Sigma Identification Protocol Construction Based on MPF

A new sigma identification protocol (SIP) based on matrix power function (MPF) defined over the modified medial platform semigroup and power near-semiring is proposed. It is proved that MPF SIP is resistant against direct and eavesdropping attacks. Our security proof relies on the assumption that MPF defined in the paper is a candidate for one-way function (OWF). Therefore, the corresponding MPF problem is reckoned to be a difficult one. This conjecture is based on the results demonstrated in our previous studies, where a certain kind of MPF problem was proven to be NP-complete.


Introduction
In this paper a new paradigm for the so-called Sigma Identification Protocol (SIP) based on the authors' earlier proposed new candidate for one-way function (OWF) is presented. In general, Sigma protocols are three-round protocols similar to the well-known Schnorr identification protocol. They are typically used as sub-protocols in more complicated settings and for more advanced use. For example, Sigma protocols can easily be transformed into corresponding identification and signature schemes. Another application is to design protocols that allow one party to prove to another that certain facts are true (without revealing private information). For example, to prove that encrypted value V lies in a certain range without revealing any other information about V. Sigma protocols can be combined to make new Sigma protocols. For example, in the AND-proof construction, a Prover can convince a Verifier that he knows witnesses for a pair of statements. In the OR-proof construction, a Prover can convince a Verifier that he knows witnesses for one of two statements. These examples convince us that the development of Sigma protocols based on new paradigms is promising.
The construction of cryptographic primitives based on matrix power function (MPF) belongs to the field of so called non-commuting cryptography [1], [2]. The development of non-commuting cryptography is important due to the need to replace traditional cryptographic methods vulnerable to quantum cryptanalysis. Peter W. Shor has proposed the polynomial-time quantum cryptanalysis [3] for the traditional cryptographic primitives such as Diffie-Hellman key exchange protocol, RSA and ElGamal cryptosystems, Digital signature algorithm (DSA) and Elliptic Curve DSA (ECDSA).
One of the promising trends is the creation of OWFs, the security of which relies on the NP-hard problems [4]. Thus far, there are no known effective quantum cryptanalytic algorithms solving NP-hard problems; therefore, this cryptographic trend is a significant part of the so-called post-quantum cryptography [5]. One of the trends to create cryptographic primitives that can resist quantum cryptanalysis attacks is lattice-based cryptography [6] and hidden field equations (HFE) based cryptosystems [7][8][9][10]. Despite some cryptanalytic attacks on the HFE cryptosystem [8,9], this trend is viewed as promising [10].
MPF is somewhat related to the multivariate polynomials used in HFE cryptosystems since the complexity of so called MPF problem and the NP-completeness of this problem is proved using polynomial-time reduction of multivariate quadratic (MQ) problem [7]. Referencing [11] it is proved that certain kinds of MPF problems are NP-complete as well [12,13].
In this paper the novel MPF based sigma identification protocol (SIP) is presented using several specifically selected algebraic structures introduced in [14]. The concept of abstract MPF as well as main definitions for the construction of SIP are given in Section 2. The algebraic structures for the construction of MPF are defined in Section 3. MPF SIP is presented in Section 4. The security of MPF SIP against eavesdropping attacks is proven in Section 5. In Section 6, the selection of security parameters as well as the efficiency analysis are presented. The discussions and conclusions are presented in Section 7. The table of notations used in this paper as well as the numerical example are displayed in the Appendices A and B, respectively.

The Construction of the Abstract Matrix Power Function
In this section, the matrix power function (MPF) is constructed in an abstract form without specifying exact algebraic structures that will be introduced in subsequent sections. Let X = {xil}, W = {wlj} and Y = {yjk} be m × m matrices over some semiring, and indices i, j, k, l ∈ Im = {1, 2, …, m}. Multiplying matrix W by matrix X from the left and by matrix Y from the right yields a new matrix Q = {qik}.
Let S be some multiplicative semigroup and R some numerical semiring. In the case that MPF S is named a platform semigroup and R an exponent semiring. The exponent semiring of natural numbers with zero is denoted by N0 = {0, 1, 2, …}. The corresponding semigroup of matrices defined over S is denoted by MS and the semiring of power matrices defined over R is denoted by MR. Then, using an analogy with the matrix multiplication defined in (1), the left MPF, the right MPF and the left-right or simply MPF are introduced for X, Y ∈ MR, xil, yjk ∈ R and for W ∈ MS, wlj ∈ S as follows. Definition 1. The left MPF corresponding to the matrix W powered by matrix X from the left with the MPF value equal to the matrix C = {cij} has the following form: The MPF definition is related to the following associativity identities.
Definition 4. MPF is one-side, (left-side or right-side) associative and two-side associative if the following respective identities hold: In general, MPF is a function F: MR × MS × MR → MS. To be concise, we will use the notation R S MPF for the definition of MPF with base matrix defined over the platform semigroup S in MS and with power matrices defined over the exponent semiring R in MR. The categorical interpretation of MPF is presented in [15], in the context of the construction of several key agreement protocols. We slightly reformulate the notions used in the authors' interpretation by the following proposition, which is more appropriate for our study.

Proposition 1. If MPF is associative, then MS is a multiplicative MR-semibimodule.
This means that there exist bilinear (left and right) actions of the matrix semiring MR on the matrix semigroup MS. According to the definition of action, it must satisfy the associative law corresponding to Definition 4. Since matrix semigroup MS is multiplicative, then MR-semibimodule MS is multiplicative in our case. The following lemma is presented without proof. The proof can be found in [14].
The direct MPF value computation requires finding matrix A in (4), when matrices X, Y and W are given. The inverse MPF value computation requires finding matrices X and Y in (4), when matrices W and A are given. The MPF problem is the computation of the inverse MPF value. Paraphrasing this definition in a non-formal way, MPF is candidate for OWF if: (1) the MPF direct value computation is easy, and (2) the MPF problem is hard.
The computation of the direct MPF value is effective and can be done by powering elements of the platform semigroup S by elements of the exponent semiring R with relatively small values (e.g., up to 5 used in this study). It is related to the matrix multiplication by the two matrices from the left and right. In this paper we present some evidence that the solution of the MPF problem is hard. Proposition 2. The necessary requirements for MPF for the proposed SIP are the following: (1) it is a candidate for OWF, (2) it is associative, and (3) the following distributive identity holds: where * is a Hadamard product of matrices [16].

The Definition of Algebraic Structures
In order to construct a platform semigroup for MPF, the class of modified multiplicative medial semigroups [17] is used. A medial semigroup SM has the presentation consisting of two generators a, b and relation RM is defined in the following way: where w1 and w2 are arbitrary non-empty words in SM, written in terms of generators a and b. The reason for the introduction of the medial semigroup is the existence of the following identity, based on the relation RM, valid for all words w1, w2 ∈ SM and any exponent e ∈ N0, where N0 = {0, 1, 2, …} is the semiring of natural numbers with zero: In order to construct a platform semigroup S for MPF in (4), two extra relations R1 and R2 are added to SM: These relations can be generalized for arbitrary finite exponents instead of 5, however, only relations (11) are considered in this paper for simplicity. Thus, modified medial semigroup S has the following presentation: Note that we define S as a multiplicative, non-commuting and cancellative semigroup. Proposition 3. Semigroups SM and S are transformed into monoids by introducing an empty word as a multiplicatively neutral element, denoted by 1. Then, conveniently, the following identities hold for all w in SM and S: Using relation RM in (9) any word in SM can be transformed to the form w = b s a t b u a v moving generators a, b left and right, where s, t, u, v ∈N0. Let w = b s a t b u a v be such word in SM. Reformulating the Theorem 12 in [14], the normal form wnf of word w in the semigroup SM is defined by the following function nf: SM → SM,nf and is expressed by the relation: The normal form in the modified medial semigroup S is defined by the following theorem. Theorem 1. The normal form wη of the word wnf in the normal form of SM, is represented by the function η: SM → S and obtained by applying the minimization procedure of exponents ia, ib in (14) using the relations R1, R2: Since S is a multiplicative semiring, the following exponent identities hold for any generator g ∈ {a, b}: g i g j g i j ; g i j g ij . (16) Addition and multiplication tables for exponents i, j are presented in Tables 1 and 2 below.
Referencing relations R1, R2 the semiring N0 can be replaced by the finite semiring N4 = {0, 1, 2, 3, 4}. This semiring has an additive semigroup with index 1 and period 4. The exponent functions defined on S are determined by non-negative exponents in semiring N4.
We generalize these functions by introducing the "imaginary" unit ι which has some weak analogy with complex numbers in classical numerical algebra based on the imaginary unit i (i 2 = −1). According to this "analogy" the set of complex exponents can be introduced and denoted by ι•N4, where "•" denotes a formal multiplication of ι by any number in N4. According to our assumption and using the relation RM in (9), the following properties of exponent ι are defined: where t, u ∈ N4. This means that elements t + ι•u and ι•u + t do not commute. The algebraic structure termed a near-semiring [18] was introduced for the construction of MPF in [14]. In general, it can be defined in the following way.

Definition 6. A near-semiring (NSR) is a nonempty set with two binary operations "+" and "
•", such that <NSR; +; 0> is an additive monoid with neutral element 0, and <NSR; •; 1> is a multiplicative monoid with neutral element 1, satisfying the following (two-sided) axioms for all x, y, z in NSR: Referencing to this definition the special type NSR required for MPF SIP construction is defined in the following way.

Definition 7.
The exponent near-semiring NSR consist of non-commuting additive monoid <NSR; +; 0> and commuting multiplicative monoid <NSR; •; 1> satisfying Definition 6 and is a union of the following sets where the set N4 + ι•N4 + N4 defines the class of elements {t + ι•u + v} and the set ι•N4 + N4 + ι•N4- The presentation of the semigroup S by relations RM, R1, R2 in (9) and (11) induces certain properties and relations in NSR that can be directly verified and are presented below without the proof.

Proposition 4.
For any x, y ∈ NSR, where x = t + ι•u + v and y = ι•t + u + ι•v and t, u, v ∈ N4, the following identities hold for the exponents of generators a and b in S: Identity to (21) can be extended for any word w ∈ S: where the word w is obtained from w by renaming the generator a to b and b to a respectively. It is easily verified that the exponent function in S satisfies the following more general identities for any w, w1, w2 ∈ S and any x, y ∈ NSR: The partial case of (23) are the following identities: a x a y = a x+y , (a x ) y = a (x•y) = a x•y and (a1a2) x = (a1) x (a2) x for any a, a1, a2 ∈ S and x, y ∈ NSR. The same is valid for the generator b. The illustration of the computation of exponents in S is presented in Example 1 below.
The set of matrices defined over the NSR is denoted by MNSR.
Referencing to the Proposition 1, we present the following easily verifiable theorem without a proof.

Theorem 2. MS is a multiplicative MNSR-semibimodule.
Since NSR is acting on the semigroup S as an exponent function, then MNSR is acting on MS as MPF. According to Definition 7 and semigroup S presentation in (12) the following proposition can be formulated.

Proposition 5. NSR introduced in the Definitions 6 and 7 has non-commuting additive monoid
<NSR; +; 0> and commuting multiplicative monoid <NSR; •; 1>, i.e., for all x, y, z1, z2 ∈ NSR the following identities hold: (24) Relation (25) implies the following identity: At the second step transformation to the normal form (15), every word in parentheses is performed. The gray part of Table 1 represents the additive subgroup N4 + = {1, 2, 3, 4} with neutral element equal to 4. Subgroup N4 + has the subset of two generators Γ = {1, 3}. The subgroup N4 + and generators Γ will play an important role in proving the uniform distribution of conversations and the security against eavesdropping attack of MPF SIP in Section 5. Moreover, relations R1, R2 in (11) define the smallest exponent e = 5 where subgroup N4 + has at least two generators. It is important to have a random choice in the set having at least two generators and will be used in our construction as well. The gray part of Table 2 represents the multiplicative semigroup N4 + in N4. It is easily verified that N4 + is a subsemiring of N4. Replacing N4 by N4 + in Definition 7, we obtain a new near-semiring as a sub-semiring of NSR which is denoted by sNSR. The matrix set over the sNSR is denoted Together with the introduced here near-semirings the introduction of anti-NSR, denoted by aNSR, to the original NSR is necessary. According to (20), aNSR is defined by: where for any element x in NSR there exists a unique element x′ in aNSR obtained by switching the sign of x from positive to negative, i.e., x′ = −x. The matrix set over the aNSR is denoted by MaNSR. For any matrix H in MNSR there exists a unique matrix −H in MaNSR with negative entries. Then, formally, we assume that where O is the zero matrix, i.e., matrix with all entries equal to zero. This construction will be used in the security proofs for the so-called simulator Sim The last identity remains valid if the presented actions are reversed from the left to the right.

MPF Sigma Identification Protocol (SIP)
In general, sigma identification protocols (SIP) are realized using the conversation between the Prover and the Verifier when the Prover proves to the Verifier the knowledge of the secret (e.g., his private key-witness) without revealing knowledge about this secret [19]. In this case it is said that SIP has the Zero Knowledge Proof (ZKP) property [19]. Prover is using his private, public key pair we denote by PrK, PuK named as a witnessstatement pair.
We denote any matrix Q that is generated uniformly at random from the matrix set M by Q ← rand(M).
We use matrix sets MsNSR and MΓ introduced in Section 3 instead of the matrix set MNSR to provide a random uniform distribution of data generated in MPF SIP.
Parties share the same public parameter represented by matrix W in MS generated at random W ← rand(MS). The prover runs the following key pair generation algorithm. For the private key PrK-witness generation two secret matrices X, Y in MΓ = {1, 3} are chosen at random: Then PrK = (X, Y)∈MΓ × MΓ.
The public key PuK-statement is computed using sNSR S MPF defined above: Prover distributes his PuK = A ∈ MS to all users including Verifier. According to the 3-rd condition in the Proposition 2 represented by the distributive identity (7), we formulate the following easily verified theorem without proof.

Definition 8. Equation (32) defines a set of relations Rel between the set of witnesses (PrK) and statements (PuK) which is a subset of the following direct product of sets: Rel  (MΓ × MΓ) × MS.
Since relations R1, R2 in (11) define a finite semiring S, they induce the finiteness of sNSR. Then, sets MsNSR and MS are finite as well.

Proposition 7. Relation Rel is effective.
Referencing to the general definition of Sigma protocol in [19], the corresponding definition can be formulated for MPF SIP.

Definition 12. Let Rel  (MΓ × MΓ) × MS be an effective relation. An MPF SIP for Rel is a pair (P, V) of interactive protocols executed by the Prover and the Verifier. Protocol P is taking a witness-statement pair (PrK, PuK) ∈ Rel as an input. Protocol V is taking as an input statement PuK ∈ MS. Then after the conversation V outputs accept or reject.
MPF SIP is performed during three pass communications named as a conversation between the Prover and the Verifier.
and if it is the case outputs accept.
The distinct feature of the proposed protocol (against, e.g., Schnorr or Okamoto protocols, [19]) is that the Prover generates a commitment at the first step of the protocol using components X, Y of the witness-PrK = (X, Y).
Completeness. On the common statement input PuK = A, the honest Prover knows witness-PrK = (X, Y) for PuK and succeeds in convincing the Verifier of his knowledge with probability 1. It follows from the validity of associativity identity (6) and distribution identity (7): Verifier uses the conversation (C, H, R) together with the Prover's statement PuK = A for the verification and yields accept if (35) holds.
The test example of this protocol is presented in Appendix A.

Security Analysis
We consider the main three main kind of attacks for SIP presented in [19] ordered by their power, i.e., direct attack, eavesdropping attack and active attack. The weakest attack of the three is a direct attack and it is applied mainly for password protected systems which can also be realized using symmetric cryptography. The outcome of these attacks is either adversary impersonation of legal Prover or even compromisation of legal prover's secret, namely his password or private key PrK-witnwss. The detailed description of the attack game and the theorem formulating security against this attack is presented in ( [19], Section 18.3). Since this attack is not of direct interest for our research, we only use the security formulation for this attack in our construction in Theorem 4 below as an intermediate result to consider the more powerful eavesdropping attack. In this section we prove the conditions under which the proposed MPF SIP is resistant against eavesdropping attack finalizing it in Theorems 5 and 6. Unfortunately, we were not able to prove the resistance against most powerful active attack for the reasons presented below.

NSR S MPF is a candidate for one-way function (OWF).
This assumption can be supported by our previous results presented in [11][12][13][14]. The MPF is constructed using similar algebraic structures as in [14]. In [12,13] the NP-completeness of the similar MPF problem is proven. MPF function introduced there is defined in finite modified medial platform semigroup and finite power near-semiring. Despite the lack of proof of the NP-completeness of the MPF problem defined here, we can present some links of this MPF with the well-known multivariate quadratic (MQ) problem which is proved to be NP-complete over any field [7]. Let φ: S → Sa is the homomorphism of the semigroup S to the semigroup Sa defined by the introduced new relation b = 1. Then Sa = {1, a, a 2 , a 2 , a 4 } is a cyclic monoid with index 1 and period 4 [20]. The corresponding public matrix denoted by W'. Then the entries of this public matrix W' consist of elements a i , where I ∈ {0, 1, 2, 3, 4} due to relation R1. Analogously, the NSR can be homomorphically transformed to the set of integers Z5 = {0, 1, 2, 3, 4} by introducing the relation ι = 0. Then the matrices X', Y' ← rand(Z5) are generated.
Since Sa is a cyclic semigroup then the discrete logarithm operation dloga with the base a can be applied elementwise to the MPF relation X′ (W′) Y′ = A′. In this case we obtain MQ problem but defined not over the field F5 = {0, 1, 2, 3, 4} (where operations are defined mod 5) since according to relation R1 in (11) the exponents of generator a cannot be reduced mod 5. It seems that the obtained MQ problem represented by matrix equation dloga( X′ (W′) Y′ ) = dloga(A′), is at least no less complex than the "standard" MQ problem. Then, we can make an assumption that MPF introduced in (4), (32), where unknown monomials are in exponents is a candidate for one-way function (OWF).
This assumption is required to prove that the proposed MPF SIP is secure against the eavesdropping attack and to select the values of the security parameters.
Referencing to Assumption 1 and [19], we can formulate the following theorem. Referencing to the relations R1, R2 in (11), the challenge space is exponential with respect to the order m of matrices in MNSR. The cardinality of MNSR is no less than 5 2mm , thus, it is super poly as well. □ It is easily verified that Assumption 1 and Theorem 4 can be applied to sNSR S MPF .
In order to formulate the security against the eavesdropping attack, we need the definition and the proof of the Honest Verifier Zero Knowledge (HVZK) property [19] for MPF SIP. We realized that instead of HVZK of MPF SIP we can prove a rather stronger result denoted as a special HVZK.

Definition 13. Identification protocol is a special HVZK if there exists an efficient probabilistic algorithm called a simulator Sim such that for all possible witness-statement pairs or private and public key pairs (PrK, PuK) the following two conditions hold: 1) the output distribution of Sim on input (PuK, H) is identical to the distribution of transcript of a conversation (C, H, R) between Prover on input (PrK, PuK) and Verifier on input Puk, and 2) for all inputs PuK and H, algorithm Sim always outputs a pair (C, R) such that (C, H, R) is an accepting conversation for PuK.
Following the methodology presented in [19], the following theorem can be formulated.

Theorem 5. MPF SIP protocol is a special HVZK.
Proof. On Sim input R', H' and PuK, the valid commitment C′ = (C0′, C1′, C2′) and corresponding transcript of a conversation (C′, H′, R′) must be generated with identical distribution as (C, H, R) between the Prover and the Verifier. □ Lemma 2. Let W be a public parameter and two pairs of matrices X,Y ← rand(MΓ), X′,Y′ ← rand(MΓ) are generated uniformly at random, then the entries of matrices A = X W Y and A′= X′ W Y′ computed according to (32) are uniformly distributed. = {a, a 2 , a 3 , a 4 }, Sb = {b, b 2 , b 3 , b 4 } and a set of exponents of generators in S denoted earlier by N4 + = {1, 2, 3, 4}. Then exponent function of generator a in Sa provides the following 1-to-1 mapping expa: N4 + → Sa. Since expa is 1-to-1, then for any I ← rand(N4 + ) the value expa (i) = a i will have a uniform random distribution. The same is valid for the function expb: N4 + → Sb. Let expa,a: N4 + × N4 + → Sa is a function defining multiplication of generator a i by generator a j , where i, j ← rand(N4 + ), i.e., expa,a (i, j) = a i a j = a i+j . According to R1 in (11), function expa,a (i, j) provides a 4-to-1 mapping and hence the value a e obtained after the reduction of exponent a i+j using R1 will have a uniform random distribution.

Proof of Lemma. Define two subsemigroups in S, namely Sa
Let us consider the double exponent function expexpa: N4 + × Γ → Sa, where expexpa(i, k) = (a i ) k with I  N4 + , k  Γ. This function provides a 2-to-1 mapping. Let i, k values are random and uniformly distributed, then the value (a i ) k is also random and uniformly distributed. The same is valid for the generator b and for complex exponents ι·i and ι·k. In the latter case complex unit ι simply changes a to b and vice versa.
As a consequence, the mentioned above exponents of generators a, b are random and uniformly distributed.
If we have any word w ∈ S and exponentiate it by i, then after the reduction of exponents corresponding to the generators a and b the uniform distribution of resulting exponents will be obtained. After that the generators are grouped according to the normal form defined in (15) and this grouping simply corresponds to computing expressions of the type a i a j = a i+j . Hence the grouping procedure will not change the uniform distribution. As a result, we obtain uniformly distributed normal form wη in (14).
These results are applied subsequently to the left MPF and right MPF (according to Definitions 1 and 2) to prove the uniform distribution of entries of matrices A and A' being a value of two sided MPF in Definition 3. The proof is performed by induction with respect to the order m of MPF matrices. The first step of induction for m = 1 is proved above.
The Lemma is proved. □ have the same uniform random distribution.
Proof of Lemma. Firstly, we prove that the product of matrices H′X, YH″ has the same uniform random distribution as the product of matrices H^′X′, Y′H^″. Let us consider a scalar case with h′x, yh″ and h^′x′, y′h^″ instead, where h′, h″, h^′, h^″ ∈N4 + and x, y, x′, y′ ∈ Γ. Then the multiplication function is defined by the mapping mulh,x: N4 + × Γ → N4 + which according to Table 2 is 2-to-1. Since multipliers are chosen uniformly at random, then the value mulh, x(h, x) = hx in N4 + is distributed uniformly at random. The same is valid for other terms. Now consider the addition function addu,z: Γ × N4 + → N4 + which according to Table 1 is 2-to-1. Then, since the value z = hx is distributed uniformly at random the value addu, z(u, z) = s is also distributed uniformly at random.
The random and uniform distribution of entries of matrices H′X, YH″ and H^′X′, Y′H^″ can be proved by induction using the uniform and random distribution of values of functions mulh, x and addu, z. Then, the entries of matrices S, T and S′, T′ are distributed uniformly at random as well.
The Lemma is proved. □

Proof.
Proceeding with the proof of the theorem, the response R′ = (S′, T′) must be computed referencing to (34). Then, the following random matrices in MNSR are generated independently: U′, V′ ← rand(MΓ), X′, Y′ ← rand(MΓ According to Theorem 5, the entries of matrices C0′, C1′, have the same uniform distribution as of matrices C0, C1. Since (1) the distribution of S′ W T′ is the same distribution as of S W T , (2) X′ W V′ is uniformly distributed and (3) the computation of matrix C2′ in (39) is based on Hadamar multiplication rule [16] (i.e., elementwise), then the distribution of C2′ is the same as the distribution of C2. Then the commitment C′ = (C0′, C1′, C2′) has the same distribution as C = (C0, C1, C2). It remains to prove that (C′, H′, R′) is an accepting conversation using the following identities.
The theorem is proved. □ Since special HVZK implies HVZK, then according to the Assumption 1 and Theorems 4 and 5, proposed MPF SIP is secure against the direct attack and is HVZK. The Theorem 19.3 in [19] states that if an identification protocol is secure against direct attacks, and is HVZK, then it is secure against eavesdropping attacks. Referencing to this result we have proven the following theorem. Theorem 6. MPF SIP is secure against the eavesdropping attack. Unfortunately, we are not able to prove the security of MPF SIP against an active attack since we have not proved the soundness of MPF SIP. Our construction is based on far more complicated algebraic structures than many traditional identification protocols including Schnorr protocol.

Selection of the Security Parameters and Efficiency Analysis
Since relations R1, R2 are fixed, the security parameter is the order m of matrices defining MPF. Then, according to (32) PrK and PuK matrix relation in the Definition 8 consists of m 2 exponent equations of the type (4). According to the Assumption 1 and the belief that the solution of randomly generated MQ system is hopeless when system consists of n ≥ 80 equations with v ≥ 80 variables [9], it is sensible to choose the number of exponent equations of the type (4) corresponding to the matrix equation (32) to be no less than 80. Then, m can be chosen to be equal to 10, 11, 12. In this case the number of exponent equations is equal to 100, 121, 144 correspondingly. To represent NSR elements of the types t + ι•u + v and t•ι + u + v•ι, where t, u, v ∈ {1, 2, 3, 4} 9 bits are required. Thus, memory requirement for PrK = (X, Y) is 2 × 9 m 2 bits. To represent the word w in S in normal form (15) 6 bits are required. So, PuK = A representation requires 6 m 2 bits.
Effectivity of SIP is related to the left and right MPF value computations in (2)

A
Public key (PuK) matrix and statement in MPF SIP. a, b Generators in modified medial semigroup S. aNSR Anti Near-semiring to the NSR. C = (C0, C1, C2  Upon receiving R = (S, T), Verifier checks if the identity (35) holds: Since in this case the identity (35) is satisfied, the Verifier outputs accept.