
2023 Mathematical Methods of Cryptography No. 62

UDC 519.7 DOI 10.17223/20710410/62/4

MATHEMATICAL PROBLEMS AND SOLUTIONS OF THE NINTH INTERNATIONAL OLYMPIAD IN CRYPTOGRAPHY NSUCRYPTO¹

V. A. Idrisova², N. N. Tokareva², A. A. Gorodilova², I. I. Beterov³, T. A. Bonich², E. A. Ishchukova⁴, N. A. Kolomeec², A. V. Kutsenko², E. S. Malygina⁵, I. A. Pankratova⁶, M. A. Pudovkina⁷, A. N. Udovenko⁸

⁴Southern Federal University, Taganrog, Russia
⁵HSE, Moscow, Russia
⁷National Research Nuclear University MEPhI, Moscow, Russia

E-mail: vvitkup@yandex.ru, cryptoll27@mail.ru, gorodilova@math.nsc.ru, beterov@isp.nsc.ru, t.bonich@g.nsu.ru, uaishukova@sfedu.ru, kolomeec@math.nsc.ru, alexandrkutsenko@bk.ru, emalygina@hse.ru, pank@mail.tsu.ru, maricap@rambler.ru, aleksei.udovenkol@gmail.com

Every year the International Olympiad in Cryptography Non-Stop University CRYPTO (NSUCRYPTO) offers mathematical problems for university and school students and, moreover, for professionals in the area of cryptography and computer science. The main goal of NSUCRYPTO is to draw the attention of students and young researchers to modern cryptography and to raise awareness about open problems in the field. We present the problems of NSUCRYPTO'22 and their solutions. There are 16 problems on the following topics: ciphers, cryptosystems, protocols, e-money and cryptocurrencies, hash functions, matrices, quantum computing, S-boxes, etc. They vary from easy mathematical tasks that could be solved by school students to open problems that deserve separate discussion and study. So, in this paper, we consider several open problems on three-pass protocols, public and private key pairs, modifications of the discrete logarithm problem, cryptographic permutations, and quantum circuits.

Keywords: cryptography, ciphers, protocols, number theory, S-boxes, quantum circuits, matrices, hash functions, interpolation, cryptocurrencies, postquantum cryptosystems, Olympiad, NSUCRYPTO.

¹The work of the first, second, third, fifth, seventh and eighth authors was supported by the Mathematical Center in Akademgorodok under the agreement No. 075-15-2022-282 with the Ministry of Science and Higher Education of the Russian Federation. The work of the ninth author was supported by the Kovalevskaya North-West Centre of Mathematical Research under the agreement No. 075-02-2023-934 with the Ministry of Science and Higher Education of the Russian Federation. The work is also supported by Novosibirsk State University and Kryptonite.


1. Introduction

Non-Stop University CRYPTO (NSUCRYPTO) is a unique international competition for professionals, school and university students, providing various problems on theoretical and practical aspects of modern cryptography [1]. The main goal of the Olympiad is to draw the attention of young researchers not only to competitive, fascinating tasks, but also to sophisticated and tough scientific problems at the intersection of mathematics and cryptography. That is why each year there are several open problems in the list of tasks that require rigorous study and, if solved, deserve a separate publication. Since NSUCRYPTO is held via the Internet, everybody can easily take part in it. The rules of the Olympiad, the archive of problems, solutions and much more can be found on the official website [2].

The first Olympiad was held in 2014; since then more than 3000 students and specialists from almost 70 countries have taken part in it. The Program Committee now includes 22 members from cryptographic groups all over the world. The main organizers and partners are the Cryptographic Center (Novosibirsk), the Mathematical Center in Akademgorodok, Novosibirsk State University, KU Leuven, Tomsk State University, Belarusian State University, the Kovalevskaya North-West Center of Mathematical Research, and Kryptonite.

This year, 37 participants in the first round and 27 teams in the second round from 14 countries became winners (see the list [3]). We proposed 16 problems to the participants, and 5 of them were entirely open or included some open questions. In total, there were 623 participants from 36 countries.

Following the results of each Olympiad, we also publish scientific papers with detailed solutions and some analysis of the solutions proposed by the participants, including advances on unsolved ones [4-11].

2. An overview of open problems

One of the main characteristics of the Olympiad is that unsolved scientific problems are proposed to the participants in addition to problems with known solutions. All 31 open problems that have been offered since the first NSUCRYPTO can be found in [12]. Some of these problems have been of great interest to cryptographers and mathematicians for many years, such as "APN permutation" (2014), "Big Fermat numbers" (2016), "Boolean hidden shift and quantum computings" (2017), "Disjunct Matrices" (2018), and others.

Even though a problem is marked as open and therefore requires a lot of work to advance it, some of the problems we proposed have been solved or partially solved by our participants during the Olympiad. For example, the problems "Algebraic immunity" (2015), "Sylvester matrices" (2018) and "Miller — Rabin revisited" (2020) were solved completely. Also, partial solutions were suggested for the problems "Curl27" (2019), "Bases" (2020), "Quantum error correction" (2021), and "s-Boolean sharing" (2021).

Moreover, some researchers continue to work on solutions even after the Olympiad is over. For example, the authors of [13] proposed a complete solution for the problem "Orthogonal arrays" (2018). Partial solutions for another open problem, "A secret sharing" (2014), were presented in [14, 15], and a recursive algorithm for finding the solution was proposed in [16].

This year, two open problems were solved during the Olympiad. These are the problems "Public keys for e-coins" (Problem 4.10) and "Quantum entanglement" (Problem 4.16).

3. Problem structure of the Olympiad

There were 16 problems stated during the Olympiad; some of them were included in both rounds (Tables 1 and 2). Section A of the first round consisted of six problems, while Section B of the first round consisted of eight problems. The second round was composed of eleven problems; five of them included unsolved questions (awarded special prizes).

Table 1

Problems of the first round

Section A
No.  Problem title            Max score
1    Numbers and points       4
2    Wallets                  4
3    A long-awaited event     4
4    Hidden primes            4
5    Face-to-face             4
6    Crypto locks             4 + open problem

Section B
No.  Problem title            Max score
1    Numbers and points       4
2    Hidden primes            4
3    Face-to-face             4
4    Matrix and reduction     4
5    Reversing a gate         6
6    Bob's symbol             8
7    Crypto locks             4 + open problem
8    Public keys for e-coins  Open problem

Table 2

Problems of the second round

No.  Problem title              Max score
1    CP problem                 Open problem
2    Interpolation with errors  8
3    HAS01                      8
4    Weaknesses of the PHIGFS   8
5    Super dependent S-box      6 + open problem
6    Quantum entanglement       6 + open problem
7    Numbers and points         4
8    Bob's symbol               8
9    Crypto locks               4 + open problem
10   Public keys for e-coins    Open problem
11   A long-awaited event       4

4. Problems and their solutions

In this section, we formulate all the problems of the 2022 Olympiad and present their detailed solutions; in some particular cases we also pay attention to solutions proposed by the participants.

4.1. Problem "Numbers and points"

Formulation

Decrypt the message in Fig. 1.

Fig. 1. The illustration for the problem "Numbers and points": a Polybius square on the left and, on the right, a board of numbers and dots (rows as extracted: 3 5 1 / 4 3 3 / 1 . 4 2 4 / 2 4 . 3 / 1 4 2) with one cell highlighted in red

Solution

The right half of Fig. 1 shows a board made up of numbers and dots. One cell is highlighted in red; the path along which the sensible plaintext is encrypted begins with it (Fig. 2). The ciphertext follows a "number, number, dot" pattern and reads

21 . 42 . 24 . 15 . 33 . 14 .

Fig. 2. The path along which the sensible plaintext is encrypted

The table in the left half of Fig. 1 is the Polybius square: each letter is represented by its coordinates (row, column) in the 5 × 5 grid, with I and J sharing one cell. Matching the numbers from the ciphertext with the coordinates of the letters in the Polybius square, we get

F . R . (I/J) . E . N . D .

Picking I from (I/J), we get the sensible plaintext FRIEND.


The problem looked simple, but only one complete solution was proposed, by the team of Robin Jadoul (Belgium), Esrever Yu (Taiwan) and Jack Pope (United Kingdom).

4.2. Problem "Wallets"

Formulation

Bob has a wallet with 2022 NSUcoins. He decided to open a lot of new wallets and spread his NSUcoins among them. The platform that operates his wallets can distribute the content of any wallet between 2 newly generated ones, charging a commission of 1 NSUcoin and removing the initial wallet.

He created a lot of new wallets, but suddenly noticed that all of his wallets contain exactly 8 NSUcoins each. Bob called the platform and said that there might be a mistake. How did he notice that?

Solution

Suppose that there were $n$ such operations, so we had $n + 1$ wallets. Since 1 NSUcoin is charged for each operation, the total commission equals $n$. Therefore we have $2022 - n = 8(n + 1)$, i.e., $2014 = 9n$, which is impossible since $n$ is a natural number. The most accurate and detailed solution was sent by Egor Desyatkov (Russia).

4.3. Problem "A long-awaited event"

Formulation

Bob received from Alice the secret message

L78V8LC7GBEYEE

informing him about some important event.

It is known that Alice used an alphabet with 37 characters from A to Z, from 0 to 9 and a space. The character encoding is shown in Table 3.

Table 3

A  B  C  D  E  F  G  H  I  J  K  L  M  N  O  P  Q  R  S
0  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16 17 18

T  U  V  W  X  Y  Z  0  1  2  3  4  5  6  7  8  9  SPACE
19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36

For the encryption, Alice used a function $f$ such that $f(x) = ax^2 + bx + c \bmod 37$ for some integers $a, b, c$, and $f$ satisfies the property

$f(x - y) - 2f(x)f(y) + f(1 + xy) \equiv 1 \pmod{37}$ for any integers $x, y$.

Decrypt the message that Bob received.

Solution

Let $y = 0$:

$f(x) - 2f(x)f(0) + f(1) \equiv 1 \pmod{37}$, i.e., $f(x)(1 - 2f(0)) \equiv 1 - f(1) \pmod{37}$.

Since $f$ is not a constant function, both sides must vanish: $1 - 2f(0) \equiv 0$ and $1 - f(1) \equiv 0$, so $f(0) \equiv 19 \pmod{37}$ and $f(1) \equiv 1 \pmod{37}$. From this we obtain $c = 19$. Let $y = -1$:

$f(1 + x) + f(1 - x) \equiv 1 + 2f(x)f(-1) \pmod{37}$. Replacing $x$ by $-x$, we get

$f(1 - x) + f(1 + x) \equiv 1 + 2f(-x)f(-1) \pmod{37}$.

The left sides of the last two expressions are equal, therefore $f(x) \equiv f(-x) \pmod{37}$, that is, $f$ is an even function, provided $f(-1) \not\equiv 0 \pmod{37}$. We can check the last condition by putting $x = 0$, $y = 1$ in the initial relation on $f$, which yields $f(-1) \equiv 1 \not\equiv 0 \pmod{37}$. Therefore, $f(x) \equiv f(-x) \pmod{37}$ for any integer $x$, hence $b = 0$.

From $f(1) \equiv 1 \pmod{37}$ we reveal the value of the coefficient $a$, which is equal to 19. Thus, we have $f(x) = 19(x^2 + 1) \bmod 37$; to recover the plaintext we use the inverse relation $x^2 \equiv 2f(x) + 36 \pmod{37}$, and for every symbol of the ciphertext we choose the appropriate one of the two square roots as the corresponding symbol of the plaintext:

L78V8LC7GBEYEE → NSUCRYPTO 2022.

The only correct solution was sent by William Zhang (United Kingdom).

4.4. Problem "Hidden primes"

Formulation

The Olympiad team rented an office at the Business Center, room 1-342, on 1691th street for the NSUCRYPTO-2022 competition for 0 nsucoins (good deal!). Mary from the team wanted to create a task for the competition and needed to pick three numbers for it. She used to find inspiration in the numbers around her and in various equations with them. After some procedure, she found three prime numbers! Interestingly, when Mary added the smallest number to the largest one and divided the sum by the third number, the result was also a prime number.

Can you guess these numbers she found?

Solution

We may assume from the problem statement that Mary used some numbers around her and some equations with them in order to find these three numbers, and that she used only one procedure to find them. So all three numbers are connected by some procedure in which the numbers around Mary are used; the phrase "various equations" suggests an equation with these numbers as coefficients. The numbers around Mary were 1, −342, 1691 and −2022.

In addition, analyzing the picture (Fig. 3), one can see a curve and cubes with the four letters a, b, c, d and with 0. The curve resembles the graph of a cubic function, and the letters on the cubes look like the coefficients of a cubic polynomial; the cube with 0 hints at the use of a cubic equation.

Fig. 3. The illustration for the problem "Hidden primes"

Let us substitute the numbers from the problem statement into the cubic equation. Solving the equation $x^3 - 342x^2 + 1691x - 2022 = 0$, we find the roots 2, 3, 337. All three numbers are prime and satisfy the condition from the statement: $(2 + 337)/3 = 113$, where 113 is also a prime number.

Best solutions were proposed independently by Konstantin Romanov (Russia), Vasiliy Kadykov (Russia) and Sergey Zabolotskiy (Russia).

4.5. Problem "Face-to-face"

Formulation

Alice picked a new PIN code (4 pairwise distinct digits from {1, 2, ..., 9}) for her credit card such that all digits have the same parity and are arranged in increasing order. Bob and Charlie wanted to guess her PIN code. Alice said that she could give each of them a hint, but face-to-face only.

Bob alone came to Alice, and she told him that the sum of her PIN code digits is equal to the number of light bulbs in the living room chandelier. Bob replied that he did not have enough information yet to guess the code and left. After that, Charlie alone came to Alice, and she told him that if one takes the product of all PIN code digits and then sums up the digits of that product, the resulting number is equal to the number of books on the shelf. Charlie also replied that he did not have enough information to guess the code yet and left.

Unfortunately, Eve was eavesdropping in the next apartment and, after Charlie had left, she immediately found out Alice's PIN code, despite never having seen the chandelier or the bookshelf. Could you find the PIN code too?

Solution

Let $P$ be the PIN code. Since all the digits of $P$ have the same parity and are arranged in increasing order, we have only six options (Table 4).

Table 4

PIN code P   Sum of digits   Product of digits   Sum of the product's digits
1357         16              105                 6
1359         18              135                 9
1379         20              189                 18
1579         22              315                 9
2468         20              384                 15
3579         24              945                 18

Since Bob could not guess the code, the sum of digits must allow at least two options for the code, so $P \in \{1379, 2468\}$. Since Charlie could not guess the code either, the same holds for the sum of the product's digits, and it follows that $P \in \{1359, 1579, 1379, 3579\}$. Therefore, the PIN code is 1379.

The best solutions to this problem were sent by Henning Seidler (Germany), Himanshu Sheoran (India) and Phuong Hoa Nguyen (France).

4.6. Problem "Crypto locks"

Formulation

Alice and Bob are wondering about the creation of a new version for the Shamir three-pass protocol. They have several ideas about it.

The Shamir three-pass protocol was developed more than 40 years ago. Recall it. Let $p$ be a big prime number. Let Alice take two secret numbers $c_A$ and $d_A$ such that $c_A d_A \equiv 1 \pmod{p - 1}$. Bob takes numbers $c_B$ and $d_B$ with the same property. If Alice wants to send a secret message $m$ to Bob, where $m$ is an integer, $1 < m < p - 1$, then she calculates $x_1 = m^{c_A} \bmod p$ and sends it to Bob. Then Bob computes $x_2 = x_1^{c_B} \bmod p$ and forwards it back to Alice. On the third step, Alice finds $x_3 = x_2^{d_A} \bmod p$ and sends it to Bob. Finally, Bob recovers $m$ as $x_3^{d_B} \bmod p$ according to Fermat's little theorem.

It is possible to think about action of cA and dA over the message as about locking and unlocking, see Fig. 4.

Fig. 4. The illustration for the problem "Crypto locks"

Alice and Bob decided to change the scheme by using symmetric encryption and decryption procedures instead of locking and unlocking with cA, cB, dA, and dB.

Q1. Propose some simple symmetric ciphers that would be possible to use in such a scheme. What properties are required of them? Should Alice and Bob use the same cipher (with their own different keys) or not?

Q2. Problem for a special prize! Could you find symmetric ciphers that make the modified scheme as secure as before? Please give your reasons and proofs.

Solution

Q1. Assume that Alice and Bob use functions $Enc_A, Dec_A$ and $Enc_B, Dec_B$ for encryption and decryption of the message $m$. Then the three-pass protocol looks as follows:

• Alice calculates $Enc_A(m, k_A)$, where $k_A$ is her secret key, and sends it to Bob.

• Bob computes $Enc_B(Enc_A(m, k_A), k_B)$, where $k_B$ is his secret key, and forwards it to Alice.

• Finally, Alice computes $Dec_A(Enc_B(Enc_A(m, k_A), k_B), k_A)$ and sends it to Bob.

For Bob to be able to recover $m$, the ciphers must satisfy

$Dec_B(Dec_A(Enc_B(Enc_A(m, k_A), k_B), k_A), k_B) = m.$

The most common approach was to use encryption functions that commute with each other. In that case, if Alice wants to send a secret message $m$ to Bob, she calculates $x_1 = m \circ k_A$ and sends it to Bob. Then Bob computes $x_2 = x_1 \circ k_B$ and forwards it back to Alice. On the third step, Alice finds $x_3 = x_2 \circ k_A^{-1}$ and sends it to Bob. Finally, the commutativity of the operation $\circ$ allows Bob to recover $m$ as $x_3 \circ k_B^{-1}$.

Remark 1. Such a scheme is insecure whenever $\circ$ is a group operation on the message space: an eavesdropper who intercepts $x_1, x_2, x_3$ can compute $x_2^{-1}$ and recover the message, since $x_1 \circ x_3 \circ x_2^{-1} = m$. As a result, all schemes that use ciphers with only the XOR operation (the most common suggestion by the participants) have this weakness.

Regarding Q2, one interesting idea found by a few participants is to use the product of matrices for encryption and decryption, with an additional condition on the matrix $M$ that represents the message $m$, which serves as a countermeasure against the attack described in Remark 1. However, such schemes require additional security analysis.

Another interesting idea, suggested by the team of Himanshu Sheoran, Gyumin Roh and Yo Iida (India, South Korea, Japan), was to base the scheme on permutations that commute with each other. Note that a three-pass cryptographic protocol with a similar idea was presented in [17].
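The following Python script is an added example (our code, not the paper's or any participant's) that runs Shamir's exponentiation protocol next to the XOR variant discussed in Q1 and applies the eavesdropper's combination from Remark 1 to both transcripts. The 61-bit prime, the seeded random keys and the message are constructed for the demonstration only; a real deployment needs a far larger prime.

```python
# Added example (not from the paper): Shamir's three-pass protocol versus a "commutative cipher"
# variant built on XOR, and the eavesdropper's attack of Remark 1 applied to both transcripts.
import random
from math import gcd

P = (1 << 61) - 1   # toy prime for illustration only; far too small for real use

def shamir_keypair(rng):
    """Secret exponent pair (c, d) with c * d = 1 (mod P - 1), as in the problem statement."""
    while True:
        c = rng.randrange(3, P - 1)
        if gcd(c, P - 1) == 1:
            return c, pow(c, -1, P - 1)

def shamir_three_pass(m, rng):
    """Returns the three transmitted values and the message Bob recovers."""
    cA, dA = shamir_keypair(rng)
    cB, dB = shamir_keypair(rng)
    x1 = pow(m, cA, P)     # Alice -> Bob: m locked with c_A
    x2 = pow(x1, cB, P)    # Bob -> Alice: locked with c_B as well
    x3 = pow(x2, dA, P)    # Alice -> Bob: Alice's lock removed (exponents commute)
    return (x1, x2, x3), pow(x3, dB, P)

def xor_three_pass(m, rng, bits=61):
    """The same three passes with Enc(m, k) = Dec(m, k) = m XOR k."""
    kA, kB = rng.getrandbits(bits), rng.getrandbits(bits)
    x1 = m ^ kA
    x2 = x1 ^ kB
    x3 = x2 ^ kA
    return (x1, x2, x3), x3 ^ kB

def eve(transcript, op, inverse):
    """Remark 1: for a group operation 'op', x1 op x3 op inverse(x2) equals m."""
    x1, x2, x3 = transcript
    return op(op(x1, x3), inverse(x2))

def demo(seed=2022):
    rng = random.Random(seed)
    m = int.from_bytes(b"NSUCRYPTO", "big") % P    # constructed message, 1 < m < P - 1
    shamir_t, shamir_m = shamir_three_pass(m, rng)
    xor_t, xor_m = xor_three_pass(m, rng)
    # XOR is its own inverse, so Eve reads m straight off the wire.
    eve_xor = eve(xor_t, lambda a, b: a ^ b, lambda v: v)
    # The same combination on Shamir's transcript yields m^(cA + cB - cA*cB), not m.
    eve_shamir = eve(shamir_t, lambda a, b: a * b % P, lambda v: pow(v, -1, P))
    return {"shamir_ok": shamir_m == m, "xor_ok": xor_m == m,
            "eve_breaks_xor": eve_xor == m, "eve_breaks_shamir": eve_shamir == m}

if __name__ == "__main__":
    print(demo())
```

Both protocols deliver $m$ to Bob; only the XOR transcript gives it to Eve, because the keys act as elements of the same abelian group as the messages, whereas in Shamir's protocol the keys act as exponents and $x_1 x_3 x_2^{-1} = m^{c_A + c_B - c_A c_B}$ carries no usable information without a discrete logarithm.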

4.7. Problem "Matrix and reduction"

Formulation

Alice used an alphabet with 30 characters: from A to Z, 0, 1, «,», «!». The character encoding is shown in Table 5.

Table 5

A  B  C  D  E  F  G  H  I  J  K  L  M  N  O
0  1  2  3  4  5  6  7  8  9 10 11 12 13 14

P  Q  R  S  T  U  V  W  X  Y  Z  0  1  ,  !
15 16 17 18 19 20 21 22 23 24 25 26 27 28 29

Encryption. The plaintext is divided into consecutive subwords of length 4 that are encrypted independently via the same encryption $(2 \times 2)$-matrix $F$ with elements from $\mathbb{Z}_{30}$. For example, let the $j$-th subword be WORD and the encryption matrix $F$ be equal to

$F = \begin{pmatrix} 11 & 9 \\ 11 & 10 \end{pmatrix}.$

The matrix that corresponds to WORD is denoted by $P_j$ (the symbols fill it column by column), and the matrix $C_j$ that corresponds to the encryption result of WORD is calculated as follows:

$C_j = F \cdot P_j = \begin{pmatrix} 11 & 9 \\ 11 & 10 \end{pmatrix} \begin{pmatrix} 22 & 17 \\ 14 & 3 \end{pmatrix} = \begin{pmatrix} 8 & 4 \\ 22 & 7 \end{pmatrix} \pmod{30},$

that is, the $j$-th subword of the ciphertext is IWEH.

Eve has intercepted a ciphertext that was transmitted from Alice to Bob:

CYPHXWQE!WNKHZ0Z

Also, she knows that the third subword of the plaintext is FORW. Will Eve be able to restore the original message?

Solution

The third subword of the plaintext is FORW:

$P_3 = \begin{pmatrix} 5 & 17 \\ 14 & 22 \end{pmatrix} \pmod{30}.$

The ciphertext subword corresponding to it is !WNK:

$C_3 = \begin{pmatrix} 29 & 13 \\ 22 & 10 \end{pmatrix} \pmod{30}.$

Since $C_3 = F \cdot P_3$, where $F$ is the encryption matrix, the decryption matrix could be found as

$D = P_3 \cdot C_3^{-1}.$

But $\det(C_3) \equiv 4 \pmod{30}$ and $\gcd(4, 30) \ne 1$, that is, such a matrix does not exist modulo 30. So we carry out the calculations by reduction modulo 15. Let $\bar{P}_3 = P_3 \bmod 15$, $\bar{C}_3 = C_3 \bmod 15$ and $\bar{F} = F \bmod 15$. We have

$\bar{F}^{-1} = \bar{P}_3 \cdot \bar{C}_3^{-1} = \begin{pmatrix} 9 & 2 \\ 4 & 9 \end{pmatrix} \pmod{15};$

consequently,

$D = \begin{pmatrix} 9 & 2 \\ 4 & 9 \end{pmatrix} + 15 F_0 \pmod{30},$ where $F_0$ is a $2 \times 2$ binary matrix. We have $D \cdot C_3 = P_3$, or

$\begin{pmatrix} 9 & 2 \\ 4 & 9 \end{pmatrix} \begin{pmatrix} 29 & 13 \\ 22 & 10 \end{pmatrix} + 15 F_0 \begin{pmatrix} 29 & 13 \\ 22 & 10 \end{pmatrix} = \begin{pmatrix} 5 & 17 \\ 14 & 22 \end{pmatrix} \pmod{30}.$

The first product is already equal to $P_3$ modulo 30, so finally we obtain

$F_0 \begin{pmatrix} 15 & 15 \\ 0 & 0 \end{pmatrix} = \begin{pmatrix} 0 & 0 \\ 0 & 0 \end{pmatrix} \pmod{30}.$

If we set $F_0 = \begin{pmatrix} a & b \\ c & d \end{pmatrix}$, then it is clear that $a = c = 0$, and among the remaining values only $b = 1$, $d = 0$ give us the answer GOODLUCKFORWIN!!.

Best solutions for this problem were sent by Pieter Senden (Belgium) and by Sergey Zabolotskiy (Russia).
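As an added example (our code, not the paper's or the participants'), the Python script below carries out the known-plaintext recovery above for the $2 \times 2$ Hill cipher over $\mathbb{Z}_{30}$: it tries to invert $C_3$ modulo 30, falls back to modulo 15 when the determinant is not a unit, and lifts the result back to $\mathbb{Z}_{30}$ by testing the 16 binary matrices $F_0$ against the known block. The ciphertext is taken with the digit 0 in its last block, HZ0Z, which is the reading that yields the plaintext stated in the solution.

```python
# Added example (not from the paper): known-plaintext recovery of the decryption matrix for the
# 2x2 Hill cipher over Z_30 of Problem 4.7.  det(C_3) = 4 is not a unit modulo 30, so the inverse
# is computed modulo 15 and lifted back to Z_30, the route taken in the solution above.

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ01,!"   # Table 5: code of a symbol = its index (30 symbols)
N = 30

def block_to_matrix(s):
    """Four symbols -> 2x2 matrix, filled column by column as in the WORD example."""
    a, b, c, d = (ALPHABET.index(ch) for ch in s)
    return [[a, c], [b, d]]

def matrix_to_block(M):
    return "".join(ALPHABET[v % N] for v in (M[0][0], M[1][0], M[0][1], M[1][1]))

def matmul_mod(A, B, n):
    return [[sum(A[i][k] * B[k][j] for k in range(2)) % n for j in range(2)] for i in range(2)]

def inv2_mod(M, n):
    """Inverse of a 2x2 matrix modulo n; pow() raises ValueError if det is not a unit mod n."""
    det = (M[0][0] * M[1][1] - M[0][1] * M[1][0]) % n
    dinv = pow(det, -1, n)
    return [[ M[1][1] * dinv % n, -M[0][1] * dinv % n],
            [-M[1][0] * dinv % n,  M[0][0] * dinv % n]]

def apply_matrix(text, M):
    """Encrypt (M = F) or decrypt (M = D) a text made of 4-symbol blocks."""
    return "".join(matrix_to_block(matmul_mod(M, block_to_matrix(text[i:i + 4]), N))
                   for i in range(0, len(text), 4))

def recover_decryption_matrices(plain_block, cipher_block):
    """All D over Z_30 with D * C = P for the known block pair (P, C)."""
    P3, C3 = block_to_matrix(plain_block), block_to_matrix(cipher_block)
    try:
        return [matmul_mod(P3, inv2_mod(C3, N), N)]   # unique answer when det(C) is a unit
    except ValueError:
        pass
    # For this problem det(C3) = 4 is a unit modulo 15 but not modulo 2: solve modulo 15,
    # then lift D = D15 + 15 * F0 over the 16 binary matrices F0, keeping those consistent mod 30.
    D15 = matmul_mod(P3, inv2_mod(C3, 15), 15)
    found = []
    for bits in range(16):
        F0 = [[bits & 1, bits >> 1 & 1], [bits >> 2 & 1, bits >> 3 & 1]]
        D = [[(D15[i][j] + 15 * F0[i][j]) % N for j in range(2)] for i in range(2)]
        if matmul_mod(D, C3, N) == P3:
            found.append(D)
    return found

if __name__ == "__main__":
    print(apply_matrix("WORD", [[11, 9], [11, 10]]))    # IWEH, as in the formulation
    ciphertext = "CYPHXWQE!WNKHZ0Z"
    for D in recover_decryption_matrices("FORW", "!WNK"):
        print(D, apply_matrix(ciphertext, D))             # the readable one is GOODLUCKFORWIN!!
```

The known block pins down $D$ only modulo the kernel of right multiplication by $C_3$, which is why four decryption matrices survive and the final choice has to be made by reading the candidate plaintexts.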

4.8. Problem "Reversing a gate"

Formulation

Daniel continues to study quantum circuits. The controlled NOT (CNOT) gate is the most complex quantum gate from the universal set of gates required for quantum computation. This gate acts on two qubits and makes the following transformation:

$|00\rangle \to |00\rangle, \quad |01\rangle \to |01\rangle, \quad |10\rangle \to |11\rangle, \quad |11\rangle \to |10\rangle.$

This gate is clearly asymmetric. The first qubit is considered the control qubit, and the second is the target qubit. CNOT is described by the following quantum circuit ($x, y \in \mathbb{F}_2$):

  |x⟩ ──●── |x⟩
        │
  |y⟩ ──⊕── |y ⊕ x⟩

The problem. Help Daniel to design a circuit in a special way that reverses the CNOT gate:

  |x⟩ ──⊕── |x ⊕ y⟩
        │
  |y⟩ ──●── |y⟩

It makes the following transformation: $|00\rangle \to |00\rangle$, $|01\rangle \to |11\rangle$, $|10\rangle \to |10\rangle$, $|11\rangle \to |01\rangle$.

To do this, you should modify the original CNOT gate without re-ordering the qubits, but by adding some single-qubit gates from the following (Table 6).

Table 6

Pauli-X gate     |x⟩ ─ X ─ |x ⊕ 1⟩                    Acts on a single qubit in the state |x⟩, x ∈ {0, 1}
Pauli-Z gate     |x⟩ ─ Z ─ (−1)^x |x⟩                 Acts on a single qubit in the state |x⟩, x ∈ {0, 1}
Hadamard gate    |x⟩ ─ H ─ (|0⟩ + (−1)^x |1⟩)/√2      Acts on a single qubit in the state |x⟩, x ∈ {0, 1}

Remark 2. Let us briefly formulate the key points of quantum circuits. A qubit is a two-level quantum mechanical system whose state is a superposition of the basis quantum states $|0\rangle$ and $|1\rangle$. The superposition is written as $|\psi\rangle = \alpha_0|0\rangle + \alpha_1|1\rangle$, where $\alpha_0$ and $\alpha_1$ are complex numbers, called amplitudes, such that $|\alpha_0|^2 + |\alpha_1|^2 = 1$. The amplitudes $\alpha_0$ and $\alpha_1$ have the following physical meaning: after the measurement of a qubit in the state $|\psi\rangle$, it will be observed in the state $|0\rangle$ with probability $|\alpha_0|^2$ and in the state $|1\rangle$ with probability $|\alpha_1|^2$. In order to operate with multi-qubit systems, we consider the bilinear operation $\otimes : |x\rangle, |y\rangle \mapsto |x\rangle \otimes |y\rangle$ for $x, y \in \{0, 1\}$, which is defined on pairs $|x\rangle, |y\rangle$ and, by bilinearity, is extended to the space of all linear combinations of $|0\rangle$ and $|1\rangle$. When two qubits are in states $|\psi\rangle$ and $|\varphi\rangle$ respectively, the state of the whole system of these two qubits is $|\psi\rangle \otimes |\varphi\rangle$. In general, for two qubits we have $|\psi\rangle = \alpha_{00}|0\rangle \otimes |0\rangle + \alpha_{01}|0\rangle \otimes |1\rangle + \alpha_{10}|1\rangle \otimes |0\rangle + \alpha_{11}|1\rangle \otimes |1\rangle$. The physical meaning of the complex numbers $\alpha_{ij}$ is the same as for one qubit, so we have the essential restriction $|\alpha_{00}|^2 + |\alpha_{01}|^2 + |\alpha_{10}|^2 + |\alpha_{11}|^2 = 1$. We use the shorter notation $|a\rangle \otimes |b\rangle = |ab\rangle$. In order to verify your circuits, you can use various quantum circuit simulators, for example, see [18].

Solution

The desired circuit has the following form for any $x, y \in \mathbb{F}_2$: a Hadamard gate is applied to each qubit before and after the CNOT gate,

  |x⟩ ─ H ──●── H ─ |x ⊕ y⟩
            │
  |y⟩ ─ H ──⊕── H ─ |y⟩

Tracing the state through the circuit, starting from $|\psi_0\rangle = |x\rangle|y\rangle$:

$|\psi_1\rangle = \frac{|0\rangle + (-1)^x|1\rangle}{\sqrt{2}} \otimes \frac{|0\rangle + (-1)^y|1\rangle}{\sqrt{2}} = \frac{|00\rangle + (-1)^y|01\rangle + (-1)^x|10\rangle + (-1)^{x \oplus y}|11\rangle}{2},$

$|\psi_2\rangle = \frac{|00\rangle + (-1)^y|01\rangle + (-1)^x|11\rangle + (-1)^{x \oplus y}|10\rangle}{2} = \frac{|0\rangle + (-1)^{x \oplus y}|1\rangle}{\sqrt{2}} \otimes \frac{|0\rangle + (-1)^y|1\rangle}{\sqrt{2}},$

$|\psi_3\rangle = |x \oplus y\rangle|y\rangle.$

Best solutions were sent by Daniel Popescu (Romania), Yo Iida (Japan) and David Marton (Hungary).
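The following Python script is an added example (our code, not the paper's) that verifies the circuit above numerically: it builds the $4 \times 4$ matrices of CNOT and $H \otimes H$ in the basis $|00\rangle, |01\rangle, |10\rangle, |11\rangle$ (first qubit as the most significant bit), multiplies them out, and compares the result with the reversed CNOT gate both entry by entry and as a truth table on basis states.

```python
# Added example (not from the paper): a 4x4 matrix check that (H x H) CNOT (H x H) equals CNOT
# with control and target exchanged.  Basis order |00>, |01>, |10>, |11>, first qubit = high bit.
from math import sqrt

def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) for j in range(len(B[0]))]
            for i in range(len(A))]

def kron(A, B):
    """Tensor product of square matrices A (n x n) and B (m x m)."""
    n, m = len(A), len(B)
    return [[A[i // m][j // m] * B[i % m][j % m] for j in range(n * m)] for i in range(n * m)]

def gate_from_map(mapping):
    """Permutation matrix of a classical map (x, y) -> (x', y') on the four basis states."""
    M = [[0] * 4 for _ in range(4)]
    for (x, y), (xo, yo) in mapping.items():
        M[2 * xo + yo][2 * x + y] = 1
    return M

H = [[1 / sqrt(2), 1 / sqrt(2)], [1 / sqrt(2), -1 / sqrt(2)]]
CNOT = gate_from_map({(0, 0): (0, 0), (0, 1): (0, 1), (1, 0): (1, 1), (1, 1): (1, 0)})
REVERSED_CNOT = gate_from_map({(0, 0): (0, 0), (0, 1): (1, 1), (1, 0): (1, 0), (1, 1): (0, 1)})

def hadamard_sandwich():
    """(H x H) . CNOT . (H x H): Hadamards on both qubits before and after the CNOT."""
    HH = kron(H, H)
    return matmul(HH, matmul(CNOT, HH))

def max_abs_diff(A, B):
    return max(abs(A[i][j] - B[i][j]) for i in range(4) for j in range(4))

def truth_table(M):
    """Apply the circuit to each basis state and read off the basis state it lands on."""
    table = {}
    for x in (0, 1):
        for y in (0, 1):
            col = [M[i][2 * x + y] for i in range(4)]
            k = max(range(4), key=lambda i: abs(col[i]))
            assert abs(abs(col[k]) - 1) < 1e-12     # basis states are mapped to basis states
            table[(x, y)] = (k >> 1, k & 1)
    return table

if __name__ == "__main__":
    circuit = hadamard_sandwich()
    print(max_abs_diff(circuit, REVERSED_CNOT))   # 0 up to floating-point rounding
    print(truth_table(circuit))                   # (0,1) -> (1,1) and (1,1) -> (0,1), as required
```

The truth-table check is the one a reader can compare with the statement of the problem; the entry-wise comparison additionally confirms that no relative phase is introduced, which the truth table alone would not show.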

4.9. Problem "Bob's symbol"

Formulation

Bob learned the Goldwasser — Micali cryptosystem at university. Now he is thinking about functions over finite fields that are similar to the Jacobi symbol.

He chose a function $B_n : \mathbb{F}_{2^n} \to \mathbb{F}_2$ (Bob's symbol) defined as follows for any $a \in \mathbb{F}_{2^n}$:

$B_n(a) = 1$ if $a = x^2 + x$ for some $x \in \mathbb{F}_{2^n}$, and $B_n(a) = 0$ otherwise.

Bob knows that finite fields may have subfields. Indeed, it is well known that $\mathbb{F}_{2^k}$ is a subfield of $\mathbb{F}_{2^n}$ if and only if $k \mid n$. Bob wants to exclude the elements of proper subfields, that is, to consider $B_n$ on the set

$\widehat{\mathbb{F}}_{2^n} = \mathbb{F}_{2^n} \setminus \bigcup_{k \mid n,\ k \ne n} \mathbb{F}_{2^k}.$

Here, by $\mathbb{F}_{2^n} \setminus \mathbb{F}_{2^k}$ we mean the removal from $\mathbb{F}_{2^n}$ of the elements forming the subfield of order $2^k$. Finally, Bob is interested in the sets

$B_n^0 = \{y \in \widehat{\mathbb{F}}_{2^n} : B_n(y) = 0\}$ and $B_n^1 = \{y \in \widehat{\mathbb{F}}_{2^n} : B_n(y) = 1\}.$

Q1. Help Bob to find $|B_n^0| / |B_n^1|$ if $n$ is odd.

Q2. Help Bob to find $|B_n^0|$ and $|B_n^1|$ for an arbitrary $n$.

Solution

Let us define

$B(\mathbb{F}_{2^n}) = \{x \in \mathbb{F}_{2^n} : B_n(x) = 0\},$ i.e., $B_n^0 = \widehat{\mathbb{F}}_{2^n} \cap B(\mathbb{F}_{2^n}).$

First we prove the following lemma.

Lemma 1. Let $k \mid n$. Then

$|\mathbb{F}_{2^k} \cap B(\mathbb{F}_{2^n})| = \begin{cases} \frac{1}{2}|\mathbb{F}_{2^k}|, & \text{if } n/k \text{ is odd}, \\ 0, & \text{otherwise}. \end{cases}$

Proof. Let us consider the function $G(x) = x^2 + x = x(x + 1)$, where $x \in \mathbb{F}_{2^k}$. First, $G(x) = G(x + 1)$. Secondly, $x^2 + x + a$, $a \in \mathbb{F}_{2^k}$, has at most 2 roots. It means that $G$ is a two-to-one function. Therefore, there are exactly $2^{k-1}$ distinct $a \in \mathbb{F}_{2^k}$ such that $x^2 + x \ne a$ for every $x \in \mathbb{F}_{2^k}$.

Next, for any such $a$ the polynomial $x^2 + x + a$ is irreducible over $\mathbb{F}_{2^k}$. It means that it has a root $q$ in the quadratic extension $\mathbb{F}_{2^{2k}}$ of $\mathbb{F}_{2^k}$, i.e., $a = q^2 + q$. If $n/k$ is even, $\mathbb{F}_{2^{2k}}$ is a subfield of $\mathbb{F}_{2^n}$, i.e., $q \in \mathbb{F}_{2^n}$. Thus, $|\mathbb{F}_{2^k} \cap B(\mathbb{F}_{2^n})| = 0$. If $n/k$ is odd, then $\mathbb{F}_{2^{2k}}$ is not a subfield of $\mathbb{F}_{2^n}$. Moreover, $\mathbb{F}_{2^{2k}} \cap \mathbb{F}_{2^n} = \mathbb{F}_{2^k}$. It means that no root $q$ belongs to $\mathbb{F}_{2^n}$, i.e., $|\mathbb{F}_{2^k} \cap B(\mathbb{F}_{2^n})| = 2^{k-1}$. ∎

Now we are ready to answer the questions. Let $n = m 2^t$, where $m$ is odd. For $d \mid m$ we define

$f_t(d) = |\widehat{\mathbb{F}}_{2^{d 2^t}} \cap B(\mathbb{F}_{2^n})|$ and $g_t(d) = \frac{1}{2}|\mathbb{F}_{2^{d 2^t}}|.$

This means that $|B_n^0| = |B_{m 2^t}^0| = f_t(m)$. At the same time, the definition of $\widehat{\mathbb{F}}_{2^n}$ gives us that

$\sum_{d \mid n} |\widehat{\mathbb{F}}_{2^d} \cap B(\mathbb{F}_{2^n})| = |\mathbb{F}_{2^n} \cap B(\mathbb{F}_{2^n})|.$

According to Lemma 1, the summands with $n/d$ even vanish, so only $d = d' 2^t$ with $d' \mid m$ contribute, and with the notation above

$\sum_{d \mid n} |\widehat{\mathbb{F}}_{2^d} \cap B(\mathbb{F}_{2^n})| = \sum_{d' \mid m} |\widehat{\mathbb{F}}_{2^{d' 2^t}} \cap B(\mathbb{F}_{2^n})| = \sum_{d' \mid m} f_t(d'),$

$|\mathbb{F}_{2^n} \cap B(\mathbb{F}_{2^n})| = |\mathbb{F}_{2^{m 2^t}} \cap B(\mathbb{F}_{2^n})| = \frac{1}{2}|\mathbb{F}_{2^{m 2^t}}| = g_t(m).$

Hence,

$g_t(m) = \sum_{d \mid m} f_t(d)$ holds for any odd integer $m \geq 1$ and any $t \geq 0$.

According to the Möbius inversion formula,

$f_t(m) = \sum_{d \mid m} \mu(d)\, g_t(m/d) = \frac{1}{2} \sum_{d \mid m} \mu(d)\, 2^{(m/d) 2^t}.$

Recall that $\mu(d) = 0$ if $d$ is not square-free (there is an integer $u \geq 2$ such that $u^2 \mid d$); otherwise, it is equal to $1$ ($-1$) if $d$ has an even (odd) number of prime factors. As a result,

$|B_n^0| = \frac{1}{2} \sum_{d \mid m} \mu(d)\, 2^{n/d}.$

Also, $|B_n^1| = |\widehat{\mathbb{F}}_{2^n}| - |B_n^0|$. We only need to note that $|\widehat{\mathbb{F}}_{2^n}| = \sum_{d \mid n} \mu(d)\, 2^{n/d}$. This can be easily proven using $2^n = |\mathbb{F}_{2^n}| = \sum_{d \mid n} |\widehat{\mathbb{F}}_{2^d}|$ together with the Möbius inversion formula. Finally, for odd $n$ we have $m = n$, so $|B_n^0| = |B_n^1| = \frac{1}{2}|\widehat{\mathbb{F}}_{2^n}|$, which means that the answer to Q1 is 1.

In fact, it directly follows from Lemma 1 and the definition of $\widehat{\mathbb{F}}_{2^n}$.

Many teams provided the correct answers in the second round using similar ideas: Himanshu Sheoran, Gyumin Roh, Yo Iida (India), Mikhail Kudinov, Denis Nabokov, Alexey Zelenetskiy (Russia), Stepan Davydov, Anastasiia Chichaeva, Kirill Tsaregorodtsev (Russia), Mikhail Borodin, Vitaly Kiryukhin, Andrey Rybkin (Russia), Kristina Geut, Sergey Titov, Dmitry Ananichev (Russia), Pham Minh, Dung Truong Viet (Vietnam), and Alexander Belov (Russia).
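As an added example (our code, not the paper's or the participants'), the following Python script checks the formulas for $|B_n^0|$ and $|B_n^1|$ against a brute-force enumeration of $\mathbb{F}_{2^n}$ for small $n$. Field elements are represented as $n$-bit integers (polynomials over $\mathbb{F}_2$) reduced modulo an irreducible polynomial that the script finds by trial division; membership in a proper subfield $\mathbb{F}_{2^k}$ is tested by $a^{2^k} = a$. The function names are our own.

```python
# Added example (not from the paper): brute-force check in GF(2^n), for small n, of the counts
# |B_n^0| and |B_n^1| derived above against the Moebius-sum formulas.

def poly_mod(a, b):
    """Remainder of a modulo b, both polynomials over GF(2) packed into ints."""
    db = b.bit_length() - 1
    while a and a.bit_length() - 1 >= db:
        a ^= b << (a.bit_length() - 1 - db)
    return a

def find_irreducible(n):
    """Smallest irreducible polynomial of degree n (odd constant term, no factor of degree <= n/2)."""
    for p in range((1 << n) | 1, 1 << (n + 1), 2):
        if all(poly_mod(p, q) != 0
               for d in range(1, n // 2 + 1) for q in range(1 << d, 1 << (d + 1))):
            return p
    raise ValueError("no irreducible polynomial found")

def mul(a, b, mod, n):
    """Product in GF(2^n) = GF(2)[x] / (mod)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> n) & 1:
            a ^= mod
    return r

def power(a, e, mod, n):
    r = 1
    while e:
        if e & 1:
            r = mul(r, a, mod, n)
        a = mul(a, a, mod, n)
        e >>= 1
    return r

def brute_counts(n):
    """(|B_n^0|, |B_n^1|) by enumerating GF(2^n)."""
    mod = find_irreducible(n)
    elems = range(1 << n)
    image = {mul(x, x, mod, n) ^ x for x in elems}        # {x^2 + x}: B_n(a) = 1 iff a is in it
    proper = [k for k in range(1, n) if n % k == 0]
    # a lies in the subfield GF(2^k) iff a^(2^k) = a; keep only elements outside every proper subfield
    hat = [a for a in elems if not any(power(a, 1 << k, mod, n) == a for k in proper)]
    b1 = sum(1 for a in hat if a in image)
    return len(hat) - b1, b1

def mobius(d):
    result, p = 1, 2
    while p * p <= d:
        if d % p == 0:
            d //= p
            if d % p == 0:
                return 0
            result = -result
        p += 1
    return -result if d > 1 else result

def formula_counts(n):
    """|B_n^0| = (1/2) sum_{d | m} mu(d) 2^(n/d) with n = m 2^t, m odd; |B_n^1| = |F^_{2^n}| - |B_n^0|."""
    m = n
    while m % 2 == 0:
        m //= 2
    b0 = sum(mobius(d) * 2 ** (n // d) for d in range(1, m + 1) if m % d == 0) // 2
    hat_size = sum(mobius(d) * 2 ** (n // d) for d in range(1, n + 1) if n % d == 0)
    return b0, hat_size - b0

if __name__ == "__main__":
    for n in range(1, 9):
        print(n, brute_counts(n), formula_counts(n))   # the two pairs agree for every n
```

For $n = 6$ the output is $(30, 24)$: the 8 elements of $\mathbb{F}_{2^3}$ all lie in the image of $x^2 + x$ because $6/3$ is even, while only two elements of $\mathbb{F}_{2^2}$ do, exactly as Lemma 1 predicts.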

4.10. Problem "Public keys for e-coins"

Formulation

Alice has $n$ electronic coins that she would like to spend via some public service $S$ (bank). The service applies some asymmetric encryption algorithm $E(\cdot)$ and decryption algorithm $D(\cdot)$ in its work. Namely, for a pair of public and private keys $(PK, SK)$ and for any message $m$ it holds: if $c = E(m, PK)$, then $m = D(c, SK)$, and vice versa: if $c' = E(m, SK)$, then $m = D(c', PK)$.

To spend her money, Alice generates a sequence of public and private key pairs $(PK_1, SK_1), \dots, (PK_n, SK_n)$ and sends the sequence of public keys $PK_1, \dots, PK_n$ to the service $S$. By doing so, she authorizes the service $S$ to control her $n$ coins.

If Alice would like to spend the coin with number $i$ in Bob's shop, she just gives the secret key $SK_i$ to Bob and informs him of the number $i$. To get the coin with number $i$, Bob sends to the service $S$ the number $i$, some message $m$ and its electronic signature $c' = E(m, SK_i)$. The service $S$ checks whether the signature $c'$ corresponds to the message $m$, i.e., whether the equality $m = D(c', PK_i)$ holds. If so, the coin with number $i$ is transferred to Bob.

Problem for a special prize! Propose a modification of this scheme related to the generation of public and private key pairs. Namely, is it possible for Alice not to send the sequence of public keys $PK_1, \dots, PK_n$ to the service $S$, but to send only some initial information sufficient for generating all the necessary public keys on the service's side? Suppose that Alice sends to the service $S$ only some initial key $PK$ (denote it also as $PK_0$), some function $f$ and a set of parameters $T$ such that $PK_{i+1} = f(PK_i, T)$ for all $i \geq 0$. Propose your variant of this function $f$ and the set $T$. Also think about what asymmetric cryptosystem could be used in such a scheme.

The function $f$ and the set $T$, together with $PK_0$, must not allow anyone to recover a private key $SK_i$, $i = 1, \dots, n$. It should be impossible to recover $SK_i$ even if the secret keys $SK_1, \dots, SK_{i-1}$ are also known, or even if all other secret keys are known (a stronger condition).

Solution

The problem was solved by two teams and partially solved by four teams.

One of the best partial solutions was proposed by the team of Viet-Sang Nguyen, Nhat Linh Le Tan, and Phuong Hoa Nguyen from France. It is described in the BIP32 specification [19] and uses additive key derivation: the private keys $SK_i$ are related to each other as $SK_i = SK_0 + p_i$, where $p_i = \mathrm{HMAC}_T(PK_0 \,\|\, i)$. Public keys can be derived on the side of the service $S$ in the same manner. This approach is used in hierarchical deterministic wallet schemes, but requires additional security analysis [20]. The main disadvantage of the scheme is described by the authors: the server $S$ should keep the point $PK_0$ secret, and Bob should keep $SK_i$ secret; otherwise the coins of Alice will be lost. So the potential collusion of the server and Bob forms a crucial danger for Alice.

The remaining partial solutions use the interesting idea of generating a private key from a public key.

An original attempt to solve the problem was proposed by two teams: Alexander Bakharev, Rinchin Zapanov, and Denis Bykov (Russia); Himanshu Sheoran (India), Gyumin Roh (South Korea), and Yo Iida (Japan). They applied RSA-like techniques and considered private keys as $SK_i = PK_i^{-1} \bmod \varphi(n)$, where $n = pq$ and the prime numbers $p, q$ are known to Alice only, as well as $\varphi(n)$. In the solution of A. Bakharev et al., public keys are formed as consecutive prime numbers: $PK_{i+1}$ is the next prime number after $PK_i$. In the solution of H. Sheoran et al., public keys are formed using a hash function. But the security of these schemes is still in question.

A very nice partial solution was proposed by Robin Jadoul (Belgium), Esrever Yu (Taiwan), and Jack Pope (United Kingdom). The authors describe an identity-based signature scheme with message recovery based on the RSA hardness assumption. The main idea is to generate public keys from the corresponding master keys by application of hash-to-field functions (four functions are used).

We have accepted two complete solutions.

One of them was proposed by the team of G. Teseleanu, P. Cotan, and L. Constantin-Sébastian from the Institute of Mathematics of the Romanian Academy. In the first round the partial solution was proposed by G. Teseleanu. Private and public keys are connected as $(SK_i)^2 = PK_i \bmod N$, while public keys are generated via an HMAC function: $PK_i = \mathrm{HMAC}_T(i)$. The authors also provide a signature scheme that uses keys of this type. Only Alice can produce private keys because she knows the prime factors $p$ and $q$, where $N = pq$.

Another accepted solution was proposed by Ivan Ioganson, Zhan-Mishel Dakuo and Andrei Golovanov from Saint Petersburg ITMO University (Russia). It uses the ideas of an ID-based signature scheme. Public and private keys are generated from the corresponding master keys $PK_0$ and $SK_0$. The principles of the Diffie — Hellman protocol on finite groups are applied. Namely, private keys are generated as $SK_i = SK_0 \cdot H(i)$, where $H$ is a hash-to-field function, whereas the public keys used by the server are combinations of $PK_0 = SK_0 \cdot P$ and the numbers $i$, where $P$ is a generator element of the group. It is difficult to recover $SK_i$ from the information held by the server and from $SK_1, \ldots, SK_{i-1}, SK_{i+1}, \ldots, SK_n$ if the hash-to-field function $H$

It is nice to mention the paper of A. Babueva and S. Kyazhin [20] that appeared after the Olympiad, in which the authors continued solving the problem.
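A toy rendering of the additive (BIP32-style) derivation from the partial solution above, written as an added example rather than code from the paper or from any team: the elliptic-curve group is replaced by the order-509 subgroup of $\mathbb{Z}_{1019}^*$ (so $PK_0 + p_i \cdot G$ becomes $PK_0 \cdot G^{p_i}$), the signature $E(m, SK_i)$ is modelled by a Schnorr signature, and the constructed parameter $T$ is an HMAC key; the last function checks the caveat stated in the text, that $PK_0$, $T$ and a single $SK_i$ together reveal $SK_0$.

```python
"""Toy BIP32-style coin key derivation (added example, constructed parameters)."""
import hashlib
import hmac
import secrets

# Constructed toy group: order-Q subgroup of Z_P^*, P = 2*Q + 1, written multiplicatively.
# A real deployment would use an elliptic-curve group of ~256-bit order.
P = 1019
Q = 509
G = 4  # 4 = 2^2 is a quadratic residue mod 1019, hence generates the order-509 subgroup


def tweak(PK0: int, T: bytes, i: int) -> int:
    """p_i = HMAC_T(PK_0 || i), reduced to a nonzero scalar modulo Q."""
    data = PK0.to_bytes(2, "big") + i.to_bytes(4, "big")
    digest = hmac.new(T, data, hashlib.sha256).digest()
    return 1 + int.from_bytes(digest, "big") % (Q - 1)


def derive_private(SK0: int, PK0: int, T: bytes, i: int) -> int:
    """Alice's side: SK_i = SK_0 + p_i (mod Q)."""
    return (SK0 + tweak(PK0, T, i)) % Q


def derive_public(PK0: int, T: bytes, i: int) -> int:
    """Service's side: PK_i = PK_0 * G^{p_i}, the multiplicative form of PK_0 + p_i * G."""
    return PK0 * pow(G, tweak(PK0, T, i), P) % P


def _challenge(R: int, PK: int, m: bytes) -> int:
    """Fiat-Shamir challenge e = H(R || PK || m) mod Q."""
    h = hashlib.sha256(R.to_bytes(2, "big") + PK.to_bytes(2, "big") + m).digest()
    return int.from_bytes(h, "big") % Q


def sign(SK: int, m: bytes, nonce: int = None):
    """Schnorr signature (R, s) with a coin key; stands in for E(m, SK_i) in the text."""
    r = secrets.randbelow(Q - 1) + 1 if nonce is None else nonce
    R = pow(G, r, P)
    e = _challenge(R, pow(G, SK, P), m)
    return R, (r + e * SK) % Q


def verify(PK: int, m: bytes, sig) -> bool:
    """Service's check with the derived PK_i: G^s == R * PK^e."""
    R, s = sig
    e = _challenge(R, PK, m)
    return pow(G, s, P) == R * pow(PK, e, P) % P


def recover_master(SK_i: int, PK0: int, T: bytes, i: int) -> int:
    """The caveat from the text: whoever knows PK_0 and T (the service) and one SK_i (Bob)
    obtains SK_0 = SK_i - p_i and therefore every other coin key."""
    return (SK_i - tweak(PK0, T, i)) % Q


def demo():
    """Alice derives keys, the service derives the matching public keys, Bob spends coin 2."""
    SK0 = 123                        # constructed master secret
    PK0 = pow(G, SK0, P)
    T = b"constructed parameter T"   # constructed HMAC key shared with the service
    results = {}
    for i in range(1, 4):
        SK_i = derive_private(SK0, PK0, T, i)
        PK_i = derive_public(PK0, T, i)
        results[i] = (SK_i, PK_i, pow(G, SK_i, P) == PK_i)   # service's PK_i matches G^{SK_i}
    msg = b"coin 2 -> Bob"
    sig = sign(results[2][0], msg, nonce=77)
    leaked = recover_master(results[2][0], PK0, T, 2) == SK0
    return results, verify(results[2][1], msg, sig), leaked
```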

4.11. Problem "CP Problem"

Formulation

Let $G = \langle g \rangle$ be a group of prime order $q$, and let $k$ be the bit length of $q$. Let us consider two known modifications of the discrete logarithm problem over $G$, namely the $s$-DLOG problem and the $l$-OMDL problem. Both of them are believed to be difficult.

$s$-DLOG problem (with parameter $s \in \mathbb{N}$)

Unknown values: $x$ is chosen uniformly at random from $\mathbb{Z}_q^*$.

Known values: $g^x, g^{x^2}, \ldots, g^{x^s}$.

Access to oracles: no.

The task: to find $x$.

$l$-OMDL (One-More Discrete Log) problem (with parameter $l \in \mathbb{N}$)

Unknown values: $x_1, x_2, \ldots, x_{l+1}$ are chosen uniformly at random from $\mathbb{Z}_q^*$.

Known values: $g^{x_1}, g^{x_2}, \ldots, g^{x_{l+1}}$.

Access to oracles: at most $l$ queries to $O_1$ that on input $y \in G$ returns $x$ such that $g^x = y$.

The task: to find $x_1, x_2, \ldots, x_{l+1}$.

Consider another problem that is close to the $s$-DLOG and $l$-OMDL problems:

$(k, t)$-CP (Chaum — Pedersen) problem (with parameters $k, t \in \mathbb{N}$)

Unknown values: $x_1, x_2, \ldots, x_{t+1}$ are chosen uniformly at random from $\mathbb{Z}_q^*$.

Known values: $g^{x_1}, g^{x_2}, \ldots, g^{x_{t+1}}$.

Access to oracles: at most $k$ queries to $O_1$ that on input $(i, z) \in \{1, \ldots, t+1\} \times G$ returns $z^{x_i}$, and at most $t$ queries to $O_2$ that on input $(a_1, \ldots, a_{t+1}) \in \mathbb{Z}_q^{t+1}$ returns $a_1 x_1 + \ldots + a_{t+1} x_{t+1}$.

The task: to find $x_1, x_2, \ldots, x_{t+1}$.

It is easy to see that if there exists a polynomial (in $k$) algorithm that solves the $s$-DLOG problem, then there exists a polynomial algorithm that solves the $(s-1, t)$-CP problem for any $t \in \mathbb{N}$.

Problem for a special prize! Prove or disprove the following conjecture: if there exists a polynomial algorithm that solves the $(k, t)$-CP problem, then there exists a polynomial algorithm that solves at least one of the $s$-DLOG and $l$-OMDL problems, where $k, t, s, l$ are upper bounded by a polynomial of $k$.

Solution

Unfortunately, there were no advances on solving this problem among the participants, so the conjecture is still open.

4.12. Problem "Interpolation with Errors"

Formulation

Let $n = 2022$ and let $\mathbb{Z}_n$ be the ring of integers modulo $n$. Given $x_i, y_i \in \mathbb{Z}_n$ for $i \in \{1, \ldots, 324\}$, find monic polynomials

$$f(x) = x^{16} + \alpha_{15} x^{15} + \ldots + \alpha_1 x + \alpha_0, \qquad g(x) = x^{16} + \beta_{15} x^{15} + \ldots + \beta_1 x + \beta_0$$

of degree $d = 16$ with coefficients from $\mathbb{Z}_n$ such that the relation

$$y_i = \frac{f(x_i)}{g(x_i)} = \frac{x_i^{16} + \alpha_{15} x_i^{15} + \ldots + \alpha_1 x_i + \alpha_0}{x_i^{16} + \beta_{15} x_i^{15} + \ldots + \beta_1 x_i + \beta_0}$$

holds for at least 90 of the indices $i \in \{1, \ldots, 324\}$.

Note. The coefficients $\beta_0, \ldots, \beta_{15}$ are such that the denominator of the above fraction is invertible in $\mathbb{Z}_n$ for all the given $x_i \in \mathbb{Z}_n$; the coefficients and the values $x_i$ can be assumed to be sampled uniformly at random from all such sets of values. Furthermore, the positions and error values can be also assumed to be sampled uniformly at random.

The attachment (see [21]) contains a CSV file with 324 triplets $(i, x_i, y_i)$.

Solution

First, note that $n = 2022 = 2 \cdot 3 \cdot 337$. Therefore, the problem can be solved for the moduli 2, 3, 337 independently, and the solution then recovered using the Chinese Remainder Theorem (CRT). Furthermore, for the moduli 2 and 3, there are only a few possible polynomials (in view of the relations $x^2 \equiv x \pmod 2$ and $x^3 \equiv x \pmod 3$). The best candidate polynomial modulo 6 (ignoring equivalent forms) satisfies $m$ out of the 324 pairs $x_i, y_i$, while the next best one satisfies only 109. Note that the expected value is $90 + (324 - 90)/6 = 129$ (90 correct pairs and 1/6 of the wrong pairs satisfying the relation modulo 6 by chance), so it is safe to assume that the best one is correct. We can now consider the problem modulo 337, where we know that the 90 correct pairs must be among those $m$ pairs observed modulo 6. Denote the set of those $m$ remaining indices by $I$.

Note that the relation can be rewritten as $y_i \cdot g(x_i) - f(x_i) = 0$, or, more explicitly,

$$y_i \Big(\sum_{j=0}^{15} \beta_j x_i^j\Big) - \Big(\sum_{j=0}^{15} \alpha_j x_i^j\Big) + (y_i x_i^{16} - x_i^{16}) = 0. \qquad (1)$$

The target problem can now be formulated as the problem of decoding a linear code over the finite field $GF(337)$. Indeed, let the generator matrix $G$ be given by the columns

$$(1, x_i, x_i^2, \ldots, x_i^{15}, y_i, y_i x_i, y_i x_i^2, \ldots, y_i x_i^{15})$$

for all chosen indices $i \in I$, let the target vector $v$ be given by

$$v = (y_i x_i^d - x_i^d)_{i \in I},$$

and consider the "solution" vector

$$s = (\alpha_0, \ldots, \alpha_{15}, \beta_0, \ldots, \beta_{15}).$$

It is easy to verify that the codeword $s \cdot G$ differs from $-v$ in at most $m - 90$ places, i.e., has at most 35 errors. Indeed, the vector $s \cdot G$ computes the contribution of the first two sums in (1), while $v$ is the last term, so their sum is zero on correct data pairs. Note that $G$ defines an $[m, 32]$-code, i.e., a 32-dimensional code of length $m$. Since at most 35 errors occur, the closest codeword (in Hamming distance) should likely be unique (modulo 337).

A very basic yet efficient method for linear code decoding is the so-called "pooled Gauss" method: choose $k = 32$ random coordinates of the code and assume that they are error-free; this allows one to recover the full codeword by solving a linear system. Alternatively, SageMath includes an implementation of the Lee — Brickell method, which is slightly faster. The decoding should take less than 30 minutes using the basic method.

Remark 3. Due to the equivalent polynomial fractions modulo 2 and modulo 3, the overall solution is not unique (but there are only a few candidates).
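The "pooled Gauss" decoding above on a constructed, scaled-down instance modulo 337 (degree $d = 4$ instead of 16, 60 pairs of which 40 are correct); this is an added example, not the authors' code or the Olympiad data, and `make_instance` plants random coefficients so the recovered $(\alpha, \beta)$ can be checked against the correct pairs.

```python
"""Pooled-Gauss decoding of a rational function with errors modulo 337 (added example)."""
import random

P = 337          # prime modulus of the GF(337) part of the solution
D = 4            # degree of f and g (scaled down from the problem's d = 16)
N_POINTS = 60    # number of (x_i, y_i) pairs in the constructed instance
N_CORRECT = 40   # pairs that genuinely satisfy y_i = f(x_i) / g(x_i)


def poly_eval(low_coeffs, x):
    """Evaluate the monic polynomial x^D + c[D-1] x^(D-1) + ... + c[0] at x modulo P."""
    acc = 1  # leading coefficient of a monic polynomial
    for c in reversed(low_coeffs):
        acc = (acc * x + c) % P
    return acc


def make_instance(seed):
    """Constructed data: random alpha, beta, points with invertible denominators, and errors.
    Returns (alpha, beta, all pairs, the subset of pairs left uncorrupted)."""
    rng = random.Random(seed)
    alpha = [rng.randrange(P) for _ in range(D)]
    beta = [rng.randrange(P) for _ in range(D)]
    pairs = []
    for x in rng.sample(range(P), N_POINTS + 10):
        g = poly_eval(beta, x)
        if g == 0:           # the problem's note: g(x_i) must be invertible in Z_n
            continue
        pairs.append((x, poly_eval(alpha, x) * pow(g, -1, P) % P))
        if len(pairs) == N_POINTS:
            break
    correct = list(pairs)
    for i in rng.sample(range(len(pairs)), len(pairs) - N_CORRECT):
        x, y = pairs[i]
        y_bad = rng.randrange(P)
        while y_bad == y:
            y_bad = rng.randrange(P)
        pairs[i] = (x, y_bad)   # an error at a random position with a random wrong value
        correct[i] = None
    return alpha, beta, pairs, [p for p in correct if p is not None]


def equation(x, y):
    """Row of the linear system for unknowns (alpha_0..alpha_{D-1}, beta_0..beta_{D-1}):
    sum_j alpha_j x^j - y * sum_j beta_j x^j = (y - 1) x^D, i.e. relation (1) rearranged."""
    powers = [pow(x, j, P) for j in range(D)]
    return powers + [(-y * p) % P for p in powers], (y - 1) * pow(x, D, P) % P


def solve_mod_p(rows, rhs):
    """Gauss-Jordan elimination over GF(P) for a square system; None if singular."""
    n = len(rows)
    m = [row[:] + [b] for row, b in zip(rows, rhs)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if m[r][col]), None)
        if pivot is None:
            return None
        m[col], m[pivot] = m[pivot], m[col]
        inv = pow(m[col][col], -1, P)
        m[col] = [v * inv % P for v in m[col]]
        for r in range(n):
            if r != col and m[r][col]:
                f = m[r][col]
                m[r] = [(a - f * b) % P for a, b in zip(m[r], m[col])]
    return [m[r][n] for r in range(n)]


def agrees(alpha, beta, x, y):
    """Does the pair satisfy y * g(x) = f(x) modulo P (no division needed)?"""
    return (y * poly_eval(beta, x) - poly_eval(alpha, x)) % P == 0


def pooled_gauss(pairs, threshold, seed=0, max_trials=20000):
    """Pick 2D random pairs, assume they are error-free, solve, and keep the solution
    if it explains at least `threshold` pairs; otherwise draw a new subset."""
    rng = random.Random(seed)
    for _ in range(max_trials):
        rows, rhs = zip(*(equation(x, y) for x, y in rng.sample(pairs, 2 * D)))
        s = solve_mod_p(list(rows), list(rhs))
        if s is None:
            continue
        alpha, beta = s[:D], s[D:]
        if sum(agrees(alpha, beta, x, y) for x, y in pairs) >= threshold:
            return alpha, beta
    return None
```

Any candidate from a subset containing an error agrees with at most $2D$ correct pairs plus the error pairs, so the threshold $N_{\text{CORRECT}}$ rejects it.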

4.13. Problem "HAS01"

Formulation

Bob is a beginner cryptographer. He read an article about the new hash function HAS01 [22]. Bob decided to implement the HAS01 function in order to use it for checking the integrity of messages being forwarded. However, he was inattentive and made a mistake during the implementation. In the function $f_1$, he did not notice the prime sign in the variable $a'$ and used the following set of formulas:

For $i = 0, \ldots, 7$, for $j = 0, \ldots, 6$:

$$a_{(i+1) \bmod 8,\, j} := \mathrm{SBox}\big(((a_{i,j} \oplus a_{(i+1) \bmod 8,\, j}) \ll 3) \oplus ((a_{i,j+1} \oplus a_{(i+1) \bmod 8,\, j+1}) \gg 5)\big);$$

$$a_{(i+1) \bmod 8,\, 7} := \mathrm{SBox}\big(((a_{i,7} \oplus a_{(i+1) \bmod 8,\, 7}) \ll 3) \oplus ((a_{i,0} \oplus a_{(i+1) \bmod 8,\, 0}) \gg 5) \oplus 7\big).$$

Q1. Prove that Bob's version of the hash function is cryptographically weak.

Q2. Find a collision to the following message (given in hexadecimal format): 316520393820336220323620343720316320373820386520.

The test set value for the original HAS01 hash function is given in [23],

The test set value for Bob's implementation is given in [24],

Solution

Q1. In the case when Bob makes a mistake and uses the formulas with recursion, it turns out that for the first byte of each row of the state ($a_{00}, a_{10}, a_{20}, a_{30}, a_{40}, a_{50}, a_{60}, a_{70}$), the three most significant bits do not affect the formation of the digest. Therefore, the function is not collision resistant, and it is easy to pick a number of different values that produce the same hash value.

Q2. According to the formulas, the three most significant bits of the first byte of each row do not affect the formation of the hash value. However, the original message fills only the first three rows of the state matrix. Therefore, changing the upper three bits in the bytes $a_{00}, a_{10}, a_{20}$ gives the same hash value. Hence, for the given value 316520393820336220323620343720316320373820386520, one can get $2^9 - 1 = 511$ collisions.

For example:

316520393820336220323620343720316320373820386520;

F16520393820336220323620343720316320373820386520;

F165203938203362E0323620343720316320373820386520;

31652039382033622032362034372031E320373820386520;

and so on.
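An added enumeration of the collision set described above (this is not code from the paper, and the HAS01 hash itself is not reproduced here): the message is treated as rows of 8 bytes, so $a_{i,0}$ is byte $8i$, and only the three most significant bits of those bytes are varied; the row width and the bit positions are assumptions drawn from the solution text.

```python
"""Enumerate the messages that collide under Bob's HAS01 variant (added example)."""

ROW_BYTES = 8   # the state matrix a_{i,j} is filled row by row, 8 bytes per row (assumption)
HIGH3 = 0xE0    # the three most significant bits of a byte, which Bob's f_1 discards


def row_leading_positions(msg: bytes):
    """Byte offsets of a_{i,0} for every row the message fills (offsets 0, 8, 16, ...)."""
    return list(range(0, len(msg), ROW_BYTES))


def collisions(msg_hex: str):
    """All messages differing from msg only in the top 3 bits of each a_{i,0} byte, as hex."""
    msg = bytes.fromhex(msg_hex)
    positions = row_leading_positions(msg)
    out = set()
    for pattern in range(1 << (3 * len(positions))):   # one 3-bit value per filled row
        m = bytearray(msg)
        for k, pos in enumerate(positions):
            bits = (pattern >> (3 * k)) & 0x7
            m[pos] = (m[pos] & ~HIGH3 & 0xFF) | (bits << 5)
        if bytes(m) != msg:                             # the message itself is not a collision
            out.add(bytes(m).hex().upper())
    return out
```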

It should be noted that most of the participants who tried to solve this problem were able to get the correct answer and identify the collision. Separately, it is worth noting that the team of Mikhail Borodin, Vitaly Kiryukhin and Andrey Rybkin (Russia) not only answered the questions of the task correctly, but also considered the issues of a possible vulnerability of the HAS01-512 algorithm.

4.14. Problem "Weaknesses of the PHIGFS"

Formulation

A young cryptographer Philip designs a family of lightweight block ciphers based on a 4-line type-2 Generalized Feistel Scheme (GFS) with a better diffusion effect.

Its block is divided into four $m$-bit subblocks, $m \geq 1$. For a better diffusion effect, Philip decides to use a $(4 \times 4)$-matrix $A$ over $\mathbb{F}_{2^m}$ instead of the standard subblock shift register in each round. The family $\mathrm{PHIGFS}_l(A, b)$ is parameterized by a non-linear permutation $b\colon \mathbb{F}_{2^m} \to \mathbb{F}_{2^m}$, the matrix $A$ and the number of rounds $l \geq 1$. The one-round keyed transformation of $\mathrm{PHIGFS}_l(A, b)$ is a permutation on $\mathbb{F}_{2^m}^4$ defined as

$$g_k(x_3, x_2, x_1, x_0) = A \cdot (x_3,\ x_2 \oplus b(x_3 \oplus k_1),\ x_1,\ x_0 \oplus b(x_1 \oplus k_0))^T,$$

where $x_0, x_1, x_2, x_3 \in \mathbb{F}_{2^m}$, $k = (k_1, k_0)$ is a $2m$-bit round key, $k_0, k_1 \in \mathbb{F}_{2^m}$.

The $l$-round encryption function $f_{k^{(1)}, \ldots, k^{(l)}}\colon \mathbb{F}_{2^m}^4 \to \mathbb{F}_{2^m}^4$ under a key $(k^{(1)}, \ldots, k^{(l)}) \in \mathbb{F}_{2^{2m}}^l$ is given by

$$f_{k^{(1)}, \ldots, k^{(l)}}(x) = g_{k^{(l)}} \circ \ldots \circ g_{k^{(1)}}(x) \quad \text{for all } x \in \mathbb{F}_{2^m}^4.$$

For effective implementation and security, Philip chooses two binary matrices $A', A''$ with the maximum branch number among all binary matrices of size 4:

$$A' = \begin{pmatrix} 1 & 1 & 0 & 1 \\ 1 & 0 & 1 & 1 \\ 0 & 1 & 1 & 1 \\ 1 & 1 & 1 & 0 \end{pmatrix}, \qquad A'' = \begin{pmatrix} 1 & 1 & 1 & 0 \\ 1 & 1 & 0 & 1 \\ 1 & 0 & 1 & 1 \\ 0 & 1 & 1 & 1 \end{pmatrix}.$$

For approval, he shows the cipher to his friend Antony, who claims that $A', A''$ are bad choices because the ciphers $\mathrm{PHIGFS}_l(A', b)$ and $\mathrm{PHIGFS}_l(A'', b)$ are insecure against distinguishing attacks for all $b\colon \mathbb{F}_{2^m} \to \mathbb{F}_{2^m}$, $l \geq 1$.

Help Philip to analyze the cipher $\mathrm{PHIGFS}_l(A, b)$. Namely, for any $b\colon \mathbb{F}_{2^m} \to \mathbb{F}_{2^m}$ and any $l \geq 1$, show that $\mathrm{PHIGFS}_l(A, b)$ has

a) $l$-round differential sets with probability 1,

b) $l$-round impossible differential sets

for the following cases: Q1: $A = A'$ and Q2: $A = A''$. In each case, construct these nontrivial differential sets and prove the corresponding property.

Remark 4. Let us recall the following definitions.

— Let $\delta, \varepsilon \in \mathbb{F}_2^n$ be fixed nonzero input and output differences. The differential probability of $s\colon \mathbb{F}_2^n \to \mathbb{F}_2^n$ is defined as

$$p_{\delta,\varepsilon}(s) = 2^{-n} \cdot |\{a \in \mathbb{F}_2^n : s(a \oplus \delta) \oplus s(a) = \varepsilon\}|.$$

— If $s\colon \mathbb{F}_2^n \times K \to \mathbb{F}_2^n$ depends on a key space $K$, then the differential probability of $s$ is defined as

$$p_{\delta,\varepsilon}(s) = |K|^{-1} \sum_{k \in K} p_{\delta,\varepsilon}(s_k),$$

where $s(x, k) = s_k(x)$, $x \in \mathbb{F}_2^n$, $k \in K$. In this case, the pair $(\delta, \varepsilon)$ represents a differential denoted by $\delta \xrightarrow{s} \varepsilon$.

— Let $\Omega, \Delta \subseteq \mathbb{F}_2^n \setminus \{0\}$ and let $\Omega, \Delta$ be nonempty. If $p_{\delta,\varepsilon}(s) = 0$ for any $\delta \in \Omega$, $\varepsilon \in \Delta$, then $(\Omega, \Delta)$ are impossible differential sets. But if

$$\sum_{\varepsilon \in \Delta} p_{\delta,\varepsilon}(s) = 1 \quad \text{for any } \delta \in \Omega,$$

then $(\Omega, \Delta)$ are differential sets with probability 1, denoted by $\Omega \xrightarrow{s} \Delta$. $(\Omega, \Delta)$ are trivial differential sets if $\Omega \in \{\emptyset, \mathbb{F}_2^n \setminus \{0\}\}$ or $\Delta \in \{\emptyset, \mathbb{F}_2^n \setminus \{0\}\}$.

— For the $l$-round encryption function $f$, we will sometimes write $\delta \xrightarrow{l} \varepsilon$ to emphasize the number of rounds $l$ instead of $\delta \xrightarrow{f} \varepsilon$.

— For $\delta \in \mathbb{F}_{2^m}$, $b\colon \mathbb{F}_{2^m} \to \mathbb{F}_{2^m}$, we denote

$$\Delta_\delta(b) = \{b(a \oplus \delta) \oplus b(a) : a \in \mathbb{F}_{2^m}\}.$$

Solution

Note that $g_k$ consists of a transformation $v_k\colon \mathbb{F}_{2^m}^4 \to \mathbb{F}_{2^m}^4$ and the matrix $A$ over $\mathbb{F}_{2^m}$, where

$$v_k(x_3, x_2, x_1, x_0) = (x_3,\ x_2 \oplus b(x_3 \oplus k_1),\ x_1,\ x_0 \oplus b(x_1 \oplus k_0)), \qquad g_k(x) = A\,(v_k(x))^T,\ x \in \mathbb{F}_{2^m}^4.$$

Q1. $A = A'$.

Let $\varepsilon \in \mathbb{F}_{2^m}$, $W(\varepsilon) = \{(a_3, a_2, a_1, a_0) \in \mathbb{F}_{2^m}^4 : a_3 \oplus a_1 = \varepsilon\} \setminus \{(0, 0, 0, 0)\}$.

Theorem 1. Let $l$ be any positive integer, $\varepsilon \in \mathbb{F}_{2^m}$. Then the $l$-round differential sets $W(\varepsilon) \xrightarrow{l} W(\varepsilon)$ of $\mathrm{PHIGFS}_l(A', b)$ hold with probability 1.

Proof. For any $(x_3, x_2, x_1, x_0) \in \mathbb{F}_{2^m}^4$ we have the following equality:

$$A'(x_3, x_2, x_1, x_0)^T = (x_3 \oplus x_2 \oplus x_0,\ x_3 \oplus x_1 \oplus x_0,\ x_2 \oplus x_1 \oplus x_0,\ x_3 \oplus x_2 \oplus x_1)^T.$$

Let us consider any nonzero $(\delta, \Delta, \omega) \in \mathbb{F}_{2^m}^3$ and any round key $k \in \mathbb{F}_{2^m}^2$. Note that $v_k$ maps a difference $(\delta, \Delta, \delta \oplus \varepsilon, \omega) \in W(\varepsilon)$ to a difference $(\delta, \Delta^{(1)}, \delta \oplus \varepsilon, \omega^{(1)}) \in W(\varepsilon)$ for any

$$\Delta^{(1)} \in \Delta_\delta(b) \oplus \Delta, \qquad \omega^{(1)} \in \Delta_{\delta \oplus \varepsilon}(b) \oplus \omega.$$

Then $A'(\delta, \Delta^{(1)}, \delta \oplus \varepsilon, \omega^{(1)})^T = (\omega^{(1)} \oplus \delta \oplus \Delta^{(1)},\ \omega^{(1)} \oplus \varepsilon,\ \omega^{(1)} \oplus \delta \oplus \Delta^{(1)} \oplus \varepsilon,\ \Delta^{(1)} \oplus \varepsilon)^T$. Thus, $g_k$ maps the difference $(\delta, \Delta, \delta \oplus \varepsilon, \omega) \in W(\varepsilon)$ to the difference $(\delta^{(1)}, \Delta^{(2)}, \delta^{(1)} \oplus \varepsilon, \omega^{(2)}) \in W(\varepsilon)$, where $\delta^{(1)} = \Delta^{(1)} \oplus \delta \oplus \omega^{(1)}$, $\Delta^{(2)} = \omega^{(1)} \oplus \varepsilon$, $\omega^{(2)} = \Delta^{(1)} \oplus \varepsilon$. Therefore,

$$P[W(\varepsilon) \xrightarrow{1} W(\varepsilon)] = 1.$$

By induction on the number of rounds $l$, we get $P[W(\varepsilon) \xrightarrow{l} W(\varepsilon)] = 1$. ■

Corollary 1. For any number of rounds $l \geq 1$, $(W(\varepsilon), W(\delta))$ are a pair of impossible $l$-round differential sets for any different $\varepsilon, \delta \in \mathbb{F}_{2^m}$.

Q2. $A = A''$.

Let $W = \{(0, \delta, \delta, \theta) : (\delta, \theta) \in \mathbb{F}_{2^m}^2 \setminus \{(0, 0)\}\}$.

Theorem 2. Let $l$ be any positive integer, $\varepsilon \in \mathbb{F}_{2^m}$. Then the $l$-round differential sets $W \xrightarrow{l} W$ of $\mathrm{PHIGFS}_l(A'', b)$ hold with probability 1.

Proof. For any $(x_3, x_2, x_1, x_0) \in \mathbb{F}_{2^m}^4$, we have

$$A''(x_3, x_2, x_1, x_0)^T = (x_3 \oplus x_2 \oplus x_1,\ x_3 \oplus x_2 \oplus x_0,\ x_3 \oplus x_1 \oplus x_0,\ x_2 \oplus x_1 \oplus x_0)^T.$$

Let us consider any nonzero $(\delta, \theta) \in \mathbb{F}_{2^m}^2$ and any round key $k \in \mathbb{F}_{2^m}^2$. Note that $v_k$ maps a difference $(0, \delta, \delta, \theta) \in W$ to a difference $(0, \delta, \delta, \theta^{(1)}) \in W$ for any $\theta^{(1)} \in \Delta_\delta(b) \oplus \theta$. Then

$$A''(0, \delta, \delta, \theta^{(1)})^T = (0,\ \theta^{(1)} \oplus \delta,\ \theta^{(1)} \oplus \delta,\ \theta^{(1)})^T.$$

Thus, $g_k$ maps the difference $(0, \delta, \delta, \theta) \in W$ to the difference $(0, \delta^{(1)}, \delta^{(1)}, \theta^{(1)}) \in W$, where $\delta^{(1)} = \theta^{(1)} \oplus \delta$. Therefore,

$$P[W \xrightarrow{1} W] = 1.$$

By induction on the number of rounds $l$, we get $P[W \xrightarrow{l} W] = 1$. ■

Corollary 2. For any number of rounds $l \geq 1$, $(W, W')$ are a pair of impossible $l$-round differential sets for any $W' \subseteq \mathbb{F}_{2^m}^4 \setminus (W \cup \{0\})$.
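An added empirical check of Theorems 1 and 2 (not the authors' code): $m = 4$, a random permutation $b$ and random round keys are constructed, and for random plaintext pairs whose input difference lies in $W(\varepsilon)$ (matrix $A'$) or in $W$ (matrix $A''$) the output difference after $l$ rounds is tested for membership in the same set; $A''$ is taken in the row order used in the proof of Theorem 2.

```python
"""Empirical check of the PHIGFS differential sets (added example, m = 4 constructed)."""
import random

M = 4                      # subblock size in bits (the scheme allows any m >= 1)
SIZE = 1 << M

# Binary matrices from the problem, acting on the column vector (x3, x2, x1, x0).
A1 = ((1, 1, 0, 1), (1, 0, 1, 1), (0, 1, 1, 1), (1, 1, 1, 0))   # A'
A2 = ((1, 1, 1, 0), (1, 1, 0, 1), (1, 0, 1, 1), (0, 1, 1, 1))   # A''


def _xor_all(values):
    acc = 0
    for x in values:
        acc ^= x
    return acc


def apply_matrix(A, v):
    """Binary matrix times a vector over F_{2^m}: each output is an XOR of selected inputs."""
    return tuple(_xor_all(x for coef, x in zip(row, v) if coef) for row in A)


def round_function(A, b, k, x):
    """g_k(x) = A * v_k(x)^T with v_k the keyed type-2 GFS step from the solution."""
    x3, x2, x1, x0 = x
    k1, k0 = k
    return apply_matrix(A, (x3, x2 ^ b[x3 ^ k1], x1, x0 ^ b[x1 ^ k0]))


def encrypt(A, b, keys, x):
    """l-round encryption f_{k^(1),...,k^(l)}: rounds applied in key order."""
    for k in keys:
        x = round_function(A, b, k, x)
    return x


def xor_tuples(u, v):
    return tuple(a ^ c for a, c in zip(u, v))


def in_W_eps(d, eps):
    """W(eps) = {(a3, a2, a1, a0) : a3 xor a1 = eps} without the zero vector (Q1)."""
    return d != (0, 0, 0, 0) and (d[0] ^ d[2]) == eps


def in_W(d):
    """W = {(0, delta, delta, theta)} without the zero vector (Q2)."""
    return d != (0, 0, 0, 0) and d[0] == 0 and d[1] == d[2]


def check_theorems(rounds=8, trials=3000, seed=7):
    """Return (failures_Q1, failures_Q2): how often an input difference in the set
    produced an output difference outside it. Both counts should be 0."""
    rng = random.Random(seed)
    b = list(range(SIZE))
    rng.shuffle(b)                                  # an arbitrary permutation b
    keys = [(rng.randrange(SIZE), rng.randrange(SIZE)) for _ in range(rounds)]
    fail_q1 = fail_q2 = 0
    for _ in range(trials):
        x = tuple(rng.randrange(SIZE) for _ in range(4))
        # Q1: difference (delta, Delta, delta xor eps, omega) in W(eps), matrix A'
        eps = rng.randrange(SIZE)
        delta, big_delta, omega = (rng.randrange(SIZE) for _ in range(3))
        d = (delta, big_delta, delta ^ eps, omega)
        if d != (0, 0, 0, 0):
            out = xor_tuples(encrypt(A1, b, keys, x), encrypt(A1, b, keys, xor_tuples(x, d)))
            fail_q1 += not in_W_eps(out, eps)
        # Q2: difference (0, delta, delta, theta) in W, matrix A''
        delta, theta = rng.randrange(SIZE), rng.randrange(SIZE)
        d = (0, delta, delta, theta)
        if d != (0, 0, 0, 0):
            out = xor_tuples(encrypt(A2, b, keys, x), encrypt(A2, b, keys, xor_tuples(x, d)))
            fail_q2 += not in_W(out)
    return fail_q1, fail_q2
```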

We would like to mention the solution of Gabriel Tulba-Lecu, Ioan Dragomir and Mircea-Costin Preoteasa (Romania).

4.15. Problem "Super dependent S-box"

Formulation

Harry wants to find a super dependent S-box for his new cipher. He decided to use a permutation that is strictly connected with every one of its variables. He tries to estimate the number of such permutations.

A vectorial Boolean function $F(x) = (f_1(x), f_2(x), \ldots, f_n(x))$, where $x \in \mathbb{F}_2^n$, is a permutation on $\mathbb{F}_2^n$ if it is a one-to-one mapping on the set $\mathbb{F}_2^n$. Its coordinate function $f_k(x)$ (that is a Boolean function from $\mathbb{F}_2^n$ to $\mathbb{F}_2$) essentially depends on the variable $x_j$ if there exist values $b_1, b_2, \ldots, b_{j-1}, b_{j+1}, \ldots, b_n \in \mathbb{F}_2$ such that

$$f_k(b_1, b_2, \ldots, b_{j-1}, 0, b_{j+1}, \ldots, b_n) \neq f_k(b_1, b_2, \ldots, b_{j-1}, 1, b_{j+1}, \ldots, b_n).$$

In other words, the essential dependence of a function $f$ on the variable $x_j$ means that $x_j$ cannot be eliminated from any formula representing $f$ (in the basis of binary operations AND, XOR, and constants 0 and 1).

An example. Let $n = 3$. Then the Boolean function $f(x_1, x_2, x_3) = x_1 x_2 \oplus x_3$ essentially depends on all its variables; but $g(x_1, x_2, x_3) = x_1 x_2 \oplus x_2 \oplus 1$ essentially depends only on $x_1$ and $x_2$.

The problem. Find the number of permutations on $\mathbb{F}_2^n$ such that all their coordinate functions essentially depend on all $n$ variables.

Q1. Solve the problem for $n = 2, 3$.

Q2. Problem for a special prize! Solve the problem for arbitrary $n$.

Solution

Let us denote the number of super-dependent S-boxes in $n$ variables by $S(n)$. We can represent $F$ as $F(x) = (f_1(x), \ldots, f_n(x))$, where $x \in \mathbb{F}_2^n$ and $f_1, \ldots, f_n$ are Boolean functions in $n$ variables (i.e., functions of the form $\mathbb{F}_2^n \to \mathbb{F}_2$). Recall that $F$ is a permutation if and only if any of its component functions $b_1 f_1(x) \oplus \ldots \oplus b_n f_n(x)$, $b \in \mathbb{F}_2^n \setminus \{0\}$, is balanced (i.e., it takes the values zero and one on the same number of arguments).

Most of the solutions provided by the participants contain an answer for Q1. As a rule, the answers were $S(2) = 0$ and $S(3) = 24576$. At the same time, some progress has been made on Q2. A short description of these results is below.
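A brute-force confirmation of the Q1 answers, added here and not the participants' code: it enumerates all permutations of $\mathbb{F}_2^n$ for $n = 2, 3$ and tests essential dependence of every coordinate function on every variable directly from the definition; variable $x_j$ is bit $j$ of the input index and coordinate $f_k$ is bit $k$ of the output.

```python
"""Count super-dependent S-boxes by exhaustive search for small n (added example)."""
from itertools import permutations
from math import factorial


def essentially_depends(truth_table, n, j):
    """Does the Boolean function given by its truth table depend on variable x_j
    (bit j of the input index)? True iff some pair of inputs differing only in x_j
    gives different values, which is the definition from the problem statement."""
    bit = 1 << j
    return any(truth_table[a] != truth_table[a ^ bit] for a in range(1 << n) if not a & bit)


def is_super_dependent(perm, n):
    """perm[x] = F(x) as an n-bit integer; coordinate f_k is bit k of F(x)."""
    for k in range(n):
        coord = [(y >> k) & 1 for y in perm]
        if not all(essentially_depends(coord, n, j) for j in range(n)):
            return False
    return True


def count_super_dependent(n):
    """S(n) for small n: all (2^n)! permutations are tested (feasible for n <= 3)."""
    return sum(1 for perm in permutations(range(1 << n)) if is_super_dependent(perm, n))


def symmetry_quotient(n):
    """(S(n) // (n! 2^n), S(n) mod (n! 2^n)): XOR of a constant to the input and permuting
    the output bits preserve super-dependence, so the remainder is expected to be 0."""
    s = count_super_dependent(n)
    return divmod(s, factorial(n) * (1 << n))
```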

The team of Mikhail Kudinov, Denis Nabokov and Alexey Zelenetskiy (Russia) used the inclusion-exclusion principle to estimate $S(n)$. Their ideas were the following. Let $H(k)$ be the set of functions $f\colon \mathbb{F}_2^k \to \mathbb{F}_2$ that essentially depend on all the variables $x_1, \ldots, x_k$. Then

$$|H(n)| = 2^{2^n} - \sum_{k=0}^{n-1} C_n^k\, |H(k)|,$$

where $C_n^k$ is a binomial coefficient. Next, let us define for any $i \in \{1, \ldots, n\}$ the sets

$$A_i = \{\text{a permutation } F(x) = (f_1(x), \ldots, f_n(x)) \text{ on } \mathbb{F}_2^n : f_i \notin H(n)\}.$$

It means that the number of super-dependent S-boxes is the following:

$$S(n) = 2^n! - |A_1 \cup \ldots \cup A_n|.$$

It is not difficult to see that $|A_{i_1} \cap \ldots \cap A_{i_k}| = |A_1 \cap \ldots \cap A_k|$ for any $1 \leq k \leq n$ and any $k$-element set $\{i_1, \ldots, i_k\} \subseteq \{1, \ldots, n\}$. The inclusion-exclusion principle gives us that

$$S(n) = 2^n! + \sum_{k=1}^{n} (-1)^k\, C_n^k\, |A_1 \cap \ldots \cap A_k|.$$

The cardinalities of the intersections can be calculated in the following way:

$$|A_1 \cap \ldots \cap A_k| = \frac{2^n!\; d(n, k)}{\prod_{i=0}^{k-1} \big(C_{2^{n-i}}^{2^{n-i-1}}\big)^{2^i}},$$

where $d(n, k)$ is the number of tuples $(f_1, \ldots, f_k)$ consisting of Boolean functions in $n$ variables such that $f_1, \ldots, f_k \notin H(n)$ and $b_1 f_1 \oplus \ldots \oplus b_k f_k$ is balanced for any $b \in \mathbb{F}_2^k \setminus \{0\}$. It is not easy to calculate $d(n, k)$. However, there is a trivial estimation $d(n, k) \leq \big(C_{2^n}^{2^{n-1}}\big)^k$. Also,

$$|A_1| = 2^n!\; \frac{C_{2^n}^{2^{n-1}} - |H(n)|}{C_{2^n}^{2^{n-1}}}$$

(here only the balanced functions of $H(n)$ are counted, since every coordinate function of a permutation is balanced). This can be used to estimate $S(n)$:

$$2^n! - n|A_1| \leq S(n) \leq 2^n! - |A_1|.$$

The team of Stepan Davydov, Anastasiia Chichaeva, and Kirill Tsaregorodtsev (Russia) proposed interesting ideas as well. They noticed that $2^n \mid S(n)$, implemented Monte-Carlo simulations for $n = 4$ and $n = 5$, and showed that

$$\lim_{n \to \infty} \frac{S(n)}{2^n!} = 1.$$

Also, the team pointed out a subclass of super-dependent S-boxes such that even the component functions of its representatives essentially depend on all the variables.

The team of Mikhail Borodin, Vitaly Kiryukhin and Andrey Rybkin (Russia) calculated that $S(4) = 19344102217728 = 24 \cdot 16 \cdot 50375266192$. They used the fact that the addition to a super-dependent S-box in $n$ variables of any binary vector from $\mathbb{F}_2^n$ and the rearranging of its output bits provide a super-dependent S-box as well. In other words, $(n! \cdot 2^n) \mid S(n)$ holds. Note that some other participants mentioned such kinds of classification (for instance, in the solution above). However, the team exploited this fact most successfully.

4.16. Problem "Quantum entanglement"

Formulation

The Nobel Prize in Physics in 2022 was awarded to researchers who experimentally investigated quantum entanglement. One of their studies was devoted to the Greenberger — Horne — Zeilinger state $|GHZ\rangle = \frac{1}{\sqrt{2}}(|000\rangle + |111\rangle)$, which is an entangled state of three qubits. This state can be created using the following quantum circuit:

[Circuit diagram: three qubits $|0\rangle$, $|0\rangle$, $|0\rangle$; a Hadamard gate $H$ on the first qubit followed by CNOT gates.]

After the measurement, the probability to find the system described by $|GHZ\rangle$ in the state $|000\rangle$ or in the state $|111\rangle$ is equal to 1/2.

When we make measurements in quantum physics, we are able to make post-selection. For example, we can select only the events in which the first qubit is found in the state $|0\rangle$; then each of the two remaining qubits is also in the state $|0\rangle$. This is what post-selection means. We also see that the post-selection destroys the entanglement of the two remaining qubits.

Q1. But what will happen if we post-select the events when the 1st qubit is in the Hadamard state $|+\rangle = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$? How can we perform this kind of post-selection if the result of a measurement is 0 or 1, and how can we select these events? Will the two remaining qubits be entangled after post-selection? Design the circuit which will provide an answer.

Q2. Problem for a special prize! There are two different classes of three-qubit entanglement. One of them is

$$|GHZ\rangle = \frac{1}{\sqrt{2}}(|000\rangle + |111\rangle),$$

and the other is

$$|W\rangle = \frac{1}{\sqrt{3}}(|001\rangle + |010\rangle + |100\rangle).$$

Discuss the possible ideas of how the difference between these states can be found with the usage of post-selection and measurement. Don't forget that you need to verify entanglement for both types of states!

Remark 5. For details about quantum circuits, see Remark 2. Additionally, we can measure a qubit, initially given in the state $|\psi\rangle = \alpha_0|0\rangle + \alpha_1|1\rangle$, in another basis, for example the Hadamard basis $|+\rangle = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$ and $|-\rangle = \frac{1}{\sqrt{2}}(|0\rangle - |1\rangle)$. In order to do this, we consider the state in the form $|\psi\rangle = a_0|+\rangle + a_1|-\rangle$, where the complex amplitudes $a_0, a_1$ have the same physical meaning as $\alpha_0$ and $\alpha_1$. Then we can calculate the probability that the qubit will be in the state $|+\rangle$ or $|-\rangle$ after the measurement and consider the process of post-selection in this case. Recall that for two qubits we use the notation $|a\rangle \otimes |b\rangle = |ab\rangle$. By induction, this process is expanded to the case of three qubits and more. Mathematically, the entanglement of an $n$-qubit state means that we cannot represent this state in the form $|\psi\rangle = |\psi_1\rangle \otimes |\psi_2\rangle$, where $|\psi_1\rangle$ and $|\psi_2\rangle$ are some states of $m$ and $n - m$ qubits, correspondingly.

Solution

Q1. The circuit for creation of the Greenberger — Horne — Zeilinger state $|GHZ\rangle$ is the following:

[Circuit diagram: inputs $|0\rangle$, $|0\rangle$, $|0\rangle$; a Hadamard gate $H$ on the first qubit followed by CNOT gates; output $\frac{|000\rangle + |111\rangle}{\sqrt{2}}$.]

First, we need to post-select the events when the first qubit is in the Hadamard state $|+\rangle = \frac{1}{\sqrt{2}}(|0\rangle + |1\rangle)$. For this purpose, we apply a Hadamard gate prior to the measurement of the first qubit. After this we perform a post-selection.

The state $|GHZ\rangle$ can be written as

$$|GHZ\rangle = \frac{|000\rangle + |111\rangle}{\sqrt{2}} = \frac{|+\rangle(|00\rangle + |11\rangle) + |-\rangle(|00\rangle - |11\rangle)}{2},$$

where $|\pm\rangle = (|0\rangle \pm |1\rangle)/\sqrt{2}$. It means that if we select the first qubit in the state $|+\rangle$, the other qubits will be in the entangled Bell state $|\Phi^+\rangle = (|00\rangle + |11\rangle)/\sqrt{2}$. This state can be detected using a CNOT gate followed by the Hadamard gate. The whole circuit is

[Circuit diagram: inputs $|0\rangle$, $|0\rangle$, $|0\rangle$.]

Q2. This question, which was supposed to be an open problem, was solved during the Olympiad by the team of Viet-Sang Nguyen, Nhat Linh Le Tan and Phuong Hoa Nguyen (France). Here we provide the solution.

If we measure any qubit of the state $|GHZ\rangle$ and know the result of the measurement, we immediately know the state of the two remaining qubits. Thus, the state of the whole system of 3 qubits is an entangled one. But the state of the two remaining qubits after the measurement of any qubit is separable.

When we measure the first qubit of the state $|W\rangle$, the result is 0 with probability 2/3 and 1 with probability 1/3. When the first qubit is measured as 1, the system collapses to the separable state $|00\rangle$, hence it is not entangled anymore. However, when the first qubit is measured as 0, the remaining two qubits are in the maximally entangled state of two qubits. Given the measurement of one qubit as $|1\rangle$, we can deduce the information about the other two because there is a correlation in the information between the qubits. Thus, $|W\rangle$ is an entangled quantum state of three qubits.

Unlike $|GHZ\rangle$, measuring one qubit in $|W\rangle$ creates an entangled state of the two remaining qubits with probability 2/3, while in $|GHZ\rangle$ the system collapses to a separable state after the measurement of any qubit.

The post-selection procedure for the state $|GHZ\rangle$ was discussed in question Q1. For the state $|W\rangle$, to observe the entanglement after the measurement of a qubit, we can post-select the third qubit in the state $|0\rangle$:

[Circuit diagram: inputs $|0\rangle$, $|0\rangle$, $|0\rangle$, with the gate $R_y(\theta)$.]

Here, the $R_y(\theta)$ gate is a single-qubit rotation through the angle $\theta = 2\arccos(1/\sqrt{3})$ (radians) around the $y$-axis. The state $|W\rangle$ can be rewritten as

$$|W\rangle = \frac{1}{\sqrt{3}}(|001\rangle + |010\rangle + |100\rangle) = \frac{1}{\sqrt{6}}(|00+\rangle + |01+\rangle + |10+\rangle - |00-\rangle + |01-\rangle + |10-\rangle).$$

If we can post-select the state $|+\rangle$ for the third qubit, we have

$$\frac{1}{\sqrt{3}}(|00+\rangle + |01+\rangle + |10+\rangle) = \frac{1}{\sqrt{3}}(|00\rangle + |01\rangle + |10\rangle) \otimes |+\rangle,$$

i.e., the state $|W\rangle$ after post-selection of the third qubit in the state $|+\rangle$. There is a correlation between the two remaining qubits in this system: if we measure 1 in one qubit, the other must be 0. Hence, we have an entanglement between the two qubits.

The circuit for the system with the third qubit in the state $|+\rangle$ and two entangled qubits:

[Circuit diagram: inputs $|0\rangle$, $|0\rangle$ with the gate $R_y(\theta)$, $|0\rangle$.]

After the measurement of any qubit of the state $|W\rangle$, the remaining qubits are still entangled. But after the measurement of any qubit of the state $|GHZ\rangle$, the states of the remaining qubits become known. When post-selecting the Hadamard $|+\rangle$ state, both the $|W\rangle$ and $|GHZ\rangle$ states return an outcome equivalent to a separate qubit in the state $|+\rangle$ and an entangled state of two qubits.
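A small statevector calculation, added here as an illustration and not taken from the paper or from the team's solution, that carries out the post-selections discussed above on $|GHZ\rangle$ and $|W\rangle$ and tests entanglement of the two remaining qubits via the $2 \times 2$ coefficient matrix (a pure two-qubit state is a product state iff its determinant is zero); `hadamard_on` shows that applying $H$ and then post-selecting the outcome 0 is the same as post-selecting $|+\rangle$.

```python
"""Post-selection on |GHZ> and |W> and an entanglement test (added example)."""
import math

# Three-qubit amplitudes are indexed by the integer q1 q2 q3 (q1 = most significant bit).
# All states used here have real amplitudes, so no complex conjugation is needed.
SQRT2, SQRT3 = math.sqrt(2), math.sqrt(3)
ZERO, ONE = (1.0, 0.0), (0.0, 1.0)                              # computational basis
PLUS, MINUS = (1 / SQRT2, 1 / SQRT2), (1 / SQRT2, -1 / SQRT2)   # Hadamard basis


def ghz():
    """|GHZ> = (|000> + |111>) / sqrt(2)."""
    v = [0.0] * 8
    v[0b000] = v[0b111] = 1 / SQRT2
    return v


def w_state():
    """|W> = (|001> + |010> + |100>) / sqrt(3)."""
    v = [0.0] * 8
    for idx in (0b001, 0b010, 0b100):
        v[idx] = 1 / SQRT3
    return v


def post_select(state, qubit, basis_vec):
    """Project `qubit` (1, 2 or 3) onto the single-qubit state basis_vec = (c0, c1).
    Returns (probability of that outcome, normalized state of the other two qubits in
    their original order), or (0.0, None) if the outcome cannot occur."""
    shift = 3 - qubit                     # bit position of this qubit in the index
    rest = [0.0] * 4
    for idx, amp in enumerate(state):
        bit = (idx >> shift) & 1
        low = idx & ((1 << shift) - 1)    # bits of the qubits after the measured one
        high = idx >> (shift + 1)         # bits of the qubits before it
        rest[(high << shift) | low] += basis_vec[bit] * amp
    prob = sum(a * a for a in rest)
    if prob < 1e-12:
        return 0.0, None
    return prob, [a / math.sqrt(prob) for a in rest]


def hadamard_on(state, qubit):
    """Apply H to one qubit: H|0> = |+>, H|1> = |->."""
    shift = 3 - qubit
    out = [0.0] * 8
    for idx, amp in enumerate(state):
        if not amp:
            continue
        bit = (idx >> shift) & 1
        base = idx & ~(1 << shift)
        out[base] += amp / SQRT2                                    # |0> component
        out[base | (1 << shift)] += (-amp if bit else amp) / SQRT2  # |1> component
    return out


def is_entangled(two_qubit, tol=1e-9):
    """Pure state sum c_ab |ab> is separable iff det [[c00, c01], [c10, c11]] = 0."""
    c00, c01, c10, c11 = two_qubit
    return abs(c00 * c11 - c01 * c10) > tol


def analyse(state, qubit, basis_vec):
    """(probability of the post-selected outcome, whether the other two qubits are entangled)."""
    prob, rest = post_select(state, qubit, basis_vec)
    return round(prob, 9), (is_entangled(rest) if rest is not None else None)
```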

We also would like to mention the participants who made progress in the solution: the team of Gabriel Tulba-Lecu, Mircea-Costin Preoteasa, and Ioan Dragomir (Romania), the team of Mikhail Kudinov, Denis Nabokov, and Alexey Zelenetskiy (Russia), the team of Himanshu Sheoran, Gyumin Roh, and Yo Iida (India, South Korea, Japan), and the team of Donat Akos Roller, Csaba Kiss, and Marton Marits (Hungary).

5. Acknowledgement

The authors are grateful to Andrey Nelyubin, Yuliya Maksimlyuk, Irina Khilchuk, Darya Zyubina, Valeria Kochetkova, and Sergey Kyazhin for useful discussions and various help.

REFERENCES

1. https://nsucrypto.nsu.ru/.

2. https://nsucrypto.nsu.ru/outline/.

3. https://nsucrypto.nsu.ru/archive/2021/total_results/#data.

4. Agievich S., Gorodilova A., Kolomeec N., et al. Problems, solutions and experience of the first international student's Olympiad in cryptography. Prikladnaya Diskretnaya Matematika, 2015, no. 3(29), pp. 41-62.

5. Agievich S., Gorodilova A., Idrisova V., et al. Mathematical problems of the second international student's Olympiad in cryptography. Cryptologia, 2017, vol. 41, no. 6, pp. 534-565.

6. Tokareva N., Gorodilova A., Agievich S., et al. Mathematical methods in solutions of the problems from the Third International Students' Olympiad in Cryptography. Prikladnaya Diskretnaya Matematika, 2018, no. 40, pp. 34-58.

7. Gorodilova A., Agievich S., Carlet C., et al. Problems and solutions of the Fourth International Students' Olympiad in Cryptography (NSUCRYPTO). Cryptologia, 2019, vol. 43, no. 2, pp. 138-174.

8. Gorodilova A., Agievich S., Carlet C., et al. The Fifth International Students' Olympiad in Cryptography — NSUCRYPTO: problems and their solutions. Cryptologia, 2020, vol. 44, no. 3, pp. 223-256.

9. Gorodilova A., Tokareva N., Agievich S., et al. On the Sixth International Olympiad in Cryptography NSUCRYPTO. J. Appl. Industr. Math., 2020, vol. 14, no. 4, pp. 623-647.

10. Gorodilova A. A., Tokareva N. N., Agievich S. V., et al. The Seventh International Olympiad in Cryptography: problems and solutions. Siberian Electronic Math. Reports, 2021, vol. 18, no. 2, pp. A4-A29.

11. Gorodilova A. A., Tokareva N. N., Agievich S. V., et al. An overview of the Eight International Olympiad in Cryptography "Non-Stop University CRYPTO". Siberian Electronic Math. Reports, 2022, vol. 19, no. 1, pp. A9-A37.

12. https://nsucrypto.nsu.ru/unsolved-problems/.

13. Kiss R. and Nagy G. P. On the nonexistence of certain orthogonal arrays of strength four. Prikladnaya Diskretnaya Matematika, 2021, no. 52, pp. 65-68.

14. Geut K. L., Kirienko K. A., Sadkov P. O., et al. O yavnykh konstruktsiyakh dlya resheniya zadachi "A secret sharing" [On explicit constructions for solving the problem "A secret sharing"]. Prikladnaya Diskretnaya Matematika. Prilozhenie, 2017, no. 10, pp. 68-70. (in Russian)

15. Geut K. L. and Titov S. S. O blokirovke dvumernykh affinnykh mnogoobraziy [On the blocking of two-dimensional affine varieties]. Prikladnaya Diskretnaya Matematika. Prilozhenie, 2019, no. 12, pp. 7-10. (in Russian)

16. Ayat S. M. and Ghahramani M. A recursive algorithm for solving "A secret sharing" problem. Cryptologia, 2019, vol. 43, no. 6, pp. 497-503.

17. Shcherba A., Faure E., and Lavdanska O. Three-pass cryptographic protocol based on permutations. IEEE 2nd Intern. Conf. ATIT, Kyiv, Ukraine, 2020, pp. 281-284.

18. https://algassert.com/quirk.

19. Wuille P. Hierarchical Deterministic Wallets. https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki.

20. Babueva A. A. and Kyazhin S. N. Public keys for e-coins: partially solved problem using signature with rerandomizable keys. Prikladnaya Diskretnaya Matematika. Prilozhenie, 2023, no. 16, pp. 110-114.

21. https://nsucrypto.nsu.ru/media/MediaFile/data_round2.txt.

22. Kapalova N., Dyusenbayev D., and Sakan K. A new hashing algorithm — HAS01: development, cryptographic properties and inclusion in graduate studies. Global J. Engineering Education, 2022, vol. 24, no. 2, pp. 155-164.

23. https://nsucrypto.nsu.ru/media/MediaFile/test_vector.txt.

24. https://nsucrypto.nsu.ru/media/MediaFile/test_vector2.txt.
