On the associativity property of MPF over M16

The objective of this paper is to find a suitable non-commuting algebraic structure to be used as a platform structure in the so-called matrix power function (MPF). We think this is a non-trivial and interesting problem that could be useful for candidate one-way function (OWF) construction with application in cryptography. Since the cornerstone of OWF construction using non-commuting algebraic structures is the satisfiability of certain associativity conditions, we consider one of the possible choices, i.e. the group M16, explore its basic properties and construct templates to use in our future work.


Introduction
MPF is the function that computes the matrix obtained by powering some given matrix by two numerical matrices: one from the left and the other from the right. It is somewhat similar to matrix multiplication by two matrices from the left and right, respectively. The matrix that is powered is named the base matrix, and the matrices that power the base matrix are named power matrices. In general, the base matrix can be defined over the (semi)group S and the power matrices over the (semi)ring R. Base matrices are defined in a certain matrix semigroup M_S and power matrices in a certain matrix semiring M_R.
S is named a platform (semi)group, which, according to the MPF definition, is multiplicative, and R is an exponent (semi)ring. So far, all the matrices in the MPF construction were defined over certain commutative algebraic structures, namely, the base matrix W was defined over the commutative numerical (semi)group S and power matrices X and Y over the commutative numerical ring R. Formally, one-sided MPFs as well as the two-sided MPF (or simply MPF for short) can be defined by the following expressions:
For more information on the MPF and its applications we recommend papers [3,4] and [5]. Here we present the following definition of the MPF problem:
Definition 1. The MPF problem is to find matrices X and Y in (3), when the matrices W and D are given.
In general, MPF is a function
Throughout this paper we use the notation MPF_S^R to denote an MPF over platform semigroup S and exponent semiring R, as well as the corresponding MPF problem defined over these algebraic structures.
It is important to note that recently a successful attempt to solve an MPF problem using linear algebra has been made in [2]. It was shown that in the case of the commuting platform group Z_n, where the composite integer n is a product of two primes, the corresponding MPF problem is solvable in polynomial time if any of the matrices X, Y, U, V has an inverse. The authors also proposed some improvements to fix the flaws found.
Due to this recent attack we focus our research on exploring non-commuting structures for application to MPF as a platform structure. Here we consider one of the possible choices, i.e. the group M16, and discuss its application to cryptography using MPF.

The definition of the group M16 and its basic properties
In their paper the authors of [1] discussed the automatic realization of Galois groups of order 16. They considered ten distinct groups and distinguished seven indecomposable non-commuting groups. One of those seven groups is called the modular group M16 and will be considered in this paper.
The group M16 is defined as follows:
where two generators a and x do not commute and e is a neutral element of the group. Note that the group M16 is non-commuting and hence is not isomorphic to the Cartesian product Z_8 × Z_2. In fact, ax = xa^5 and a^5 x = xa. These equalities follow directly from definition of
Let us write down all the elements of M16:
Hence the cardinality of M16 is |M16| = 16. Note that any element of the form a^p x is represented by a certain element of the form xa^p depending on the parity of p, e.g. a^6 x = xa^6, a^7 x = xa^3. The product of two elements x^α a^k, x^β a^n ∈ M16 is calculated as follows:
The case of β = 0 is trivial. If β = 1, the proof of this formula relies on the identities a^5 x = xa and (a^5)^k = a^{4k} a^k, resulting in an extra summand of 4 if k is odd.
The formula for calculating the exponent of an arbitrary element can be derived from formula (6) and looks as follows:
The inverse element is defined in the following way:
where negative powers of generator a are reduced modulo 8, i.e. −3 ≡ 5 mod 8.
The validity of this formula can be verified by multiplying the corresponding elements in their general form.
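The identities above can be checked mechanically. The following is an added example, not code from the paper: it stores x^α a^k as the pair (α, k) and uses a product rule derived here from ax = xa^5 (the function and variable names are illustrative assumptions).

```python
from itertools import product

# Added example. An element x^alpha * a^k of M16 is stored as the pair (alpha, k),
# with alpha in Z_2 and k in Z_8. The product rule below is derived from ax = xa^5.
E, A, X = (0, 0), (0, 1), (1, 0)          # neutral element and the two generators
ELEMENTS = list(product(range(2), range(8)))

def mul(g, h):
    """(x^al a^k)(x^be a^n) = x^(al+be) a^(5^be * k + n), because a^k x = x a^(5k)."""
    (al, k), (be, n) = g, h
    return ((al + be) % 2, (5 ** be * k + n) % 8)

def power(g, e):
    """g^e for e >= 0 by repeated multiplication."""
    r = E
    for _ in range(e):
        r = mul(r, g)
    return r

def inverse(g):
    """Brute-force inverse; the group has only 16 elements."""
    return next(h for h in ELEMENTS if mul(g, h) == E)

def a_pow_x(p):
    """The element a^p x, rewritten by mul() into the normal form x a^q."""
    return mul(power(A, p), X)

def check_identities():
    """Verify the identities quoted in the text; returns a dict of booleans."""
    return {
        "ax = xa^5": a_pow_x(1) == (1, 5),
        "a^5 x = xa": a_pow_x(5) == (1, 1),
        "a^6 x = xa^6": a_pow_x(6) == (1, 6),
        "a^7 x = xa^3": a_pow_x(7) == (1, 3),
        "a and x do not commute": mul(A, X) != mul(X, A),
        "extra summand 4 iff k odd": all(
            a_pow_x(k) == (1, (k + 4 * (k % 2)) % 8) for k in range(8)),
        "associative": all(
            mul(mul(g, h), t) == mul(g, mul(h, t))
            for g in ELEMENTS for h in ELEMENTS for t in ELEMENTS),
        "every element has an inverse": all(
            mul(inverse(g), g) == E for g in ELEMENTS),
    }

if __name__ == "__main__":
    for name, ok in check_identities().items():
        print(f"{name}: {ok}")
```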
By considering the multiplicative orders of the elements of M16 we can derive an important cyclic subgroup of multiplicative order 8:
The group M16 also has a subgroup of order 8 generated by a. We denote this subgroup by ⟨a⟩. It is clear that each subgroup contains a center C and all other elements have multiplicative order 8. Hence we consider the set
Note that the elements of A do not form a multiplicative group since the closure property is not satisfied. However, since we consider the set A as a subset of the group M16, the latter fact is of no importance to us.

The application of the group M16 to MPF
Using elements of the set A we define a matrix W which has the following form:
We will call this matrix a corner matrix and fix it as the base matrix for the MPF.
It is important to note that for two arbitrary commuting matrices X and U we have:
Furthermore, for two arbitrary matrices Z and Y we have:
Liet. matem. rink. Proc. LMS, Ser. A, 59, 2018, 7-12.
Let us consider the key exchange protocol presented in [4]. We present it here in a general form:
1. Two parties Alice and Bob agree on a commutative platform group G with multiplicative order ord(G) and a public square matrix W with entries randomly selected from G.
2. Alice and Bob agree on two sets of commuting matrices Mat(L) and Mat(R), where L and R are generators of the defined sets. Entries of these matrices are randomly selected from the numerical ring Z_ord(G).
3. Alice selects two matrices X ∈ Mat(L) and Y ∈ Mat(R) as her private key and publishes her public key A = ^X W^Y.
4. Bob selects two matrices U ∈ Mat(L) and V ∈ Mat(R) as his private key and publishes his public key B = ^U W^V.

Using shared information Alice and Bob agree on a common key
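The protocol steps above, run end to end over a small commutative platform group, as an added example that is not code from the paper or from [4]. It assumes the usual two-sided MPF entry formula q_ij = ∏ w_kl^(x_ik·y_lj), assumes the common key is computed as ^X B^Y by Alice and ^U A^V by Bob, and realises Mat(L) and Mat(R) as matrices of the form c0·I + c1·Z; the group Z_23^*, the matrix size and all names are constructed for illustration.

```python
import random

# Added example with constructed toy parameters (far too small for real use).
P = 23            # platform group G = Z_23^* (commutative), assumed for illustration
ORD = P - 1       # ord(G) = 22; power-matrix entries live in Z_22
M = 3             # matrix size

def lin(Z, c0, c1):
    """c0*I + c1*Z mod ORD; matrices built this way from the same Z commute."""
    return [[(c0 * (i == j) + c1 * Z[i][j]) % ORD for j in range(M)]
            for i in range(M)]

def mpf(X, W, Y):
    """Two-sided MPF (assumed entry formula): q_ij = prod_{k,l} w_kl^(x_ik*y_lj)."""
    Q = [[1] * M for _ in range(M)]
    for i in range(M):
        for j in range(M):
            for k in range(M):
                for l in range(M):
                    e = X[i][k] * Y[l][j] % ORD      # exponents reduce mod ord(G)
                    Q[i][j] = Q[i][j] * pow(W[k][l], e, P) % P
    return Q

def key_exchange(seed):
    """Run steps 1-4 and return (Alice's common key, Bob's common key)."""
    rng = random.Random(seed)
    rand = lambda lo, hi: [[rng.randrange(lo, hi) for _ in range(M)]
                           for _ in range(M)]
    c = lambda: rng.randrange(ORD)
    W = rand(1, P)                                   # step 1: public base matrix
    L, R = rand(0, ORD), rand(0, ORD)                # step 2: public generators
    X, Y = lin(L, c(), c()), lin(R, c(), c())        # step 3: Alice's private key
    U, V = lin(L, c(), c()), lin(R, c(), c())        # step 4: Bob's private key
    A, B = mpf(X, W, Y), mpf(U, W, V)                # published public keys
    return mpf(X, B, Y), mpf(U, A, V)                # equal because XU=UX, YV=VY

if __name__ == "__main__":
    k_alice, k_bob = key_exchange(seed=2018)
    print(k_alice == k_bob, k_alice)
```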
Due to the recent attack [2] we aim to switch to a non-commutative platform group M16. Hence we have to modify the initial protocol so that valid key exchange would be possible.
Note that the MPF defined over M16 is neither associative nor one-way associative in the general case, as shown above in (12) and (13). Hence we have to define templates for generation of the base matrix W and all power matrices X, Y, U, V.
We first consider the matrix W and split it into two parts, namely W_x = {x^{α_ij}} and W_a = {a^{k_ij}}. Note that due to the properties of M16 we have α_ij ∈ Z_2 and k_ij ∈ Z_8. Furthermore, looking at the structure of the set A defined by (9) and (10) we see that if α_ij = 1, then k is odd. Hence we choose the powers k_ij of matrix W_a in the following way:
where r_ij and s_ij are random positive integers less than 4 and 8 respectively. The corner matrix W = W_x ⊙ W_a, where ⊙ denotes the Hadamard product of matrices W_x and W_a. This template guarantees that each entry w_ij of matrix W belongs to A.
We now consider the private keys of both parties, i.e. pairs of matrices (X, Y) and (U, V). Since MPF is associative if the platform (semi)group is commutative, one possible choice of private keys is matrices with even entries. More specifically, either matrices X and U or Y and V may contain even entries whereas the other pair of commuting matrices may be chosen freely. Hence we define the following template:
Template 1.
(a) Choose matrix X with even entries and select matrix Y freely;
(b) Choose matrix X freely and select matrix Y with even entries.
However, this trivial approach has a fundamental flaw, i.e. it eliminates all noncommuting elements and hence endangers the security of key exchange.
To define suitable templates we consider the following assumptions:
• We perform actions left-to-right, i.e. public keys are A = (^X W)^Y for Alice and B = (^U W)^V for Bob;
• The entries of public key matrices are commutative.
An important aspect to note is that we aim to remove non-commuting elements after performing the actions, not before as in the case of Template 1. Two other templates are possible:
Template 2. Choose matrix X in such a way that x_i1 + x_im ≡ 0 mod 2. Select commuting matrix Y freely.
Template 3.
1. Select X in such a way that X + T ≡ O mod 2, where T is an arbitrary fixed matrix and O is a zero matrix.
2. Choose matrix Y in such a way that y_1j + y_mj ≡ 0 mod 2.
Both of these templates can be successfully implemented using polynomials, i.e. for an arbitrary fixed matrix T any odd power of this matrix satisfies Template 3.1 and commutes with T itself. Alternatively, any linear combination of odd powers can be used. Furthermore, since 2T ≡ O mod 2, any powers of this matrix may be considered as well.
Another fact to notice is that for an arbitrary fixed matrix Z satisfying Template 2 the polynomial P_n(Z) = 2c_0 I + c_1 Z + c_2 Z^2 + ... + c_n Z^n preserves the desired property. The same is true for Template 3.2.
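The polynomial construction for Template 2 can be checked numerically over Z_8. This is an added example, not code from the paper; the matrix size, the random coefficients and the function names are constructed for illustration, and the last check shows why the constant term has to be 2c_0 I rather than an odd multiple of I.

```python
import random

M, MOD = 3, 8     # matrix size (constructed) and the power ring Z_8 implied by M16

def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(M)) % MOD for j in range(M)]
            for i in range(M)]

def poly(Z, coeffs, const_factor=2):
    """const_factor*c0*I + c1*Z + ... + cn*Z^n over Z_8 (the text uses 2*c0)."""
    R = [[const_factor * coeffs[0] * int(i == j) % MOD for j in range(M)]
         for i in range(M)]
    Zp = Z
    for c in coeffs[1:]:
        R = [[(R[i][j] + c * Zp[i][j]) % MOD for j in range(M)] for i in range(M)]
        Zp = matmul(Zp, Z)
    return R

def satisfies_template2(X):
    """Template 2: x_i1 + x_im is even in every row i."""
    return all((row[0] + row[-1]) % 2 == 0 for row in X)

def random_template2(rng):
    """Random Z over Z_8 whose last column has the parity of its first column."""
    Z = [[rng.randrange(MOD) for _ in range(M)] for _ in range(M)]
    for row in Z:
        row[-1] = 2 * rng.randrange(4) + row[0] % 2
    return Z

def check(seed):
    """Build two private-key candidates from one public Z and test the claims."""
    rng = random.Random(seed)
    Z = random_template2(rng)
    cx = [rng.randrange(MOD) for _ in range(4)]
    cu = [rng.randrange(MOD) for _ in range(4)]
    X, U = poly(Z, cx), poly(Z, cu)
    odd_const = poly(Z, [1] + cx[1:], const_factor=1)   # 1*I instead of 2*c0*I
    return {
        "Z satisfies Template 2": satisfies_template2(Z),
        "X satisfies Template 2": satisfies_template2(X),
        "U satisfies Template 2": satisfies_template2(U),
        "X and U commute": matmul(X, U) == matmul(U, X),
        "odd constant term breaks it": not satisfies_template2(odd_const),
    }

if __name__ == "__main__":
    print(check(seed=16))
```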
Hence we make the following modifications of the initial key exchange protocol:
• On step 1 of the initial protocol Alice and Bob agree on the group M16, which implies the numerical power ring Z_8. Parties also agree on a corner matrix W.
• On step 2 both parties agree on Template 2 or 3 and public matrices M_L and M_R satisfying the chosen template. Private key matrices are calculated using polynomials as specified above.
• On steps 3 and 4 parties calculate public key matrices and the common key by performing operations left-to-right.

Discussions
The future work involves a more detailed study of the latter templates, i.e. exploring the structure of public keys and the common key. Furthermore, it remains an open problem whether both Templates 2 and 3 provide the same security for the key exchange protocol considered in this paper.