MPF Problem over Modified Medial Semigroup Is NP-Complete

This paper is a continuation of our previous publication on the enhanced matrix power function (MPF) as a conjectured one-way function. We consider a problem introduced in our previous paper and prove that this problem is NP-Complete. The proof is based on the dual interpretation of the well-known multivariate quadratic (MQ) problem defined over the binary field: as a system of MQ equations and as a generalized satisfiability (GSAT) problem. Due to this interpretation, the constraints that MPF must satisfy for the construction of cryptographic protocols can be added to the initial GSAT problem as extra relations. It is then proved, using Schaefer's dichotomy theorem, that the resulting GSAT problem is NP-Complete. Referring to this result, the GSAT problem is reduced by a polynomial-time reduction to a sub-problem of the enhanced MPF, hence the latter is NP-Complete as well.


Introduction
It is very natural to look for new conjectured one-way functions (OWFs) for cryptographic applications in view of the new challenges posed by quantum cryptanalysis. This paper continues research in this field and deals with the so-called matrix power function (MPF). Some cryptographic primitives were built on the assumption that MPF is a conjectured OWF in [1][2][3][4][5]. Furthermore, some results on the security of the presented primitives were published in [6][7][8]. The security of these primitives is based on the complexity of MPF inversion, named the MPF problem.
So far, it is thought that the security of an OWF based on an NP-Complete problem is not vulnerable to quantum cryptanalysis, while cryptosystems based on conjectured OWFs such as factoring and the discrete logarithm problem are vulnerable due to [9]. Therefore, it is very desirable to try to prove the NP-Completeness of the MPF problem. In [6] the NP-Completeness of a more general problem, named the multivariate quadratic power problem, is presented. However, the question of the NP-Completeness of the MPF problem itself has remained open so far.
In [10] our efforts were directed toward increasing the expected complexity of the MPF problem by choosing more complicated algebraic structures for the MPF definition, while at the same time preserving the properties necessary for the construction of cryptographic primitives. In that paper we presented a key agreement protocol (Section 2, Construction 1) as well as an example of its realization with artificially small parameters (Section 6).
In this paper we present a proof of the NP-Completeness of a sub-problem of the enhanced MPF problem previously considered in [10]. The notion of a sub-problem is defined as follows:
Definition 1. The decision problem P_1 is a sub-problem of the problem P_2 if every assignment to the input values which provides the answer YES to problem P_2 also implies the answer YES to problem P_1.
The proof is based on the duality of the multivariate quadratic (MQ) problem interpretation: as a system of MQ equations over Z_2 = {0, 1} [11,12], and, according to Schaefer's dichotomy theorem [13], as a generalized satisfiability (GSAT) problem.
The main benefit of this approach is the opportunity to include the constraints on MPF that are necessary to construct cryptographic primitives as additional GSAT equations.
The proof consists of proving that this GSAT problem is NP-Complete and of a polynomial-time reduction from GSAT to the sub-problem of the enhanced MPF problem.

Matrix Power Function
MPF was first introduced in [4]. To be self-contained, we present MPF here in the following way:
Definition 2. Symbolically, MPF corresponds to a matrix W_{m×m} = {w_ij} powered by a matrix X_{m×m} = {x_ij} on the left and by a matrix Y_{m×m} = {y_ij} on the right, with MPF value equal to the matrix E_{m×m} = {e_ij}; it is expressed by Equation (1).
The matrix W that is powered is named the base matrix, and the matrices X and Y that power the base matrix are named power matrices. In general, we define the base matrix over a multiplicative (semi)group S and the power matrices over some numerical (semi)ring R. We call the semigroup S a platform (semi)group, which according to the MPF definition is multiplicative, and R an exponent (semi)ring. The corresponding matrix semigroup M_S and matrix semiring M_R contain the base matrices and the power matrices respectively.
The exact MPF definition depends on the type of sets over which matrices are defined.
In [3] the authors proved that if the platform semigroup and the power semiring are commutative, then the following associativity properties of MPF hold:
Definition 3. MPF is one-side associative (left-side and right-side associative, respectively) if the following identities (2) hold.
Definition 4. MPF is two-side associative if the following identities (3) hold.
In [3] the authors proved that if the platform semigroup S and the power semiring R are commutative, then MPF_S^R is one- and two-side associative. It follows from Equation (1) that, in general, MPF is a function of the matrices X, W and Y.
Definition 5. The direct MPF value computation is to find the matrix E when the matrices X, W, Y are given. The MPF problem is polynomially equivalent to a certain hard problem with no known polynomial-time algorithm.
Assume that the base matrix W in Expression (1) is defined over a platform semigroup denoted by S and the power matrices X and Y are defined over a power semiring denoted by R. We denote the MPF problem defined by these structures by MPF_S^R. Assume that the power matrices X and Y have to satisfy some constraints denoted by C. In this case we denote the MPF problem by MPF_S^{R,C}. To build cryptographic primitives, e.g., a key agreement protocol, based on MPF_S^R, the following additional property must be satisfied: the square matrices X and Y of order m defined over the power semiring R must be elements of two subsets M_{R,1} and M_{R,2} of commuting matrices in M_R respectively, i.e., for any U ∈ M_{R,1} and V ∈ M_{R,1} the identities (4) hold. This defines a constrained MPF, which we previously denoted by MPF_S^{R,C}. Further on we will use a single subset of commuting matrices in M_R, namely the subset of circulant matrices [14]. Any circulant matrix X can be represented by its column vector x, whose transposed form is the row vector x^T = (x_1, x_2, ..., x_m).
If MPF_S^{R,C} satisfies the conditions of Definition 8, then the following secret-key agreement protocol can be executed, as proposed in [10]. Both parties agree on public information: the modified medial semigroup S and a public base matrix W with its entries randomly chosen from S. Alice and Bob can agree on a common key as follows:
1. Alice chooses two secret circulant matrices X and Y of size m at random. Using these matrices she computes the MPF value A = X W Y and sends it to Bob;
2. Bob chooses two secret circulant matrices U and V of size m at random. Using these matrices he computes the MPF value B = U W V and sends it to Alice;
3. Alice and Bob compute the same secret key according to Identity (6).
Identity (6) is true due to the fact that circulant matrices commute, and due to the associativity Conditions (2) and (3).

Remark 1. In general, the two-sided associativity Condition (3) will not be necessary if we agree on the order of operations, e.g., from left to right.
However, a linear algebra attack on the protocol presented in [3], based on MPF, was recently found by [16]. This attack on the MPF problem runs in polynomial time and hence can be used to break the algorithms presented in [1,3]. The authors of [16] also suggested some improvements to our protocols to resist the proposed attack. In [7] we fixed this flaw for the asymmetric encryption protocol presented in [1].
An intriguing idea was to extend the MPF construction to non-commutative algebraic structures S and R, expecting a higher complexity of the MPF problem and hence a higher potential security for the construction of cryptographic primitives. The main problem of this approach was the loss of associativity of MPF, which made its application in cryptography impossible.
This approach was successful and is presented in [10], where the platform semigroup S is a modified medial semigroup and the power semiring is a special kind of so-called near semiring NSR. In this study, as the power semiring we use the semiring of non-negative integers, denoted by N_0 = {0, 1, 2, 3, ...}. So we deal with the MPF denoted by MPF_S^{N_0}. If the power matrices satisfy the commutation Constraints (4), then we denote the corresponding MPF by MPF_S^{N_0,C}.
In this paper we consider the class of MPF_S^{N_0,C} problems in which the power matrices are circulant matrices over N_0, and hence commute and satisfy Conditions (4). Interestingly enough, such matrices X and Y are almost never invertible, due to the fact that N_0 contains neither fractions nor negative numbers. This is essential to our proof of the NP-Completeness of the MPF_S^{N_0,C} problem. In earlier work, a proof that the randomly generated multivariate quadratic power problem over Z_n is NP-Complete was presented. That proof is insufficient to prove the NP-Completeness of the MPF_S^{N_0,C} problem, because we are considering a special case of that problem: our multivariate quadratic power system of equations is predetermined by the matrix power equations, hence this special case is not randomly generated. Therefore, the aim of this paper is to fill this gap.
In general, it is hard to prove that a problem with arbitrary constraints is NP-Complete (NP-Hard). We present here an approach to proving it based on Schaefer's dichotomy theorem [13]. This theorem is formulated for the GSAT problem, represented by an arbitrary finite set of Boolean relations (formulas) over a finite set of Boolean variables. The theorem gives six criteria that determine whether GSAT is in P or is NP-Complete.
In this paper we construct a certain sub-problem of the GSAT problem which is in one-to-one correspondence with a certain sub-problem of the MPF_S^{N_0,C} problem. We show that this GSAT problem satisfies Schaefer's criteria for being NP-Complete. Hence, using a polynomial-time reduction, we prove that the decision version of the MPF_S^{N_0,C} problem is also NP-Complete. We revise the definition and basic properties of the modified medial semigroup in the next section and present the main result in Section 4.

Modified Medial Semigroup as Platform Semigroup of MPF
Let us consider the medial semigroup S_M, which was previously introduced in [17]. Assume that the presentation of this semigroup consists of two generators a and b and a relation R_M written in the following way: S_M = ⟨a, b | R_M⟩; (7) where R_M is Relation (8), and ω_1 and ω_2 are arbitrary non-empty words in S_M written in terms of the generators a and b.
Let us now present an important identity (9), which is useful for the application of the medial semigroup S_M to MPF. This identity is based on Relation (8) and is valid for all words ω_1, ω_2 ∈ S_M and any exponent e ∈ N_0.
To prevent the growth of the powers of the generators when exponentiation takes place, we introduce a modified medial semigroup S with two extra relations R_1 and R_2 of the general form (10). Thus, the modified medial semigroup S is presented by the generators a and b with the relations R_M, R_1 and R_2 defined above. Note that we define S as a multiplicative, non-commuting, non-cancellative and infinite semigroup, which is a non-symmetric algebraic structure.
Remark 2. The modified medial semigroup is well defined if the relations R_1 and R_2 are symmetric, i.e., they link both generators in such a way that the order of the generators is symmetric and the exponents of each generator add up to the same number. In our case the sum of the exponents of the generators a and b on the left side of R_1 and R_2 in Relations (10) equals p + 2, and on the right side it equals 2.
Remark 3. In our previous paper we considered the special case p = 3.
The semigroups S_M and S are made monoids by introducing the empty word as a multiplicatively neutral element, denoted by 1. Then, conveniently, the following identities hold for all ω ∈ S_M. The normal form for the words in S_M was also defined in the following way:
Definition 9. The normal form ω_{M,nf} of any word ω_0 in the semigroup S_M is expressed as follows, where α, β ∈ {0, 1} and α_a, β_b, r_a, s_b, i_a, j_b ∈ N.
To obtain the normal form of a word ω we consider its first and last literals. Using Relation (9) we can determine the values of α and β. For example, the normal form of the word b^7 a^8 b^2 a^6 is b a^13 b^8 a. The word b^6 a^7 b^3 a^7 has the same normal form, and hence we consider all these words equivalent. The normal form of the word a^7 b^8 a^2 b^6 is b^0 a^9 b^14 a^0; hence in this case we have α = 0 and β = 0. Evidently, for the normal form of the word a^5 b^7 a^3 we have α = 1 and β = 0, whereas in the case of the word b^5 a^7 b^3 we have α = 0 and β = 1. In fact, the normal forms of these two words are b^0 a^7 b^7 a and b a^7 b^7 a^0 respectively. We generally omit zeroth powers when writing normal forms.
On the basis of ω_{M,nf}, the normal form in S is defined as follows:
Definition 10. The normal form ω_nf of any word ω_0 in the semigroup S is expressed by the following expression.
Let T be an additive non-commuting semigroup consisting of the tuples (β, i, j, α), where α, β ∈ {0, 1} ⊂ N_0 and i, j ∈ N_0, with the addition operation defined below. Then there is an isomorphism ϕ : S_{M,nf} → T, which can be expressed by the following relation for any word ω_nf:
ϕ(ω_nf) = ϕ(b^β a^i b^j a^α) = (β, i, j, α). (15)
Hence, using our notation, we have defined MPF_S^{N_0}, where S is the modified medial semigroup. It is important to note that MPF_S^{N_0} satisfies the associativity Conditions (2) and (3) due to the properties of the medial semigroup.
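As an added example (not code from the paper or from the authors' project), the following Python computes the normal form of Definition 9 for words over the generators a and b of S_M, the tuple map ϕ of (15), and checks the five worked words of the paragraph above. The page does not reproduce the relation R_M (8); the example assumes, consistently with all five examples, that literals strictly inside a word commute, so that the first literal, the last literal and the two letter counts determine the normal form. The addition in T is derived here from concatenation of normal-form words, since the operation itself is only referred to on the page, and the extra relations R_1 and R_2 of the modified semigroup S are not modelled.

```python
"""Added example: normal forms in the medial semigroup S_M and the tuple map phi of (15)."""

ALPHABET = {"a", "b"}


def word(*powers):
    """Build a word from (generator, exponent) pairs: word(("b", 7), ("a", 8)) -> 'bbbbbbbaaaaaaaa'."""
    return "".join(gen * e for gen, e in powers)


def normal_form(w):
    """Return the tuple (beta, i, j, alpha) with w equivalent to b^beta a^i b^j a^alpha.

    Assumption (the relation R_M itself is not reproduced on the page): literals
    strictly inside a word commute, so the first literal fixes beta, the last
    literal fixes alpha, and the remaining letter counts give i and j.  This
    agrees with every example of Definition 9.
    """
    if not w or set(w) - ALPHABET:
        raise ValueError("expected a non-empty word over {a, b}")
    beta = 1 if w[0] == "b" else 0
    alpha = 1 if w[-1] == "a" else 0
    i = w.count("a") - alpha
    j = w.count("b") - beta
    return (beta, i, j, alpha)


def render(t):
    """Write a tuple as b^beta a^i b^j a^alpha, omitting zeroth powers as the paper does."""
    beta, i, j, alpha = t
    parts = []
    if beta:
        parts.append("b")
    if i:
        parts.append("a" if i == 1 else f"a^{i}")
    if j:
        parts.append("b" if j == 1 else f"b^{j}")
    if alpha:
        parts.append("a")
    return " ".join(parts) or "1"   # "1" is the empty word (neutral element)


def expand(t):
    """Inverse of phi: the normal-form word b^beta a^i b^j a^alpha as a string."""
    beta, i, j, alpha = t
    return "b" * beta + "a" * i + "b" * j + "a" * alpha


def equivalent(w1, w2):
    """Two words are equal in S_M iff their normal forms coincide."""
    return normal_form(w1) == normal_form(w2)


def add_tuples(s, t):
    """Addition in T, derived here (assumption) from concatenation of the two
    normal-form words: the first literal of s and the last literal of t survive,
    every other letter is simply counted."""
    b1, i1, j1, a1 = s
    b2, i2, j2, a2 = t
    return (b1, i1 + a1 + i2, j1 + b2 + j2, a2)


def power(t, e):
    """e-fold sum in T (e >= 1), i.e. phi of the word repeated e times."""
    if e < 1:
        raise ValueError("exponent must be at least 1")
    acc = t
    for _ in range(e - 1):
        acc = add_tuples(acc, t)
    return acc


if __name__ == "__main__":
    for w in (word(("b", 7), ("a", 8), ("b", 2), ("a", 6)),
              word(("b", 6), ("a", 7), ("b", 3), ("a", 7)),
              word(("a", 7), ("b", 8), ("a", 2), ("b", 6))):
        print(w, "->", render(normal_form(w)), normal_form(w))
```

Running the block prints `b a^13 b^8 a` for the first two words and `a^9 b^14` for the third, matching the paper; `add_tuples` and `power` let one check that the tuple map respects concatenation and exponentiation, which is what makes ϕ a semigroup isomorphism.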
Adding the commutation Constraints (4) to the power matrices X and Y defined over N_0, we denote the constrained MPF_S^{N_0} problem by MPF_S^{N_0,C}.
In the next section we prove that the MPF_S^{N_0,C} problem is NP-Complete.

Proof of NP-Completeness
Let us consider the following binary matrix Equation (16), where all matrices Q, A, X and Y are defined over the field Z_2 = {0, 1} with multiplication denoted by ∧ (logical AND) and addition by ⊕ (logical XOR). This equation corresponds to a binary matrix multivariate quadratic (BMMQ) equation, and the associated problem to the BMMQ problem.
Definition 11. The binary matrix MQ (BMMQ) problem is to find matrices X and Y in Equation (16) when the matrices Q and A are given.
Remark 4. Throughout this paper we assume that the matrix Q is well-balanced, i.e., the number of 1's is close to m^2/2. Furthermore, all the 1's are distributed uniformly over the rows and columns of the matrix Q.
If at least one of the square matrices X or Y is invertible, then the BMMQ Problem (16) is solvable in polynomial time due to one of the Transformations (17), since the XOR operation is its own inverse. It is clear that both transformations represent a system of m^2 homogeneous linear equations in 2m^2 unknown variables.
However, if both binary matrices X and Y are singular, then Transformations (17) are not possible, and hence the initial Problem (16) bears a resemblance to the well-known multivariate quadratic (MQ) problem. It is known that the randomly generated MQ problem is NP-Complete over any field [11,12].
Hence, we define the following problem:
Definition 12. The singular binary matrix MQ problem (SBMMQ) is to solve the BMMQ problem when the matrices X and Y in Equation (16) are singular.
It is important to note that we are interested in this particular problem since, in the case of MPF_S^{N_0,C}, the power matrices are defined over the semiring N_0, and hence any randomly chosen power matrix is not invertible with overwhelming probability. Here and onwards we say that a random event happens with overwhelming probability if its probability of failure is negligible. We begin with the complexity consideration of the CSBMMQ problem.
Our proof is based on Schaefer's dichotomy theorem [13]. Let us define a set of Boolean relations {r_1, r_2, ..., r_M} with variables given by two vectors x^T = (x_1, x_2, ..., x_m) and y^T = (y_1, y_2, ..., y_m). Then the following generalized satisfiability problem GSAT (18) can be formulated, where 1 is the true value assigned to the relations.

Definition 13. The decision GSAT problem is to answer YES/NO to the question: is there an assignment to the variables x and y such that all Boolean relations in Problem (18) are true?
Theorem 1 (Schaefer dichotomy theorem [13]). If at least one of the following criteria is satisfied, then the satisfiability problem GSAT is in P; otherwise it is NP-Complete.
As mentioned above, to satisfy the commutation Conditions (4), the matrices X and Y are chosen to be circulant. Then the matrix Equation (16) can be transformed into the following system of equations (19), where the vectors x^T and y^T are the row vectors representing the circulant matrices X and Y respectively (their first row and first column), and the matrices Q_11, Q_12, ..., Q_mm are obtained by cyclic permutations of the matrix Q. For example, Q_11 = Q and Q_12 = (q_2 q_3 ··· q_m q_1), where the vector q_j denotes the j-th column of the matrix Q. All matrices Q_ij are obtained from the initial matrix by shifts of rows and/or columns.
The latter system consists of m^2 quadratic equations in 2m variables, the components of the vectors x and y. System (19) is a special type of randomly generated MQ problem over Z_2, defined by the special matrices Q_11, Q_12, ..., Q_mm generated by deterministic permutations of the randomly generated matrix Q in Equation (16). Every equation in System (19) represents a Boolean relation written in terms of the logical operations AND and XOR.
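As an added example (not code from the paper), the following Python builds a small constructed instance of the circulant BMMQ Equation (16) over Z_2 = {0, 1}, checks entry by entry that X Q Y coincides with the m^2 relations x^T Q_ij y of System (19) built from cyclic shifts of Q, tests the singularity of X and Y by Gaussian elimination over Z_2 (so that the instance is an SBMMQ instance in the sense of Definition 12), and decides the instance by exhaustive search over the 2m variables. The matrix Q, the planted vectors, and the convention that x is the first row of X and y the first column of Y are assumptions of this example; the index convention of the shift Q_ij is the one under which Q_12 = (q_2 q_3 ··· q_m q_1), as stated in the text.

```python
"""Added example: a circulant BMMQ instance over Z_2 and its System (19) form."""
from itertools import product


def circ_rows(x):
    """Circulant X with first row x: X[i][k] = x[(k - i) mod m]."""
    m = len(x)
    return [[x[(k - i) % m] for k in range(m)] for i in range(m)]


def circ_cols(y):
    """Circulant Y with first column y: Y[l][j] = y[(l - j) mod m]."""
    m = len(y)
    return [[y[(l - j) % m] for j in range(m)] for l in range(m)]


def mul2(A, B):
    """Matrix product over Z_2: AND for multiplication, XOR for addition."""
    return [[sum(A[i][k] & B[k][j] for k in range(len(B))) & 1
             for j in range(len(B[0]))] for i in range(len(A))]


def bmmq(x, y, Q):
    """Left-hand side of Equation (16), X Q Y, for circulant X and Y."""
    return mul2(mul2(circ_rows(x), Q), circ_cols(y))


def shifted(Q, i, j):
    """Q_ij of System (19): Q with rows rotated by i and columns by j (0-based)."""
    m = len(Q)
    return [[Q[(k + i) % m][(l + j) % m] for l in range(m)] for k in range(m)]


def bilinear(x, Q_ij, y):
    """x^T Q_ij y over Z_2: one quadratic Boolean relation of System (19)."""
    return sum(x[k] & Q_ij[k][l] & y[l]
               for k in range(len(x)) for l in range(len(y))) & 1


def system19_matches(x, y, Q):
    """Check that every entry a_ij of X Q Y equals the relation x^T Q_ij y."""
    A = bmmq(x, y, Q)
    m = len(Q)
    return all(A[i][j] == bilinear(x, shifted(Q, i, j), y)
               for i in range(m) for j in range(m))


def rank_gf2(M):
    """Rank over Z_2 by Gaussian elimination; a square M is singular iff rank < m."""
    rows = [r[:] for r in M]
    rank = 0
    for c in range(len(rows[0])):
        pivot = next((r for r in range(rank, len(rows)) if rows[r][c]), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        for r in range(len(rows)):
            if r != rank and rows[r][c]:
                rows[r] = [u ^ v for u, v in zip(rows[r], rows[rank])]
        rank += 1
    return rank


def solve_by_search(Q, A, singular_only=False):
    """Decision version of (S)BMMQ by exhaustive search over the 2m variables."""
    m = len(Q)
    sols = []
    for bits in product((0, 1), repeat=2 * m):
        x, y = list(bits[:m]), list(bits[m:])
        if bmmq(x, y, Q) != A:
            continue
        if singular_only and (rank_gf2(circ_rows(x)) == m or rank_gf2(circ_cols(y)) == m):
            continue
        sols.append((tuple(x), tuple(y)))
    return sols


# Constructed instance, m = 4: a well-balanced Q (8 ones, two per row and column,
# as in Remark 4) and planted singular power matrices.  All values are assumptions.
Q = [[1, 0, 1, 0],
     [0, 1, 0, 1],
     [1, 1, 0, 0],
     [0, 0, 1, 1]]
x_secret = [1, 1, 0, 0]   # circ_rows(x_secret) has rank 3 over Z_2: singular
y_secret = [1, 0, 1, 0]   # circ_cols(y_secret) has rank 2 over Z_2: singular
A = bmmq(x_secret, y_secret, Q)

if __name__ == "__main__":
    print("System (19) agrees with X Q Y:", system19_matches(x_secret, y_secret, Q))
    print("rank X =", rank_gf2(circ_rows(x_secret)), " rank Y =", rank_gf2(circ_cols(y_secret)))
    print("singular solutions:", solve_by_search(Q, A, singular_only=True))
```

The exhaustive search is only feasible because m is tiny; for realistic m the 2^{2m} assignments are out of reach, which is exactly the regime in which the singularity of X and Y blocks the linear Transformations (17).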
To choose a suitable GSAT problem for proving the NP-Completeness of the initial MPF_S^{N_0,C} problem, the set of logical Relations (18) must be supplemented by logical relations defining the singularity constraints on the matrices X and Y. Since System (19) is defined over Z_2 = {0, 1}, these constraints can be expressed by the following Boolean relations. We can rewrite System (22) in the following way using the Chinese Remainder Theorem:
XΛY ≡ B mod 2; XΣY ≡ C mod 2; (24)
It is important to note that, due to the Chinese Remainder Theorem, Systems (23) and (24) must be considered separately. These systems of equations provide two different and mutually independent components of the solution of Problem (22). The matrices X_{2p} and Y_{2p} satisfying System (22) are calculated as follows, where the matrices X_p and Y_p satisfy System (23) and X_2 and Y_2 satisfy System (24). We can assume that a solution of (23) can be found in polynomial time if at least one of the matrices X or Y is invertible modulo p. Nevertheless, we cannot recover the solution of (22) from the single component (X_p, Y_p), i.e., the component (X_2, Y_2) is required. This is directly implied by the Chinese Remainder Theorem isomorphism.
Furthermore, since the matrices Λ and Σ have the same parity, the following congruence is valid. Hence we must have B ≡ C mod 2, since otherwise the answer to Problem (22) is NO. In this case we can remove either one of the equations of System (24), and hence we obtain a CSBMMQ problem. This problem was proven to be NP-Complete in Theorem 2.
We have shown that the proof of the complexity of Problem (21) relies on the complexity of the CSBMMQ problem. Since CSBMMQ is NP-Complete and is a sub-problem of the CSMMQ Problem (21), the latter is also NP-Complete.
Remark 7. Theorem 3 is the key factor which allows us to claim the correctness of Theorem 4. However, based on the reasoning presented here, we cannot claim that the singular MMQ problem is NP-Complete over Z_p, where p is prime, because the CSBMMQ problem is not a sub-problem of the latter problem.
To demonstrate the relation of the CSMMQ Problem (21) to the modified medial semigroup S, let us define the Mappings (25) and (26).
Remark 8. Obviously, Mappings (25) and (26) define functions of the powers i and j if we preset the values of α and β.
Clearly, this reduction is polynomial, since for a fixed pair ϕ_{(α_0,β_0)}(λ, σ) we have the following. Then the following theorem can be formulated:
Theorem 5. The mapping λ(w) is an invariant of the reduction, i.e., λ(w) = λ(w_nf), and the mapping σ(w) is an invariant modulo 2p of the reduction, i.e., σ(w) ≡ σ(w_nf) mod (2p), where w_nf is any word w in S reduced to its normal form.
The proof of this theorem follows from the definition of the reduction, and thus we omit it. The defined mappings have the important Properties (28) and (29). Let us assume that the entries of the matrices Λ and Σ satisfy the conditions presented in Problem (21). Then the following one-to-one mapping can be defined, where the values of α_0 and β_0 are fixed.
If we apply the mapping ϕ_{(α_0,β_0)} to the pair of matrices (Λ, Σ) elementwise, then we obtain a matrix W = {w_ij} whose entries w_ij are defined by Expression (31). Now we introduce the following expression and apply the mapping ϕ_{(α_0,β_0)} to it. Due to Properties (28) and (29) we obtain the following, where the entries of the matrix W are defined by Expression (31). Furthermore, we apply the mapping ϕ_{(α_0,β_0)} to the pair of matrices (B, C) in Problem (21) to obtain the matrix D, whose entries are defined by Expression (31). The two latter equations can be combined to yield the MPF_S^{N_0,C} problem, symbolically presented in Definition 1.
Since, according to Theorem 2, CSBMMQ is NP-Complete, the MPF_S^{N_0,C} problem is NP-Complete as well.
Remark 10. In fact, the circulant MPF problem is NP-Complete in a more general case, since for matrices X and Y with no zero entries only the upper-left and bottom-right corner entries of the base matrix W play an important role. More precisely, the first and the last literal of the specified entries produce the fixed values α_0 and β_0. The normal forms of the other entries of the base matrix W are irrelevant.

1. The proof of the NP-Completeness of the MPF constructed by the authors in their previous Symmetry journal publication is presented. It is new evidence that this type of MPF can be considered for the construction of non-commuting cryptographic primitives as a conjectured OWF.
2. The proof is based on two main approaches: we prove that a certain GSAT is NP-Complete using the modified Schaefer criteria, and, using this result, we prove that this GSAT is a sub-problem of the considered MPF problem. Hence this type of MPF problem is NP-Complete.
3. It is a new step toward proving that the KAP presented in our previous publication mentioned above has a provable security property.

The criteria of Theorem 1 (Schaefer dichotomy theorem):
(a) Every relation in S is satisfied when all the variables are 0 (0-valid clause);
(b) Every relation in S is satisfied when all the variables are 1 (1-valid clause);
(c) Every relation in S is definable by a CNF formula in which each conjunct has at most one negated variable (dual Horn clause);
(d) Every relation in S is definable by a CNF formula in which each conjunct has at most one unnegated variable (Horn clause);
(e) Every relation in S is definable by a CNF formula having at most two literals in each conjunct (bijunctive clause);
(f) Every relation in S is the set of solutions of a system of linear equations over the two-element field {0, 1} (affine clause).

Clearly, if the answer to the initial Problem (21) is YES, then the same answer applies also to Problem (22), since to obtain a solution of Problem (21) extra matrices T and S in the relations X = (2p)T + X_{2p}; Y = (2p)S + Y_{2p} have to be found. Here the matrices X_{2p} and Y_{2p} satisfy Problem (22).