5. Conclusion
In this paper, we give an example of an existing cryptographic mechanism that can be considered a partial solution to the problem "Public keys for e-coins" proposed at the International Olympiad in Cryptography NSUCRYPTO'2022. This mechanism is used with the class of signatures with rerandomizable keys and provides one of the two security properties required by the authors of the problem. The existence of mechanisms with the second property remains (hopefully temporarily) an open problem.
The results of this paper also contain a systematic description of the security models that can be used to analyze signatures with rerandomizable keys, which is of independent interest.
UDC 519.7 DOI 10.17223/2226308X/16/29
EFFICIENT MATRIX MULTIPLICATION FOR CRYPTOGRAPHY WITH A COMPANION MATRIX OVER F_p¹
S. Pal
A number of schemes in cryptography and other allied areas require operations on matrices that are computationally expensive. However, the computational load due to standard operations like multiplication can be drastically reduced by the choice of special matrices. One such special matrix is the companion matrix of a monic polynomial of degree n over a finite field. Due to its cyclic structure and sparseness, such a matrix not only helps to reduce the complexity of matrix multiplication but can also be applied for cryptographic purposes. In this paper, an algorithm is proposed for the multiplication of an arbitrary matrix with a companion matrix over a finite field of order p. In our algorithm, we not only reduce the complexity but also minimize the number of multiplication operations as much as possible. The complexity of multiplication of any n × n matrix with a companion matrix of a monic polynomial of degree n is O(n^2), whereas the complexity of standard matrix multiplication is O(n^3). Moreover, the number of multiplication operations is n^2 − nt, 0 ≤ t < n, and 0 for the fields F_p and F_2 of order p and 2, respectively, compared with n^3 for the standard method.
¹The work was supported by the Mathematical Center in Akademgorodok under the agreement No. 075-15-2022-282 with the Ministry of Science and Higher Education of the Russian Federation.
Keywords: companion matrix, matrix multiplication, cryptology.
1. Matrix Multiplication with the companion matrix of a monic polynomial
1.1. Motivation
Due to the rapid increase in 5G and 6G technologies, ARX (Addition, Rotation and XOR)-based schemes are more popular nowadays. Avoiding the multiplication operation provides efficiency in lightweight systems. This is the reason why we focus on reducing multiplication operations as much as possible. Matrices are not generally used for cryptographic purposes because of expensive operations like multiplication. The author of [1] tried to find a suitable way to reduce the expensive operations by searching for special kinds of matrices. Our goal is to make matrices useful for cryptographic purposes. In the multiplication of two matrices, all elements of both matrices are required. But the number of operations can be reduced by observing the elements and structure of the matrices. In particular, multiplying a companion matrix of a monic polynomial over a finite field by another matrix does not require all elements of the companion matrix. It is explained in the contribution section that the new matrix is obtained after multiplication by looking only at the second matrix and the coefficients of the monic polynomial. For the sake of simplicity, we provide a modified definition of matrix multiplication, which is given below.
Definition 1. Matrix multiplication of two n × n matrices involves multiplying the ith element of the kth row of the first matrix by the ith row of the second matrix; this gives n new rows, and the kth row of the new matrix is obtained by adding them, where 1 ≤ i, k ≤ n.
The companion matrix of a monic polynomial f(x) = a_0 + a_1 x + ... + a_{n−1} x^{n−1} + x^n of degree n over a field of order p is the n × n matrix
$$
C_f = \begin{pmatrix}
0 & 0 & \cdots & 0 & -a_0 \\
1 & 0 & \cdots & 0 & -a_1 \\
\vdots & \vdots & \ddots & \vdots & \vdots \\
0 & 0 & \cdots & 1 & -a_{n-1}
\end{pmatrix}.
$$
1.2. Contribution
Theorem 1. Multiplication of a companion matrix of a monic polynomial of degree n over a finite field of order p by a second matrix gives a new matrix whose rows are as follows:
— The first row of the new matrix is equal to r times the nth row of the second matrix, where the constant coefficient of the monic polynomial is r, 0 < r < p.
— The kth row is equal to the (k − 1)th row of the second matrix if the kth coefficient of the monic polynomial is zero, where 2 ≤ k ≤ n.
— The kth row of the new matrix is equal to the sum of the (k − 1)th row and r times the nth row of the second matrix if the kth coefficient of the monic polynomial is r, where 2 ≤ k ≤ n and 0 < r < p.
Over the field F_2 of order 2 (where the non-zero constant coefficient of the monic polynomial of degree n is one), the rows of the new matrix are as follows:
— The first row of the new matrix is equal to the nth row of the second matrix.
— The kth row is equal to the (k − 1)th row of the second matrix if the kth coefficient of the monic polynomial is zero, where 2 ≤ k ≤ n.
— The kth row is equal to the sum of the (k − 1)th row and the nth row of the second matrix if the kth coefficient of the monic polynomial is one, where 2 ≤ k ≤ n.
Now, we can explain our Algorithm 1 to calculate the n × n new matrix D = C_f × B, where d_{ij} and b_{ij} are the coefficients of the n × n matrices D and B over any field, respectively, 1 ≤ i, j ≤ n; C_f is the companion matrix of a monic polynomial f(x) = a_0 + a_1 x + ... + a_{n−1} x^{n−1} + x^n over the field F_p of order p. For the sake of applicability, we take the constant term of the polynomial to be non-zero in our work.
Algorithm 1.
Input: a monic polynomial f(x) = a_0 + a_1 x + ... + a_{n−1} x^{n−1} + x^n and any n × n matrix B with coefficients b_{ij}, 0 ≤ i, j ≤ n − 1.
Output: the new matrix D with coefficients d_{ij}, 0 ≤ i, j ≤ n − 1.
Set a'_i = p − a_i (reduced modulo p, so that a'_i = 0 exactly when a_i = 0), 0 ≤ i ≤ n − 1.
For i = 0, ..., n − 1 do:
    For j = 0, ..., n − 1 do:
        If i = 0 then d_{ij} := a'_i · b_{(n−1)j};
        else if a'_i = 0 then d_{ij} := b_{(i−1)j};
        else d_{ij} := (a'_i · b_{(n−1)j}) + b_{(i−1)j}.
Example 1. Let C_f be the companion matrix of the monic polynomial f(x) = x^3 + 4x^2 + 3 of degree 3 over F_5, and let B be any 3 × 3 matrix over any field, i.e.,
$$
C_f = \begin{pmatrix} 0 & 0 & 2 \\ 1 & 0 & 0 \\ 0 & 1 & 1 \end{pmatrix}, \qquad
B = \begin{pmatrix} 2 & 1 & 4 \\ 1 & 3 & 5 \\ 2 & 0 & 3 \end{pmatrix};
$$
then D = C_f B, where D_1 = 2 · B_3, D_2 = B_1, D_3 = B_2 + B_3, and D_i and B_i, 1 ≤ i ≤ 3, are the ith rows of D and B, respectively:
$$
D = C_f B = \begin{pmatrix} 4 & 0 & 6 \\ 2 & 1 & 4 \\ 3 & 3 & 8 \end{pmatrix}.
$$
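The row rules of Theorem 1, Algorithm 1 and the operation accounting of Section 2 (Lemmas 2 and 3), as an added Python example that is not the paper's own code: it computes D = C_f B without building C_f, tallies multiplications, additions and row copies (the paper's shift operations), and checks the result against textbook multiplication and the counts against the lemmas' formulas. The function names and the F_2 test polynomial x^4 + x^3 + x + 1 used in the check are my own choices.

```python
# Added example (not the paper's code): Algorithm 1 plus the operation counting of Section 2.
def companion_matrix(coeffs, p):
    """C_f for monic f(x) = a_0 + ... + a_{n-1}x^{n-1} + x^n over F_p; coeffs = [a_0, ..., a_{n-1}]."""
    n = len(coeffs)
    C = [[0] * n for _ in range(n)]
    for i in range(n):
        if i > 0:
            C[i][i - 1] = 1                  # sub-diagonal of ones
        C[i][n - 1] = (-coeffs[i]) % p       # last column holds -a_i mod p
    return C

def standard_mult(A, B, p):
    """Textbook n x n product over F_p (n^3 multiplications), used only as a reference."""
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) % p for j in range(n)] for i in range(n)]

def companion_mult(coeffs, B, p):
    """Algorithm 1: D = C_f * B from the coefficients alone.  Returns (D, operation counts).
    Counting follows the paper's table: over F_2 a product by 1 is a row copy ("shift")."""
    n = len(coeffs)
    a = [(p - c) % p for c in coeffs]        # a'_i = p - a_i, reduced modulo p
    D = [[0] * n for _ in range(n)]
    ops = {"mul": 0, "add": 0, "shift": 0}
    for i in range(n):
        for j in range(n):
            if i == 0:                               # first row: a'_0 times the last row of B
                D[i][j] = (a[i] * B[n - 1][j]) % p
                ops["mul" if p != 2 else "shift"] += 1
            elif a[i] == 0:                          # zero coefficient: copy row i-1 of B
                D[i][j] = B[i - 1][j]
                ops["shift"] += 1
            else:                                    # row i-1 of B plus a'_i times the last row
                D[i][j] = (a[i] * B[n - 1][j] + B[i - 1][j]) % p
                ops["add"] += 1
                if p != 2:
                    ops["mul"] += 1
    return D, ops

def lemma_counts(n, t, p):
    """Counts predicted by Lemma 2 (F_p) and Lemma 3 (F_2); t = number of zero a_i with i >= 1."""
    if p == 2:
        return {"mul": 0, "add": n * n - n * t - n, "shift": n * t + n}
    return {"mul": n * n - n * t, "add": n * n - n * t - n, "shift": n * t}

def check(coeffs, B, p):
    """True iff Algorithm 1 agrees with the standard product and with the lemma's operation counts."""
    D, ops = companion_mult(coeffs, B, p)
    t = sum(1 for c in coeffs[1:] if c % p == 0)
    return D == standard_mult(companion_matrix(coeffs, p), B, p) and ops == lemma_counts(len(coeffs), t, p)
```

Running `check([3, 0, 4], B, 5)` with the B of Example 1 reproduces the example reduced modulo 5 (the entries 6 and 8 become 1 and 3) with 6 multiplications, 3 additions and 3 row copies, as Lemma 2 predicts for n = 3, t = 1.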
2. Complexity calculation for matrix multiplications
In this section, we calculate the complexity of matrix multiplication and then count the operations required to multiply n × n matrices by the standard matrix multiplication method and by our method, which uses a special matrix, the companion matrix of a monic polynomial of degree n over a field of order 2 and of order p. Multiplication and division operations are computationally expensive compared to addition, subtraction, and shift operations. The table shows that only addition and multiplication operations are required for standard matrix multiplication, whereas addition, multiplication, and shift operations are required for matrix multiplication by our method over F_p. Most importantly, only addition and shift operations are required for matrix multiplication by our method over F_2.
Operations required for different types of matrix multiplication

Matrix multiplication           | Number of additions | Number of multiplications | Number of shift operations
Standard                        | n^3 − n^2           | n^3                       | 0
Using companion matrix over F_2 | n^2 − nt − n        | 0                         | nt + n
Using companion matrix over F_p | n^2 − nt − n        | n^2 − nt                  | nt
Lemma 1. Standard matrix multiplication of two n × n matrices requires n^3 multiplications and n^3 − n^2 additions, 2n^3 operations in total. The complexity is O(n^3).
Lemma 2. Matrix multiplication by a companion matrix of a monic polynomial of degree n over F_p requires nt shift operations, n^2 − nt multiplications, and n^2 − nt − n additions, 2n^2 − nt − n operations in total. Here, t is the number of rows of the companion matrix whose corresponding coefficient of the monic polynomial is zero. The complexity is O(n^2).
Lemma 3. Matrix multiplication by a companion matrix of a monic polynomial of degree n over F_2 requires nt + n shift operations and n^2 − nt − n additions, n^2 operations in total. Here, t is the number of rows of the companion matrix whose corresponding coefficient of the monic polynomial is zero. The complexity is O(n^2).
REFERENCES
1. Mahalanobis A. Are matrices useful in public-key cryptography? Intern. Math. Forum, 2013, vol. 8, no. 39, pp. 1939-1953.
2. Herstein I. N. Topics in Algebra, 2nd ed. John Wiley & Sons, 2006.
3. Ghorpade S. R. and Ram S. Block companion Singer cycles, primitive recursive vector sequences and coprime polynomial pairs over finite fields. Finite Fields Their Appl., 2011, vol. 17, no. 5, pp. 461-472.
UDC 519.7 DOI 10.17223/2226308X/16/30
CRYPTANALYSIS OF LWE AND SIS-BASED CRYPTOSYSTEMS BY USING QUANTUM ANNEALING¹
A. Qayyum, M. Haris
In this paper, we study lattice-based cryptographic problems, in particular the Learning With Errors (LWE) and Short Integer Solution (SIS) lattice problems, which are well-known cryptographic primitives believed to be secure against both classical and quantum attacks. We formulate the LWE and SIS problems as a Mixed-Integer Programming (MIP) model and then convert them to a Quadratic Unconstrained Binary Optimization (QUBO) problem, which can be solved using a quantum annealer. Quantum annealing searches for the global minimum of an input objective function subject to the given constraints in order to optimize the given model. We estimate the number of qubits required on the Quantum Processing Unit (QPU). Our results show that this approach can solve certain instances of the LWE and SIS problems efficiently.
Keywords: post-quantum cryptography, lattice-based cryptography, learning with errors, short integer solution, quadratic unconstrained binary optimization, quantum processing unit.
¹The work is supported by the Mathematical Center in Akademgorodok under the agreement No. 075-15-2022-282 with the Ministry of Science and Higher Education of the Russian Federation.