C1) = y"2det (&(L-1)).
It follows that y~2 = det(C1)(det (ip(L-1))-1. If n = pl then y can be efficiently computed by y~2. The task of computing square roots in any finite field Fq is a problem of considerable importance. Moreover, calculation of roots in finite fields Fqs, where q = pd for some prime p and some positive integer d > 0 is a classical problem in computational algebra and number theory. Taking t-roots in a finite field Fqs is most commonly computed by means of the Adleman-Manders-Miller algorithm [13] (see also [14], section 7.3), which extends Tonelli's square root algorithm. The complexity of the Adleman-Manders-Miller algorithm is 0(ts4(log q)4) steps in general, but for certain special fields Fqs this drops to 0(ts3(logq)3) steps if s is fixed and small. Cipolla's square-root algorithm attains complexity O(s 3(logq)3) for any finite field Fqs, but does not seem to admit of a simple generalization for higher order roots. For a prime finite field Fp with p = 3 (mod 4) an equation x2 = c has a simple solution x = cp+1/4.
Let we find for an equation x2 = a (mod pr) the solutions x1 and x2 =-x1 for the corresponding equation x2 = a(mod p). Then x\ = a + pu (mod p2). If u = 0(mod p) then x1 is a solution of x2 = a (mod p2). In other case u = - 2x1w (mod p) (we assume that a * 0 (mod p2) and p is odd prime). Then x2 = x1 + pw is a solution of x2 = a (mod p2). Continuing such process we'll get a solution of x2 = a (mod pr).
Hence, in the case n = p r one can reduce protocol to the case without y, that is insecure. But in the case n = pq it looks intractable problem in general.
Remark 3.
In [3], the author proposed the other version of protocol MMMC, in which the group G was changed by a cyclic group. The cryptanalysis above doesn't explore a specific of abelian group G. It can be applied for arbitrary abelian G and for arbitrary size of matrices included.
4. Example
Now I consider Example 1 in [3] and give a crypta-nalysis.
Assumptions.
Alice doing the following:
1) picks the primes p = 5, q = 7 and computes n = pq = 35;
2) chooses four random integers in the modular ring Z3S: 7, 4, 6, 2;
3) composes the random matrices
>=(2 2);
4) computes det(V) = 33, det(W) = 32 and then computes det(V)-1 = 17, det(W)-1 = 23, therefore V and W are units in the matrix ring M2(Z35);
5) defines two automorphisms of the ring M2 (Z35):
a : D ^ V-1DV, в : D ^ W-1DW
for every matrix D e M2(Z35);
6) computes the following automorphisms:
^ = a2p, 9 = ap2;
7) chooses a random matrix in GL2 (Z35):
5)
and computes its inverse
1_ (30 2 Y L = ( 3 34);
8) computes matrices:
9(L) =(VW2)-1L(VW2) = (34 34),
y(L-1)=(V2W)-1L-1(V2W)=(2l 24);
9) Alice public key is
(n = 35, ф(1_) = (VW2)-1L(VW2) = ( ф(1-1) = (V2W)-1l-1(V2W) = (
34 34 6 7
23 24)),
16 6
private key is
(v=(4
Algorithm.
Bob doing the following:
1) presents the plaintext as a matrix
m = (11 2) e M2(Z35);
2) picks the random matrix
Y = (l 3).G
)• w=(2 6>
and computes
Y-
= ( 2 20y (20 2 );
defines automorphism % of the ring M2(Z35):
* : D ^ Y-1DY
for every D e M2(Z35);
3) computes matrices:
* (9(L))=y-1(9(L))Y = (29 24), ;№(L-1)) = Y-1(^(L-1))Y=(13 24);
4) picks a random unit y e Z35, y = 9, y-1 = 4;
5) computes the ciphertext C = ( C1, C2):
С1=7-1^(ф(1-1)) = (17
K29
26 29
C2 = VmiW-)l = (16 228). Decryption.
Alice doing the following:
1) computes matrix z, using her private the key:
z=«-^ = (21 26);
2) computes then
11 2
Czz = ( 9 2) = m' Cryptanalysis. Firstly we compute
v(L-1) = (<KL))-1=(28 34).
By the way we can calculate y-2. Indeed, det(^(L-1)) = 34, det( CJ = det(^(L-1)) = 19, then
y-2 = 16.
Note, that in the denotations of Theorem the element (d - a)2 -(c- b)2 = 212 - 282 = 15 is not in-vertible in Z35. Hence one of the necessary conditions of the theorem is not satisfied. Since we cannot apply this theorem we'll use the recommended method by choosing a four "random" matrices of the form q(^(L-1)), $ where ç e H (in fact we take four matrices with simplest conjugators):
1
Вестник Омского университета 2018. Т. 23, № 4. С. 44-50
ISSN 1812-3996-
,т-и (23 24\ "i = ^ = (16 б)
е7 =
е, = 12
б 1б
е. = 23
34\(23 24\(0 1\ = (
<34 oAl6 6)(1 0) (24 23
<23 24\ (2 3^/ 0 27\
<16 6 )(34 2 ) (13 29)
23 24\(1 33\ = (29 13\
2 1)(16 6 )(33 1 ) (27 0 )■ Then we are to solve the equation
V(L-1)
— %i = iaiei,
namely:
(28 34) = aJ23 24) + a2 (б 1б) + (б8 1 ) 1(1б б) 2 (24 23)
13
( 0 27\ , (29 13\ a3(13 29) + (7 o)-By direct computation via the Gauss elimination process we obtain the unique solution:
a1 = 7, a2 = 0, a3 =1, a4 = 28.
+
Then we swap w(L 1) = (23 on the right-
V16 6 /
hand side of the last equality with C1 = ( 26) and compute:
7(17 26) + 12 (2 1)(17 26)( 2 34) \29 29) \1 2)\29 29)\34 2 )
+28(23(2 D(19 29)(1 3?))=
= (14 7 A (15 , f28 21\ =
(28 28) (22 31) (14 0 ) 22 26
(29 24)'
14 7
28 28) ' (22 31) ' (14 0 22 26
29 24)
At last we multiply C2 to the just computed ma-
trix:
(9 2 Л 122 2б\(11 24 (1б 28)(29 24) ( 9 3)
ш,
and we succeeded.
СПИСОК ЛИТЕРА ТУРЫ
1. Rososhek S. K. New practical algebraic public-key cryptosystem and some related algebraic and computational aspects // Applied Mathematics. 2013. Vol. 4, no. 7. P. 1043-1049.
2. Rososhek S. K., Gorbunov E. S. Non-commutative analogue of Diffie-Hellman protocol in matrix ring over the residue ring // International Journal of Computers and Technology. 2013. Vol. 11, no. 10. P. 3051-3059; 2015. Vol. 5, no. 5. P. 613-636. Article no. BJMCS.2015.046.
3. Rososhek S. K. Modified Matrix Modular Cryptosystems// British Journal of Mathematics & Computer Science. 2015. Vol. 5. P. 613-636. Article no. BJMCS.2015.046.
4. Roman'kov V. A. Essays in algebra and cryptology. Algebraic cryptanalysis. Omsk. Omsk State University Publishing House, 2017. 208 p.
5. Романьков В. А. Алгебраическая криптография. Омск : Изд-во Ом. гос. ун-та, 2013. 135 с.
6. Myasnikov A. G., Roman'kov V. A. A linear decomposition attack // Groups Complexity Cryptology. 2015. Vol. 7, no. 2. P. 81-94.
7. Романьков В. А. Криптографический анализ некоторых схем шифрования использующих автоморфизмы // Приклад. дискрет. матем. 2013. № 21. С. 35-51.
8. Roman'kov V. A. A nonlinear decomposition attack // Groups Complexity Cryptology. 2017. Vol. 8, no. 2. P. 197-207.
9. Roman'kov V. A. A polynomial time algorithm for the braid double shielded public key cryptosystems // Bulletin of the Karaganda University. Mathematics Series. 2016. No. 4 (84). Р. 110-115; arXiv math.:1412.5277v1 [math.GR], 17 Dec. 2014. 7 p.
10. Roman'kov V. A., Menshov A. V. Cryptanalysis of Andrecut's public key cryptosystem // arXiv math.: 1507.01496v1 [math.GR], 6 Jul. 2015. 5 p.
11. Романьков В. А., Обзор А. А. Общая алгебраическая схема распределения криптографических ключей и ее криптоанализ // Приклад. дискрет. матем. 2017. № 37. С. 52-61.
12. Романьков В. А., Обзор А. А. Метод нелинейного разложения для анализа криптографических схем, использующих автоморфизмы групп // Приклад. дискрет. матем. 2018. № 41. С. 38-45.
13. Adleman L. M., Manders K., Miller G. On taking roots in finite fields // 18th IEEE Symposium on Foundations of Computer Science. P. 175-177.
14. Bach E., Shallit J. Algorithmic Number Theory. Vol. 1: Efficient Algorithms (Foundations of Computing). Cambridge, Massachusetts, London: MIT Press, 1996. 515 p.
ИНФОРМАЦИЯ ОБ АВТОРЕ
Романьков Виталий Анатольевич - доктор физико-математических наук, профессор, заведующий кафедрой компьютерной математики и программирования, Омский государственный университет им. Ф. М. Достоевского, 644077, Россия, г. Омск, пр. Мира, 55а; e-mail: romankov48@ mail.ru.
ДЛЯ ЦИТИРОВАНИЯ
Романьков В. А. Криптографический анализ модифицированной матричной модулярной криптосистемы // Вестн. Ом. ун-та. 2018. Т. 23, № 4. С. 44-50. DOI: 10.25513/1812-3996.2018.23(4).44-50.
INFORMATION ABOUT THE AUTHOR
Roman'kov Vitalii Anatolievich - Doctor of Physical and Mathematical Sciences, Professor, Head of the Chair of Computing Mathematics and Programming, Dostoevsky Omsk State University, 55a, pr. Mira, Omsk, 644077, Russia; e-mail: romankov48@mail.ru.
FOR QTATIONS
Roman'kov V.A. Cryptographic analysis of the modified matrix modular cryptosystem. Vestnik Omskogo uni-versiteta = Herald of Omsk University, 2018, vol. 23, no. 4, pp. 44-50. DOI: 10.25513/1812-3996.2018. 23(4).44-50. (in Russ.).
