1. Introduction
In the virtual world, protection of user identities is extremely important. However, to gain access to some restricted information, the user first has to identify himself. Naive approaches to this procedure, such as a password system, have proven ineffective and insufficient since many people use rather simple and easy-to-remember passwords, and many ways are known to recover them, e.g., dictionary attacks, exhaustive search, or even personal experience. Hence, it may be easy to forge an identity by impersonating someone close, such as a friend or a work colleague. Though there exist a number of techniques to make password recovery harder, it is clear that the lifespan of such systems is short. The sooner these disappear, the safer it will be for us all.
A modern solution to user identification problems is to use protocols designed specifically for such needs. Identification (ID) protocols are executed between two parties: the Prover and the Verifier. The Prover possesses a pair of keys  and  that are related to his/her identity. In ID protocols,  is usually called a witness for the statement . Secure ID protocols are executed as a conversation between the Prover and the Verifier and must satisfy the zero-knowledge proof (ZKP) paradigm, i.e., the Prover proves his identity without revealing , in which case the conversation is accepted. The information available to the Verifier is the Prover’s public key  (the statement) and additional data computed during protocol execution [1].
In this paper, we consider an approach to creating an identification protocol proposed by Schnorr in [2]. His scheme was later named the sigma protocol since its three-step structure resembles the Greek letter . This general structure is shown below in Figure 1. Similarly, the Okamoto protocol [3] or the Chaum–Pedersen protocol [4] can be adapted to obtain working SIPs on their bases.
Evidently, the Verifier has to check if the received response truly identifies the Prover and, if so, grants him access to the restricted content. Therefore the sigma identification protocol (SIP) has to withstand any impersonation attacks.
Direct attacks are fairly easy to handle. These are aimed at the recovery of the private key of the user given his public key. In this way, an attacker can impersonate a legal user by acquiring full access to his personal data. Direct attacks can be avoided by using one-way functions—a concept well-known in modern cryptography.
Eavesdropping impersonation attacks are dealt with by ensuring that an unauthorized user cannot acquire any useful information based on the conversation between the two parties of SIP. In this scenario, the attacker is passive, i.e., he just listens to the conversations without making any efforts to modify them in some way. SIP can withstand this type of attack if it can be viewed as a zero-knowledge proof, i.e., any Prover who can identify himself knows some private information (namely the secret key k) that is linked to his physical identity.
An active impersonation attacker tries to gain valuable information from conversations by carefully selecting challenges and responses in such a way that he could produce an acceptable conversation without having to acquire the user’s private key. In this case, both parties of the SIP are protected by the knowledge soundness property, i.e., a malicious user can be identified using two acceptable conversations with identical commitments.
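As an added example that is not part of the original paper, the following Python code implements the three-step sigma protocol of Figure 1 in its classic Schnorr form over a constructed toy group (p = 23, q = 11, g = 2; these sizes are for illustration only). Besides the honest run it includes the special-HVZK simulator, which shows why a passive eavesdropper learns nothing from recorded conversations, and the knowledge extractor, which shows why two accepting conversations with identical commitments and distinct challenges expose the witness. All parameter values and function names are the example's own assumptions.

```python
"""Schnorr sigma identification protocol, special-HVZK simulator and knowledge
extractor.  Added example, not the paper's code; toy parameters are constructed."""
import secrets

# Constructed toy parameters: q = 11 divides p - 1 = 22 and g = 2 has order 11 mod 23.
P, Q, G = 23, 11, 2


def keygen(x=None):
    """Private key x in Z_q (the witness) and public key h = g^x mod p (the statement)."""
    if x is None:
        x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def prover_commit(r=None):
    """Step 1: the Prover picks a random r and sends the commitment t = g^r."""
    if r is None:
        r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def verifier_challenge():
    """Step 2: an honest Verifier picks the challenge uniformly from Z_q."""
    return secrets.randbelow(Q)


def prover_respond(x, r, c):
    """Step 3: the response z = r + c*x mod q."""
    return (r + c * x) % Q


def verify(h, t, c, z):
    """The Verifier accepts (t, c, z) iff g^z == t * h^c mod p."""
    return pow(G, z, P) == (t * pow(h, c, P)) % P


def simulate(h, c=None, z=None):
    """Special-HVZK simulator: given only the statement h and a challenge c,
    choose z first and solve for t = g^z * h^(-c).  The output is an accepting
    conversation distributed exactly like a real one, without any witness."""
    if c is None:
        c = secrets.randbelow(Q)
    if z is None:
        z = secrets.randbelow(Q)
    t = (pow(G, z, P) * pow(pow(h, c, P), -1, P)) % P
    return t, c, z


def extract(conv1, conv2):
    """Knowledge extractor: two accepting conversations with the same commitment
    and distinct challenges give the witness x = (z - z') / (c - c') mod q."""
    t1, c1, z1 = conv1
    t2, c2, z2 = conv2
    if t1 != t2 or c1 == c2:
        raise ValueError("need identical commitments and distinct challenges")
    return ((z1 - z2) * pow((c1 - c2) % Q, -1, Q)) % Q


def run_honest(x, r, c):
    """One honest run with fixed randomness; returns (h, (t, c, z), accepted)."""
    _, h = keygen(x)
    _, t = prover_commit(r)
    z = prover_respond(x, r, c)
    return h, (t, c, z), verify(h, t, c, z)
```

With x = 7 and commitment randomness r = 3, the challenge c = 5 yields the accepting conversation (8, 5, 5); replaying the same r with challenge c = 2 yields (8, 2, 6), and `extract` recovers x = 7 from the pair. This is exactly why a Prover must never reuse commitment randomness, and why reusing it is what a knowledge extractor (or an attacker who observes such a reuse) relies on.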
The sigma protocol is a concept well-known to the cryptographic community. Though the Schnorr sigma protocol is the most classic example, other similar protocols have been proposed. Several examples can be found in [5], where Beullens considered sigma protocols with a helper and used the Fiat–Shamir transform to obtain signature schemes. Furthermore, in his paper, Beullens analyses zero-knowledge-based post-quantum signatures and mentions the permuted kernel problem (PKP), which requires finding an unknown permutation such that the permuted vector  is in the null space of the linear operator  given that  and  are known. This problem, together with the considered signature scheme, was proposed by Shamir in [6] and is known to be NP-hard. To our knowledge, it is the closest scheme to our proposition (at least in the sense that it relies on a problem defined for linear operators).
The drawback of the Shamir approach is its knowledge soundness property, which necessitates a large number of parallel rounds to obtain a secure signature [5]. Our approach to constructing a working SIP involves matrix operations as well. However, as opposed to the schemes considered in [5], we expect a significantly better result regarding the soundness property of our SIP.
The traditional approach to SIP construction makes use of a discrete exponent function over a large finite ring of integers. Examples of such protocols were proposed by Schnorr in [2], Okamoto in [3], and Chaum and Pedersen in [4]. The security of such protocols relies on the discrete logarithm problem (DLP). However, our research is based on the assumption that the DLP can be solved effectively, since we use matrix operations. Since these operations can be executed by using reasonably small multiplication and exponentiation tables, we gain a significant boost in performance as compared to the traditional approach. Furthermore, the security of the SIP proposed in this paper relies on a different phenomenon, namely the complexity of inverting the so-called matrix power function (MPF). It was previously proven in [7] that this problem is NP-complete. We think that, at the very least, this can be considered evidence that our proposal is resistant to quantum cryptanalysis. This comes from the assumption that NP-complete problems are hard to crack even for quantum computers. It is important to note that we used the same templates defined in [8]. Notably, the DLP does not provide sufficient security against quantum cryptanalysis.
In this paper, we continue our research in the field of non-commuting asymmetric cryptography. Recently, we demonstrated how two users can agree on a shared key by executing a key exchange protocol based on the MPF defined over a non-commuting platform group [8]. There we used a highly non-linear matrix mapping, where the entries of the base matrix were chosen from a non-commuting modular group of size 16. We revise the definitions of this mapping and the so-called group  as well as their basic properties in greater detail in the upcoming Section 2. Notably, there we define templates for the base matrix and the power matrices in such a way that key exchange would be successful despite the lack of some important properties of the MPF.
Our previous attempt to construct a SIP using the MPF defined over a non-commuting semigroup was presented in [9]. There, the MPF was defined over the non-commuting medial semigroup, which, by nature, is almost commuting. This property implies that the main MPF identity necessary to construct a SIP is valid together with the two-sided associativity of the MPF [9]. In that paper, we showed that the proposed SIP is resistant to passive impersonation attacks by demonstrating that our protocol is special honest-Verifier zero-knowledge.
Things go differently and are more complicated if we consider inherently non-commuting platform groups or semigroups. In this case, we lose two-sided associativity, but in doing so, we increase the expected security. The problem was solved by defining the sets of commuting matrices for the private key () and commitment matrices generation. This is precisely the idea we used previously to construct a working key exchange between Alice and Bob. Further examination of the properties of the MPF defined over  has shown that the templates presented in [8] are suitable for our current goals. Hence, in this paper, we present a SIP based on the MPF defined over the non-commuting group . Due to the result proven in [7], we expect that our proposal belongs to the field of post-quantum cryptography.
As we have mentioned, in Section 2, we revise the mathematical background used in this paper. After that, we present the main object of this paper, a working SIP based on the MPF, in Section 3. In Section 4, we consider the resistance of our SIP to the impersonation attacks described above. Lastly, we present our conclusions at the end of the paper.
2. Mathematical Background
The main mapping used in our research is the MPF. In some sense, this mapping is a generalization of exponentiation operation defined for matrices. Interestingly enough, it also resembles regular matrix multiplication with slightly changed operations.
Let us revise the basic definitions related to the MPF. To start with, let us denote by  a multiplicative semigroup with the maximal order of its elements denoted by . Hence, we have:

where 1 is the unit of . We call  a platform semigroup. Moreover, we refer to the ring of integers  as the power ring.
We now define the sets of  square matrices by  and , indicating that the entries of the matrices are in the specified set. Then, we can formally define the left-sided MPF as a mapping  denoted as follows:

where  is called the base matrix and is a parameter of the left-sided MPF,  is called the power matrix and is the argument of the left-sided MPF, and  is called the matrix exponent and is the value of the left-sided MPF. Entries of the latter matrix are calculated as follows:

Similarly, we can define the right-sided MPF as a mapping  denoted as follows:

where  is the value of the right-sided MPF, with entries obtained in the following way:

Consequently, the two-sided MPF (or MPF for short) can be defined if the order of matrix exponentiation (in the sense of the left-sided and right-sided MPFs) does not matter, in which case we have:

where the entries of the matrix exponent  are calculated in the following way:
It has been proven previously in [10] that the two-sided MPF can always be defined if the platform semigroup  is commuting, due to the following property:

Assuming that the MPF is a conjectured one-way function (OWF) [11], matrix  is regarded as a public parameter, matrices  as the private key , and matrix  as the public key .
However, in general, the associativity property (4) does not hold if the platform semigroup is non-commuting, which is exactly the case of our study in this paper. Hence, in general, the order of actions has to be specified by the brackets. Furthermore, since the defined MPFs are quite similar, we refer to all three of them as MPFs, since it is obvious from the presented expressions which one of the three mappings we refer to.
Previously in our research, we mostly used commuting platform semigroups . However, it was later pointed out by the authors of [12] that the cryptographic protocols presented in [13,14] were vulnerable to an attack based on linear algebra. One of the ideas the authors of [12] proposed is that non-commuting algebraic structures could be used as a platform for the MPF.
Partly due to this reason (although there were other reasons, too), we began a search for suitable non-commuting algebraic groups to be used in our research. One such group was mentioned in [15] and drew our attention due to its simplicity. The modular group  is just one of a family of groups of this type. Larger groups with essentially the same structure can be found in [16,17]. In this paper, we consider only the group , leaving the other ones for future work.
Notably, the authors of [15] mentioned the group  as one of the seven indecomposable groups of size 16, meaning that it is not isomorphic to any product of lower-order groups. The general representation of this group is given below:

where a and b are two non-commuting generators of the group . It can be shown that the cardinality of this group is 16, which is indicated by the index. Basic operations in  were explored in [18]. There, we also showed that each element of the considered group can be written in the form , where  and . We use this representation throughout the paper. However, to shorten this paper, we omit explicit formulas for the basic operations in . These can be found in [18].
Since  is a non-commuting group, the associativity property (4) fails, along with the following properties of the one-sided MPFs, which hold for a commuting semigroup :

To overcome the absence of these properties in [8], we defined templates for the base matrix  and both power matrices  and . We revise these templates in the next section to keep everything in one place.
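The following Python code is an added example, not code from the paper. It implements the left-sided and right-sided MPF over two platforms, the commuting group Z_17^* and the non-commuting modular group of order 16, and checks property (4) on both. The entry formulas (left-sided: product over k of w_kj^{x_ik}; right-sided: product over k of w_ik^{y_kj}; products taken in increasing k) and the presentation of the modular group (generators a, b with a^8 = b^2 = 1 and b a = a^5 b, every element written as a^i b^j with i in Z_8 and j in Z_2) are the standard ones from the MPF literature and are assumptions of this example, since the page's own formulas (1)–(5) are not reproduced here. The random trials use constructed inputs with a fixed seed.

```python
"""Left-, right- and two-sided MPF over a commuting and a non-commuting platform.
Added example (not the paper's code); entry formulas and the M16 presentation
are assumptions stated in the lead-in."""
import random


class ModMult:
    """Platform 1 (constructed): Z_p^* for a prime p, commuting, exponent n = p - 1."""
    def __init__(self, p):
        self.p, self.n = p, p - 1           # n = maximal element order = power ring modulus
    def one(self): return 1
    def mul(self, g, h): return g * h % self.p
    def pow(self, g, e): return pow(g, e % self.n, self.p)
    def rand(self, rng): return rng.randrange(1, self.p)


class M16:
    """Platform 2: modular group of order 16; the pair (i, j) stands for a^i b^j."""
    n = 8                                    # maximal element order (a has order 8)
    def one(self): return (0, 0)
    def mul(self, g, h):
        # Assumed relation b a = a^5 b gives a^i b^j * a^k b^l = a^(i + 5^j k) b^(j + l).
        (i, j), (k, l) = g, h
        return ((i + pow(5, j) * k) % 8, (j + l) % 2)
    def pow(self, g, e):
        r = self.one()
        for _ in range(e % self.n):
            r = self.mul(r, g)
        return r
    def rand(self, rng): return (rng.randrange(8), rng.randrange(2))
    def elements(self): return [(i, j) for i in range(8) for j in range(2)]
    def order(self, g):
        k, r = 1, g
        while r != self.one():
            r, k = self.mul(r, g), k + 1
        return k


def left_mpf(grp, X, W):
    """^X W: entry (i, j) is the ordered product over k of W[k][j] ^ X[i][k]."""
    m = len(W)
    E = [[grp.one()] * m for _ in range(m)]
    for i in range(m):
        for j in range(m):
            for k in range(m):
                E[i][j] = grp.mul(E[i][j], grp.pow(W[k][j], X[i][k]))
    return E


def right_mpf(grp, W, Y):
    """W^Y: entry (i, j) is the ordered product over k of W[i][k] ^ Y[k][j]."""
    m = len(W)
    E = [[grp.one()] * m for _ in range(m)]
    for i in range(m):
        for j in range(m):
            for k in range(m):
                E[i][j] = grp.mul(E[i][j], grp.pow(W[i][k], Y[k][j]))
    return E


def two_sided_agrees(grp, X, W, Y):
    """Property (4): (^X W)^Y == ^X (W^Y), i.e. the two-sided MPF is well defined."""
    return right_mpf(grp, left_mpf(grp, X, W), Y) == left_mpf(grp, X, right_mpf(grp, W, Y))


def count_agreements(grp, m, trials, seed):
    """Number of seeded random (W, X, Y) triples for which property (4) holds."""
    rng, hits = random.Random(seed), 0
    for _ in range(trials):
        W = [[grp.rand(rng) for _ in range(m)] for _ in range(m)]
        X = [[rng.randrange(grp.n) for _ in range(m)] for _ in range(m)]
        Y = [[rng.randrange(grp.n) for _ in range(m)] for _ in range(m)]
        hits += two_sided_agrees(grp, X, W, Y)
    return hits


def m16_counterexample():
    """Hand-checked failure of (4) over M16 with W = [[1, a], [b, 1]] and X = Y = all ones:
    entry (0, 0) is b*a = a^5 b on one side and a*b on the other."""
    g, a, b = M16(), (1, 0), (0, 1)
    W, X = [[g.one(), a], [b, g.one()]], [[1, 1], [1, 1]]
    lhs = right_mpf(g, left_mpf(g, X, W), X)
    rhs = left_mpf(g, X, right_mpf(g, W, X))
    return lhs[0][0], rhs[0][0]


def m16_facts():
    """(group size, maximal element order) of M16, expected (16, 8)."""
    g = M16()
    els = g.elements()
    return len(els), max(g.order(e) for e in els)
```

Over Z_17^* every seeded trial satisfies (4), so the bracketing of the two-sided MPF can be dropped; over M16 the hand-checked triple already breaks it, which is why the paper has to fix the order of actions with brackets and restrict power matrices to templates. `m16_facts` also confirms the two numbers the text relies on: the group has 16 elements and its maximal element order is 8, a composite number.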
3. Sigma Identification Protocol
Our first attempt to present a working SIP based on the MPF was made in [9]. Though it was a rather successful idea, our proposal lacked the proof of the knowledge soundness property. Essentially, it states that given an input statement and two accepting conversations with distinct commitments, it is always possible to extract a witness for the given statement [1]. Since the multiplicative order of  is equal to 8, which is a composite number, we cannot achieve knowledge soundness in the sense of the presented definition. However, in this paper, we prove an important proposition, which demonstrates that it is possible to achieve a slightly weaker asymptotic result concerning this notion.
In this paper, we use the modular group  to establish a SIP. Using elements of this group, we define the template for the matrix  in the following way:

where the values of  can be chosen randomly from the ring .
Furthermore, let us define two additional matrices,  and , satisfying the following templates:
Due to the lack of the associativity property (4) in the general case, the purpose of the presented templates is to ensure that the SIP is valid. In other words, if these templates are neglected, then the correctness of the protocol fails, i.e., the Prover and the Verifier are not capable of producing an accepting conversation. The reason behind this is the non-commutative nature of the platform group . This nature is represented by the extra summands appearing when performing operations with the elements of  due to the identity . The purpose of the templates is to control these extra summands.
Publicly fixed parameters are the modular group , the ring of integers , and the order of the square matrices m. Matrix  is chosen randomly according to the presented template (6) and is published online. Moreover, public matrices  and , satisfying templates (7) and (8), respectively, are chosen.
The Prover generates his data: a private key , where  can be expressed as polynomials of  and , respectively, and a public key . More specifically, we have:

We define the public key  of the Prover using the one-sided MPFs denoted by  and . Note that since the order of actions has to be taken into consideration, the parameter of the left-sided MPF is the publicly known matrix , whereas the parameter of the right-sided MPF is the matrix  and is not visible online. As mentioned previously, matrices , whereas . Hence, the  is calculated in the following way:
In the concept of an ID protocol, the pair  is a witness for the statement . Further, private matrices  and  commute with  and , respectively.
Assume that the Prover desires to prove his identity to the Verifier without revealing it. He initiates the following three-step communication:
- The Prover picks at random two coefficient vectors  and  and computes matrices  as polynomials of  and , i.e.,
- Using these matrices, he calculates a commitment as the following triplet :
- The Verifier generates a challenge in the form of , where . Here, we use the convenient notations  and  to denote the linear spans of the first  powers of  and , respectively. He sends the challenge  to the Prover.
- The Prover responds by computing a vector , where:
- The response  is sent to the Verifier.
The Verifier accepts if the following identity is valid:
Interestingly enough, the order of actions on the right-hand side of identity (15) does not matter since all the base matrices (i.e., s and ) consist of commuting entries.
Note also that the Prover uses parts of his private key to compute the commitment . This fact distinguishes our scheme from others, e.g., Schnorr or Okamoto sigma protocols.
The validity of the presented protocol relies on the following facts:
- Fact 1. The defined templates (7) and (8) are preserved for the polynomial structure (9)–(13) of the power matrices .
- Fact 2. Due to template (7), the intermediate result of raising  to the matrix power on the left has an identical distribution of the generator b. In other words, the locations of this generator in the intermediate result are constant for all matrices in the set .
- Fact 3. Due to template (8), the matrix exponent has commuting entries contained in the set .
- Fact 4. All the left power matrices commute. The same is true for the right power matrices.
Due to the presented facts, the following identity holds:
Notably, the latter identity resembles a similar property of MPF if the platform group is commuting. However, in our case, the order of actions has to be taken into consideration. Nevertheless, due to Facts 2 and 3, we can perform actions with power matrices on both sides, such as collecting or distributing through terms as if the platform group was commuting, as long as we stick to the defined templates. For these reasons we have:
It is also important to note that public key generation is one-way under the assumption that MPF is a candidate OWF. The two major facts supporting our assumption are:
- All the matrices defined over the ring  satisfying templates (7) and (8) are not invertible modulo 2, and hence, the same is true for modulo 8; 
- Since  is indecomposable, the discrete logarithm mapping or any kind of its analog cannot be defined for the elements of this group. 
It is important to note that these two facts are also the key factors that protect our protocol from the attack presented in [12]. In other words, the presented facts prevent the transformation of Equation (11) to a linear form, thus protecting both the Prover and the Verifier.
Notably, it is possible to define the discrete logarithm function for s and . However, by that point, the non-commutative nature of  has been lost, and hence, this fact cannot be used for cryptanalysis of our protocol. Moreover, since during the verification process the value of  is unknown, there are too many variables to deal with despite the fact that a discrete logarithm can be applied to the expression .
Combined, these facts protect both protocol parties from the approach presented in [12]. Moreover, in [7], we proved the NP-completeness of an MPF problem defined over  with precisely the setup for power matrices described in this paper. Interestingly enough, the lack of invertible matrices was greatly beneficial in that proof.
4. Security against Eavesdropping and Active Adversaries
One-wayness of the MPF ensures that our proposal can withstand direct attacks, i.e., the secret key  cannot be extracted from the public key .
However, to resist other possible attacks on our sigma protocol, we have to establish other important properties. First, we consider the special honest-Verifier zero-knowledge (HVZK) property described explicitly in [1].
Theorem 1. The MPF-based Sigma protocol presented above is a special HVZK.
Proof. The simulator takes as input the public key  and the challenge , where  and . Furthermore, it generates the response vector  by uniformly selecting matrices  and . Using this information, the simulator computes the commitment vector as follows:

The output is an accepting conversation  for the public key , since

as desired.
Notably, in our previous paper [8], we considered the distribution of the entries of the matrix exponent . There we showed that for power matrices  and  uniformly chosen from  and , this distribution is asymptotically uniform. Correcting a small issue in that proof, we claim that the obtained distribution is, in fact, uniform, since in the last step there is no longer a need to apply limits. Hence, we have identical results for the simulator and the parties of the protocol.    □
Secondly, we consider the knowledge soundness property of our scheme. We begin by establishing a one-to-one link between the pairs  and . We base our proof on the following property of the MPF:
The proof of this property in the case of a commuting platform semigroup follows immediately from the definition of the MPF. Hence, the solutions of Equation (11) come from the set of proportional matrices , where  and  are publicly known and  is some solution of (11). An essential fact is that these are the only solutions given that the platform group is  and the power ring is , where p is a prime.
Notably, since multiplying by a coefficient preserves the defined templates of the matrices, the property (17) holds for the non-commuting platform group  as well. In fact, since in our case  for all odd values of , the presented family of solutions consists of 4 distinct pairs. Evidently, all s in these pairs also commute with matrix , whereas all s commute with matrix . Due to the fact that as of now we cannot prove the absence of other solutions of (11) in the case of non-commuting platform group , we introduce the following heuristic:
Heuristic 1. All the solutions  of Equation (11) with respect to  satisfying the commutativity constraints can be written as follows:where α is an odd element of .  Relying on the presented heuristic, we prove the following lemma:
Lemma 1 (Private key alternative). Assume that the private key  is fixed and the Heuristic 1 holds. Then, there is a unique pair  such that  and , which corresponds to the fixed commitment vector .
 Proof.  Let us consider the system of Equation (14). Then due to the presented heuristic, we have the following families of solutions for each of the presented equations (if we consider them individually): ,  and . However, since the private key can be expressed as  and , all three presented families of solutions intersect at , , and . Hence, the pair of matrices  corresponds to a secret pair . Evidently, this pair is unique, which completes the proof.    □
 Consider the following system of matrix relations:
Note that this system is symmetric, i.e., by switching the pairs  and , we obtain the following result:
Due to this symmetry, Lemma 1 also works in the reverse direction. Hence, we have:
Lemma 2. Assume that the pair of matrices  such that  and  is fixed and the Heuristic 1 holds. Then there is a unique pair  such that  and , which corresponds to the fixed commitment vector , where , and a fixed public key .
 The proof of this lemma is similar to the one presented above. Evidently, we only consider such fixed matrices in Lemmas 1 and 2, where at least one set  satisfying all four relations exists in the first place.
These lemmas establish a one-to-one link between the private key and matrices  provided that four relations (18) are fixed. This link can be summarized by the following corollary of Lemmas 1 and 2:
Corollary 1. Let the commitment vector  and safe public key  be fixed. Assume also that Heuristic 1 holds. Then the number of pairs  resulting in the commitment  is equal to the number of solutions of the Equation (11).
 Relying on the latter corollary and our assumption regarding the solutions of (11), we can see that there are exactly four quadruples  that give us the same values of  and all s.
Before we consider the property of knowledge soundness, let us denote the binary matrices obtained by reducing all the power matrices modulo 2 by a lower index ⊕, i.e., , etc. Note that this affects template (8) so that the matrix  contains a c-th row of zeros. Additionally, for simplicity, we assume that the initial matrices  and  are contained in the representations of  and  with odd coefficients, i.e.,

where  and  are odd.
We now prove the following result:
Theorem 2. Assume we have two accepting conversations  and  for the same public key . Assume also that Heuristic 1 holds. Then the witness  can be extracted with probability .
Proof. Due to Lemma 1, matrices  and  are unique, and hence, we can perform the following calculations:

Denoting , , , , we obtain the following matrix equations defined over the ring :

However, all the matrices in the presented equations are contained in the appropriate linear spans  or . Hence, they can be expressed as linear combinations of the public matrices  of . Let us first focus on the right-hand sides of Equation (21). We have:

where  and  are the coefficients of the polynomial representations of matrices  and , respectively. Evidently,  are the coefficients of the polynomial representations of matrices , respectively. Expanding the obtained expressions, we get the following double sums:

We can now collect like terms and obtain the  temporary matrix of coefficients, where the i-th row corresponds to the coefficient of  (or ) and the j-th column corresponds to the coefficient of  (or ). For simplicity, we consider only the first double sum. Denoting this temporary matrix by , we have:
The key moment in this proof is the rank of matrix . It is important to note that if at least one of , then the rank of binary matrix  is equal to , i.e.,  is a full rank matrix.
However, since the basis of the linear span  consists of the first  powers of matrix , each subsequent power of  can be represented by a linear combination of the basis matrices. Then, we can use row additions to transform the temporary matrix  to obtain a square matrix of coefficients  for the following system of linear equations:

where  consists of the first  rows of the transformed matrix . Then, due to assumption (19),  is a full rank matrix, and hence,  is a full rank matrix as well. For this reason, both equations in (21) can be solved in polynomial time, and the witness  can be restored.
Lastly, we note that if  or  for all , then  is a zero matrix, and hence, the witness  cannot be restored. The probability of this happening is  for each matrix  and . It is now easy to show using basic laws that the probability of successful restoration is .    □
 For the reader to better understand the essential moment of the latter proof, let us consider a toy example.
Example 1. Let us assume that . Furthermore, let public matrix  be chosen such that . Then, the temporary matrix  for restoring  is: Limiting ourselves to the binary matrix  to suppress coefficients and observing that:we can perform the following transformations of the matrix : Hence, the binary matrix  has the following form: The matrix  has a similar structure. The only difference is that extra coefficients from elementary row operations may appear.
Despite the fact that the obtained result is weaker than the original definition of knowledge soundness, we view it as a good alternative since the probability of success tends to  remarkably fast. Specifically, if , it surpasses , and for , it approximately equals . Moreover, even if, say, , the hopes of restoring a witness are not completely lost since the following cancellation is possible:

and one can hopefully restore the matrix  modulo 4. However, to restore the original matrix in this case, the witness extractor needs to browse through a set of possible values of  until one finds the correct value of . This comes from the fact that the solution of (21) is not unique. In fact, the parity-defining bits of  are lost, and the witness extractor needs more time to restore them. As such, the witness extractor becomes inefficient. For the sake of the original notion, we based our proof on the assumption that the witness extractor is efficient.
Now we consider the resistance of our sigma identification protocol against eavesdropping and active attacks. Our proofs are inspired by the approach presented in [1], which relies on the notions of special HVZK and knowledge soundness. Specifically, we consider Attack Games 18.1–18.3 and Theorems 19.15 and 19.22.
Theorem 3. MPF-based SIP presented above is secure against eavesdropping attacks.
Proof. Let  be an eavesdropping attacker. He can request a maximum of  conversations between the Prover and the Verifier. This number comes from counting all the possible pairs of matrices . Then, due to Lemma 1, all the commitments are distinct, and the identity of the legitimate user cannot be obtained, as shown in the proof of Theorem 2. Moreover, since the proposed SIP is special HVZK, the received queries have identical distributions, i.e., they are all equally likely. Hence, to impersonate another user, the adversary has to find a solution to Equation (11) under the setup presented in this paper. However, this is an NP-complete problem, as shown in our previous paper [7]. Furthermore, based on Theorem 19.15 and Attack Games 18.1 and 18.2 of [1], we can see that any adversary who can successfully impersonate a legitimate user can also efficiently perform a direct attack on our SIP. For these reasons, any impersonation attempts of  result in failure.    □
 As we have shown, the initial notion of knowledge soundness is not satisfied in our case. However, due to the negligibly small knowledge error, this fact does not affect the following result:
Theorem 4. MPF-based SIP presented above is secure against active attacks.
 Proof.  Let  be an active attacker whose goal is to impersonate a legal user by generating an accepting conversation without knowing the private key .
The adversary  interacts with a challenger, who plays the role of a Prover and sends his public key  defined by (11) to the adversary while keeping  for himself. An attacker  now plays the role of the Verifier and, hence, can generate challenge  as he desires. However, due to the fact that  is not in control of the generation of  and , he fails to gain any information from this active probing phase due to Theorem 1. Note that since the attacker  can choose  at his will, he can control knowledge soundness and hence make the private key of the challenger unrestorable, as mentioned in our previous proof. However, this is not his goal, since he was only able to hide the challenger’s ID rather than learning how to impersonate him. Notably,  can interact with more than one challenger at this stage.
After the active probing phase, the challenger and the attacker switch places: now the challenger is the Verifier, whereas the attacker plays the role of the Prover, except for the lack of a private key . However, due to the one-wayness of MPF mapping, the adversary  cannot recover  from the public key . For this reason, he cannot generate a working conversation, since by using a random pair of matrices  and , the protocol falls apart during the verification phase, i.e., checking the validity of (15).
Another important fact is that the Verifier is now in control of challenges . Due to the presented probability of success, an honest Verifier can generate the challenge simply by picking the coefficients  and  at random. By doing so, he is almost always able to identify a suspicious user should the need arise.
In other words, if  is able to impersonate a legitimate user, then he is able to solve an NP-complete problem, as proven in [7]. Moreover, if  uses his own private and public keys, the challenger is able to identify him with probability .    □
To sum up the findings presented in this section, our proposal can withstand both eavesdropping and active attacks. Moreover, due to the negligibly small knowledge error, our protocol does not require a large number of parallel rounds to achieve a NIST security level, as opposed to Shamir’s approach presented in [6].