MSC 94A60, 16Z05, 14G50, 11T71, 16S50
DOI: 10.14529/mmp190106
FINITE NON-COMMUTATIVE ASSOCIATIVE ALGEBRAS AS CARRIERS OF HIDDEN DISCRETE LOGARITHM PROBLEM
N.A. Moldovyan1, A.A. Moldovyan1
1 St. Petersburg Institute for Informatics and Automation of Russian Academy of Sciences, St. Petersburg, Russian Federation E-mails: [email protected], [email protected]
The article introduces new finite algebras that are attractive as carriers of the discrete logarithm problem in a hidden group. In particular, new 4-dimensional and 6-dimensional finite non-commutative algebras with an associative multiplication operation are described together with their properties. A general method for defining finite non-commutative associative algebras of arbitrary even dimension m > 2 is also proposed. Some of the considered algebras contain a global unit, whereas the others contain no global unit element. In the latter case the elements of the algebra are invertible only locally, relative to local bi-side units that act within some subsets of the algebra elements. For algebras of the latter type, formulas describing the sets of (right-side, left-side and bi-side) local units have been derived. Algebras containing a large set of global single-side (left-side and right-side) units and no global bi-side unit are also introduced. Since the known form of defining the hidden discrete logarithm problem relies on the invertibility of the algebra elements relative to a global unit, new forms of defining this computationally difficult problem are introduced. The results of the article can be applied to the design of public-key cryptographic algorithms and protocols, including post-quantum ones. For the first time, a digital signature scheme based on the hidden discrete logarithm problem is proposed.
Keywords: finite associative algebra; non-commutative algebra; global unit; left-side units; local unit; local invertibility; discrete logarithm problem; public-key cryptoscheme; digital signature; post-quantum cryptography.
Introduction
Public-key cryptographic algorithms and protocols are widely used for solving different security problems of information and telecommunication technologies [1, 2]. A large part of such cryptoschemes is based on the following two computationally difficult problems: factorization and finding the discrete logarithm [3]. However, each of these two problems can be solved on a quantum computer in polynomial time [5]. Since quantum computing is developing towards efficient practical implementations [4], one of the actual challenges in the area of cryptography is the development of public-key cryptoschemes based on other computationally difficult problems whose solution will remain infeasible even on a quantum computer. The response to this challenge was the announcement (December 20, 2016) by the National Institute of Standards and Technology (NIST) of the competition for the development of post-quantum public-key cryptoschemes and the appearance of regularly held thematic conferences [6, 7]. The current results of the NIST competition have shown the following:
- no difficult computational problem suitable as a single primitive for designing the post-quantum cryptoschemes of the main types (algorithms and protocols for public encryption, public key distribution, commutative encryption, and digital signature) has been proposed;
- the hidden discrete logarithm problem (HDLP) defined in finite non-commutative associative algebras (FNAAs), which is promising as a universal primitive of post-quantum cryptoschemes of different types, has remained outside the scope of attention of the participants of the NIST competition.
The purpose of this article is to attract the attention of researchers and developers of cryptographic schemes to the HDLP as to a universal cryptographic primitive, providing the possibility of building the post-quantum cryptographic algorithms and protocols of various types, which are convenient for practical application. To achieve this goal, the following scientific tasks are considered in the article:
- construction of new FNAAs as potential carriers of the HDLP;
- study of the properties of the proposed algebras;
- setting new forms of the HDLP;
- designing the digital signature scheme based on the HDLP.
1. Non-Commutative Finite Groups and Associative Algebras for Post-Quantum Cryptography
In a number of articles the conjugacy-search problem defined over the braid groups was considered as the base of post-quantum cryptoschemes [8] and was used to design digital signature protocols [9]. Unfortunately, it has been shown that the conjugacy-search problem can be reduced to solving a system of linear equations [10]. Such a reduction means that there are principal problems with providing high security of the cryptoschemes based on the mentioned computational problem.
Another proposal for post-quantum primitives is the discrete logarithm problem in a hidden group, which is defined over finite non-commutative associative algebras [11, 12] and can be called HDLP. The HDLP is described as follows.
Suppose a finite non-commutative group $\Gamma$ contains an element $Q$ having a large prime order $q$, and we have a method for an easy selection of elements from a commutative subgroup $\Gamma' \subset \Gamma$. To construct a public key-agreement cryptoscheme, in [12] it is proposed to select a private key composed of two parts: a random invertible element $W \in \Gamma'$ satisfying the condition $W \circ Q \neq Q \circ W$, and a random number $x < q$. Then the public key $Y$ is computed as follows:
$$Y = W \circ Q^x \circ W^{-1}. \qquad (1)$$
Finding the pair $(W, x)$ (where $W \in \Gamma'$) from the last equation, while the values $Q$ and $Y$ are known, is a computationally difficult problem that can be called the HDLP. The HDLP is of interest as the base primitive for constructing public-key post-quantum cryptoschemes. The HDLP also suits well for designing post-quantum commutative encryption algorithms.
The public key-agreement scheme [13] is described as follows. Suppose the elements $G \in \Gamma$ and $Q \in \Gamma$ having sufficiently large prime order are specified and two remote users intend to generate a shared secret key using a public channel. The first user selects his private key as a pair of random numbers $(w_1, x_1)$, computes his public key $Y_1 = G^{w_1} \circ Q^{x_1} \circ G^{-w_1}$ and sends $Y_1$ to the second user. The latter selects his private key $(w_2, x_2)$, computes his public key $Y_2 = G^{w_2} \circ Q^{x_2} \circ G^{-w_2}$ and sends $Y_2$ to the first user. Then the first user computes the value
$$K_{12} = G^{w_1} \circ (Y_2)^{x_1} \circ G^{-w_1} = G^{w_1 + w_2} \circ Q^{x_2 x_1} \circ G^{-w_1 - w_2}.$$
The second user computes the value
$$K_{21} = G^{w_2} \circ (Y_1)^{x_2} \circ G^{-w_2} = G^{w_2 + w_1} \circ Q^{x_1 x_2} \circ G^{-w_2 - w_1}.$$
Thus, $K_{21} = K_{12} = K$, i.e., the users have securely generated a common secret key $K$ interacting via a public channel.
Suppose a user has published his public key $Y = G^{w} \circ Q^{x} \circ G^{-w}$, where the pair $(w, x)$ is his private key, and a symmetric encryption algorithm $F_K$ with key $K$ is specified. Using a public communication channel and the public key $Y$, any person can securely send a confidential message $M$ to the user as follows [13]:
1. The sender generates two random numbers $r$ and $u$, then computes the elements $R = G^{r} \circ Q^{u} \circ G^{-r}$ and $K = G^{r} \circ Y^{u} \circ G^{-r} = G^{r + w} \circ Q^{xu} \circ G^{-r - w}$.
2. Using the element $K$ as the encryption key and the encryption algorithm $F_K$, the sender encrypts the message $M$ into the cryptogram $C = F_K(M)$ and sends $C$ and the group element $R$ to the user.
3. Using the value $R$ the user computes the key $K = G^{w} \circ R^{x} \circ G^{-w} = G^{r + w} \circ Q^{ux} \circ G^{-r - w}$ and recovers the source message $M$ from the ciphertext $C$: $M = F_K^{-1}(C)$, where $F_K^{-1}$ is the decryption function corresponding to the encryption function $F_K$.
The commutative-encryption algorithm is described as follows [14].
1. Represent a message as an element $M \in \Gamma$.
2. Encrypt $M$ with the first encryption key $(w_1, e_1, d_1)$ (where the integers $e_1$ and $d_1$ satisfy the condition $e_1 d_1 \equiv 1 \bmod Q$; here $Q$ denotes the order of the group $\Gamma$) as follows: $C_1 = G^{w_1} \circ M^{e_1} \circ G^{-w_1}$.
3. Encrypt the ciphertext $C_1$ with the second encryption key $(w_2, e_2, d_2)$ (where the integers $e_2$ and $d_2$ satisfy the condition $e_2 d_2 \equiv 1 \bmod Q$) as follows:
$$C_2 = G^{w_2} \circ C_1^{e_2} \circ G^{-w_2} = G^{w_2 + w_1} \circ M^{e_1 e_2} \circ G^{-w_1 - w_2}.$$
It is easy to show that encrypting the message $M$ with the second key $(w_2, e_2, d_2)$ and then with the first key $(w_1, e_1, d_1)$ outputs the same ciphertext, $C_{21} = C_{12}$, i.e. the described encryption algorithm is commutative (note that the key elements $d_1$ and $d_2$ are required to perform the decryption procedure).
No digital signature scheme of this kind has been proposed in the literature so far. In the next sections of the paper we introduce new forms of defining the HDLP, and one of them is used to propose a post-quantum digital signature scheme.
The post-quantum cryptoschemes proposed in the literature are based on the HDLP defined over the finite quaternion algebra [11], the multiplicative group of which is used as the non-commutative group $\Gamma$. A detailed study of the HDLP in the finite quaternion algebra defined over the ground field $GF(p)$ [15] has shown that the HDLP can be reduced to the problem of finding the discrete logarithm in the finite field $GF(p^2)$. To design post-quantum cryptoschemes on the base of the HDLP, in paper [15] it was proposed to look for other finite non-commutative associative algebras (FNAAs) as carriers of the HDLP. However, only very few other FNAAs are currently considered in the literature. The HDLP in the 2-dimensional and 3-dimensional FNAAs over $GF(p)$ considered in [16, 17] can be reduced to the discrete logarithm in $GF(p)$.
In the present article new 6-dimensional FNAAs possessing various properties are introduced, together with a general method for constructing FNAAs of arbitrary fixed even dimension m > 2. Some of the introduced algebras contain only local unit elements; therefore new forms of defining the HDLP are proposed which differ from the form considered in [13, 15-17]. The paper also proposes a digital signature scheme based on a new form of the HDLP. The paper is organized as follows. Section 1 describes the HDLP as a cryptographic primitive and several cryptoschemes based on the HDLP. Section 2 considers the general construction of the FNAAs. Section 3 introduces new 6-dimensional FNAAs and considers some of their properties; one of the introduced FNAAs contains a large set of global left-side units and no global right-side unit. Section 4 proposes a unified method for constructing FNAAs for the case of arbitrary even dimension. Section 5 proposes new forms of defining the HDLP, including the case of using the global left-side units, and a new post-quantum signature scheme.
2. Finite Non-Commutative Associative Algebras
Let us consider a finite m-dimensional vector space whose elements are vectors $A = (a_0, a_1, \ldots, a_{m-1})$ defined over some finite field, for example over the ground field $GF(p)$, i.e. $a_0, a_1, \ldots, a_{m-1} \in GF(p)$, where $p$ is a prime number of sufficiently large size (256 to 512 bits). Suppose "+" is the addition operation in the vector space and the sum of the vectors $A$ and $B = (b_0, b_1, \ldots, b_{m-1})$ is defined as follows:
$$A + B = (a_0 + b_0,\; a_1 + b_1,\; \ldots,\; a_{m-1} + b_{m-1}),$$
where the sign "+" designates both the addition in the vector space and the addition in the field $GF(p)$. Multiplying the vector $A$ by some scalar $\lambda \in GF(p)$ is defined as follows:
$$\lambda A = (\lambda a_0,\; \lambda a_1,\; \ldots,\; \lambda a_{m-1}).$$
The finite m-dimensional vector space becomes a finite m-dimensional algebra by defining a second binary operation, called multiplication, which is distributive relative to the addition operation. For defining the multiplication operation it is reasonable to use the notion of formal basis vectors denoted as $e_0 = (1, 0, 0, \ldots, 0, 0)$, $e_1 = (0, 1, 0, \ldots, 0, 0)$, ..., $e_{m-1} = (0, 0, 0, \ldots, 0, 1)$ and the representation of the vectors $A$ and $B$ as $A = \sum_{i=0}^{m-1} a_i e_i$ and $B = \sum_{j=0}^{m-1} b_j e_j$, where the terms $a_i e_i$ and $b_j e_j$ are called components of the vectors $A$ and $B$ correspondingly.
The multiplication operation "$\circ$" of m-dimensional vectors $A$ and $B$ is defined by the following formula:
$$\left(\sum_{i=0}^{m-1} a_i e_i\right) \circ \left(\sum_{j=0}^{m-1} b_j e_j\right) = \sum_{j=0}^{m-1} \sum_{i=0}^{m-1} a_i b_j \,(e_i \circ e_j), \qquad (2)$$
where the product $e_i \circ e_j$ for all possible pairs of values $i$ and $j$ is to be replaced by some one-component vector in accordance with a basis vector multiplication table (BVMT), every cell of which contains some one-component vector. The coordinate of the latter is called a structural coefficient. By definition it is assumed that (where $\lambda, \lambda' \in GF(p)$):
$$(\lambda e_i) \circ (\lambda' e_j) = \lambda \lambda' (e_i \circ e_j) = \lambda \lambda'\, e_i \circ e_j.$$
In (2) it is assumed that the intersection of the $i$th row and the $j$th column of the BVMT defines the cell in which the value of the product $e_i \circ e_j$ is given.
If the used BVMT defines an associative multiplication, then the algebra is called associative. If the multiplication operation is non-commutative (commutative), then the algebra is called non-commutative (commutative). In the case $m \mid p - 1$ the BVMT can be composed so that the algebra is the finite field $GF(p^m)$ [18].
Suppose the number $u$ is the minimum of the natural numbers $\gamma$ such that, for some invertible vector $A$ contained in an FNAA with global bi-side unit $E$, it holds $A^{\gamma} = E$. Then the value $u$ is called the order of the vector $A$. If a vector $B$ is contained in a subset of algebra elements that contains a local bi-side unit $E' \neq E$, and for some minimum integer $u'$ we have $B^{u'} = E'$, then the value $u'$ is called the local order of the vector $B$, and $B$ is called locally invertible.
In the next section there are introduced several 6-dimensional FNAAs containing no global bi-side unit:
i) algebras with large set of the global single-side units,
ii) algebra with compressing multiplication operation.
The proposed 6-dimensional FNAAs are attractive for application as carriers of the HDLP, however one should introduce new forms of the HDLP.
3. New Carriers of the Hidden Discrete Logarithm Problem
3.1. The 6-Dimensional FNAA with a Set of Global Right-Side Units
For the case m = 6 the associative multiplication operation can be defined with the BVMT presented in Table 1. The associativity of the multiplication can be easily proved using formula (2) and checking that the condition $(A \circ B) \circ C = A \circ (B \circ C)$ holds for arbitrary three vectors $A$, $B$ and $C = \sum_{k=0}^{m-1} c_k e_k$.
Table 1
The BVMT defining the 6-dimensional FNAA with local invertibility of its elements
 ∘    e0    e1     e2    e3    e4    e5
 e0   e0    τe3    e0    e3    τe0   e3
 e1   e1    τμe4   e1    μe4   τe1   μe4
 e2   e2    τe5    e2    e5    τe2   e5
 e3   e3    τμe0   e3    μe0   τe3   μe0
 e4   e4    τe1    e4    e1    τe4   e1
 e5   e5    τμe2   e5    μe2   τe5   μe2
From the vector equation $A \circ X = A$, where $X = \sum_{j=0}^{m-1} x_j e_j$ is the unknown vector, using Table 1 one gets the following system of six linear equations with the unknown values $x_j \in GF(p)$, $j = 0, 1, \ldots, m-1$:
$$\begin{cases}
a_0 x_0 + \tau\mu a_3 x_1 + a_0 x_2 + \mu a_3 x_3 + \tau a_0 x_4 + \mu a_3 x_5 = a_0; \\
a_1 x_0 + \tau a_4 x_1 + a_1 x_2 + a_4 x_3 + \tau a_1 x_4 + a_4 x_5 = a_1; \\
a_2 x_0 + \tau\mu a_5 x_1 + a_2 x_2 + \mu a_5 x_3 + \tau a_2 x_4 + \mu a_5 x_5 = a_2; \\
a_3 x_0 + \tau a_0 x_1 + a_3 x_2 + a_0 x_3 + \tau a_3 x_4 + a_0 x_5 = a_3; \\
a_4 x_0 + \tau\mu a_1 x_1 + a_4 x_2 + \mu a_1 x_3 + \tau a_4 x_4 + \mu a_1 x_5 = a_4; \\
a_5 x_0 + \tau a_2 x_1 + a_5 x_2 + a_2 x_3 + \tau a_5 x_4 + a_2 x_5 = a_5.
\end{cases} \qquad (3)$$
The system of equations (3) can be represented in the following form:
$$\begin{cases}
a_0 (x_0 + x_2 + \tau x_4) + \mu a_3 (\tau x_1 + x_3 + x_5) = a_0; \\
a_1 (x_0 + x_2 + \tau x_4) + a_4 (\tau x_1 + x_3 + x_5) = a_1; \\
a_2 (x_0 + x_2 + \tau x_4) + \mu a_5 (\tau x_1 + x_3 + x_5) = a_2; \\
a_3 (x_0 + x_2 + \tau x_4) + a_0 (\tau x_1 + x_3 + x_5) = a_3; \\
a_4 (x_0 + x_2 + \tau x_4) + \mu a_1 (\tau x_1 + x_3 + x_5) = a_4; \\
a_5 (x_0 + x_2 + \tau x_4) + a_2 (\tau x_1 + x_3 + x_5) = a_5.
\end{cases} \qquad (4)$$
It is easy to see that the solutions of the last system satisfy the following two equations:
$$\begin{cases}
x_0 + x_2 + \tau x_4 = 1; \\
\tau x_1 + x_3 + x_5 = 0.
\end{cases} \qquad (5)$$
From (5) one can write the following formula describing the set of local right-side units $E_r$ relating to the vector $A$:
$$E_r = \left(k,\; j,\; h,\; l,\; \frac{1 - k - h}{\tau},\; -\tau j - l\right), \qquad k, j, h, l \in GF(p). \qquad (6)$$
It is easy to see that each vector from the set (6) is a global right-side unit, since it acts as the right unit on all elements of the considered FNAA.
To get the formula for the left-side units corresponding to the vector $A$ one should consider the following vector equation:
$$X \circ A = A,$$
which can be rewritten in the form of the following system of six linear equations with the unknowns $x_0, x_1, x_2, x_3, x_4, x_5$:
$$\begin{cases}
\Phi x_0 + \mu\Psi x_3 = a_0; \quad \Phi x_1 + \mu\Psi x_4 = a_1; \quad \Phi x_2 + \mu\Psi x_5 = a_2; \\
\Psi x_0 + \Phi x_3 = a_3; \quad \Psi x_1 + \Phi x_4 = a_4; \quad \Psi x_2 + \Phi x_5 = a_5,
\end{cases} \qquad (7)$$
where $\Phi = a_0 + a_2 + \tau a_4$ and $\Psi = \tau a_1 + a_3 + a_5$.
There exists a single solution of system (7), which defines the following formula for the left-side local unit corresponding to the vector $A$:
$$E_l = \left(\frac{\Phi a_0 - \mu\Psi a_3}{\Phi^2 - \mu\Psi^2},\; \frac{\Phi a_1 - \mu\Psi a_4}{\Phi^2 - \mu\Psi^2},\; \frac{\Phi a_2 - \mu\Psi a_5}{\Phi^2 - \mu\Psi^2},\; \frac{\Phi a_3 - \Psi a_0}{\Phi^2 - \mu\Psi^2},\; \frac{\Phi a_4 - \Psi a_1}{\Phi^2 - \mu\Psi^2},\; \frac{\Phi a_5 - \Psi a_2}{\Phi^2 - \mu\Psi^2}\right). \qquad (8)$$
It is easy to see that the value $E_l$ is included in the set (6). Thus, to every vector $A$ such that
$$(a_0 + a_2 + \tau a_4)^2 \neq \mu (\tau a_1 + a_3 + a_5)^2 \qquad (9)$$
there corresponds a single bi-side local unit, i.e. every such vector is locally invertible.
3.2. The 6-Dimensional FNAA with Compressing Multiplication Operation
Table 2 defines a multiplication operation possessing the property of a compressing map of the 6-dimensional FNAA into some subset of the algebra elements, which can be described by the following formula:
$$A \circ V = H, \qquad (10)$$
where the operands $A$ and $V = \sum_{j=0}^{m-1} v_j e_j$ take on all possible values in the considered FNAA and the vector $H = \sum_{k=0}^{m-1} h_k e_k$ is an element of some subset representing all possible results of the multiplication operation. Such a property is rather specific and illustrates that, by constructing different types of BVMTs, one can define FNAAs possessing significantly different properties.
Table 2
The BVMT for defining the FNAA with compressing multiplication operation
 ∘    e0    e1    e2    e3    e4    e5
 e0   μe0   e0    μe2   e2    μe4   e4
 e1   μe1   e1    μe3   e3    μe5   e5
 e2   μe0   e0    μe2   e2    μe4   e4
 e3   μe1   e1    μe3   e3    μe5   e5
 e4   μe0   e0    μe2   e2    μe4   e4
 e5   μe1   e1    μe3   e3    μe5   e5
Using Table 2 one can represent the vector equation (10) in the form of a system of six linear equations with the coordinates $v_0, v_1, \ldots, v_5$ of the right operand as the unknown values. It is easy to show that this system splits into the following three independent systems of two linear equations:
$$\begin{cases}
\mu v_0 (a_0 + a_2 + a_4) + v_1 (a_0 + a_2 + a_4) = h_0; \\
\mu v_0 (a_1 + a_3 + a_5) + v_1 (a_1 + a_3 + a_5) = h_1;
\end{cases} \qquad (11)$$
$$\begin{cases}
\mu v_2 (a_0 + a_2 + a_4) + v_3 (a_0 + a_2 + a_4) = h_2; \\
\mu v_2 (a_1 + a_3 + a_5) + v_3 (a_1 + a_3 + a_5) = h_3;
\end{cases} \qquad (12)$$
$$\begin{cases}
\mu v_4 (a_0 + a_2 + a_4) + v_5 (a_0 + a_2 + a_4) = h_4; \\
\mu v_4 (a_1 + a_3 + a_5) + v_5 (a_1 + a_3 + a_5) = h_5.
\end{cases} \qquad (13)$$
From systems (11), (12), and (13) we get
$$\frac{h_0}{h_1} = \frac{h_2}{h_3} = \frac{h_4}{h_5} = \frac{a_0 + a_2 + a_4}{a_1 + a_3 + a_5} = \rho, \qquad (14)$$
where $\rho$ ($1 \le \rho \le p - 1$) depends only on the left operand in the left part of (10). It is easy to estimate the number of possible different values at the output of the multiplication operation: $\#\{H\} \le p^4$.
3.3. The FNAA Containing a Set of Global Left-Side Units
Another example of the 6-dimensional FNAAs possessing interesting properties is defined by Table 3. If the structural coefficient $\mu$ is equal to 1, then the defined multiplication operation possesses the compressing property, like in the FNAA described in the previous subsection. If $\mu \neq 1$, then the algebra defined by Table 3 contains a large set of left-side units acting on each element of the algebra (such units can be called global left-side units). At the same time, the algebra contains no global bi-side unit and no global right-side unit. A single local bi-side unit corresponds to each locally invertible element of the considered FNAA. Let us consider the case $\mu \neq 1$.
Table 3
The BVMT defining the FNAA with a set of global left-side units (μ ≠ 1)
 ∘    e0    e1    e2    e3    e4    e5
 e0   e0    e4    e2    e2    e4    e0
 e1   e5    e1    e3    e3    e1    e5
 e2   μe0   e4    μe2   e2    μe4   e0
 e3   μe5   e1    μe3   e3    μe1   e5
 e4   e0    e4    e2    e2    e4    e0
 e5   e5    e1    e3    e3    e1    e5
For some left-side unit $X$ acting on the vector $A$ the vector equation
$$X \circ A = A \qquad (15)$$
holds. Using Table 3 one can represent (15) in the form of the following system of six linear equations with the coordinates $x_0, x_1, \ldots, x_5$ of the left operand as the unknown values:
$$\begin{cases}
a_0 (x_0 + \mu x_2 + x_4) + a_5 (x_0 + x_2 + x_4) = a_0; \\
a_1 (x_1 + x_3 + x_5) + a_4 (x_1 + \mu x_3 + x_5) = a_1; \\
a_2 (x_0 + \mu x_2 + x_4) + a_3 (x_0 + x_2 + x_4) = a_2; \\
a_2 (x_1 + \mu x_3 + x_5) + a_3 (x_1 + x_3 + x_5) = a_3; \\
a_1 (x_0 + x_2 + x_4) + a_4 (x_0 + \mu x_2 + x_4) = a_4; \\
a_0 (x_1 + \mu x_3 + x_5) + a_5 (x_1 + x_3 + x_5) = a_5.
\end{cases} \qquad (16)$$
System (16) has the same solutions as the following system of four linear equations with six unknowns:
$$\begin{cases}
x_0 + x_2 + x_4 = 0; \\
x_0 + \mu x_2 + x_4 = 1; \\
x_1 + x_3 + x_5 = 1; \\
x_1 + \mu x_3 + x_5 = 0.
\end{cases} \qquad (17)$$
The solution of system (17) does not depend on the value $A$ and describes the following set of global left-side units:
$$E_l = (x_0, x_1, x_2, x_3, x_4, x_5) = \left(d,\; h,\; \frac{1}{\mu - 1},\; \frac{1}{1 - \mu},\; \frac{1}{1 - \mu} - d,\; \frac{\mu}{\mu - 1} - h\right), \qquad (18)$$
where $d, h = 0, 1, \ldots, p - 1$.
Finding the right-side units acting on the vector $A$ is connected with solving the following vector equation:
$$A \circ X = A. \qquad (19)$$
Using Table 3 one can represent (19) in the form of the following three independent systems, each of which contains two linear equations:
$$\begin{cases}
x_0 (a_0 + \mu a_2 + a_4) + x_5 (a_0 + a_2 + a_4) = a_0; \\
x_0 (a_1 + \mu a_3 + a_5) + x_5 (a_1 + a_3 + a_5) = a_5;
\end{cases} \qquad (20)$$
$$\begin{cases}
x_1 (a_1 + a_3 + a_5) + x_4 (a_1 + \mu a_3 + a_5) = a_1; \\
x_1 (a_0 + a_2 + a_4) + x_4 (a_0 + \mu a_2 + a_4) = a_4;
\end{cases} \qquad (21)$$
$$\begin{cases}
x_2 (a_0 + \mu a_2 + a_4) + x_3 (a_0 + a_2 + a_4) = a_2; \\
x_2 (a_1 + \mu a_3 + a_5) + x_3 (a_1 + a_3 + a_5) = a_3.
\end{cases} \qquad (22)$$
Each of the systems (20), (21), and (22) has a single solution; therefore for the vector $A$ there exists a single right-side unit
$$E_r = (x_0, x_1, x_2, x_3, x_4, x_5),$$
where:
$$x_0 = \frac{a_0 (a_1 + a_3) - a_5 (a_2 + a_4)}{(\mu - 1)(a_1 a_2 + a_2 a_5 - a_0 a_3 - a_3 a_4)}, \qquad x_1 = \frac{a_0 a_1 + \mu a_1 a_2 - \mu a_3 a_4 - a_4 a_5}{(\mu - 1)(a_1 a_2 + a_2 a_5 - a_0 a_3 - a_3 a_4)},$$
$$x_2 = \frac{1}{\mu - 1}, \qquad x_3 = \frac{1}{1 - \mu},$$
$$x_4 = \frac{a_3 a_4 + a_4 a_5 - a_0 a_1 - a_1 a_2}{(\mu - 1)(a_1 a_2 + a_2 a_5 - a_0 a_3 - a_3 a_4)}, \qquad x_5 = \frac{\mu a_2 a_5 + a_4 a_5 - a_0 a_1 - \mu a_0 a_3}{(\mu - 1)(a_1 a_2 + a_2 a_5 - a_0 a_3 - a_3 a_4)}.$$
It is easy to show that the right-side unit related to an arbitrary vector $A$ is contained in the set of global left-side units (18). This means that the right-side local units are simultaneously bi-side local units.
4. Unified Method for Defining FNAAs for Arbitrary Even Dimension
For the case of even dimension m of the finite vector space the FNAAs can be defined by the following general method, which consists in defining the multiplication of the formal basis vectors $e_i$ and $e_j$ for $i, j = 0, 1, \ldots, m - 1$ by the formula
$$e_i \circ e_j = \begin{cases} e_i, & \text{if the value } i + j \text{ is even}, \\ e_{m-1-i}, & \text{if the value } i + j \text{ is odd}, \end{cases} \qquad (23)$$
where addition and subtraction are performed modulo m.
Proposition 1. Formulas (2) and (23) define the associative multiplication operation for arbitrary even value of dimension m.
Proof. Suppose $i, j, k$ denote even integers and $i', j', k'$ denote odd integers. While multiplying three formal basis vectors we have the following cases:
$$(e_i \circ e_j) \circ e_k = e_i \circ e_k = e_i, \qquad e_i \circ (e_j \circ e_k) = e_i \circ e_j = e_i;$$
$$(e_i \circ e_j) \circ e_{k'} = e_i \circ e_{k'} = e_{m-1-i}, \qquad e_i \circ (e_j \circ e_{k'}) = e_i \circ e_{m-1-j} = e_{m-1-i};$$
$$(e_i \circ e_{j'}) \circ e_k = e_{m-1-i} \circ e_k = e_{m-1-(m-1-i)} = e_i, \qquad e_i \circ (e_{j'} \circ e_k) = e_i \circ e_{m-1-j'} = e_i;$$
$$(e_{i'} \circ e_j) \circ e_k = e_{m-1-i'} \circ e_k = e_{m-1-i'}, \qquad e_{i'} \circ (e_j \circ e_k) = e_{i'} \circ e_j = e_{m-1-i'};$$
$$(e_{i'} \circ e_j) \circ e_{k'} = e_{m-1-i'} \circ e_{k'} = e_{i'}, \qquad e_{i'} \circ (e_j \circ e_{k'}) = e_{i'} \circ e_{m-1-j} = e_{i'};$$
$$(e_{i'} \circ e_{j'}) \circ e_k = e_{i'} \circ e_k = e_{m-1-i'}, \qquad e_{i'} \circ (e_{j'} \circ e_k) = e_{i'} \circ e_{m-1-j'} = e_{m-1-i'};$$
$$(e_{i'} \circ e_{j'}) \circ e_{k'} = e_{i'} \circ e_{k'} = e_{i'}, \qquad e_{i'} \circ (e_{j'} \circ e_{k'}) = e_{i'} \circ e_{j'} = e_{i'};$$
$$(e_i \circ e_{j'}) \circ e_{k'} = e_{m-1-i} \circ e_{k'} = e_{m-1-i}, \qquad e_i \circ (e_{j'} \circ e_{k'}) = e_i \circ e_{j'} = e_{m-1-i}.$$
Thus, the associativity property holds for the multiplication of all possible ordered triples of the basis vectors. □
Formula (23) defines the structure of the BVMT for arbitrary fixed even dimension m > 2. After the BVMT has been constructed, one can add one or several structural coefficients in some of the cells of the table in such a way that the associativity property is preserved. Tables 4, 5, and 6 present some examples of BVMTs constructed in line with this unified method for the cases m = 2, 4 and 6 respectively.
Table 4
The BVMT for the case m = 2
 ∘    e0    e1
 e0   μe0   μe1
 e1   τe0   τe1
Table 5
The BVMT for the case m = 4
 ∘    e0    e1    e2    e3
 e0   e0    μe3   μe0   e3
 e1   τe2   e1    e2    τe1
 e2   e2    μe1   μe2   e1
 e3   τe0   e3    e0    τe3
The 4-dimensional FNAA defined by Table 5, where $\mu\tau \neq 1$, is a ring with the global bi-side unit
$$E = \left(\frac{1}{1 - \mu\tau},\; \frac{1}{1 - \mu\tau},\; \frac{\tau}{\mu\tau - 1},\; \frac{\mu}{\mu\tau - 1}\right)$$
such that for an arbitrary 4-dimensional vector $V$ the equations $V \circ E = E \circ V = V$ hold true. In this ring the 4-dimensional vectors $A = (a_0, a_1, a_2, a_3)$ such that $a_0 a_1 \neq a_2 a_3$ are invertible. All invertible 4-dimensional vectors compose a finite group whose order is equal to $p(p - 1)(p^2 - 1)$. If $a_0 a_1 = a_2 a_3$, the vector $A$ is non-invertible. In the ring there exist $p^3 + p^2 - p$ different non-invertible vectors. In the subset of the non-invertible vectors there exists a single local bi-side unit $E'$ corresponding to some fixed non-invertible vector $A$. The local bi-side unit $E'$ depends on the coordinates of the vector $A$ as follows:
$$E' = \left(x_0,\; \frac{a_3 - (a_0 + \tau a_3) x_3}{\mu a_0 + a_3},\; \frac{a_0 - (a_0 + \tau a_3) x_0}{\mu a_0 + a_3},\; x_3\right), \qquad x_3 = \frac{a_3}{a_0} x_0,$$
where $x_0 = \dfrac{a_0}{a_0 + a_1 + \mu a_2 + \tau a_3}$.
In the case m = 6 we found a variety of options for embedding structural coefficients. For example, in Table 6 three different structural coefficients are included, distributed in such a way that the associativity property of the multiplication operation is preserved. The FNAA defined by Table 6 contains a set of $p^2$ different global right-side units $E_r$ described by the following formula:
Table 6
The BVMT defining the 6-dimensional FNAA with p² different global right-side units
 ∘    e0    e1    e2    e3    e4    e5
 e0   e0    e5    τe0   τe5   e0    e5
 e1   λe4   e1    μe4   μe1   e4    λe1
 e2   e2    e3    τe2   τe3   e2    e3
 e3   λe2   e3    μe2   μe3   e2    λe3
 e4   e4    e1    τe4   τe1   e4    e1
 e5   λe0   e5    μe0   μe5   e0    λe5
$$E_r = \left(i,\; j,\; \frac{1 + (\lambda - 1) i}{\tau - \mu},\; \frac{1 + (\lambda - 1) j}{\mu - \lambda\tau},\; \frac{(\mu - \lambda\tau) i - \mu}{\tau - \mu},\; \frac{(\tau - \mu) j - \tau}{\mu - \lambda\tau}\right),$$
where $i, j = 0, 1, \ldots, p - 1$.
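As an added illustration (not code from the paper), the following Python builds the BVMT of formula (23) for a given even m, checks Proposition 1 exhaustively over basis-vector triples, and verifies the unit formulas of Tables 5 and 6 numerically. The prime p = 13 and the coefficient values are constructed for the demonstration; the functions also show that the construction fails for odd m.

```python
from itertools import product

def unified_bvmt(m, coef=None):
    """BVMT of formula (23): e_i o e_j = e_i if i + j is even, e_{m-1-i} if i + j is odd.
    A cell is (structural coefficient, index of the resulting basis vector); coef maps
    (i, j) -> coefficient for the cells that get one, all other cells carry 1."""
    coef = coef or {}
    return [[(coef.get((i, j), 1), i if (i + j) % 2 == 0 else m - 1 - i)
             for j in range(m)] for i in range(m)]

def is_associative(table, p):
    """Proposition 1 by exhaustion: (e_i o e_j) o e_k == e_i o (e_j o e_k), coefficients
    included, for every ordered triple of basis vectors."""
    m = len(table)
    for i, j, k in product(range(m), repeat=3):
        c1, x = table[i][j]
        c2, y = table[x][k]      # (e_i o e_j) o e_k = c1*c2 * e_y
        c3, u = table[j][k]
        c4, v = table[i][u]      # e_i o (e_j o e_k) = c3*c4 * e_v
        if y != v or (c1 * c2 - c3 * c4) % p:
            return False
    return True

def vec_times_basis(table, vec, j, p):
    """vec o e_j by formula (2), as a coordinate vector."""
    out = [0] * len(table)
    for i, vi in enumerate(vec):
        c, k = table[i][j]
        out[k] = (out[k] + vi * c) % p
    return out

def basis_times_vec(table, i, vec, p):
    """e_i o vec by formula (2), as a coordinate vector."""
    out = [0] * len(table)
    for j, vj in enumerate(vec):
        c, k = table[i][j]
        out[k] = (out[k] + vj * c) % p
    return out

def basis(m, j):
    return [int(j == t) for t in range(m)]

def is_global_left_unit(table, e, p):
    m = len(table)      # E o V = V for all V  <=>  E o e_j = e_j for every basis vector
    return all(vec_times_basis(table, e, j, p) == basis(m, j) for j in range(m))

def is_global_right_unit(table, e, p):
    m = len(table)      # V o E = V for all V  <=>  e_i o E = e_i for every basis vector
    return all(basis_times_vec(table, i, e, p) == basis(m, i) for i in range(m))

def table5(mu, tau):
    """Table 5 (m = 4): mu in the cells (even row, columns 1 and 2), tau in (odd row, columns 0 and 3)."""
    return unified_bvmt(4, {(0, 1): mu, (0, 2): mu, (2, 1): mu, (2, 2): mu,
                            (1, 0): tau, (1, 3): tau, (3, 0): tau, (3, 3): tau})

def table5_unit(mu, tau, p):
    """Global bi-side unit E of the ring defined by Table 5 (needs mu*tau != 1)."""
    d = pow((1 - mu * tau) % p, -1, p)          # 1/(1 - mu*tau)
    return [d, d, -tau * d % p, -mu * d % p]     # tau/(mu*tau - 1), mu/(mu*tau - 1)

def table6(lam, mu, tau):
    """Table 6 (m = 6): tau in (even row, columns 2, 3); lambda in (odd row, columns 0, 5);
    mu in (odd row, columns 2, 3)."""
    coef = {}
    for i in (0, 2, 4):
        coef[(i, 2)] = coef[(i, 3)] = tau
    for i in (1, 3, 5):
        coef[(i, 0)] = coef[(i, 5)] = lam
        coef[(i, 2)] = coef[(i, 3)] = mu
    return unified_bvmt(6, coef)

def table6_right_unit(lam, mu, tau, p, i, j):
    """Global right-side unit E_r(i, j) of the FNAA of Table 6 (needs tau != mu, mu != lam*tau)."""
    a = pow((tau - mu) % p, -1, p)
    b = pow((mu - lam * tau) % p, -1, p)
    return [i % p, j % p, (1 + (lam - 1) * i) * a % p, (1 + (lam - 1) * j) * b % p,
            ((mu - lam * tau) * i - mu) * a % p, ((tau - mu) * j - tau) * b % p]

if __name__ == "__main__":
    p = 13                                   # constructed small prime, illustration only
    print([m for m in range(2, 11) if is_associative(unified_bvmt(m), p)])   # even m only
    t5, e5 = table5(2, 3), table5_unit(2, 3, p)
    print(is_associative(t5, p), is_global_left_unit(t5, e5, p), is_global_right_unit(t5, e5, p))
    t6, e6 = table6(4, 2, 3), table6_right_unit(4, 2, 3, p, 4, 7)
    print(is_associative(t6, p), is_global_right_unit(t6, e6, p), is_global_left_unit(t6, e6, p))
```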
5. New Forms of Defining the Hidden Discrete Logarithm Problem
Using different types of BVMTs for defining the associative multiplication operation one can define different types of m-dimensional FNAAs, including algebras containing only locally invertible elements. The latter do not suit the known form of formulating the HDLP. To use such finite algebras as carriers of the HDLP, another form of formulating the HDLP is needed.
Suppose $N$ is some locally invertible vector such that for some prime number $u$ we have $N^u = E'$, where $E'$ is the local bi-side unit related to $N$. Then the sequence $\{N, N^2, \ldots, N^u\}$ contains $u$ different elements of the considered FNAA and represents a finite cyclic group with the group operation $\circ$; therefore $u$ can be called the local order of the element $N$. Using the local bi-side unit $E'$ one can define the following homomorphism over the set of locally invertible elements $V_{E'}$ computed as
$$V_{E'} = V \circ E',$$
where $V$ takes on all values in the considered FNAA (note that the element $E'$ acts within the set of elements $V_{E'}$ as the right-side unit).
Like the standard automorphisms of a finite non-commutative group described by the formula $\varphi(V) = W^{-1} \circ V \circ W$, where $W$ is an invertible element of the ring, the homomorphism is defined as follows:
$$\psi_t (V_{E'}) = N^{u - t} \circ V_{E'} \circ N^{t}.$$
Actually, the last formula defines a homomorphism since the following evidently holds true:
$$\psi_t (V_{E'} \circ V'_{E'}) = \psi_t (V_{E'}) \circ \psi_t (V'_{E'}), \qquad \psi_t (V_{E'} + V'_{E'}) = \psi_t (V_{E'}) + \psi_t (V'_{E'}).$$
To define public-key cryptoschemes like those described in [13, 15], one can select some locally invertible vector $G$ having a sufficiently large prime order $g$ that satisfies the condition $G \circ N \neq N \circ G$, compute the vector $G_{E'} = G \circ E'$ and use the formula
$$Y = N^{u - t} \circ G_{E'}^{\,x} \circ N^{t}, \qquad (24)$$
where $Y$ is the public key and the pair of numbers $(t, x)$ is the private key (the integers $t < u$ and $x < g$ are selected at random). Finding the values $(t, x)$ from equation (24) represents a novel form of the HDLP. The FNAAs with local invertibility of all elements (except zero), like the one described in subsection 3.2 (see the case with the structural coefficient equal to a quadratic non-residue), are especially attractive as carriers of the HDLP when the latter is defined by formula (24).
The second proposed new form of defining the HDLP relates to using the 6-dimensional FNAA containing the set of global left-side units $\{L_i : L_i \circ V = V\}$, where $i$ is an integer and $V$ is an arbitrary 6-dimensional vector. For an arbitrary left-side unit $L_i$ and an arbitrary integer $w$ it holds $L_i^{w} = L_i$. Suppose $N$ is a vector having a sufficiently large prime order relative to its local bi-side unit, and the vectors $U$ and $D$ satisfy the condition $D \circ U = L_i$, where $L_i$ is some global left-side unit. Then the public key $Y$ can be computed as follows:
$$Y = U^{w} \circ N^{x} \circ D^{w} = (U^{w} \circ N \circ D^{w})^{x}, \qquad (25)$$
where the pair of integers $(w, x)$ is the private key. Finding the values $w$ and $x$ from equation (25) represents a kind of the HDLP. The last equation can be used to define a public key-agreement protocol and a public encryption algorithm.
To provide the possibility of constructing a digital signature scheme we propose the following form of the HDLP, in which a double masking mechanism is used. Suppose the private key is the set of values $x, N, U, U', D$ and $T$, where $x$ is a random integer and the following conditions are met: $D \circ U = L_1$, $D \circ U' = L_2$ and $T \circ U' = L_3$ for some left-side units $L_1, L_2$ and $L_3$. Besides, the vector $N$ has a local order equal to a sufficiently large prime $q$. The required triple of vectors $U, D$ and $T$ can be computed as follows:
1. Select the values $D$, $L_1$ and $L_2$.
2. Compute the vector $U$ from the vector equation $D \circ U = L_1$.
3. Compute the vector $U'$ from the vector equation $D \circ U' = L_2$.
4. Compute the vectors $T$ and $L_3$ from the vector equation $T \circ U' = L_3$.
The public key is the pair of 6-dimensional vectors $Y$ and $Q$ computed by the following two formulas:
$$Y = U \circ N^{x} \circ D; \qquad Q = U' \circ N \circ T. \qquad (26)$$
The signature generation procedure includes the following steps:
1. Generate a random value $k$ and compute the vector $R = U \circ N^{k} \circ T$.
2. Using the specified hash function $F_h$ compute the first signature element $e = F_h(M, R)$, where $M$ is the signed document.
3. Considering the bit string $e$ as a binary number, compute the second signature element $s = k - xe \bmod q$.
Verification of the signature $(e, s)$ (a pair of integers) to the document $M$ is executed as follows:
1. Compute the vector $R^* = Y^{e} \circ Q^{s}$.
2. Compute the bit string $e^* = F_h(M, R^*)$.
3. Compare the values $e^*$ and $e$. If $e^* = e$, then the signature is valid. Otherwise the signature is rejected as false.
The correctness proof of the proposed signature scheme is evident:
$$R^* = (U \circ N^{x} \circ D)^{e} \circ (U' \circ N \circ T)^{k - xe} = U \circ N^{xe} \circ D \circ U' \circ N^{k - xe} \circ T = U \circ N^{xe} \circ L_2 \circ N^{k - xe} \circ T = U \circ N^{xe + k - xe} \circ T = U \circ N^{k} \circ T = R$$
$$\Rightarrow\; e^* = F_h(M, R^*) = F_h(M, R) = e.$$
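The signature scheme above, implemented as an added example (not the authors' code) over the FNAA of Table 3 with μ = 3 and a constructed small prime p = 101. SHA-256 stands in for F_h, and step 4 of the key setup is realised by adding a left-annihilator element of this algebra to D (an assumption of this example, explained in the comments); the left units L_1, L_2 are drawn from formula (18) and U, U' are found by solving the linear systems D ∘ U = L_1, D ∘ U' = L_2.

```python
import hashlib, random
P = 101   # constructed small prime for illustration; the paper proposes 256 to 512 bits
MU = 3    # structural coefficient of Table 3, must differ from 1
# Table 3 as (coefficient, index of the result basis vector); row i is the left factor e_i
T3 = [[(1, 0), (1, 4), (1, 2), (1, 2), (1, 4), (1, 0)],
      [(1, 5), (1, 1), (1, 3), (1, 3), (1, 1), (1, 5)],
      [(MU, 0), (1, 4), (MU, 2), (1, 2), (MU, 4), (1, 0)],
      [(MU, 5), (1, 1), (MU, 3), (1, 3), (MU, 1), (1, 5)],
      [(1, 0), (1, 4), (1, 2), (1, 2), (1, 4), (1, 0)],
      [(1, 5), (1, 1), (1, 3), (1, 3), (1, 1), (1, 5)]]
def mul(a, b):
    """Multiplication (2) of two 6-dimensional vectors over GF(P) by Table 3."""
    c = [0] * 6
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            coef, k = T3[i][j]
            c[k] = (c[k] + ai * bj * coef) % P
    return c
def power(v, n):
    """v^n for n >= 1 by square-and-multiply (no global unit exists, so n = 0 is undefined)."""
    result = None
    while n:
        if n & 1:
            result = v if result is None else mul(result, v)
        v = mul(v, v)
        n >>= 1
    return result
def left_unit(d, h):
    """Global left-side unit L(d, h) from formula (18)."""
    inv = pow(MU - 1, -1, P)
    return [d % P, h % P, inv, -inv % P, (-inv - d) % P, (MU * inv - h) % P]
def solve_right(d, target):
    """Solve d o X = target for X (Gauss-Jordan mod P); column j of the map X -> d o X is d o e_j."""
    cols = [mul(d, [int(j == t) for t in range(6)]) for j in range(6)]
    m = [[cols[j][i] for j in range(6)] + [target[i]] for i in range(6)]
    for c in range(6):
        piv = next((r for r in range(c, 6) if m[r][c]), None)
        if piv is None:
            raise ValueError("X -> d o X is not bijective for this d")
        m[c], m[piv] = m[piv], m[c]
        m[c] = [x * pow(m[c][c], -1, P) % P for x in m[c]]
        for r in range(6):
            if r != c and m[r][c]:
                m[r] = [(x - m[r][c] * y) % P for x, y in zip(m[r], m[c])]
    return [row[6] for row in m]
def local_order(n, limit=20000):
    v = n   # local order of N: the least u >= 1 with N^(u+1) = N; None if not reached
    for u in range(1, limit):
        v = mul(v, n)
        if v == n:
            return u
def prime_order_element(rng, min_q=17):
    """Draw random N until its local order u has a prime factor q >= min_q; return N^(u/q) and q."""
    while True:
        n = [rng.randrange(P) for _ in range(6)]
        u = local_order(n)
        q, r = 1, u or 1
        for f in range(2, r + 1):              # largest prime factor q of u by trial division
            while r % f == 0:
                q, r = f, r // f
        if q >= min_q:
            return (n if u == q else power(n, u // q)), q
def keygen(seed):
    rng = random.Random(seed)
    N, q = prime_order_element(rng)
    while True:
        D = [rng.randrange(P) for _ in range(6)]
        try:
            U = solve_right(D, left_unit(rng.randrange(P), rng.randrange(P)))   # D o U  = L1
            U2 = solve_right(D, left_unit(rng.randrange(P), rng.randrange(P)))  # D o U' = L2
            break
        except ValueError:
            continue
    # Step 4 needs T with T o U' a left-side unit.  Rows e0/e4 and e1/e5 of Table 3 coincide, so
    # Z = (d, h, 0, 0, -d, -h) satisfies Z o V = 0 for all V, and T = D + Z gives T o U' = L2.
    d, h = rng.randrange(P), rng.randrange(P)
    T = [(D[0] + d) % P, (D[1] + h) % P, D[2], D[3], (D[4] - d) % P, (D[5] - h) % P]
    x = rng.randrange(1, q)
    Y = mul(mul(U, power(N, x)), D)   # public key (26): Y = U o N^x o D, Q = U' o N o T
    Q = mul(mul(U2, N), T)
    return {"x": x, "N": N, "q": q, "U": U, "U2": U2, "D": D, "T": T}, {"Y": Y, "Q": Q}
def hash_e(message, R):
    return int.from_bytes(hashlib.sha256(message + bytes(R)).digest(), "big")
def sign(priv, message, seed):
    k = random.Random(seed).randrange(1, priv["q"] + 1)
    R = mul(mul(priv["U"], power(priv["N"], k)), priv["T"])
    e = hash_e(message, R)
    s = (k - priv["x"] * e - 1) % priv["q"] + 1   # k - x*e mod q, represented in 1..q
    return e, s
def verify(pub, message, sig):
    e, s = sig
    return e >= 1 and s >= 1 and hash_e(message, mul(power(pub["Y"], e), power(pub["Q"], s))) == e
```

keygen(seed) returns the private and public keys; sign(priv, message, seed) and verify(pub, message, sig) run the two procedures above, with the verifier never needing q or N.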
Like in the case of the Schnorr digital signature protocol [19], the described signature scheme uses a cyclic group of prime order. The difference consists in hiding this cyclic group. The public part of the proposed signature scheme is the used FNAA and its two elements $Y$ and $Q$, which are connected with the hidden cyclic group generated by the powers of the vector $N$, an element of the private key. The connection between the vectors $Y$ and $Q$ can be represented as
$$Y = Z_l \circ Q^{x} \circ Z_r,$$
where the integer $x$ and the vectors $Z_l$ and $Z_r$ are unknowns. The last formula shows that the vectors $Y$ and $Q$ belong to different cyclic groups contained in the used FNAA with the set of global left-side units. Therefore, a potential forger of a signature should find a representation of the public key elements $Y$ and $Q$ in a form like (26) and solve the discrete logarithm problem in a finite cyclic group contained in the FNAA. There exist many different variants of the mentioned representation; however, finding at least one of them appears to be a computationally difficult problem.
Estimating the security of the proposed signature scheme against attacks using a hypothetical quantum computer is connected with estimating the computational difficulty of reducing the used HDLP to the discrete logarithm problem in some cyclic group. Consideration of this item represents an individual problem.
Conclusion
Several 6-dimensional FNAAs have been introduced as novel carriers of the HDLP, which is attractive as a post-quantum primitive of public-key cryptoschemes. Some properties of the algebras that relate to defining the HDLP have been investigated. A general method for constructing FNAAs of arbitrary even dimension has also been introduced. Some of the introduced FNAAs contain only vectors that are locally invertible. For the latter case new forms of the definition of the HDLP are proposed. One of the proposed novel forms of the HDLP has been used to design a digital signature scheme. The proposed new forms of the HDLP are of interest as independent primitives of post-quantum cryptography. Compared with the signature schemes proposed in the frame of the NIST project PQCrypto, the introduced signature scheme based on the HDLP has the following significant advantages: higher performance and smaller signature size. One can hope that due to these merits the proposed signature scheme will attract the attention of researchers to the task of estimating its security.
Acknowledgements. The reported study was partially funded by the Russian Foundation for Basic Research (project no. 18-07-00932-a).
References
1. Sirwan A., Majeed N. New Algorithm for Wireless Network Communication Security. International Journal on Cryptography and Information Security, 2016, vol. 6, no. 3, pp. 1-8.
2. Feng Y., Yang G., Liu J.K. A New Public Remote Integrity Checking Scheme with User and Data Privacy. International Journal of Applied Cryptography, 2017, vol. 3, no. 3, pp. 196-209. DOI: 10.1504/IJACT.2017.086232
3. Chiou S.Y. Novel Digital Signature Schemes Based on Factoring and Discrete Logarithms. International Journal of Security and Its Applications, 2016, vol. 10, no. 3, pp. 295-310. DOI: 10.14257/ijsia.2016.10.3.26
4. Yan S.Y. Quantum Computational Number Theory. N.Y., Springer, 2015. DOI: 10.1007/978-3-319-25823-2
5. Yan S.Y. Quantum Attacks on Public-Key Cryptosystems. N.Y., Springer, 2014.
6. Proceedings of the 7th International Workshop on Post-Quantum Cryptography, PQCrypto 2016. Fukuoka, Springer, 2016.
7. Post-Quantum Cryptography. 9th International Conference, PQCrypto 2018. Fort Lauderdale, Springer, 2018.
8. Hiranvanichakorn P. Provably Authenticated Group Key Agreement based on Braid Groups. The Dynamic Case. International Journal of Network Security, 2017, vol. 19, no. 4, pp. 517-527.
9. Verma G.K. Probable Security Proof of a Blind Signature Scheme over Braid Groups. International Journal of Network Security, 2011, vol. 12, no. 2, pp. 118-120.
10. Myasnikov A., Shpilrain V., Ushakov A. A Practical Attack on a Braid Group Based Cryptographic Protocol. Advances in Cryptology - CRYPTO 2005. Lecture Notes in Computer Science, Springer, 2005, vol. 3621, pp. 86-96.
11. Moldovyan D.N., Moldovyan N.A. A New Hard Problem over Non-Commutative Finite Groups for Cryptographic Protocols. 5th International Conference on Mathematical Methods, Models, and Architectures for Computer Network Security, MMM-ACNS 2010. Lecture Notes in Computer Science, Springer, 2010, vol. 6258, pp. 183-194. DOI: 10.1007/978-3-642-14706-7_14
12. Sakalauskas E., Tvarijonas P., Raulynaitis A. Key Agreement Protocol Using Conjugacy and Discrete Logarithm Problems in Group Representation Level. Informatica, 2007, vol. 18, no. 1, pp. 115-124.
13. Moldovyan D.N. Non-Commutative Finite Groups as Primitive of Public-Key Cryptoschemes. Quasigroups and Related Systems. 2010, vol. 18, no. 2, pp. 165-176.
14. Moldovyan D.N., Moldovyan N.A. Cryptoschemes Over Hidden Conjugacy Search Problem and Attacks Using Homomorphisms. Quasigroups Related Systems, 2010, vol. 18, no. 2, pp. 177-186.
15. Kuzmin A.S., Markov V.T., Mikhalev A.A., Mikhalev A.V., Nechaev A.A. Cryptographic Algorithms on Groups and Algebras. Journal of Mathematical Sciences, 2017, vol. 223, no. 5, pp. 629-641. DOI: 10.1007/s10958-017-3371-y
16. Moldovyan A.A., Moldovyan N.A., Shcherbacov V.A. Non-Commutative Finite Associative Algebras of 2-Dimension Vectors. Computer Science Journal of Moldova, 2017, vol. 25, no. 3, pp. 344-356.
17. Moldovyan D.N., Moldovyan N.A., Shcherbacov V.A. Non-Commutative Finite Associative Algebras of 3-Dimensional Vectors. Quasigroups and Related Systems, 2018, vol. 26, no. 1, pp. 109-120.
18. Moldovyan N.A., Moldovyan P.A. Vector Form of the Finite Fields GF(p^m). Buletinul Academiei de Stiinte a Republicii Moldova. Matematica, 2009, no. 3, pp. 57-63.
19. Schnorr C.P. Efficient Signature Generation by Smart Cards. Journal of Cryptology, 1991, vol. 4, pp. 161-174. DOI: 10.1007/BF00196725
Received September 11, 2018
UDC 512.624.5 DOI: 10.14529/mmp190106
Nikolai Andreevich Moldovyan, Doctor of Physical and Mathematical Sciences, Professor, Chief Researcher, Laboratory of Cybersecurity and Post-Quantum Cryptography, St. Petersburg Institute for Informatics and Automation of the Russian Academy of Sciences (St. Petersburg, Russian Federation), [email protected].
Alexander Andreevich Moldovyan, Doctor of Physical and Mathematical Sciences, Professor, Chief Researcher, Laboratory of Cybersecurity and Post-Quantum Cryptography, St. Petersburg Institute for Informatics and Automation of the Russian Academy of Sciences (St. Petersburg, Russian Federation), [email protected].