Vestnik SPbGU. Applied Mathematics. Computer Science... 2021. Vol. 17. Iss. 3. UDC 512.552.18+003.26 MSC 16P10
Digital signature scheme on the 2 x 2 matrix algebra
N. A. Moldovyan, A. A. Moldovyan
St. Petersburg Federal Research Center of the Russian Academy of Sciences, 39, 14-ya liniya V. O., St. Petersburg, 199178, Russian Federation
For citation: Moldovyan N. A., Moldovyan A. A. Digital signature scheme on the 2 x 2 matrix algebra. Vestnik of Saint Petersburg University. Applied Mathematics. Computer Science. Control Processes, 2021, vol. 17, iss. 3, pp. 254-261. https://doi.org/10.21638/11701/spbu10.2021.303
Abstract. The paper studies the 2 x 2 matrix algebra defined over the field $GF(p)$. It is shown that this algebra contains three types of commutative subalgebras of order $p^2$, which differ in the order of their multiplicative group. Formulas describing the number of subalgebras of every type are derived. A new post-quantum digital signature scheme is introduced based on a novel form of the hidden discrete logarithm problem. The scheme is characterized by using scalar multiplication as an additional operation masking the hidden cyclic group in which the basic exponentiation operation is performed when generating the public key. The advantages of the developed signature scheme are the comparatively high performance of the signature generation and verification algorithms as well as the possibility to implement a blind signature protocol on its base.
Keywords: digital signature, post-quantum cryptoscheme, blind signature, hidden logarithm problem, finite associative algebra, matrix algebra.
1. Introduction. At present, in the field of public-key cryptography, considerable attention of the cryptographic community is paid to the development of post-quantum cryptoschemes [1-3]. Finite non-commutative associative algebras (FNAAs) are of significant interest as algebraic support of practical post-quantum digital signature schemes based on different forms of the hidden discrete logarithm problem (HDLP) [4, 5]. A unified method for setting FNAAs of arbitrary even dimensions is proposed in [6]. To get faster post-quantum signature algorithms, the latter are developed on 4-dimensional FNAAs [5, 7, 8].
A finite $m$-dimensional vector space defined over a finite field (for example, $GF(p)$), in which a vector multiplication operation (distributive at the left and at the right relative to the addition operation) is set, is called a finite algebra. A vector $A$ is denoted as $A = (a_0, a_1, \dots, a_{m-1})$ or as $A = \sum_{i=0}^{m-1} a_i e_i$, where $a_0, a_1, \dots, a_{m-1} \in GF(p)$ are called coordinates; $e_0, e_1, \dots, e_{m-1}$ are basis vectors.
The vector multiplication operation ($\circ$) of two $m$-dimensional vectors $A$ and $B$ is set as
$$A \circ B = \sum_{i=0}^{m-1} \sum_{j=0}^{m-1} a_i b_j (e_i \circ e_j),$$
where every one of the products $e_i \circ e_j$ is to be substituted by the single-component vector $\lambda e_k$, where $\lambda \in GF(p)$, indicated in the cell at the intersection of the $i$-th row and $j$-th column of the so-called basis vector multiplication table (BVMT). To define an associative vector multiplication operation the BVMT should define associative multiplication of all possible triples of the basis vectors $(e_i, e_j, e_k)$:
$$(e_i \circ e_j) \circ e_k = e_i \circ (e_j \circ e_k).$$
© St. Petersburg State University, 2021
The 2 x 2 matrix algebra set over $GF(p)$ can be represented as the 4-dimensional FNAA defined by Table for the case $\lambda = 1$. This BVMT is sparse and the computational difficulty of the vector multiplication is two times lower than in the 4-dimensional FNAA presented in [5, 8]. Therefore the development of HDLP-based signature schemes on the matrix algebra potentially gives higher performance. In this connection, it is of interest to study the structure of the 2 x 2 matrix algebra from the point of view of identifying the various types of commutative multiplicative groups contained in the algebra.
Table. The BVMT setting the 4-dimensional FNAAs ($\lambda \ne 0$) and the 2 x 2 matrix algebra ($\lambda = 1$)
  ∘   | e0   | e1   | e2   | e3
  e0  | e0   | e1   | 0    | 0
  e1  | 0    | 0    | λe0  | e1
  e2  | e2   | λe3  | 0    | 0
  e3  | 0    | 0    | e2   | e3
In the present paper the structure of the 2 x 2 matrix algebra over $GF(p)$ is studied from this point of view, and the results are used to develop a post-quantum signature algorithm based on a novel form of the HDLP.
2. The structure of the 2 x 2 matrix algebra over $GF(p)$. Consider the 4-dimensional FNAA set by Table. For an arbitrary fixed value $\lambda \ne 0$ the algebra contains the global two-sided unit $E = (1, 0, 0, 1)$. The vectors $G = (g_0, g_1, g_2, g_3)$ satisfying the inequality $g_0 g_3 \ne \lambda g_1 g_2$ are invertible. The vectors $N = (n_0, n_1, n_2, n_3)$ satisfying the condition $n_0 n_3 = \lambda n_1 n_2$ are non-invertible. From the latter equality one can easily show that the number of non-invertible vectors contained in the algebra equals $n_N = p^3 + p^2 - p$ and the number of invertible vectors (the order of the multiplicative group of the algebra) equals
$$\Omega = p^4 - n_N = p(p-1)(p^2-1).$$
Consider the set of the vectors $X$ that are permutable with a fixed vector $A = (a_0, a_1, a_2, a_3)$. The vectors $X = (x_0, x_1, x_2, x_3)$ can be computed from the vector equation $A \circ X = X \circ A$, which can be reduced to the following system of three linear equations with the unknowns $x_0, x_1, x_2, x_3$:
$$\lambda a_2 x_1 - \lambda a_1 x_2 = 0,\qquad a_1 x_0 + (a_3 - a_0)\, x_1 - a_1 x_3 = 0,\qquad a_2 x_0 + (a_3 - a_0)\, x_2 - a_2 x_3 = 0. \qquad (1)$$
Depending on the values of the coordinates of the vector $A$, the following cases are to be considered.
I. Case $a_1 = a_2 = 0$. The system (1) reduces to
$$(a_3 - a_0)\, x_1 = 0,\qquad (a_3 - a_0)\, x_2 = 0.$$
If $a_3 \ne a_0$, then $x_1 = x_2 = 0$ and the solution space is
$$X = (x_0, x_1, x_2, x_3) = (d, 0, 0, h), \qquad (2)$$
where $d, h = 0, 1, \dots, p - 1$. The set (2) describes a commutative subalgebra of order $p^2$ that contains $2p - 1$ different non-invertible vectors of the forms $(d, 0, 0, 0)$ and $(0, 0, 0, h)$. The multiplicative group $\Gamma_1$ of this subalgebra is non-cyclic and has order $\Omega_1 = p^2 - (2p - 1) = (p - 1)^2$. One can show that the group $\Gamma_1$ possesses 2-dimensional cyclicity (in terms of [9]), i.e. it is generated by two elements of order $p - 1$.
If $a_3 = a_0$, the vector $A$ is a scalar vector, and it is permutable with all vectors of the algebra.
II. Case $a_1 = 0$, $a_2 \ne 0$. The system (1) reduces to
$$x_1 = 0,\qquad x_3 = x_0 + \frac{a_3 - a_0}{a_2}\, x_2,$$
and the solution space of this system is described as follows:
$$X = (x_0, x_1, x_2, x_3) = \left(d,\ 0,\ h,\ d + \frac{a_3 - a_0}{a_2}\, h\right),$$
where $d, h = 0, 1, \dots, p - 1$. The latter set includes the non-invertible vectors satisfying the condition $d\left(d + \frac{a_3 - a_0}{a_2}\, h\right) = 0$. The latter condition sets the two subsets of non-invertible vectors: i) $X = \left(0,\ 0,\ h,\ \frac{a_3 - a_0}{a_2}\, h\right)$ and ii) $X = \left(-\frac{a_3 - a_0}{a_2}\, h,\ 0,\ h,\ 0\right)$, which intersect in the zero vector $(0, 0, 0, 0)$.
IIa. Case $a_0 \ne a_3$. This subcase corresponds to a commutative subalgebra of order $p^2$ which includes $2p - 1$ non-invertible vectors and the multiplicative group $\Gamma_1$ of order $\Omega_1 = (p - 1)^2$.
IIb. Case $a_0 = a_3$. This subcase corresponds to a commutative subalgebra of order $p^2$ which includes $p$ non-invertible vectors of the form $(0, 0, h, 0)$ and contains a multiplicative group $\Gamma_2$ of order $\Omega_2 = p^2 - p = p(p - 1)$.
III. Case $a_1 \ne 0$, $a_2 = 0$. The system (1) reduces to
$$x_2 = 0,\qquad x_3 = x_0 + \frac{a_3 - a_0}{a_1}\, x_1,$$
and the solution space of this system is described as follows:
$$X = (x_0, x_1, x_2, x_3) = \left(d,\ h,\ 0,\ d + \frac{a_3 - a_0}{a_1}\, h\right),$$
where $d, h = 0, 1, \dots, p - 1$. The latter set includes the non-invertible vectors satisfying the condition $d\left(d + \frac{a_3 - a_0}{a_1}\, h\right) = 0$. The latter condition sets the two subsets of non-invertible vectors: i) $X = \left(0,\ h,\ 0,\ \frac{a_3 - a_0}{a_1}\, h\right)$ and ii) $X = \left(-\frac{a_3 - a_0}{a_1}\, h,\ h,\ 0,\ 0\right)$, which intersect in the zero vector.
IIIa. Case $a_0 \ne a_3$. This subcase corresponds to a commutative subalgebra of order $p^2$ which includes $2p - 1$ non-invertible vectors and the multiplicative group $\Gamma_1$ of order $\Omega_1 = (p - 1)^2$.
IIIb. Case $a_0 = a_3$. This subcase corresponds to a commutative subalgebra of order $p^2$ which includes $p$ non-invertible vectors of the form $(0, h, 0, 0)$ and contains a multiplicative group $\Gamma_2$ of order $\Omega_2 = p(p - 1)$. It is easy to show that $\Gamma_2$ is a cyclic group.
IV. Case $a_1 \ne 0$, $a_2 \ne 0$. The system (1) reduces to
$$x_2 = \frac{a_2}{a_1}\, x_1,\qquad x_3 = x_0 + \frac{a_3 - a_0}{a_1}\, x_1,$$
and the solution space of the system (1) is described as follows:
$$X = (x_0, x_1, x_2, x_3) = \left(d,\ h,\ \frac{a_2}{a_1}\, h,\ d + \frac{a_3 - a_0}{a_1}\, h\right), \qquad (3)$$
where $d, h = 0, 1, \dots, p - 1$. Taking into account the non-invertibility condition, for vectors from the set (3) one can write
$$d^2 + \frac{a_3 - a_0}{a_1}\, h d - \lambda\, \frac{a_2}{a_1}\, h^2 = 0,\qquad d = \frac{(a_0 - a_3) \pm \sqrt{\Delta}}{2 a_1}\, h,$$
where $\Delta = (a_3 - a_0)^2 + 4 \lambda a_1 a_2$.
IVa. Case $\Delta \ne 0$ is a quadratic residue in $GF(p)$. The number of non-invertible vectors in the set (3) equals $2p - 1$ and the commutative subalgebra set by (3) contains a multiplicative group of the $\Gamma_1$ type.
IVb. Case $\Delta \ne 0$ is a quadratic non-residue in $GF(p)$. The commutative subalgebra set by (3) contains the single non-invertible vector $(0, 0, 0, 0)$, i.e. it is the field $GF(p^2)$, with cyclic multiplicative group $\Gamma_3$ of order $\Omega_3 = p^2 - 1$.
IVc. Case $\Delta = 0$. The number of non-invertible vectors in the set (3) equals $p$ and the commutative subalgebra set by (3) includes a multiplicative group $\Gamma_2$ of order $\Omega_2 = p(p - 1)$.
Thus, the studied 4-dimensional FNAA contains exactly three types of commutative subalgebras of order $p^2$, and every two of the subalgebras intersect exactly in the subset of scalar vectors. Indeed, each of the vectors that is not a scalar vector defines a single commutative subalgebra of order $p^2$. Each such subalgebra contains $p^2 - p$ non-scalar vectors, and the algebra contains $p^4 - p$ different non-scalar vectors, therefore for the number $\eta$ of the commutative subalgebras of all three types we get the following formula:
$$\eta = \frac{p^4 - p}{p^2 - p} = p^2 + p + 1.$$
Suppose $k$, $t$, and $u$ denote the numbers of different commutative groups of the types $\Gamma_1$, $\Gamma_2$, and $\Gamma_3$ correspondingly. Then we have $\eta = k + t + u$ and
$$k + t + u = p^2 + p + 1. \qquad (4)$$
Taking into account that every two of these groups intersect exactly in the subgroup of scalar vectors of order $p - 1$, one can write
$$(\Omega_1 - (p - 1))\, k + (\Omega_2 - (p - 1))\, t + (\Omega_3 - (p - 1))\, u = \Omega - (p - 1),$$
$$\left((p - 1)^2 - (p - 1)\right) k + \left(p(p - 1) - (p - 1)\right) t + \left(p^2 - 1 - (p - 1)\right) u = p(p - 1)(p^2 - 1) - (p - 1),$$
$$(p - 2)\, k + (p - 1)\, t + p\, u = p^3 - p - 1. \qquad (5)$$
To find the value $t$, consider the number of non-invertible vectors $A$ relating to Case IVc, i.e. $a_1 \ne 0$, $a_2 \ne 0$, $\Delta = 0$, which define the commutative subalgebras containing multiplicative groups of the $\Gamma_2$ type. Such vectors satisfy the conditions $a_0 a_3 - \lambda a_1 a_2 = 0$ and $\Delta = (a_3 - a_0)^2 + 4 \lambda a_1 a_2 = 0$. From these conditions we have $(a_3 + a_0)^2 = 0$ and $a_3 = -a_0$. Thus, Case IVc gives $(p - 1)^2$ different vectors $A$ that set the subalgebras containing the $\Gamma_2$ type groups. Each of the subcases IIb and IIIb gives another $p - 1$ unique vectors $A$ setting the subalgebras containing the $\Gamma_2$ type groups. In total, we have $(p - 1)^2 + 2(p - 1) = (p - 1)(p + 1)$ of the said vectors $A$. Every one of the said subalgebras contains $p - 1$ of the said vectors $A$, and the $t$ subalgebras contain $t(p - 1) = (p - 1)(p + 1)$ of the said non-invertible vectors, therefore
$$t = p + 1.$$
From (4) and (5) with $t = p + 1$ we have
$$k = \frac{p(p + 1)}{2},\qquad u = \frac{p(p - 1)}{2}.$$
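The counting argument above can be checked by brute force for small primes. The following Python program is an added example written for this page (it is not the paper's code): it enumerates all $p^4$ vectors of the 2 x 2 matrix algebra over $GF(p)$ (with $\lambda = 1$), builds the commutative subalgebra set by each non-scalar vector, verifies that every two subalgebras meet only in the scalar vectors, and sorts the subalgebras into the types $\Gamma_1$, $\Gamma_2$, $\Gamma_3$ by their number of non-invertible vectors ($2p - 1$, $p$ and 1 respectively). All function names are its own.

```python
# Added example, not from the paper: brute-force census of the commutative
# subalgebras of order p^2 in the 2x2 matrix algebra over GF(p) for a small
# odd prime p, checking the counts derived in Section 2. A vector
# (a0, a1, a2, a3) is the matrix [[a0, a1], [a2, a3]] (the BVMT with lambda = 1).
from itertools import product


def mul(a, b, p):
    """Vector product A o B, i.e. the product of two 2x2 matrices over GF(p)."""
    a0, a1, a2, a3 = a
    b0, b1, b2, b3 = b
    return ((a0 * b0 + a1 * b2) % p, (a0 * b1 + a1 * b3) % p,
            (a2 * b0 + a3 * b2) % p, (a2 * b1 + a3 * b3) % p)


def is_invertible(a, p):
    """A vector is invertible iff a0*a3 != lambda*a1*a2 (here lambda = 1)."""
    return (a[0] * a[3] - a[1] * a[2]) % p != 0


def is_scalar(a):
    """Scalar vectors (c, 0, 0, c) are permutable with every vector."""
    return a[1] == 0 and a[2] == 0 and a[0] == a[3]


def subalgebra(a, space, p):
    """All X with A o X = X o A: the commutative subalgebra set by a non-scalar A."""
    return frozenset(x for x in space if mul(a, x, p) == mul(x, a, p))


def census(p):
    """Counts the subalgebras by the number of non-invertible vectors they hold:
    2p-1 -> Gamma_1 type (k), p -> Gamma_2 type (t), 1 -> Gamma_3 type (u).
    Also checks that every two subalgebras intersect only in the scalar vectors.
    Returns (counts, number of invertible vectors, number of non-invertible vectors)."""
    space = list(product(range(p), repeat=4))
    scalars = frozenset(a for a in space if is_scalar(a))
    counts = {"k": 0, "t": 0, "u": 0}
    covered = set(scalars)          # vectors already assigned to a subalgebra
    for a in space:
        if a in covered:
            continue
        s = subalgebra(a, space, p)
        assert len(s) == p * p and s & covered == scalars
        covered |= s
        non_inv = sum(1 for x in s if not is_invertible(x, p))
        counts[{2 * p - 1: "k", p: "t", 1: "u"}[non_inv]] += 1
    assert len(covered) == p ** 4   # every non-scalar vector lies in exactly one subalgebra
    n_noninv = sum(1 for a in space if not is_invertible(a, p))
    return counts, len(space) - n_noninv, n_noninv


if __name__ == "__main__":
    for p in (3, 5, 7):
        counts, n_inv, n_noninv = census(p)
        print(p, counts, "invertible:", n_inv, "non-invertible:", n_noninv)
```

For $p = 5$ the census returns $k = 15$, $t = 6$, $u = 10$ (31 = $p^2 + p + 1$ subalgebras), $n_N = 145$ non-invertible and $\Omega = 480$ invertible vectors, in agreement with the formulas of this section. The enumeration costs about $p^6$ matrix products, so it is meant for primes below roughly 11.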
3. The proposed post-quantum signature scheme. Suppose a 2 x 2 matrix algebra is defined over the field $GF(p)$ with prime $p = 2q + 1$, where $q$ is a 256-bit prime. Generation of the public key in the form of the matrices $(Y, T, Z)$ is performed as follows:
1) select at random an invertible 2 x 2 matrix $G$ of prime order $q$ contained in a cyclic group of one of the types described in Section 2 (using the results of Section 2 one can easily propose a method for implementing this step);
2) generate a uniformly random invertible 2 x 2 matrix $A$ and an integer $x < q$ and compute the matrix $Y = A G^x A^{-1}$;
3) generate a uniformly random invertible 2 x 2 matrix $B$ and an integer $\lambda < p$ and compute the matrix $Z = B G B^{-1} \lambda$;
4) select a uniformly random integer $u < q$ and compute the matrix $T = A G^u B^{-1}$.
The size of the public key equals approximately 384 bytes. The private key is the set of values $G, A, B, x, u, \lambda$.
Procedure for generation of the signature $(e, s, \sigma)$ to the electronic document $M$:
• select at random integers $k < q$, $\rho < p$ and calculate the matrix $R = A G^k B^{-1} \rho$;
• using some specified 256-bit hash function $f_h$ compute the hash value $e$ from the document $M$ to which the matrix $R$ is concatenated: $e = f_h(M, R)$. The value $e$ is the first signature element;
• calculate the second signature element $s = k - u - e x \bmod q$ and the third signature element $\sigma = \rho \lambda^{-s}$.
The signature size equals about 96 bytes. Computational difficulty of the signature generation can be estimated as 1 exponentiation in the 2 x 2 matrix algebra (approximately 3072 multiplications in $GF(p)$).
Signature verification procedure includes the three steps:
• compute the matrix $R' = Y^e T Z^s \sigma$;
• compute the value $e' = f_h(M, R')$;
• if $e' = e$, the signature is accepted as genuine.
Computational difficulty of the signature verification can be estimated as 2 exponentiations in the 2 x 2 matrix algebra (about 6142 multiplications in $GF(p)$).
Correctness proof of the signature scheme is as follows:
$$R' = Y^e T Z^s \sigma = \left(A G^x A^{-1}\right)^e \left(A G^u B^{-1}\right) \left(B G B^{-1} \lambda\right)^s \sigma = A G^{xe + u + s} B^{-1} \lambda^s \left(\rho \lambda^{-s}\right) = A G^{xe + u + k - u - ex} B^{-1} \rho = R \ \Rightarrow\ f_h(M, R') = f_h(M, R) \ \Rightarrow\ e' = e.$$
Thus, the correctly computed signature $(e, s, \sigma)$ passes the verification procedure as a genuine signature.
4. Blind signature protocol. A blind digital signature is used to solve the problems of ensuring the anonymity (non-traceability) of users that arise in some special information technologies [10, 11], for example, electronic money systems and secret electronic voting. A blind signature is computed by the signer in the process of interacting with some user (client). The signer uses his personal private key to calculate the blind signature and transfers it to the client. Using the blind signature, the client computes an authentic signature of the signer to some document to which the signer does not have access during the protocol execution. In addition, the anonymity of the client is ensured by the fact that during the protocol he introduces one or two random blinding factors into the blind signature. After receiving the blind signature from the signer, the client removes the blinding factors, thereby calculating the true signature.
Using the described signature scheme and applying a scalar blinding factor $\rho$ and the left $Y^\varepsilon$ and right $Z^\tau$ blinding factors in the form of two matrices, one can propose the following blind signature protocol.
1. The signer selects at random an integer $k < q$ and calculates the matrix $R^* = A G^k B^{-1}$. The latter is sent to the client.
2. The client generates random non-negative integers $\varepsilon < q$, $\tau < q$, and $\rho < p$ and calculates the matrix $R = Y^\varepsilon R^* Z^\tau \rho$. Then he computes the first element of a valid signer's signature $e = f_h(M, R)$ and the first element of the blind signature $e^* = e - \varepsilon \bmod q$. The value $e^*$ is sent to the signer. (The document $M$ is prepared by the client.)
3. The signer calculates the other elements of the blind signature: the second $s^* = k - u - e^* x \bmod q$ and the third $\sigma^* = \lambda^{-s^*}$. Then he sends the values $s^*$ and $\sigma^*$ to the client.
4. The client calculates the second and third elements of the valid signer's signature: $s = s^* + \tau \bmod q$ and $\sigma = \sigma^* \rho$.
Correctness proof of this blind signature protocol is performed as proving that the signature $(e, s, \sigma)$ computed by the client passes the verification procedure of the signature scheme as a genuine signature:
$$R' = Y^e T Z^s \sigma = Y^{\varepsilon + e^*} T Z^{s^* + \tau} \sigma^* \rho = Y^\varepsilon \left(Y^{e^*} T Z^{s^*} \sigma^*\right) Z^\tau \rho = Y^\varepsilon R^* Z^\tau \rho = R \ \Rightarrow\ f_h(M, R') = f_h(M, R) \ \Rightarrow\ e' = e.$$
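A toy end-to-end run of the signature scheme of Section 3 and of the blind signature protocol of Section 4, as an added Python example written for this page (it is not the authors' implementation): key generation, signing, verification, and the four-step blind exchange with the client's and the signer's computations marked. It assumes the constructed parameters $q = 23$, $p = 47$ (the paper prescribes a 256-bit $q$), uses SHA-256 as the hash function $f_h$, and selects the order-$q$ matrix $G$ by raising a random invertible matrix to the power $p(p-1)(p+1)/q$, which is this example's method rather than one the paper states; all function names are its own.

```python
# Added example for this page, not the paper's code: toy implementation of the
# signature scheme (Section 3) and blind signature protocol (Section 4) on the
# 2x2 matrix algebra over GF(p), p = 2q + 1, with constructed tiny parameters.
# Matrices are 4-tuples (a0, a1, a2, a3) = [[a0, a1], [a2, a3]]; SHA-256 plays f_h.
import hashlib
import random

Q = 23               # constructed toy parameter (the paper prescribes a 256-bit prime q)
P = 2 * Q + 1        # p = 47, prime
E = (1, 0, 0, 1)     # unit matrix

def mul(a, b):
    a0, a1, a2, a3 = a
    b0, b1, b2, b3 = b
    return ((a0 * b0 + a1 * b2) % P, (a0 * b1 + a1 * b3) % P,
            (a2 * b0 + a3 * b2) % P, (a2 * b1 + a3 * b3) % P)

def scal(a, c):
    return tuple(c * x % P for x in a)               # scalar multiplication c*A

def inv(a):
    d = pow((a[0] * a[3] - a[1] * a[2]) % P, -1, P)  # 1/det, requires det != 0
    return (a[3] * d % P, -a[1] * d % P, -a[2] * d % P, a[0] * d % P)

def mpow(a, e):
    r, b = E, a                                      # square-and-multiply
    while e > 0:
        if e & 1: r = mul(r, b)
        b, e = mul(b, b), e >> 1
    return r

def rand_invertible(rng):
    while True:
        a = tuple(rng.randrange(P) for _ in range(4))
        if (a[0] * a[3] - a[1] * a[2]) % P:
            return a

def rand_order_q(rng):
    """Assumed method for step 1 of key generation (this example's, not the paper's):
    every invertible M satisfies M^(p(p-1)(p+1)) = E, so M^(p(p-1)(p+1)/q) has
    order 1 or q; non-scalar results are kept, and those have order exactly q."""
    n = P * (P - 1) * (P + 1) // Q
    while True:
        g = mpow(rand_invertible(rng), n)
        if g[1] or g[2] or g[0] != g[3]:
            return g

def keygen(rng):
    g = rand_order_q(rng)
    a, b = rand_invertible(rng), rand_invertible(rng)
    x, u, lam = rng.randrange(1, Q), rng.randrange(1, Q), rng.randrange(1, P)
    y = mul(mul(a, mpow(g, x)), inv(a))          # Y = A G^x A^-1
    t = mul(mul(a, mpow(g, u)), inv(b))          # T = A G^u B^-1
    z = scal(mul(mul(b, g), inv(b)), lam)        # Z = B G B^-1 lambda
    return (y, t, z), (g, a, b, x, u, lam)

def fh(m, r):
    """e = f_h(M, R): hash of the document with the matrix R concatenated."""
    return int.from_bytes(hashlib.sha256(m + repr(r).encode()).digest(), "big")

def sign(sk, m, rng):
    g, a, b, x, u, lam = sk
    k, rho = rng.randrange(1, Q), rng.randrange(1, P)
    r = scal(mul(mul(a, mpow(g, k)), inv(b)), rho)    # R = A G^k B^-1 rho
    e = fh(m, r)
    s = (k - u - e * x) % Q
    return e, s, rho * pow(lam, -s, P) % P              # sigma = rho lambda^-s

def verify(pk, m, sig):
    y, t, z = pk
    e, s, sigma = sig
    r1 = scal(mul(mul(mpow(y, e), t), mpow(z, s)), sigma)   # R' = Y^e T Z^s sigma
    return fh(m, r1) == e

def blind_sign(pk, sk, m, rng):
    """Section 4 protocol; both parties in one function, signer lines marked."""
    g, a, b, x, u, lam = sk
    y, t, z = pk
    k = rng.randrange(1, Q)                                    # signer, step 1
    r_star = mul(mul(a, mpow(g, k)), inv(b))                   # R* = A G^k B^-1
    eps, tau, rho = rng.randrange(1, Q), rng.randrange(1, Q), rng.randrange(1, P)
    r = scal(mul(mul(mpow(y, eps), r_star), mpow(z, tau)), rho)   # client, step 2
    e = fh(m, r)
    e_star = (e - eps) % Q
    s_star = (k - u - e_star * x) % Q                          # signer, step 3
    sigma_star = pow(lam, -s_star, P)
    # client, step 4: Z has order 2q whenever lambda^q = -1, so the exponent is
    # reduced modulo p - 1 = 2q rather than modulo q (see the note after the listing).
    return e, (s_star + tau) % (P - 1), sigma_star * rho % P

def demo(seed=2021):
    """Seeded run returning the verification outcomes for offline checking."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    m = b"constructed sample document"
    sig = sign(sk, m, rng)
    bsig = blind_sign(pk, sk, m, rng)
    return {
        "g_has_order_q": sk[0] != E and mpow(sk[0], Q) == E,
        "valid": verify(pk, m, sig),
        "altered_document": verify(pk, m + b"!", sig),
        "altered_s": verify(pk, m, (sig[0], (sig[1] + 1) % Q, sig[2])),
        "blind_valid": verify(pk, m, bsig),
    }
```

One detail worth checking before reusing step 4 of the protocol: the text reduces $s = s^* + \tau$ modulo $q$, but $Z = B G B^{-1} \lambda$ has order $q$ only when $\lambda^q = 1$. For a quadratic non-residue $\lambda$ (half of all scalars) the order of $Z$ is $2q$, and whenever $s^* + \tau \ge q$ the reduced $s$ makes $Z^s \sigma$ differ from the client's $R$ by the factor $\lambda^q = -1$, so verification fails. The block therefore reduces modulo $p - 1 = 2q$, which is correct for both the $G$ part (whose order $q$ divides $2q$) and the $\lambda$ part; the basic scheme of Section 3 is unaffected because the signer computes $\sigma = \rho \lambda^{-s}$ from the already reduced $s$.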
The signature scheme introduced in Section 3 can be called a HDLP-based scheme, like the signature algorithms described in [5, 7, 8]. The main contribution to the security of the proposed signature scheme is made by the difficulty of finding the value $x$ from the matrix $G^x$ contained in the hidden cyclic group generated by the matrix $G$. The value $G^x$ is contained in a hidden form in the first element of the public key $Y = A G^x A^{-1}$.
An important point of the proposed signature scheme is the use of scalar multiplication as an additional masking operation when computing the element $Z = B G B^{-1} \lambda$. Due to the scalar multiplication, the permutable matrices $Y$ and $T Z T^{-1}$ are contained in different cyclic groups. Therefore, construction of periodic functions on the base of the public key elements leads to the formation of periods with a length determined by the values $q$ (order of the matrix $G$) and $p - 1$ (order of the scalar value $\lambda$), and the use of such periods does not reveal the value $x$ or the matrix $G$. Therefore, the post-quantum security design criterion proposed in [15] is satisfied by the proposed signature scheme. In the signature schemes [5, 8, 15] the technique of doubling the verification equation was applied to satisfy that criterion. The said technique defines larger sizes of the public key and signature and lower performance of the signature schemes.
Due to using the 2 x 2 matrix algebra as algebraic support and a new design, the proposed signature scheme possesses significantly higher performance and a smaller signature size than the HDLP-based schemes presented in [5, 8, 15]. In addition, the introduced signature scheme can be used to implement a blind signature protocol.
One can suppose that Table presents a particular case of sparse BVMTs which set various 4-dimensional FNAAs with computationally efficient vector multiplication, which are of interest as algebraic support of HDLP-based signature schemes. The search for other sparse BVMTs and the investigation of the structure of the FNAAs defined by them is a topic for further research.
References
1. Post-quantum cryptography. 10th International conference. Chongqing, China, May 8-10, 2019 (PQCrypto 2019). Proceedings. Lecture Notes in Computer Science Series. Berlin, Springer Publ., 2019, vol. 11505, pp. 1-421.
2. Alamelou Q., Blazy O., Cauchie S., Gaborit Ph. A code-based group signature scheme. Designs, codes and cryptography, 2017, vol. 82, no. 1-2, pp. 469-493.
3. Kuzmin A. S., Markov V. T., Mikhalev A. A., Mikhalev A. V., Nechaev A. A. Cryptographic algorithms on groups and algebras. Journal of Mathematical Sciences, 2017, vol. 223, no. 5, pp. 629-641.
4. Moldovyan N. A., Moldovyan A. A. Finite non-commutative associative algebras as carriers of hidden discrete logarithm problem. Bulletin of the South Ural State University. Series Mathematical Modelling, Programming & Computer Software, 2019, vol. 12, no. 1, pp. 66-81. https://doi.org/10.14529/mmp190106
5. Moldovyan N. A., Moldovyan A. A. Candidate for practical post-quantum signature scheme. Vestnik of Saint Petersburg University. Applied Mathematics. Computer Science. Control Processes, 2020, vol. 16, iss. 4, pp. 455-461. https://doi.org/10.21638/11701/spbu10.2020.410
6. Moldovyan N. A. A unified method for setting finite non-commutative associative algebras and their properties. Quasigroups and Related Systems, 2018, vol. 26, no. 2, pp. 263-270.
7. Moldovyan D. N. New form of the hidden logarithm problem and its algebraic support. Bulletin of Academy of Sciences of Moldova. Mathematics, 2020, no. 2 (93), pp. 3-10.
8. Moldovyan N. A. Signature schemes on algebras, satisfying enhanced criterion of post-quantum security. Bulletin of Academy of Sciences of Moldova. Mathematics, 2020, no. 2 (93), pp. 62-67.
9. Moldovyan N. A., Moldovyan P. A. New primitives for digital signature algorithms. Quasigroups and Related Systems, 2009, vol. 17, no. 2, pp. 271-282.
10. Chaum D. Security without identification. Transaction systems to make big brother obsolete. Communications of the AMS, 1985, vol. 28, no. 10, pp. 1030-1044.
11. Camenisch J. L., Piveteau J.-M., Stadler M. A. Blind signatures based on the discrete logarithm problem. Advances in Cryptology (EUROCRYPT'94). Proceedings. Lecture Notes in Computer Science. Berlin, Springer Verlag Publ., 1995, vol. 950, pp. 428-432.
12. Shor P. W. Polynomial-time algorithms for prime factorization and discrete logarithms on quantum computer. SIAM Journal of Computing, 1997, vol. 26, pp. 1484-1509.
13. Jozsa R. Quantum algorithms and the fourier transform. Proceedings of the Royal Society of London. Series A, 1998, vol. 454, pp. 323-337.
14. Yan S. Y. Quantum attacks on public-key cryptosystems. Boston, Springer Publ., 2013, 207 p.
15. Moldovyan D. N., Moldovyan A. A., Moldovyan N. A. Digital signature scheme with doubled verification equation. Computer Science Journal of Moldova, 2020, vol. 28, no. 1 (82), pp. 80-103.
Received: January 18, 2020. Accepted: June 04, 2021.
Authors' information:
Nikolay A. Moldovyan — Dr. Sci. in Technics, Professor, Chief Researcher; [email protected] Alexandr A. Moldovyan — Dr. Sci. in Technics, Professor, Chief Researcher; [email protected]