MPF Problem over Modified Medial Semigroup Is NP-Complete

Abstract

This paper is a continuation of our previous publication of enhanced matrix power function (MPF) as a conjectured one-way function. We are considering a problem introduced in our previous paper and prove that tis problem is NP-Complete. The proof is based on the dual interpretation of well known multivariate quadratic (MQ) problem defined over the binary field as a system of MQ equations, and as a general satisfiability (GSAT) problem. Due to this interpretation the necessary constraints to MPF function for cryptographic protocols construction can be added to initial GSAT problem. Then it is proved that obtained GSAT problem is NP-Complete using Schaefer dichotomy theorem. Referencing to this result, GSAT problem by polynomial-time reduction is reduced to the sub-problem of enhanced MPF, hence the latter is NP-Complete as well.

1. Introduction

It is very natural to look for a new conjectured one-way functions (OWFs) for cryptographic applications in connection with new challenges caused by quantum cryptanalysis. This paper is a continuation of research in this field and is dealing with so called matrix power function (MPF). Some cryptographic primitives were built on the basis that MPF is a conjectured OWF in [1,2,3,4,5]. Furthermore, some results were published considering the security of presented primitives in [6,7,8]. The security of these primitives is based on the complexity of MPF inversion named as MPF problem.

So far, it is thought that OWF security based on the NP-Complete problem is not vulnerable to the quantum cryptanalysis, while the cryptosystems based on conjectured OWFs such as factoring and discrete logarithm problems are vulnerable due to [9]. Therefore, it is very desirable to try to prove NP-Completeness of MPF problem. In [6] the NP-Completeness of a more general problem named as multivariate quadratic power problem is presented. However, the question of NP-Completeness of MPF problem remained open so far.

In [10] our efforts were directed toward the increasing expectable complexity of MPF problem by choosing more complicated algebraic structures for MPF definition but at the same time preserving the necessary properties for the cryptographic primitives construction. In that paper, we presented a key agreement protocol in Section 2, Construction 1 as well as an example of its realization with artificially small parameters in Section 6.

In this paper we present a proof of NP-Completeness of sub-problem of enhanced MPF problem previously considered in [10]. The notion of sub-problem is defined as follows:

Definition 1.

The decision problem $P_1$ is a sub-problem of problem $P_2$ if every assignment to input values, which provides the answer YES to problem $P_2$, also implies the answer YES to the problem $P_1$.

The proof is based on the duality of multivariate quadratic MQ problem interpretation as a system of MQ equations over ${\mathcal{Z}}_2=\{0,1\}$ [11,12] and according to Schaefer dichotomy theorem [13] as a general satisfiability (GSAT) problem.

The main benefit of such approach is the opportunity to include some constraints to MPF necessary to construct cryptographic primitives as an additional GSAT equations.

The proof is based on proving that this GSAT is NP-Complete and on polynomial-time reduction from GSAT to the sub-problem of enhanced MPF problem.

2. Matrix Power Function

MPF was first introduced in [4]. To be self-contained, we present here MPF in the following way:

Definition 2.

Symbolically MPF corresponds to matrix $W_{m\times m}=\left\{w_{ij}\right\}$ powered by matrix $X_{m\times m}=\left\{x_{ij}\right\}$ on the left and by matrix $Y_{m\times m}=\left\{y_{ij}\right\}$ on the right with MPF value equal to matrix $E_{m\times m}=\left\{e_{ij}\right\}$ and is expressed in the following way

$${}^X{W}^Y=E,e_{ij}=\prod _{k=1}^m\prod _{l=1}^m{w}_{kl}^{x_{ik}·y_{lj}}.$$

(1)

The matrix W that is powered is named the base matrix and the matrices X and Y that are powering the base matrix are named power matrices. In general, we define the base matrix over the multiplicative (semi)group $\mathcal{S}$ and power matrices over some numerical (semi)ring $\mathcal{R}$. We call semigroup $\mathcal{S}$ a platform (semi)group, which according to the MPF definition, is multiplicative, and $\mathcal{R}$–an exponent (semi)ring. The appropriate matrix semigroups ${\mathcal{M}}_{\mathcal{S}}$ and matrix semiring ${\mathcal{M}}_{\mathcal{R}}$ contain base matrices and power matrices respectively.

The exact MPF definition depends on the type of sets over which matrices are defined.

In [3] authors proved, that if platform semigroup and power semiring are commutative, then the following associative properties of MPF takes place:

Definition 3.

MPF is one-side associative, (left-side and right-side associative, respectively) if the following identities hold:

$$\begin{array}{c}{}^Y\left({}^{X}W\right)={}^{\left(YX\right)}W={}^{YX}W;\\ {\left(W^X\right)}^Y=W^{\left(XY\right)}=W^{XY}.\end{array}$$

(2)

Definition 4.

MPF is two-side associative if the following identities hold:

$${\left({}^{X}W\right)}^Y={}^X\left(W^Y\right)={}^X{W}^Y.$$

(3)

In [3] authors proved, that if platform semigroup $\mathcal{S}$ and power semiring $\mathcal{R}$ are commutative, then MPF${}_{\mathcal{S}}^{\mathcal{R}}$ is one and two-side associative.

It follows from Equation (1), that in general, MPF is a function

$$\mathrm{MPF}:{\mathcal{M}}_{\mathcal{R}}\times {\mathcal{M}}_{\mathcal{S}}\times {\mathcal{M}}_{\mathcal{R}}\mapsto {\mathcal{M}}_{\mathcal{S}}.$$

Definition 5.

The direct MPF value computation is to find matrix E, when matrices $X,W,Y$ are given.

Definition 6.

The inverse MPF value computation is to find matrices X and Y, when matrices W and E are given.

Definition 7.

MPF problem is its inverse value computation.

Definition 8.

MPF presented in 1 is a candidate one-way function (OWF) if the following necessary (but not sufficient) conditions are satisfied:

1. 

The direct MPF value computation is easy;

2. 

The MPF problem is polynomially equivalent to a certain hard problem with not known polynomial time algorithm.

Assume, that the base matrix W in Expression 1 is defined over a platform semigroup denoted by $\mathcal{S}$ and the power matrices X and Y are defined over a power semiring denoted by $\mathcal{R}$. We denote the MPF problem defined by these structures by MPF${}_{\mathcal{S}}^{\mathcal{R}}$. Assume, that power matrices X and Y have to satisfy some constrains denoted by $\mathcal{C}$. In this case we denote the MPF problem by MPF${}_{\mathcal{S}}^{\mathcal{R},\mathcal{C}}$.

To build cryptographic primitives, e.g., key agreement protocol, based on MPF${}_{\mathcal{S}}^{\mathcal{R}}$ the following additional property must be satisfied: square matrices of m-th order X and Y defined over the power semiring $\mathcal{R}$ must be elements of two subsets ${\mathcal{M}}_{\mathcal{R},1}$ and ${\mathcal{M}}_{\mathcal{R},2}$ of commuting matrices in ${\mathcal{M}}_{\mathcal{R}}$ respectively, i.e., for any $U\in {\mathcal{M}}_{\mathcal{R},1}$ and $V\in {\mathcal{M}}_{\mathcal{R},1}$ the following identities take place

$$\mathcal{C}:\hspace{1em}\begin{array}{c}XU=UX;\\ YV=VY.\end{array}.$$

(4)

This defines a constrained MPF that we previously denoted by MPF${}_{\mathcal{S}}^{\mathcal{R},\mathcal{C}}$. Further we will use the single subset of commuting matrices in ${\mathcal{M}}_{\mathcal{R}}$, namely the subset of circulant matrices i.e., matrices of the following general form [14]:

$$X=\left(\begin{array}{ccccc}{x}_1& x_m& \ddots & \ddots & x_2\\ x_2& x_1& x_m& \ddots & \ddots \\ x_3& x_2& x_1& \ddots & \ddots \\ \ddots & \ddots & \ddots & \ddots & x_m\\ x_m& \ddots & x_3& x_2& x_1\end{array}\right).$$

(5)

Any circulant matrix X can be represented by its column vector $\overrightarrow{x}$, which transposed form is expressed by the following row vector ${\overrightarrow{x}}^T=(x_1,x_2,\dots ,x_m)$. If MPF${}_{\mathcal{S}}^{\mathcal{R},\mathcal{C}}$ satisfies the conditions of Definition 8, then the following secret-key agreement protocol can be executed as proposed in [10]:

Both parties agree on a public information: the modified medial semigroup $\mathcal{S}$ and a public base matrix W with its entries randomly chosen from $\mathcal{S}$. Alice and Bob can agree on a common key as follows:

• Alice chooses two secret circulant matrices X and Y at random of size m. Using these matrices she computes the MPF value $A={}^X{W}^Y$ and sends it to Bob;
• Bob chooses two secret circulant matrices U and V at random of size m. Using these matrices he computes the MPF value $B={}^U{W}^V$ and sends it to Alice;
• Alice and Bob compute the same secret key in the following way:

  $$K_A={}^X{B}^Y={}^X{\left({}^U{W}^V\right)}^Y={}^U{\left({}^X{W}^Y\right)}^V=K_B=K.$$

  (6)

The Identity (6) is true due to the fact, that circulant matrices are commuting and associativity Conditions (2) and (3).

Remark 1.

In general two-sided association Condition (3) will be not necessary, if we agree upon on the order of operations, e.g., from the left to the right.

In our previous research the base matrix W was defined over the multiplicative platform group ${\mathcal{Z}}_p^{*}=\{1,2,...,p-1\}$ and power matrices X and Y over the numerical power ring ${\mathcal{Z}}_{p-1}=\{0,1,2,...,p-2\}$. This kind of MPF is denoted by MPF${}_{{\mathcal{Z}}_p^{*}}^{{\mathcal{Z}}_{p-1}}$ and constrained version by MPF${}_{{\mathcal{Z}}_p^{*}}^{{\mathcal{Z}}_{p-1},\mathcal{C}}$. It represents the MPF defined over commutative algebraic structures considered in [1,2,5,7,15].

However, recently a linear algebra attack to the protocol presented in [3] based on MPF${}_{{\mathcal{Z}}_p^{*}}^{{\mathcal{Z}}_{p-1},\mathcal{C}}$ was found by [16]. This attack to MPF${}_{{\mathcal{Z}}_p^{*}}^{{\mathcal{Z}}_{p-1},\mathcal{C}}$ problem runs in polynomial time and hence can be used to break the algorithms presented in [1,3]. The authors of [16] also suggested some improvements of our protocols to resist the proposed attack. In [7] we fixed this flaw for the asymmetric encryption protocol, presented in [1].

The intriguing idea was to extend MPF construction to non-commutative algebraic structures, namely $\mathcal{S}$ and $\mathcal{R}$, hence expecting higher complexity of MPF problem and achieving a higher potential security for the construction of cryptographic primitives. The main problem of this approach was the loss of associativity of MPF, which made its application in cryptography impossible.

This approach was successful and is presented in [10], when platform semigroup $\mathcal{S}$ is a modified medial semigroup and power semiring is a special kind of so called near semiring $NSR$. In this study as a power semiring we use a semiring of non-negative integers denoted by ${\mathcal{N}}^0=\{0,1,2,3,...\}$. So we deal with the MPF denoted by MPF${}_{\mathcal{S}}^{{\mathcal{N}}^0}$. If power matrices satisfies commutation Constraints in (4), then we denote corresponding MPF by MPF${}_{\mathcal{S}}^{{\mathcal{N}}^0,\mathcal{C}}$.

In this paper we consider a class of MPF${}_{\mathcal{S}}^{{\mathcal{N}}^0,\mathcal{C}}$ problems when power matrices are circulant matrices over the ${\mathcal{N}}^0$ and hence they are commuting and satisfying Conditions (4). Interestingly enough, matrices X and Y are almost never invertible due to the fact, that both fractions and negative numbers are not contained in ${\mathcal{N}}^0$. This is essential to our proof of NP-Completeness of the MPF${}_{\mathcal{S}}^{{\mathcal{N}}^0,\mathcal{C}}$ problem.

In earlier work, the proof that random generated multivariate quadratic power problem over ${\mathcal{Z}}_n$ is NP-Complete is presented. This proof is insufficient to prove the NP-Completeness of MPF${}_{\mathcal{S}}^{{\mathcal{N}}^0,\mathcal{C}}$ problem due to fact that we are considering a partial case of this problem. Our multivariate quadratic power system of equations is predetermined by the matrix power equations. Hence this special case is not random generated. Therefore, the aim of this paper is to fill this gap.

In general, it is hard to prove that a problem with arbitrary constraints is NP-Complete (NP-Hard). We present here an approach to prove it based on Schaefer dichotomy theorem [13]. This theorem is formulated for the GSAT problem, represented by arbitrary finite set of Boolean relations (formulas) with respect to the finite set of Boolean variables. The theorem defines six criteria when either GSAT is in P or in NP-Complete complexity class.

In this paper, we construct a certain sub-problem of GSAT problem which is a one-to-one mapping of certain sub-problem of MPF${}_{\mathcal{S}}^{{\mathcal{N}}^0,\mathcal{C}}$ problem. We show, that this GSAT problem satisfies the Schaefer criteria to be NP-Complete. Hence, using polynomial-time reduction, we will prove that decision version of MPF${}_{\mathcal{S}}^{{\mathcal{N}}^0,\mathcal{C}}$ problem is also NP-Complete.

We revise the definition and basic properties of modified medial semigroup in the next section and present the main result in Section 4.

3. Modified Medial Semigroup as Platform Semigroup of MPF

Let us consider medial semigroup ${\mathcal{S}}_{\mathcal{M}}$, which was previously introduced by [17]. Assume, that the presentation of this semigroup consists of two generators a and b and a relation $R_{\mathcal{M}}$ written in the following way:

$${\mathcal{S}}_{\mathcal{M}}=〈a,b|R_{\mathcal{M}}〉;$$

(7)

$$R_{\mathcal{M}}:{\omega }_{1}ab{\omega }_2={\omega }_{1}ba{\omega }_2.$$

(8)

where ${\omega }_1$ and ${\omega }_2$ are arbitrary non-empty words in ${\mathcal{S}}_{\mathcal{M}}$, written in terms of generators a and b.

Let us now present an important identity, which is useful to us for application of medial semigroup ${\mathcal{S}}_{\mathcal{M}}$ to MPF:

$${\left({\omega }_1{\omega }_2\right)}^e={\omega }_1^e{\omega }_2^e.$$

(9)

This identity is based on the Relation (8) and is valid for all words ${\omega }_1,{\omega }_2\in {\mathcal{S}}_{\mathcal{M}}$ and any exponent $e\in {\mathcal{N}}^0$.

To prevent the growth of powers of generators when exponentiation takes place we introduce a modified medial semigroup $\mathcal{S}$ with two extra relations $R_1$ and $R_2$ in the following general form:

$$\begin{array}{c}{R}_1:b{a}^{p+2}{b}^{p+1}=b{a}^{2}b;\\ R_2:a{b}^{p+2}{b}^{p+1}=a{b}^{2}a.\end{array}$$

(10)

Thus, modified medial semigroup $\mathcal{S}$ has the following presentation:

$$\mathcal{S}=〈a,b|R_{\mathcal{M}},R_1,R_2〉,$$

(11)

with relations $R_{\mathcal{M}}$, $R_1$ and $R_2$ defined above.

Note, that we define $\mathcal{S}$ as a multiplicative, non-commuting, non-cancellative and infinite semigroup which is a non-symmetric algebraic structure.

Remark 2.

The modified medial semigroup is well defined if relations $R_1$ and $R_2$ are symmetric, i.e., they link both generators in such a way, that the order of generators is symmetric and exponents of each generator add up to the same number. In our case the sum of exponents of generators a and b on the left side of $R_1$ and $R_2$ in Realtions (10) equals $p+2$ and on the right side it equals 2.

Remark 3.

In our previous paper we considered a special case of $p=3$.

Semigroups ${\mathcal{S}}_{\mathcal{M}}$ and $\mathcal{S}$ are made monoids by introducing an empty word as a multiplicatively neutral element, denoted by 1. Then conveniently, the following identities hold for all $\omega \in {\mathcal{S}}_{\mathcal{M}}$:

$$\omega 1=1\omega =\omega ,w^0=1,0\in {\mathcal{N}}^0.$$

(12)

The normal form for the words in ${\mathcal{S}}_{\mathcal{M}}$ was also defined in the following way:

Definition 9.

The normal form ${\omega }_{\mathcal{M},nf}$ of any word ${\omega }_0$ in semigroup ${\mathcal{S}}_{\mathcal{M}}$ is expressed as follows:

$${\omega }_{\mathcal{M},nf}=\underset{{\alpha }_a,{\beta }_b}{max}{b}^{{\beta }_b}{a}^{r_a}{b}^{s_b}{a}^{{\alpha }_a}=b^{\beta }{a}^{i_a}{b}^{j_b}{a}^{\alpha },$$

(13)

where $\alpha ,\beta \in \{0,1\}$ and ${\alpha }_a,{\beta }_b,r_a,s_b,i_a,j_b\in \mathcal{N}$.

To obtain the normal form for the word $\omega$ we consider its first and last literals. Using Relation (9) we can determine the values of $\alpha$ and $\beta$. For example the normal form for the word $b^7{a}^8{b}^2{a}^6$ is $b{a}^{13}{b}^{8}a$. The word $b^6{a}^7{b}^3{a}^7$ has the same normal form and hence we consider all these words equivalent. The normal form for the word $a^7{b}^8{a}^2{b}^6$ is $b^0{a}^9{b}^{14}{a}^0$. Hence in the last case we have $\alpha =0$ and $\beta =0$. Evidently for the normal form of the word $a^5{b}^7{a}^3$ we have $\alpha =1$ and $\beta =0$ whereas in case of the word $b^5{a}^7{b}^3$ we have $\alpha =0$ and $\beta =1$. In fact, the normal forms for the presented words are $b^0{a}^7{b}^{7}a$ and $b{a}^7{b}^7{a}^0$ respectively. We generally omit zeroth powers when writing normal forms.

On the base of ${\omega }_{\mathcal{M},nf}$ the normal form in $\mathcal{S}$ is defined as follows:

Definition 10.

The normal form ${\omega }_{nf}$ of any word ${\omega }_0$ in semigroup $\mathcal{S}$ is expressed by the following expression:

$${\omega }_{nf}=\underset{i_a,j_b}{min}\underset{\beta ,\alpha }{max}{b}^{\beta }{a}^{i_a}{b}^{j_b}{a}^{\alpha }.$$

(14)

Let T be an additive non-commuting semigroup consisting of the tuples $\left(\beta ,i,j,\alpha \right),$ where $\alpha ,\beta \in \left\{0,1\right\}\subset {\mathcal{N}}^0$ and $i,j\in {\mathcal{N}}^0$, with the following addition operation:

$$\left({\beta }_1,i_1,j_1,{\alpha }_1\right)+\left({\beta }_2,i_2,j_2,{\alpha }_2\right)=$$

$$=\left({\beta }_1,i_1+{\alpha }_1+i_2,j_1+{\beta }_2+j_2,{\alpha }_2\right),$$

then there is an isomorphism $\phi :{\mathcal{S}}_{\mathcal{M},nf}\mapsto T$, which can be expressed by the following relation for any word ${\omega }_{nf}$

$$\phi ({\omega }_{nf})=\phi (b^{\beta }{a}^i{b}^j{a}^{\alpha })=(\beta ,i,j,\alpha ).$$

(15)

Hence, using our notation, we defined MPF${}_{\mathcal{S}}^{{\mathcal{N}}^0}$, where $\mathcal{S}$ is modified medial semigroup. It is important to note, that MPF${}_{\mathcal{S}}^{{\mathcal{N}}^0}$ satisfies associativity conditions in Definitions (2) and (3) due to the properties of medial semigroup.

Adding the commutation Constraints (4) to the power matrices X and Y defined over ${\mathcal{N}}^0$, constrained MPF${}_{\mathcal{S}}^{{\mathcal{N}}^0}$ problem we denoted by MPF${}_{\mathcal{S}}^{{\mathcal{N}}^0,\mathcal{C}}$.

In the next section we prove, that MPF${}_{\mathcal{S}}^{{\mathcal{N}}^0,\mathcal{C}}$ problem is NP-Complete.

4. Proof of NP-Completeness

Let us consider the following binary matrix equation:

$$XQY=A,$$

(16)

where all matrices $Q,A,X$ and Y are defined over the field ${\mathcal{Z}}_2=\{0,1\}$ with multiplication operation denoted by ∧ (logical AND) and addition operation by ⊕ (logical XOR). This equation corresponds to binary matrix multivariate quadratic (BMMQ) equation and associated problem to BMMQ problem.

Definition 11.

The binary matrix MQ (BMMQ) problem is to find matrices X and Y in Equation (16), when matrices Q and A are given.

Remark 4.

Throughout this paper we assume, that matrix Q is well-balanced, i.e., the quantity of 1’s is close to $m^2/2$. Furthermore all the 1’s are distributed uniformly in the rows and columns of matrix Q.

If at least one of square matrices X or Y is invertible, then BMMQ Problem (16) is solvable in polynomial time due to one the following transformations:

$$\begin{array}{c}XQ\oplus A{Y}^{-1}=0;\\ QY\oplus X^{-1}A=0,\end{array}$$

(17)

since XOR operation is inverse to itself.

It is clear, that both transformations represent the system of $m^2$ homogeneous linear equations with 2 m${}^2$ unknown variables.

However, if both binary matrices X and Y are singular, then Transformations (17) are not possible and hence the initial Problem (16) bears a resemblance to the well known multivariate quadratic (MQ) problem. It is known, that random generated MQ problem is NP-Complete over any field [11,12].

Hence, we define the following problem:

Definition 12.

The singular binary matrix MQ problem (SBMMQ) is to solve BMMQ problem, when matrices X and Y in Equation (16) are singular.

It is important to note, that we are interested in this particular problem, since in case of MPF${}_{\mathcal{S}}^{{\mathcal{N}}^0,\mathcal{C}}$ power matrices are defined over the semiring ${\mathcal{N}}^0$ and hence any randomly chosen power matrix is not invertible with overwhelming probability. Here and onwards we say that a random event happens with overwhelming probability if its probability of failure is negligible.

We begin from the complexity consideration of CSBMMQ problem.

Our proof is based on Schaefer dichotomy theorem [13]. Let us define a set of Boolean relations $\{r_1,r_2,\dots ,r_M\}$ with variables defined by two vectors ${\overrightarrow{x}}^T=(x_1,x_2,...,x_m)$ and ${\overrightarrow{y}}^T=(y_1,y_2,\dots ,y_m)$. Then the following generalized satisfiability problem GSAT can be formulated:

$$\left\{\begin{array}{c}{r}_1(\overrightarrow{x},\overrightarrow{y})=1;\\ r_2(\overrightarrow{x},\overrightarrow{y})=1;\\ \cdots \\ r_M(\overrightarrow{x},\overrightarrow{y})=1,\end{array}\right.$$

(18)

where 1 is a true value assignment to the relations.

Definition 13.

The decision GSAT problem is to answer YES/NO to the question: are there any assignment to the variables $\overrightarrow{x}$ and $\overrightarrow{y}$ that all Boolean relations in Problem (18) are true?

Theorem 1.

(Schaefer dichotomy theorem [13]). If at least one of the following criteria is satisfied, then the satisfiability problem GSAT is in P, otherwise it is NP-Complete:

(a) 

Every relation in S is satisfied when all the variables are 0 (0-valid clause);

(b) 

Every relation in S is satisfied when all the variables are 1 (1-valid clause);

(c) 

Every relation in S is definable by a CNF formula in which each conjunct has at most one negated variable (dual Horn clause);

(d) 

Every relation in S is definable by a CNF formula in which each conjunct has at most one unnegated variable (Horn clause);

(e) 

Every relation in S is definable by a CNF formula having at most two literals in each conjunct (bijunctive clause);

(f) 

Every relation in S is the set of solutions of a system of linear equation over the two element field $\{0,1\}$ (affine clause).

As it was mentioned above, to satisfy the commutation Conditions (4), matrices X and Y are chosen to be circulant. Then matrix Equation (16) can be transformed to the following system of equations:

$$\left\{\begin{array}{c}{\overrightarrow{x}}^T{Q}_{11}\overrightarrow{y}=a_{11};\\ {\overrightarrow{x}}^T{Q}_{12}\overrightarrow{y}=a_{12};\\ \cdots \\ {\overrightarrow{x}}^T{Q}_{mm}\overrightarrow{y}=a_{mm},\end{array}\right.$$

(19)

where vectors ${\overrightarrow{x}}^T$ and ${\overrightarrow{y}}^T$ are row vectors of the first row and first column of matrix Q respectively, and matrices $Q_{11},Q_{12},\dots ,Q_{mm}$ are obtained by cyclic permutations of matrix Q. For example, $Q_{11}=Q$ and $Q_{12}=\left(\begin{array}{ccccc}{\overrightarrow{q}}_2& {\overrightarrow{q}}_3& \cdots & {\overrightarrow{q}}_m& {\overrightarrow{q}}_1\end{array}\right)$, where the vector ${\overrightarrow{q}}_j$ denotes the j-th column of matrix Q. All matrices $Q_{ij}$ are obtained from the initial matrix by performing shifts of rows and/or columns.

The latter system consist of m${}^2$ quadratic equations with 2 m variables being a components of vectors $\overrightarrow{x}$ and $\overrightarrow{y}$. System (19) is a special type of random generated MQ problem over ${\mathcal{Z}}_2$ defined by special type of matrices $Q_{11},Q_{12},\dots ,Q_{mm}$, generated by deterministic permutations of random generated matrix Q in Equation (16). Every equation in System (19) represents a Boolean relation written in terms of logical operations AND and XOR.

To choose a suitable GSAT problem to prove NP-Completeness of the initial MPF${}_{\mathcal{S}}^{{\mathcal{N}}^0,\mathcal{C}}$ problem the set of logical Relations (18) must be supplemented by logical relations defining the singularity constraints of matrices X and Y. Since System (19) is defined over ${\mathcal{Z}}_2=\{0,1\}$, these constraints can be expressed by the following Boolean relations:

$$\begin{array}{c}detX=0;\\ detY=0,\end{array}$$

(20)

where 0 is a false value assignment to the relations. The actual expressions of (20) are determined by the format of matrices X and Y. Hence, here and onwards we consider square matrices of m-th order X and Y with even values of determinants.

Definition 14.

The constrained singular binary matrix MQ problem (CSBMMQ) is to solve SBMMQ problem, when matrices X and Y in Equation (16) are singular and hence satisfy Conditions (4) and (16) while also satisfying Condition (20).

Theorem 2.

Decision CSBMMQ problem is NP-Complete.

Proof. 

To prove the theorem, we use the Schaefer dichotomy theorem. System of binary Equation (19) and Relations (20) represent the system of generalized satisfiability relations in Problem (18) and corresponds to GSAT problem with $M=m^2+2$. Then to prove NP-Completeness of CSBMMQ we need to verify inconsistency of Schaefer criteria (a)–(f).

The first two criteria (a) and (b) are not satisfied due to the fact, that we are choosing matrix Q at random and hence the satisfiability of these criteria has a negligible probability.

To verify Schaefer criteria (c)–(e) we denote three pairs of vectors satisfying Equations (19) and (20) by $({\overrightarrow{x}}_1,{\overrightarrow{y}}_1)$, $({\overrightarrow{x}}_2,{\overrightarrow{y}}_2)$ and $({\overrightarrow{x}}_3,{\overrightarrow{y}}_3)$. Note, that we generate circulant matrices from selected vectors to check the validity of Equation (20). Schaefer criteria (c)–(e) can be reformulated as follows [18]:

(c’)

For all pairs $({\overrightarrow{x}}_1,{\overrightarrow{y}}_1)$ and $({\overrightarrow{x}}_2,{\overrightarrow{y}}_2)$, satisfying System (19) and Equation (20), the pair $({\overrightarrow{x}}_1\vee {\overrightarrow{x}}_2,{\overrightarrow{y}}_1\vee {\overrightarrow{y}}_2)$ is a solution of System (19) and Equation (20);

(d’)

For all pairs$({\overrightarrow{x}}_1,{\overrightarrow{y}}_1)$ and $({\overrightarrow{x}}_2,{\overrightarrow{y}}_2)$, satisfying System (19) and Equation (20), the pair $({\overrightarrow{x}}_1\wedge {\overrightarrow{x}}_2,{\overrightarrow{y}}_1\wedge {\overrightarrow{y}}_2)$ is a solution of System (19) and Equation (20);

(e’)

For all pairs $({\overrightarrow{x}}_1,{\overrightarrow{y}}_1)$, $({\overrightarrow{x}}_2,{\overrightarrow{y}}_2)$ and $({\overrightarrow{x}}_3,{\overrightarrow{y}}_3)$, satisfying System (19) and Equation (20), the pair $(({\overrightarrow{x}}_1\vee {\overrightarrow{x}}_2)\wedge ({\overrightarrow{x}}_1\vee {\overrightarrow{x}}_3)\wedge ({\overrightarrow{x}}_2\vee {\overrightarrow{x}}_3),({\overrightarrow{y}}_1\vee {\overrightarrow{y}}_2)\wedge ({\overrightarrow{y}}_1\vee {\overrightarrow{y}}_3)\wedge ({\overrightarrow{y}}_2\vee {\overrightarrow{y}}_3))$ is a solution of System (19) and Equation (20).

Remark 5.

All logical operations in criteria ($c^{\prime }$)-($e^{\prime }$) are performed component-wise.

Then applying criterion ($c^{\prime }$) to the single equation in System (19) in vector form and assigning arbitrary values to the vectors $({\overrightarrow{x}}_1,{\overrightarrow{y}}_1)$, $({\overrightarrow{x}}_2,{\overrightarrow{y}}_2)$ we obtain the corresponding values $b_{ij}$ satisfying the following equation in every case

$${({\overrightarrow{x}}_1\vee {\overrightarrow{x}}_2)}^T{Q}_{ij}({\overrightarrow{y}}_1\vee {\overrightarrow{y}}_2)=b_{ij}.$$

Evidently, in most cases $b_{ij}\ne a_{ij}$. Note, however, that for this criterion to be valid the identity $b_{ij}=a_{ij}$ has to hold for all $i,j=1,2,\dots ,m$. Hence, dual Horn clause in System (19) is not satisfied and criterion ($c^{\prime }$) is inconsistent.

Analogously, verifying Horn clause we obtain

$${({\overrightarrow{x}}_1\wedge {\overrightarrow{x}}_2)}^T{Q}_{ij}({\overrightarrow{y}}_1\wedge {\overrightarrow{y}}_2)=c_{ij},$$

where $c_{ij}\ne a_{ij}$. Hence, Horn clause in System (19) is not satisfied for all $i,j=1,2,\dots ,m$ and criterion ($d^{\prime }$) is inconsistent.

Inconsistency of criterion ($e^{\prime }$) follows directly from the latter three expressions. Note, that the key point which allows us to claim the desired result is Remark 5 since no distributive law can be applied to the latter two expressions.

Criterion (f) is not satisfied since, in general, relations in System (19) are non-linear.

So, CSBMMQ problem is NP-Complete. □

Remark 6.

Two additional Relations (20) are needed to ensure that matrices X and Y are singular and hence to ensure the inconsistency of Schaefer criteria.

Now we turn to constrained singular matrix multivariate quadratic (CSMMQ) problem defined over the semiring of integers ${\mathcal{N}}_0$ which we denote by CSMMQ${}_{{\mathcal{N}}_0}$. This means that Equation (16) and corresponding Conditions (19) and (20) are defined over ${\mathcal{N}}_0$.

Theorem 3.

CSBMMQ problem is a sub-problem of CSMMQ${}_{{\mathcal{N}}_0}$.

Proof. 

Let us consider all matrices in Equation (16) defined over ${\mathcal{N}}_0$. Then they can be rewritten in the following way:

$$\begin{array}{c}X=2U+X^{\prime };\\ Y=2V+Y^{\prime };\\ Q=2P+Q^{\prime };\\ A=2T+A^{\prime }.\end{array}$$

By substituting these expressions in Equation (16) we obtain the following result:

$$\left(2U+X^{\prime }\right)\left(2P+Q^{\prime }\right)\left(2V+Y^{\prime }\right)=2T+A^{\prime }$$

and hence

$$X^{\prime }{Q}^{\prime }{Y}^{\prime }\equiv A^{\prime }mod2.$$

Let us consider the following decision problem: does there exist assignments to matrices X and Y defined over the semiring ${\mathcal{N}}_0$ satisfying Equation (16), which adding commutation constraints corresponds to Relations (19), (20) and is a CSMMQ${}_{{\mathcal{N}}_0}$ problem? Assume, that we have an answer YES to decision CSMMQ${}_{{\mathcal{N}}_0}$ problem. Due to penultimate equation, it implies the answer YES to CSBMMQ problem.

In computational CSMMQ${}_{{\mathcal{N}}_0}$ version its transformation to CSBMMQ requires the reduction of the solution modulo 2. This is done in polynomial time.

We proved, that CSBMMQ problem is a sub-problem of CSMMQ${}_{{\mathcal{N}}_0}$ problem, when semiring ${\mathcal{N}}_0$ is homomorphically mapped to the field ${\mathcal{Z}}_2$. □

Since Theorem 3 is valid, every solution of CSMMQ${}_{{\mathcal{N}}_0}$ problem has to satisfy CSBMMQ problem as well. Clearly, this problem is non-trivial and was proven to be NP-Complete.

Let us consider the following system of equations

$$\left\{\begin{array}{c}X\mathsf{\Lambda }Y=B;\\ X\mathsf{\Sigma }Y\equiv Cmod\left(2p\right).\end{array}\right.$$

(21)

where p is an odd prime, matrices $X,Y,\mathsf{\Sigma }$ and C are defined over the semiring of positive integers ${\mathcal{N}}^0$, and matrices $\mathsf{\Lambda }$ and B over the ring $\mathcal{Z}$. Furthermore, the parity of matrices $\mathsf{\Lambda }$ and $\mathsf{\Sigma }$ is the same, i.e., $\mathsf{\Lambda }-\mathsf{\Sigma }=2T$, where $T\in {\mathcal{M}}_{\mathcal{Z}}$.

Theorem 4.

The decision CSMMQ problem, defined by System (21), is NP-Complete.

Proof. 

It is easy to assume also with overwhelming probability, that matrices X and Y defined over the ${\mathcal{N}}^0$ are not invertible. We define the following sub-problem of Problem (21) by reducing its first equation modulo $2p$:

$$\left\{\begin{array}{c}X\mathsf{\Lambda }Y\equiv Bmod\left(2p\right);\\ X\mathsf{\Sigma }Y\equiv Cmod\left(2p\right).\end{array}\right.$$

(22)

Clearly, if the answer to the initial Problem (21) is YES, then the same answer applies also to Problem (22), since to obtain the solution of the Problem (21) extra matrices T and S in the relations

$$X=(2p)T+{\tilde{X}}_{2p};$$

$$Y=(2p)S+{\tilde{Y}}_{2p}$$

have to be found. Here matrices ${\tilde{X}}_{2p}$ and ${\tilde{Y}}_{2p}$ satisfy the Problem (22).

We can rewrite the System (22) in the following way by using Chinese Remainder Theorem:

$$\left\{\begin{array}{c}X\mathsf{\Lambda }Y\equiv Bmodp;\\ X\mathsf{\Sigma }Y\equiv Cmodp.\end{array}\right.$$

(23)

$$\left\{\begin{array}{c}X\mathsf{\Lambda }Y\equiv Bmod2;\\ X\mathsf{\Sigma }Y\equiv Cmod2;\end{array}\right.$$

(24)

It is important to note, that, due to Chinese Remainder Theorem, Systems (23) and (24) must be considered separately. These systems of equations provide two different and mutually independent components of solution of Problem (22). Matrices ${\tilde{X}}_{2p}$ and ${\tilde{X}}_{2p}$ satisfying System (22) are calculated as follows:

$${\tilde{X}}_{2p}=p{\tilde{X}}_2+(p+1){\tilde{X}}_p;$$

$${\tilde{Y}}_{2p}=p{\tilde{Y}}_2+(p+1){\tilde{Y}}_p,$$

where matrices ${\tilde{X}}_p$ and ${\tilde{Y}}_p$ satisfy System (23) and ${\tilde{X}}_2$ and ${\tilde{Y}}_2$ satisfy System (24).

We can assume, that solution of (23) can be found in polynomial time if at least one of matrices X or Y are invertible modulo p. However, nevertheless we cannot recover the solution of (22) from the one component (${\tilde{X}}_p,{\tilde{Y}}_p$), i.e., the component (${\tilde{X}}_2,{\tilde{Y}}_2$) is required. It is directly implied by the Chinese Remainder Theorem isomorphism.

Furthermore, since matrices $\mathsf{\Lambda }$ and $\mathsf{\Sigma }$ have the same parity the following congruence is valid:

$$\mathsf{\Lambda }\equiv \mathsf{\Sigma }mod2.$$

Hence we have $B\equiv Cmod2$, since otherwise the answer to Problem (22) is NO. However in this case we can remove either one of equations of System (24) and hence we obtain a CSBMMQ problem. This problem was proven to be NP-Complete in Theorem 2.

We have shown, that the proof of complexity of Problem (21) relies on the complexity of CSBMMQ problem. Since CSBMMQ is NP-Complete and is a sub-problem of CSMMQ Problem (21), then the latter is also NP-Complete. □

Remark 7.

Theorem 3 is the key factor, which allows us to claim the correctness of Theorem 4. However, based on our logic presented here, we cannot claim, that the singular MMQ problem is NP-Complete over ${\mathcal{Z}}_p$, where p is prime, due to the fact that CSBMMQ problem is not a sub-problem of the latter problem.

To demonstrate the relation of CSMMQ Problem (21) to modified medial semigroup $\mathcal{S}$ let us define the following mappings:

$$\lambda \left(b^{\beta }{a}^i{b}^j{a}^{\alpha }\right)=\left(i+\alpha \right)-\left(j+\beta \right);$$

(25)

$$\sigma \left(b^{\beta }{a}^i{b}^j{a}^{\alpha }\right)=\left(i+\alpha \right)+\left(j+\beta \right).$$

(26)

Remark 8.

Obviously Mappings (25) and (26) define functions of powers i and j if we preset the values of α and β.

Remark 9.

In general we have $\lambda (w)\in \mathcal{Z}$ and $\sigma (w)\in {\mathcal{N}}^0$. Furthermore, if $\sigma (w)=0$, then w is an empty word, i.e., $w=1$.

It is clear that if we preset two exponents $\alpha ,\beta \in \{0,1\}$, then the pair $\left(\lambda \left(w\right),\sigma \left(w\right)\right)$ defines a unique element w if these elements have the same parity and satisfy inequality $|\lambda \left(w\right)|<\sigma \left(w\right)$. Clearly, this reduction is polynomial since for a fixed pair ${\phi }_{({\alpha }_0,{\beta }_0)}\left(\lambda ,\sigma \right)$ we have:

$$\left\{\begin{array}{c}i=\frac{\lambda +\sigma }{2}-{\alpha }_0;\\ j=\frac{\sigma -\lambda }{2}-{\beta }_0.\end{array}\right.$$

(27)

Then the following theorem can be formulated:

Theorem 5.

The mapping $\lambda \left(w\right)$ is an invariant of the reduction, i.e., $\lambda \left(w\right)=\lambda \left(w_{nf}\right)$, and the mapping $\sigma \left(w\right)$ is an invariant modulo $2p$ of the reduction, i.e., $\sigma \left(w\right)\equiv \sigma \left(w_{nf}\right)mod\left(2p\right)$, where $w_{nf}$ is the any word in $\mathcal{S}$ reduced to its normal form.

The proof of this theorem follows from the definition of the reduction and thus we omit it.

The defined mappings have the following important property:

$$\lambda \left(w^k\right)=k\lambda \left(w\right);$$

(28)

$$\sigma \left(w^k\right)=k\sigma \left(w\right).$$

(29)

Let us assume that the entries of matrices $\mathsf{\Lambda }$ and $\mathsf{\Sigma }$ satisfy the conditions presented in Problem (21). Then the following one-to-one-mapping mapping can be defined:

$${\phi }_{({\alpha }_0,{\beta }_0)}\left(\lambda ,\sigma \right)=b^{{\beta }_0}{a}^i{b}^j{a}^{{\alpha }_0},$$

(30)

where the values of ${\alpha }_0$ and ${\beta }_0$ are fixed.

Example 1.

Assume, that $\lambda =3$ and $\sigma =7$. Then we have:

$$\begin{array}{c}{\phi }_{(0,0)}(3,7)=a^5{b}^2;\\ {\phi }_{(0,1)}(3,7)=a^4{b}^{2}a;\\ {\phi }_{(1,0)}(3,7)=b{a}^{5}b;\\ {\phi }_{(1,1)}(3,7)=b{a}^{4}ba.\end{array}$$

Furthermore, if $\lambda =-3$ and $\sigma =7$, then:

$$\begin{array}{c}{\phi }_{(0,0)}(-3,7)=a^2{b}^5;\\ {\phi }_{(0,1)}(-3,7)=a{b}^{5}a;\\ {\phi }_{(1,0)}(-3,7)=b{a}^2{b}^4;\\ {\phi }_{(1,1)}(-3,7)=ba{b}^{4}a.\end{array}$$

However, ${\phi }_{({\alpha }_0,{\beta }_0)}(3,6)$ and ${\phi }_{({\alpha }_0,{\beta }_0)}(7,3)$ are undefined for any values of ${\alpha }_0$ and ${\beta }_0$.

If we apply mapping ${\phi }_{({\alpha }_0,{\beta }_0)}$ to the pair of matrices $(\mathsf{\Lambda },\mathsf{\Sigma })$ elementwise then we obtain a matrix $W=\left\{w_{ij}\right\}$, where the entries $w_{ij}$ are defined as follows:

$$w_{ij}={\phi }_{({\alpha }_0,{\beta }_0)}\left({\lambda }_{ij},{\sigma }_{ij}\right).$$

(31)

Now we introduce the following expression:

$$X\left(\mathsf{\Lambda },\mathsf{\Sigma }\right)Y=\left(X\mathsf{\Lambda }Y,X\mathsf{\Sigma }Y\right),$$

and apply the mapping ${\phi }_{({\alpha }_0,{\beta }_0)}$ to it. Due to Properties (28) and (29) we have:

$${\phi }_{({\alpha }_0,{\beta }_0)}\left(X\mathsf{\Lambda }Y,X\mathsf{\Sigma }Y\right)={}^X{W}^Y.$$

(32)

where the entries of matrix W are defined by Expression (31). Furthermore, we apply the mapping ${\phi }_{({\alpha }_0,{\beta }_0)}$ to the pair of matrices $(B,C)$ in Problem (21) to obtain the following matrix:

$${\phi }_{({\alpha }_0,{\beta }_0)}\left(B,C\right)=D,$$

where the entries of matrix D are defined by Expression (31). The two latter equations can be combined to yield MPF${}_{\mathcal{S}}^{{\mathcal{N}}^0,\mathcal{C}}$ problem, symbolically presented in Definition 1.

Theorem 6.

MPF${}_{\mathcal{S}}^{{\mathcal{N}}^0,\mathcal{C}}$ is NP-Complete.

Proof. 

Due to the properties of mappings $\lambda \left(w\right)$ and $\sigma \left(w\right)$ in Expressions (25)–(27), the property of bijective mapping ${\phi }_{({\alpha }_0,{\beta }_0)}$ and Theorem 4, we find that CSBMMQ is a sub-problem of MPF${}_{\mathcal{S}}^{{\mathcal{N}}^0,\mathcal{C}}$. Since, according to Theorem 2, CSBMMQ is NP-Complete, then the MPF${}_{\mathcal{S}}^{{\mathcal{N}}^0,\mathcal{C}}$ problem is NP-Complete as well. □

Remark 10.

In fact, circulant MPF problem is NP-Complete in more general case, since for matrices X and Y with no zero entries only the upper left corner and bottom right corner entries of the base matrix W play an important role. More precisely the first and the last literal of the specified entries produce fixed values ${\alpha }_0$ and ${\beta }_0$. Normal forms of other entries of the base matrix W are irrelevant.

5. Conclusions

• The proof of NP-Completeness of author’s constructed MPF in previous Symmetry journal publication is presented. It is a new evidence, that this type of MPF can be considered for construction of a non-commuting cryptography primitive as a conjectured OWF.
• The proof is based on two main approaches: we prove that certain GSAT is NP-Complete using modified Schaefer criteria, and, using this result, we prove that this GSAT is a sub-problem of the considered MPF problem. Hence this type of MPF problem is NP-Complete.
• It is a new step to prove that KAP presented in our previous publication mentioned above has a provable security property.