**1. Introduction**

In this paper a new paradigm for the so-called Sigma Identification Protocol (SIP) based on the authors' earlier proposed new candidate for one-way function (OWF) is presented. In general, Sigma protocols are three-round protocols similar to the wellknown Schnorr identification protocol. They are typically used as sub-protocols in more complicated settings and for more advanced use. For example, Sigma protocols can easily be transformed into corresponding identification and signature schemes. Another application is to design protocols that allow one party to prove to another that certain facts are true (without revealing private information). For example, to prove that encrypted value *V* lies in a certain range without revealing any other information about *V*. Sigma protocols can be combined to make new Sigma protocols. For example, in the ANDproof construction, a Prover can convince a Verifier that he knows witnesses for a pair of statements. In the OR-proof construction, a Prover can convince a Verifier that he knows witnesses for one of two statements. These examples convince us that the development of Sigma protocols based on new paradigms is promising.

The construction of cryptographic primitives based on matrix power function (MPF) belongs to the field of so called non-commuting cryptography [1], [2]. The development of non-commuting cryptography is important due to the need to replace traditional cryptographic methods vulnerable to quantum cryptanalysis. Peter W. Shor has proposed the polynomial-time quantum cryptanalysis [3] for the traditional cryptographic primitives such as Diffie—Hellman key exchange protocol, RSA and ElGamal cryptosystems, Digital signature algorithm (DSA) and Elliptic Curve DSA (ECDSA).

One of the promising trends is the creation of OWFs, the security of which relies on the NP-hard problems [4]. Thus far, there are no known effective quantum cryptanalytic algorithms solving NP-hard problems; therefore, this cryptographic trend is a significant part of the so-called post-quantum cryptography [5]. One of the trends to create cryptographic primitives that can resist quantum cryptanalysis attacks is lattice-based cryptography [6]

and hidden field equations (HFE) based cryptosystems [7–10]. Despite some cryptanalytic attacks on the HFE cryptosystem [8,9], this trend is viewed as promising [10].

MPF is somewhat related to the multivariate polynomials used in HFE cryptosystems since the complexity of so called MPF problem and the NP-completeness of this problem is proved using polynomial-time reduction of multivariate quadratic (MQ) problem [7]. Referencing [11] it is proved that certain kinds of MPF problems are NP-complete as well [12,13].

In this paper the novel MPF based sigma identification protocol (SIP) is presented using several specifically selected algebraic structures introduced in [14]. The concept of abstract MPF as well as main definitions for the construction of SIP are given in Section 2. The algebraic structures for the construction of MPF are defined in Section 3. MPF SIP is presented in Section 4. The security of MPF SIP against eavesdropping attacks is proven in Section 5. In Section 6, the selection of security parameters as well as the efficiency analysis are presented. The discussions and conclusions are presented in Section 7. The table of notations used in this paper as well as the numerical example are displayed in the Abbreviations and Appendix A, respectively.

#### **2. The Construction of the Abstract Matrix Power Function**

In this section, the matrix power function (MPF) is constructed in an abstract form without specifying exact algebraic structures that will be introduced in subsequent sections. Let *X* = {*xil*}, *W* = {*wlj*} and *Y =* {*yjk*} be *m* × *m* matrices over some semiring, and indices *i, j, k*, *l* ∈ *Im* = {1, 2, ... , *m*}. Multiplying matrix *W* by matrix *X* from the left and by matrix *Y* from the right yields a new matrix *Q* = {*qik*}.

$$XWY = Q; \sum\_{j=1}^{m} \sum\_{l=1}^{m} x\_{il} w\_{lj} y\_{jk} = q\_{ik}; i\_{\prime}, j, k, l \in I\_m. \tag{1}$$

Let *S* be some multiplicative semigroup and *R* some numerical semiring. In the case that MPF *S* is named a platform semigroup and *R* an exponent semiring. The exponent semiring of natural numbers with zero is denoted by *N*0 = {0, 1, 2, ... }. The corresponding semigroup of matrices defined over *S* is denoted by *MS* and the semiring of power matrices defined over *R* is denoted by *MR*. Then, using an analogy with the matrix multiplication defined in (1), the left MPF, the right MPF and the left-right or simply MPF are introduced for *X*, *Y* ∈ *MR*, *xil*, *yjk* ∈ *R* and for *W* ∈ *MS*, *wlj* ∈ *S* as follows.

**Definition 1.** *The left MPF corresponding to the matrix W powered by matrix X from the left with the MPF value equal to the matrix C = {cij} has the following form:*

$${}^{\mathcal{K}}\mathcal{W} = \mathcal{C} \quad \mathfrak{c}\_{l\bar{j}} = \prod\_{l=1}^{m} w\_{l\bar{j}} {}^{x\_{il}}.\tag{2}$$

**Definition 2.** *The right MPF corresponding to the matrix W powered by matrix Y from the right with the MPF value equal to the matrix D = {dlk} has the following form:*

$$\mathcal{W}^Y = D \quad d\_{lk} = \prod\_{j=1}^{m} w\_{lj}^{\mathcal{Y}\_{jk}}.\tag{3}$$

**Definition 3.** *The left-right, or simply MPF corresponds to the matrix W powered by matrix X from the left and by matrix Y from the right with the MPF value equal to the matrix Q = {qik} and is expressed in the following way:*

$${}^{X}\mathcal{W}^{Y} = A\_{\prime} \quad a\_{ik} = \prod\_{j=1}^{m} \prod\_{l=1}^{m} w\_{lj}^{x\_{il} \cdot y\_{jk}}; i, j, k, l \in I^{(m)}. \tag{4}$$

The MPF definition is related to the following associativity identities.

**Definition 4.** *MPF is one-side, (left-side or right-side) associative and two-side associative if the following respective identities hold:*

$$\mathbf{W}^{\mathbf{Y}}(^{X}\mathbf{W}) = \mathbf{}^{(YX)}\mathbf{W} = \mathbf{}^{YX}\mathbf{W}; \begin{pmatrix} \mathbf{W}^{X} \end{pmatrix} ^{Y} = \mathbf{W}^{(XY)} = \mathbf{W}^{XY}.\tag{5}$$

$$(\prescript{X}{}{W})^Y = \prescript{X}{}{(W}^Y) = \prescript{X}{}{W}^Y. \tag{6}$$

In general, MPF is a function *F*: *MR* × *MS* × *MR* → *MS*. To be concise, we will use the notation *MPF<sup>R</sup> S* for the definition of MPF with base matrix defined over the platform semigroup *S* in *MS* and with power matrices defined over the exponent semiring *R* in *MR*. The categorical interpretation of MPF is presented in [15], in the context of the construction of several key agreemen<sup>t</sup> protocols. We slightly reformulate the notions used in the authors' interpretation by the following proposition, which is more appropriate for our study.

#### **Proposition 1.** *If MPF is associative, then MS is a multiplicative MR-semibimodule.*

This means that there exist bilinear (left and right) actions of the matrix semiring *MR* on the matrix semigroup *MS*. According to the definition of action, it must satisfy the associative law corresponding to Definition 4. Since matrix semigroup *MS* is multiplicative, then *MR*-semibimodule *MS* is multiplicative in our case. The following lemma is presented without proof. The proof can be found in [14].

**Lemma 1.** *If R is a commutative numerical semiring (e.g., N0 = {0, 1, 2,* ... *}) and S is a commutative semigroup, then MPF is two-side associative.*

The direct MPF value computation requires finding matrix *A* in (4), when matrices *X*, *Y* and *W* are given. The inverse MPF value computation requires finding matrices *X* and *Y* in (4), when matrices *W* and *A* are given. The MPF problem is the computation of the inverse MPF value.

**Definition 5.** *A function F: Dom* → *Ran with finite sets of domain (Dom) and range (Ran) is a candidate for one-way function (OWF) if for all d* ∈ *Dom the F(d) can be computed by a polynomial time algorithm, but any polynomial time randomized algorithm that attempts to compute an inverse value <sup>F</sup>*−*1(r) = d for F, where r* ∈ *Ran is given, succeeds with negligible probability. That is, for all randomized algorithms, all positive integers c and all sufficiently large n = length(d), the probability to compute an inverse value r for F is at most n*<sup>−</sup>*c. The probability is taken over the choice of r from the discrete uniform distribution in Ran.*

Paraphrasing this definition in a non-formal way, MPF is candidate for OWF if: (1) the MPF direct value computation is easy, and (2) the MPF problem is hard.

The computation of the direct MPF value is effective and can be done by powering elements of the platform semigroup *S* by elements of the exponent semiring *R* with relatively small values (e.g., up to 5 used in this study). It is related to the matrix multiplication by the two matrices from the left and right. In this paper we present some evidence that the solution of the MPF problem is hard.

**Proposition 2.** *The necessary requirements for MPF for the proposed SIP are the following: (1) it is a candidate for OWF, (2) it is associative, and (3) the following distributive identity holds:*

$$\mathbf{V}^{(IL+X)}\mathbf{W}^{(\ast \ast Y)} = {}^{\iota \square}\mathbf{V}\mathbf{V}^{\vee} \ast {}^{\iota \square}\mathbf{V}\mathbf{V}^{\vee} \ast {}^{X}\mathbf{V}\mathbf{V}^{\vee} \ast {}^{X}\mathbf{V}\mathbf{V}^{\vee},\tag{7}$$

*where \* is a Hadamard product of matrices [16].*

#### **3. The Definition of Algebraic Structures**

In order to construct a platform semigroup for MPF, the class of modified multiplicative medial semigroups [17] is used. A medial semigroup *SM* has the presentation consisting of two generators *a*, *b* and relation *RM* is defined in the following way:

$$S\!\!\!M = \!\!\!a , \, b \mid R\_{\!\!\!M} \} , \tag{8}$$

$$R\_M \colon w\_1 \\ 
abw\_2 = w\_1 \\ 
bar{w}\_2,\tag{9}$$

where *w*1 and *w*2 are arbitrary non-empty words in *SM*, written in terms of generators *a* and *b*. The reason for the introduction of the medial semigroup is the existence of the following identity, based on the relation *RM*, valid for all words *w*1, *w*2 ∈ *SM* and any exponent *e* ∈ *N***0**, where *N***0** = {0, 1, 2, . . . } is the semiring of natural numbers with zero:

$$(w\_1 w\_2)^\epsilon = w\_1 {}^\epsilon w\_2 {}^\epsilon. \tag{10}$$

In order to construct a platform semigroup *S* for MPF in (4), two extra relations *R*1 and *R*2 are added to *SM*:

$$R\_1 \colon a^5 = a \text{; } R\_2 \colon b^5 = b. \tag{11}$$

These relations can be generalized for arbitrary finite exponents instead of 5, however, only relations (11) are considered in this paper for simplicity. Thus, modified medial semigroup *S* has the following presentation:

$$S\_M = \prec a, b \mid R\_{M\prime} R\_1, R\_2 \succ . \tag{12}$$

Note that we define *S* as a multiplicative, non-commuting and cancellative semigroup.

**Proposition 3.** *Semigroups SM and S are transformed into monoids by introducing an empty word as a multiplicatively neutral element, denoted by 1. Then, conveniently, the following identities hold for all w in SM and S:*

$$w1 = 1w = w, \; w^0 = 1; 0 \in \mathbb{N}\_0. \tag{13}$$

Using relation *RM* in (9) any word in *SM* can be transformed to the form *w* = *bsatbuav* moving generators *a*, *b* left and right, where *s*, *t*, *u*, *v* ∈*N***0**. Let *w* = *bsatbuav* be such word in *SM*. Reformulating the Theorem 12 in [14], the normal form *wnf* of word *w* in the semigroup *SM* is defined by the following function *nf*: *SM* → *SM,nf* and is expressed by the relation:

$$w\_{nf} = \max\_{t,u} (b^s a^t b^u a^v) = b^\S a^{i\_a} b^{i\_b} a^a = nf(w); a, \beta \in \{0, 1\}; i\_a, i\_b \in N\_0. \tag{14}$$

The normal form in the modified medial semigroup *S* is defined by the following theorem.

**Theorem 1.** *The normal form <sup>w</sup>η of the word wnf in the normal form of SM, is represented by the function η: SM* → *S and obtained by applying the minimization procedure of exponents ia, ib in (14) using the relations R1, R2:*

$$\boldsymbol{w}\_{\emptyset} = \min\_{i\_{a}, \boldsymbol{j}\_{b}} \boldsymbol{w}\_{\boldsymbol{n}f}(\boldsymbol{\beta}, i\_{a}, \boldsymbol{j}\_{b}, \boldsymbol{a}) = \min\_{i\_{a}, \boldsymbol{j}\_{b}} (b^{\mathcal{S}} a^{i\_{a}} b^{\mathcal{S}} a^{a}) = b^{\mathcal{S}} a^{i} b^{\prime} a^{a} = \eta(\boldsymbol{w}\_{\mathcal{i}f}); \boldsymbol{a}, \boldsymbol{\beta} \in \{0, 1\}; i\_{a}, i\_{b} \in \mathbb{N}\_{0}. \tag{15}$$

Since *S* is a multiplicative semiring, the following exponent identities hold for any generator *g* ∈ {*<sup>a</sup>*, *b*}:

$$\mathbf{g}^{i}\mathbf{g}^{j} = \mathbf{g}^{i\*j}; (\mathbf{g}^{i})^{j} = \mathbf{g}^{\ i\dot{j}}.\tag{16}$$

Addition and multiplication tables for exponents *i*, *j* are presented in Tables 1 and 2 below.


**Table 1.** Addition (+) table for exponents *i*, *j*.

**Table 2.** Multiplication (•) table for exponents *i*, *j*.


Referencing relations *R*1, *R*2 the semiring *N*0 can be replaced by the finite semiring *N*4 = {0, 1, 2, 3, 4}. This semiring has an additive semigroup with index 1 and period 4. The exponent functions defined on *S* are determined by non-negative exponents in semiring *N*4.

We generalize these functions by introducing the "imaginary" unit ι which has some weak analogy with complex numbers in classical numerical algebra based on the imaginary unit *i* (*i*2 = −1). According to this "analogy" the set of complex exponents can be introduced and denoted by <sup>ι</sup>·*N*4, where "·" denotes a formal multiplication of ι by any number in *N*4. According to our assumption and using the relation *RM* in (9), the following properties of exponent ι are defined:

$$\mathfrak{u}^2 = 1,\; 1 \in \mathbb{N}\_4;\; a^\iota = b;\; b^\iota = a;\; t + \iota \cdot \iota \ne \iota \cdot \iota + t,\tag{17}$$

where *t*, *u* ∈ *N*4. This means that elements *t* + ι·*u* and ι·*u* + *t* do not commute.

The algebraic structure termed a near-semiring [18] was introduced for the construction of MPF in [14]. In general, it can be defined in the following way.

**Definition 6.** *A near-semiring (NSR) is a nonempty set with two binary operations "+" and "* ·*", such that <sup>&</sup>lt;NSR; +;* 0*> is an additive monoid with neutral element 0, and <sup>&</sup>lt;NSR;* ·*;* 1*> is a multiplicative monoid with neutral element 1, satisfying the following (two-sided) axioms for all x, y, z in NSR:*

$$\mathbf{x} \cdot (\mathbf{y} + \mathbf{z}) = \mathbf{x} \cdot \mathbf{y} + \mathbf{x} \cdot \mathbf{z}, \text{ and } \quad (\mathbf{x} + \mathbf{y}) \cdot \mathbf{z} = \mathbf{x} \cdot \mathbf{z} + \mathbf{y} \cdot \mathbf{z}, \tag{18}$$

$$\mathbf{0} \cdot \mathbf{0} + \mathbf{x} = \mathbf{x} + \mathbf{0} = \mathbf{x}; \mathbf{0} \cdot \mathbf{x} = \mathbf{x} \cdot \mathbf{0} = \mathbf{0}; \mathbf{1} \cdot \mathbf{x} = \mathbf{x} \cdot \mathbf{1} = \mathbf{x}.\tag{19}$$

Referencing to this definition the special type *NSR* required for MPF SIP construction is defined in the following way.

**Definition 7.** *The exponent near-semiring NSR consist of non-commuting additive monoid <sup>&</sup>lt;NSR; +;* 0*> and commuting multiplicative monoid <sup>&</sup>lt;NSR;* ·*;* 1*> satisfying Definition 6 and is a union of the following sets*

$$\text{NSR} = \text{N}\_4 + \iota \cdot \text{N}\_4 + \text{N}\_4 \cup \iota \cdot \text{N}\_4 + \text{N}\_4 + \iota \cdot \text{N}\_{4\prime} \tag{20}$$

*where the set N4 + <sup>ι</sup>*·*N4 + N4 defines the class of elements {t + ι*·*u + v} and the set <sup>ι</sup>*·*N4 + N4 + <sup>ι</sup>*·*N4—the class {t*·*<sup>ι</sup> +u+v*·*<sup>ι</sup>}, where t, u, v* ∈ *N4.*

The presentation of the semigroup *S* by relations *RM*, *R*1, *R*2 in (9) and (11) induces certain properties and relations in *NSR* that can be directly verified and are presented below without the proof.

**Proposition 4.** *For any x, y* ∈ *NSR, wherex=t+ ι*·*u + v and y = ι*·*t+u+ ι*·*v and t, u, v* ∈ *N4, the following identities hold for the exponents of generators a and b in S:*

$$a^x = a^{t+\iota \cdot u + v} = a^t a^{\iota \cdot u} a^v = a^t b^u a^v; \; a^y = a^{\iota \cdot t + u + v \cdot v} = a^{\iota \cdot t} a^u a^{\iota \cdot v} = b^t a^u b^v. \tag{21}$$

Identity to (21) can be extended for any word *w* ∈ *S*:

$$w^x = w^{t+\iota \cdot u + v} = w^t \overline{w}^u w^v ; w^y = w^{\iota \cdot t + u + v \cdot v} = \overline{w}^t w^u \overline{w}^v,\tag{22}$$

where the word *w* is obtained from *w* by renaming the generator *a* to *b* and *b* to *a* respectively. It is easily verified that the exponent function in *S* satisfies the following more general identities for any *w*, *w*1, *w*2 ∈ *S* and any *x, y* ∈ *NSR*:

$$w^x w^y = w^{(x+y)} = w^{x+y}, \qquad (w^x)^y = w^{(x \cdot y)} = w^{x \cdot y}, \\ (w\_1 w\_2)^x = (w\_1)^x (w\_2)^x. \tag{23}$$

The partial case of (23) are the following identities: *a<sup>x</sup> ay* = *<sup>a</sup>x+y*, (*a<sup>x</sup>*)*<sup>y</sup>* = *a*(*<sup>x</sup>*·*y*) = *ax*·*y* and (*<sup>a</sup>*1*<sup>a</sup>*2)*<sup>x</sup>* = (*a*1)*<sup>x</sup>*(*a*2)x for any *a*, *<sup>a</sup>*1, *a*2 ∈ *S* and *x, y* ∈ *NSR*. The same is valid for the generator *b*. The illustration of the computation of exponents in *S* is presented in Example 1 below.

The set of matrices defined over the *NSR* is denoted by *MNSR*.

Referencing to the Proposition 1, we present the following easily verifiable theorem without a proof.

#### **Theorem 2.** *MS is a multiplicative MNSR-semibimodule*.

Since *NSR* is acting on the semigroup *S* as an exponent function, then *MNSR* is acting on *MS* as MPF. According to Definition 7 and semigroup *S* presentation in (12) the following proposition can be formulated.

**Proposition 5.** *NSR introduced in the Definitions 6 and 7 has non-commuting additive monoid <sup>&</sup>lt;NSR; +;* 0*> and commuting multiplicative monoid <sup>&</sup>lt;NSR;* ·*;* 1*>, i.e., for all x, y, z1, z2* ∈ *NSR the following identities hold:*

$$z\_1 + x + y + z\_2 = z\_1 + y + x + z\_2. \tag{24}$$

$$
\propto \mathbf{y} = \mathbf{y} \cdot \mathbf{x}.\tag{25}
$$

Relation (25) implies the following identity:

*z*1

$$
\mathfrak{u} \cdot \mathfrak{x} = \mathfrak{x} \cdot \mathfrak{u}.\tag{26}
$$

**Example 1.** *The computation of wx. Let w = b3aba2 and x = 2 + <sup>ι</sup>*·*3 + 4, then the 1-st step of the computation is performed in the following way.*

*w<sup>x</sup> = w2+<sup>ι</sup>*·*3*·*<sup>+</sup> 4 = (b3aba2)2+<sup>ι</sup>*·*3+4 = (b3aba2)2 (b3aba2)<sup>ι</sup>*·*<sup>3</sup> (b3aba2)4 = (b6a2b2a4) (a9b3a3b6) (b12a4b4a48)*

*At the second step transformation to the normal form (15), every word in parentheses is performed.*

*(b6a2b2a4) (a9b3a3b6) (b12a4b4a48) = (b7aba5) (a12b9) (b15aba11) = (b3aba) (a4b) (b3aba3) = = ba9b8a = bab4a*.

> *The final word is found using R1 and R2 as well, where b8 = b4, a9 = a.*

The gray part of Table 1 represents the additive subgroup *N*4<sup>+</sup> = {1, 2, 3, 4} with neutral element equal to 4. Subgroup *N*4<sup>+</sup> has the subset of two generators **Γ** = {1, 3}. The subgroup *N*4<sup>+</sup> and generators **Γ** will play an important role in proving the uniform distribution of conversations and the security against eavesdropping attack of MPF SIP in Section 5. Moreover, relations *R*1, *R*2 in (11) define the smallest exponent *e* = 5 where subgroup *N*4<sup>+</sup> has at least two generators. It is important to have a random choice in the set having at

least two generators and will be used in our construction as well. The gray part of Table 2 represents the multiplicative semigroup *N*4<sup>+</sup> in *N*4. It is easily verified that *N*4<sup>+</sup> is a subsemiring of *N*4. Replacing *N*4 by *N*4<sup>+</sup> in Definition 7, we obtain a new near-semiring as a sub-semiring of *NSR* which is denoted by *sNSR*. The matrix set over the *sNSR* is denoted by *MaNSR* and matrix set with entries in **Γ** = {1, 3} is denoted by *M***Γ**. MPFs defined by the multiplicative *MsNSR*-semibimodule *MS* and by the multiplicative *MsNSR*-semibimodule *MS* are denoted by *MPFNSR S*and *MPFsNSR S*respectively.

Together with the introduced here near-semirings the introduction of anti-*NSR*, denoted by *aNSR*, to the original *NSR* is necessary. According to (20), *aNSR* is defined by:

$$a\text{NSR} = -\mathbf{N\_4} - \imath \cdot \mathbf{N\_4} - \mathbf{N\_4} \cup - \imath \cdot \mathbf{N\_4} - \mathbf{N\_4} - \imath \cdot \mathbf{N\_{4\prime}}\tag{27}$$

where for any element *x* in *NSR* there exists a unique element *x* in *aNSR* obtained by switching the sign of *x* from positive to negative, i.e., *x* = <sup>−</sup>*x*. The matrix set over the *aNSR* is denoted by *MaNSR*. For any matrix *H* in *MNSR* there exists a unique matrix −*H* in *MaNSR* with negative entries. Then, formally, we assume that

$$H-H=\mathcal{O}\_{\prime}\tag{28}$$

where *O* is the zero matrix, i.e., matrix with all entries equal to zero.

This construction will be used in the security proofs for the so-called simulator Sim computations. Several additional properties of *MPFaNSR S* are presented below without the proof. Let *O* be a zero matrix in *MNSR* and *E* is a unity matrix in *MS* consisting of all entries equal to 1 in *S*. Then according to (7), (27) and (28), for any *W*, *A* ∈ *MS* and *U*, *H* ∈ *MNSR* the following identities hold:

$$A^O = E; \; ^O A = E; \; \mathcal{W} \; ^\* E = E \; ^\* \mathcal{W} = \mathcal{W}; \tag{29}$$

$${}^{\!\!\!\!\!\!\!\!}A^{H}\,\,\star\,{}^{\!\!\!\!\!\!\!\/}A^{\!\!\!\!\!\/} = {}^{\!\!\!\!\!\!\/}A^{H\!\!\!\!\/-H}\,\tag{30}$$

$${}^{\!\!\!\!\!\/}A^{\!\!\!\!\/} = {}^{\!\!\!\!\/}A^{\!\!\!\/} = {}^{\!\!\!\!\/}E = E.\tag{30}$$

The last identity remains valid if the presented actions are reversed from the left to the right.

#### **4. MPF Sigma Identification Protocol (SIP)**

In general, sigma identification protocols (SIP) are realized using the conversation between the Prover and the Verifier when the Prover proves to the Verifier the knowledge of the secret (e.g., his private key—witness) without revealing knowledge about this secret [19]. In this case it is said that SIP has the Zero Knowledge Proof (ZKP) property [19]. Prover is using his private, public key pair we denote by PrK, PuK named as a witnessstatement pair.

We denote any matrix *Q* that is generated uniformly at random from the matrix set *M* by *Q* ← rand(*M*).

We use matrix sets *MsNSR* and *M***Γ** introduced in Section 3 instead of the matrix set *MNSR* to provide a random uniform distribution of data generated in MPF SIP.

Parties share the same public parameter represented by matrix *W* in *MS* generated at random *W* ← rand(*MS*). The prover runs the following key pair generation algorithm. For the private key PrK-witness generation two secret matrices *X*, *Y* in *M***Γ** = {1, 3} are chosen at random:

$$X\_\prime Y \leftarrow \text{rand}(\mathbf{M}\_\Gamma). \tag{31}$$

Then PrK = (*X*, *Y*)∈*M***Γ** × *M***Γ**.

The public key PuK-statement is computed using *MPFsNSR S*defined above:

$$\mathbf{P}\mathbf{u}\mathbf{K}={}^{\mathcal{X}}\mathcal{W}^{\mathcal{Y}}=\mathcal{A}.\tag{32}$$

Prover distributes his PuK = *A* ∈ *MS* to all users including Verifier. According to the 3-rd condition in the Proposition 2 represented by the distributive identity (7), we formulate the following easily verified theorem without proof.

**Theorem 3.** *MPFsNSR Ssatisfies the distributive identity (7).*

**Definition 8.** *Equation (32) defines a set of relations Rel between the set of witnesses (PrK) and statements (PuK) which is a subset of the following direct product of sets:* **Rel** ⊆ (**MΓ** × **MΓ**) × **MS**.

Since relations *R*1, *R*2 in (11) define a finite semiring *S*, they induce the finiteness of *<sup>s</sup>NSR*. Then, sets *MsNSR* and *MS* are finite as well.

**Definition 9.** *Let matrix A = {aij} be of finite order and assume that all entries qij can be effectively encoded by the finite string of bits not exceeding polynomial length. Then, matrix A is effectively recognizable in MS if all its entries can be effectively decoded and effectively transformed to the normal form (15).*

**Proposition 6.** *Any finite length word w in S can be transformed to the normal form (15) using the linear number of operations with respect to the length of w.*

**Definition 10.** *Relation Rel is efficiently recognizable if every matrix A' = {aij'}, where aij'are finite strings of generators a, b in MS, can be effectively transformed into the matrix A in MS with all entries expressed in the normal form (15).*

**Definition 11.** *Relation is an effective relation if it is efficiently recognizable.*

**Proposition 7.** *Relation Rel is effective.*

Referencing to the general definition of Sigma protocol in [19], the corresponding definition can be formulated for MPF SIP.

**Definition 12.** *Let Rel* ⊆ *(M***Γ** × *M***Γ***)* × *MS be an effective relation. An MPF SIP for Rel is a pair (P, V) of interactive protocols executed by the Prover and the Verifier. Protocol P is taking a witness-statement pair (PrK, PuK)* ∈ *Rel as an input. Protocol V is taking as an input statement PuK* ∈ *MS. Then after the conversation V outputs accept or reject.*

MPF SIP is performed during three pass communications named as a conversation between the Prover and the Verifier.

1. Prover generates two matrices *U*, *V* ← rand(*M***Γ**) at random and using his witness-PrK computes the **commitment** *C* = (*C*0, *C*1, *C*2) consisting of three matrices *C*0, *C*1, *C*2 in *MS*:

$$\mathbf{C}\_{0} = \,^{\text{II}}\mathbf{W}^{\text{V}}, \,\mathbf{C}\_{1} = \,^{\text{II}}\mathbf{W}^{\text{V}}, \,\mathbf{C}\_{2} = \,^{\text{X}}\mathbf{W}^{\text{V}}.\tag{33}$$

Prover sends *C* to the Verifier.


$$S = \mathcal{U} + H'X,\\
\mathcal{T} = V + \mathcal{Y}H'',\tag{34}$$

and sends *R* = (*S*, *T*) to the Verifier.

At this stage Prover and Verifier complete the conversation. After receiving *R* = (*S*, *T*), Verifier checks if

$$^S\mathcal{W}^T = \mathbb{C}\_0 \, ^\ast\mathcal{C}\_1 \, ^{H''}\, ^\ast\mathcal{C}\_2 \, ^{H'}\mathcal{A}^{H'},\tag{35}$$

and if it is the case outputs *accept*.

The distinct feature of the proposed protocol (against, e.g., Schnorr or Okamoto protocols, [19]) is that the Prover generates a commitment at the first step of the protocol using components *X*, *Y* of the witness-PrK = ( *X*, *Y*).

**Completeness**. On the common statement input PuK = *A*, the honest Prover knows witness-PrK = ( *X*, *Y*) for PuK and succeeds in convincing the Verifier of his knowledge with probability 1. It follows from the validity of associativity identity (6) and distribution identity (7):

*SWT* = (*U*+*<sup>H</sup> X*) *W*(*V*+*YH*") = *UWV* \* *UWYH* \* *H XWV* \* *HX WYH* = *UWV* \*(*UWY*) *H*" \* *H* ( *XWV*)\* *H* ( *XWY*) *H* = *C*0\* *C*1*H*" \* *H C*2\* *H A<sup>H</sup>*".

> Verifier uses the conversation ( *C*, *H*, *R*) together with the Prover's statement PuK = *A* for the verification and yields accept if (35) holds.

The test example of this protocol is presented in Appendix A.

## **5. Security Analysis**

We consider the main three main kind of attacks for SIP presented in [19] ordered by their power, i.e., direct attack, eavesdropping attack and active attack. The weakest attack of the three is a direct attack and it is applied mainly for password protected systems which can also be realized using symmetric cryptography. The outcome of these attacks is either adversary impersonation of legal Prover or even compromisation of legal prover's secret, namely his password or private key PrK-witnwss. The detailed description of the attack game and the theorem formulating security against this attack is presented in ([19], Section 18.3). Since this attack is not of direct interest for our research, we only use the security formulation for this attack in our construction in Theorem 4 below as an intermediate result to consider the more powerful eavesdropping attack. In this section we prove the conditions under which the proposed MPF SIP is resistant against eavesdropping attack finalizing it in Theorems 5 and 6. Unfortunately, we were not able to prove the resistance against most powerful active attack for the reasons presented below.

#### **Assumption 1.** *MPFNSR Sis a candidate for one-way function (OWF).*

This assumption can be supported by our previous results presented in [11–14]. The MPF is constructed using similar algebraic structures as in [14]. In [12,13] the NPcompleteness of the similar MPF problem is proven. MPF function introduced there is defined in finite modified medial platform semigroup and finite power near-semiring. Despite the lack of proof of the NP-completeness of the MPF problem defined here, we can present some links of this MPF with the well-known multivariate quadratic (MQ) problem which is proved to be NP-complete over any field [7]. Let ϕ: *S* → *Sa* is the homomorphism of the semigroup *S* to the semigroup *Sa* defined by the introduced new relation *b* = 1. Then *Sa* = {1, *a*, *a*2, *a*2, *a*4} is a cyclic monoid with index 1 and period 4 [20]. The corresponding public matrix denoted by *W'*. Then the entries of this public matrix *W'* consist of elements *ai*, where *I* ∈ {0, 1, 2, 3, 4} due to relation *R*1. Analogously, the *NSR* can be homomorphically transformed to the set of integers *Z*5 = {0, 1, 2, 3, 4} by introducing the relation ι = 0. Then the matrices *X'*, *Y'* ← rand( *Z5*) are generated.

Since *Sa* is a cyclic semigroup then the discrete logarithm operation dlog*a* with the base *a* can be applied elementwise to the MPF relation *X* (*W* ) *Y* = *A*. In this case we obtain MQ problem but defined not over the field *F*5 = {0, 1, 2, 3, 4} (where operations are defined mod 5) since according to relation *R*1 in (11) the exponents of generator *a* cannot be reduced mod 5. It seems that the obtained MQ problem represented by matrix equation

$$\operatorname{dloga}(\prescript{X'}{}{(W')}^{Y'}) = \operatorname{dloga}(A'),$$

is at least no less complex than the "standard" MQ problem. Then, we can make an assumption that MPF introduced in (4), (32), where unknown monomials are in exponents is a candidate for one-way function (OWF).

This assumption is required to prove that the proposed MPF SIP is secure against the eavesdropping attack and to select the values of the security parameters.

Referencing to Assumption 1 and [19], we can formulate the following theorem.

**Theorem 4.** *If MPFNSR S is a candidate for OWF and the challenge space is super-poly, then MPF SIP identification protocol is secure against the direct attack.*

**Proof.** According to the Assumption 1, *MPFNSR S*is a candidate for OWF.

 Referencing to the relations *R1*, *R2* in (11), the challenge space is exponential with respect to the order *m* of matrices in *MNSR*. The cardinality of *MNSR* is no less than 52mm, thus, it is super poly as well. 

It is easily verified that Assumption 1 and Theorem 4 can be applied to *MPFsNSR S* . In order to formulate the security against the eavesdropping attack, we need the definition and the proof of the Honest Verifier Zero Knowledge (HVZK) property [19] for MPF SIP. We realized that instead of HVZK of MPF SIP we can prove a rather stronger result denoted as a special HVZK.

**Definition 13.** *Identification protocol is a special HVZK if there exists an efficient probabilistic algorithm called a simulator Sim such that for all possible witness-statement pairs or private and public key pairs (PrK, PuK) the following two conditions hold: 1) the output distribution of Sim on input (PuK, H) is identical to the distribution of transcript of a conversation (C, H, R) between Prover on input (PrK, PuK) and Verifier on input Puk, and 2) for all inputs PuK and H, algorithm Sim always outputs a pair (C, R) such that (C, H, R) is an accepting conversation for PuK.*

Following the methodology presented in [19], the following theorem can be formulated.

**Theorem 5.** *MPF SIP protocol is a special HVZK.*

**Proof.** On Sim input *R'*, *H'* and PuK, the valid commitment *C* = ( *C*0 , *C*1 , *C*2) and corresponding transcript of a conversation ( *C* , *H* , *R*) must be generated with identical distribution as ( *C*, *H*, *R*) between the Prover and the Verifier. 

**Lemma 2.** *Let W be a public parameter and two pairs of matrices X,Y* ← *rand(M***Γ***), X,Y* ← *rand(M***Γ***) are generated uniformly at random, then the entries of matrices A = XWY and A = X W<sup>Y</sup> computed according to (32) are uniformly distributed*.

**Proof of Lemma.** Define two subsemigroups in *S*, namely *Sa* = {*a, <sup>a</sup>2*, *a3, a<sup>4</sup>*}, *Sb* = {*b, b2*, *b3, b<sup>4</sup>*} and a set of exponents of generators in *S* denoted earlier by *N***4 +** = {1, 2, 3, 4}. Then exponent function of generator *a* in *Sa* provides the following 1-to-1 mapping exp*a*: *N***4 +** → *Sa*. Since exp*a* is 1-to-1, then for any *I* ← rand( *N***4 +**) the value exp*a* (*i*) = *ai* will have a uniform random distribution. The same is valid for the function exp*b*: *N***4 +** → *Sb*. Let exp*a,a*: *N***4 +** × *N***4 +** → *Sa* is a function defining multiplication of generator *ai* by generator *aj*, where *i*, *j* ← rand( *N***4 +**), i.e., exp*a,a* (*i*, *j*) = *ai aj* = *<sup>a</sup>i+j*. According to *R*1 in (11), function exp*a,a* (*i*, *j*) provides a 4-to-1 mapping and hence the value *ae* obtained after the reduction of exponent *ai+j* using *R*1 will have a uniform random distribution.

Let us consider the double exponent function expexp*a*: *N***4 +** × Γ → *Sa*, where expexp*a*(*i*, *<sup>k</sup>*)=(*a<sup>i</sup>* ) *k* with *I* ∈ *N***4 +**, *k* ∈ Γ. This function provides a 2-to-1 mapping. Let *i*, *k* values are random and uniformly distributed, then the value (*ai* ) *k* is also random and uniformly distributed. The same is valid for the generator *b* and for complex exponents <sup>ι</sup>·*i* and <sup>ι</sup>·*k*. In the latter case complex unit ι simply changes *a* to *b* and vice versa.

As a consequence, the mentioned above exponents of generators *a*, *b* are random and uniformly distributed.

If we have any word *w* ∈ *S* and exponentiate it by *i*, then after the reduction of exponents corresponding to the generators *a* and *b* the uniform distribution of resulting exponents will be obtained. After that the generators are grouped according to the normal form defined in (15) and this grouping simply corresponds to computing expressions of the type *ai aj* = *<sup>a</sup>i+j*. Hence the grouping procedure will not change the uniform distribution. As a result, we obtain uniformly distributed normal form *<sup>w</sup>*η in (14).

These results are applied subsequently to the left MPF and right MPF (according to Definitions 1 and 2) to prove the uniform distribution of entries of matrices *A* and *A'* being a value of two sided MPF in Definition 3. The proof is performed by induction with respect to the order *m* of MPF matrices. The first step of induction for *m* = 1 is proved above.

The Lemma is proved. 

**Lemma 3.** *Suppose the following pairs of matrices X, Y* ← *rand(M***Γ***), U, V* ← *rand(M***Γ***), X , Y* ← *rand(M***Γ***), U, V* ← *rand(M***Γ***) and Hˆ, Hˆ"* ← *rand(MsNSR) are generated uniformly at random. Then the distribution of entries of matrices S, T in (34) and of matrices S, T computed by the relations.*

$$S'=ll'+H^{\prime}X^{\prime},\;T^{\prime}=V^{\prime}+\mathcal{Y}^{\prime}H^{\prime\prime},\tag{36}$$

*have the same uniform random distribution.*

**Proof of Lemma.** Firstly, we prove that the product of matrices HX, YH" has the same uniform random distribution as the product of matrices Hˆ X, YHˆ". Let us consider a scalar case with *h x*, *yh*" and *h*ˆ *<sup>x</sup>, y h*ˆ" instead, where *h* , *h***"**, *h*ˆ *, h*ˆ**"** <sup>∈</sup>*N*4 + and *x*, *y*, *<sup>x</sup>, y* ∈ **Γ**. Then the multiplication function is defined by the mapping mul*h,x*: *N*4 + × **Γ** → *N*4 + which according to Table 2 is 2-to-1. Since multipliers are chosen uniformly at random, then the value mul*h, <sup>x</sup>*(*h*, *x*) = *hx* in *N*4 + is distributed uniformly at random. The same is valid for other terms.

Now consider the addition function add*u,z*: **Γ** × *N*4 + → *N*4 + which according to Table 1 is 2-to-1. Then, since the value *z* = *hx* is distributed uniformly at random the value add*u, <sup>z</sup>*(*<sup>u</sup>*, *z*) = *s* is also distributed uniformly at random.

The random and uniform distribution of entries of matrices *H X*, *YH*" and *H*ˆ *X* , *Y H*ˆ" can be proved by induction using the uniform and random distribution of values of functions mul*h, x* and add*u, z*. Then, the entries of matrices *S*, *T* and *S* , *T* are distributed uniformly at random as well.

The Lemma is proved. 

**Proof.** Proceeding with the proof of the theorem, the response *R* = (*S* , *T*) must be computed referencing to (34). Then, the following random matrices in *MNSR* are generated independently: *U* , *V* ← rand( *M***Γ**), *X* , *Y* ← rand( *M***Γ**). As an additional input the simulator takes two challenge matrices *H*ˆ , *H*ˆ" ← rand( *MsNSR* × *MsNSR*). Then, according to (34):

$$
\Delta S' = \mathcal{U}\mathcal{I}' + \mathcal{H}^{\prime}\mathcal{X}',\\
\mathcal{T}' = \mathcal{V}' + \mathcal{Y}^{\prime}\mathcal{H}^{\prime\prime}.\tag{37}
$$

Referencing to Lemmas 2 and 3, *R* = (*S* , *T*) and *R* = (*S*, *T*) have the same uniform distribution and hence the distribution of *S W<sup>T</sup>* is the same as the distribution of *SWT* in (35). According to the Theorem 3 *S W<sup>T</sup>* has the following expression

$${}^{S'}W^{\dagger} = {}^{(\mathcal{U}+\mathcal{U}^{\prime}X^{\prime})}W^{\dagger}{}^{V\*}Y^{H\dagger}{}^{\prime} = {}^{\mathcal{U}}W^{\dagger}{}^{\prime} \ast {}^{\mathcal{U}}W^{\dagger}{}^{H\dagger} \ast {}^{\mathcal{U}}\hat{X}^{\prime}{}^{\prime}W^{\dagger}{}^{V\*} \ast {}^{\mathcal{U}}\hat{X}^{\prime}{}^{V}W^{\dagger}{}^{H\dagger} = {}^{\mathcal{U}}W^{\dagger}{}^{\prime} \ast {}^{\mathcal{U}}\hat{X}^{\prime}{}^{\prime}{}^{H\dagger} \ast {}^{\mathcal{U}}\hat{X}^{\prime}{}^{V}{}^{\prime} \ast {}^{\mathcal{U}}\hat{X}^{\prime}{}^{H\dagger}, \tag{38}$$

where *B* = *X W<sup>Y</sup>* 

.

For given matrices *U* , *V* , *X* , *Y* and ( *H*ˆ , *H*ˆ") generated uniformly at random and independently, Sim must compute a challenge *C* = ( *C*0 , *C*1 , *C*2) satisfying the following equation:

$$^{S'}\mathcal{W}^{T'} = \mathbb{C}\_{0'}\,^\*(\mathbb{C}\_{1'})^{H''}\,^\*\,^{H''}(\mathbb{C}\_{2'})\,^\*\,^{H''}A^{H''} \tag{39}$$

Referencing to identity (37), Sim computes

$$\mathbf{C}\_{0'} = {}^{\mathbb{L}'}\mathbf{W}^{V'}, \mathbf{C}\_{1'} = {}^{\mathbb{L}'}\mathbf{W}^{Y'}, \mathbf{C}\_{2'} = {}^{\mathbb{X}'}\mathbf{W}^{V'} \ \* \, {}^{\mathbb{H}}\mathbf{B}^{H''} \ \* \, {}^{\mathbb{A}}\mathbf{A}^{-H''}.\tag{40}$$

According to Theorem 5, the entries of matrices *C*0 , *C*1 , have the same uniform distribution as of matrices *C*0, *C*1. Since (1) the distribution of *S W<sup>T</sup>* is the same distribution as of *SWT*, (2) *X W<sup>V</sup>* is uniformly distributed and (3) the computation of matrix *C*2 in (39) is based on Hadamar multiplication rule [16] (i.e., elementwise), then the distribution of *C*2 is the same as the distribution of *C*2. Then the commitment *C* = ( *C*0 , *C*1 , *C*2) has the same distribution as *C* = ( *C*0, *C*1, *C*2). It remains to prove that ( *C, H, R*) is an accepting conversation using the following identities.

$$\begin{array}{rcl} \mathbf{C}\_{\mathcal{O}'} \triangleq \left(\mathbf{C}\_{1'}\right)^{H^{\mathcal{T}} \ast H'} \left(\mathbf{C}\_{\mathcal{Z}'}\right)^{\ast H'} \mathbf{C}\_{\mathcal{I}}^{H'} & \mathbf{A}^{H'} = {}^{\mathcal{U}}\mathbf{W}^{\mathcal{V}'} \ast \left({}^{\mathcal{U}}\mathbf{W}^{\mathcal{V}}\right)^{H'} \ast {}^{H'} \mathbf{V}^{\mathcal{X}'} \mathbf{V}^{\mathcal{X}'} \ast {}^{\mathcal{H}'} \mathbf{B}^{H'} \ast {}^{\mathcal{H}'} \mathbf{A}^{-H'} \ast {}^{\mathcal{H}'} \mathbf{A}^{H'} \\ & = {}^{\mathcal{S}'}\mathbf{W}^{\mathcal{T}'} \ast {}^{\mathcal{H}'} \mathbf{A}^{H'} \ast {}^{\mathcal{H}'} \mathbf{A}^{\mathcal{T}} = {}^{\mathcal{S}'}\mathbf{W}^{\mathcal{T}'} \ast {}^{\mathcal{H}'} \mathbf{A}^{\mathcal{O}} = {}^{\mathcal{S}'}\mathbf{W}^{\mathcal{T}'} \ast \mathbf{E} = {}^{\mathcal{S}'}\mathbf{W}^{\mathcal{T}'}. \end{array} \tag{41}$$

The theorem is proved. 

Since special HVZK implies HVZK, then according to the Assumption 1 and Theorems 4 and 5, proposed MPF SIP is secure against the direct attack and is HVZK. The Theorem 19.3 in [19] states that if an identification protocol is secure against direct attacks, and is HVZK, then it is secure against eavesdropping attacks. Referencing to this result we have proven the following theorem.

#### **Theorem 6.** *MPF SIP is secure against the eavesdropping attack*.

Unfortunately, we are not able to prove the security of MPF SIP against an active attack since we have not proved the soundness of MPF SIP. Our construction is based on far more complicated algebraic structures than many traditional identification protocols including Schnorr protocol.

#### **6. Selection of the Security Parameters and Efficiency Analysis**

Since relations *R*1, *R*2 are fixed, the security parameter is the order *m* of matrices defining MPF. Then, according to (32) PrK and PuK matrix relation in the Definition 8 consists of *m*<sup>2</sup> exponent equations of the type (4). According to the Assumption 1 and the belief that the solution of randomly generated MQ system is hopeless when system consists of *n* ≥ 80 equations with *v* ≥ 80 variables [9], it is sensible to choose the number of exponent equations of the type (4) corresponding to the matrix equation (32) to be no less than 80. Then, *m* can be chosen to be equal to 10, 11, 12. In this case the number of exponent equations is equal to 100, 121, 144 correspondingly. To represent *NSR* elements of the types *t* + ι·*u* + *v* and *t*·ι + *u* + *v*·ι, where *t*, *u*, *v* ∈ {1, 2, 3, 4} 9 bits are required. Thus, memory requirement for PrK = ( *X*, *Y*) is 2 × 9 *m*<sup>2</sup> bits. To represent the word *w* in *S* in normal form (15) 6 bits are required. So, PuK = *A* representation requires 6 *m*<sup>2</sup> bits.

Effectivity of SIP is related to the left and right MPF value computations in (2) and (3) and can be performed using exponentiation tables of the size 4x4 in our case. Transformation of matrix entries to the normal form requires asymptotically O ( *m*2) operations. The computational resources for the one-sided MPF value computation are equivalent to the matrix multiplication and are asymptotically at most O ( *m*3). SIP realization for Prover requires 6 one-sided MPF values computation, 2 multiplication of matrices in *NSR* requiring O ( *m*3) operations and two additions of matrices in *NSR* requiring O ( *m*2) operations. Both matrix multiplication and addition can be performed using the table of operations of the size 4 × 4 as shown in Tables 1 and 2.

For the Verifier's side one must compute MPF values presented in (35). It takes two one-sided MPF computations for the left side of (35) and six one-sided MPF computations. Hence asymptotically it takes O ( *m*3) operations.

#### **7. Discussion and Conclusions**

It was an intriguing idea for the authors to create and analyze Sigma identification protocol (SIP) based on the matrix power function (MPF) defined over the specially selected algebraic structures, namely modified platform medial semigroup *S* and power nearsemiring (*NSR*). The initial medial semigroup is infinite, cancellative, multiplicative and non-commuting and is chosen to have two generators *a* and *b*. The modification of this medial semigroup is performed by introducing two extra relations *R*1 and *R*2 for the generators. It induces certain homomorphism yielding finite semigroup and preserving other properties of medial semigroup. In order to construct MPF, the certain power *NSR* is constructed. The properties of *NSR* are induced by the generic relation *R M* of medial semigroup which makes addition operation non-commuting. Therefore, the notion of *NSR* is applied. The reason is that constructed *NSR* is simply not a semiring.

These algebraic structures are far more complicated than the structures used currently in well-known identification and sigma identification protocols, e.g., Schnorr or Okamoto protocols. They are based on relatively simple algebraic structures, namely cyclic groups *Zp \** or *Gq*. MPF SIP construction based on more complicated algebraic structures was successful since a very important property of MPF presented in Proposition 2 was satisfied. In this connection we are expecting that proposed MPF SIP should provide greater security than existing Sigma protocols based on numerical cyclic groups. The investigation of the resistance against quantum cryptanalysis attack is very attractive and could be dedicated for the future research.

MPF, presented here, has some similarity to the certain MPF problem which was proven to be NP-complete in our previous publications [12,13]. It is believed so far that NP-complete problems cannot be effectively solved by quantum computers. The security of MPF SIP presented here relies on the assumption that this MPF problem is a candidate for one-way function (OWF).

Following the methodology, notions and security analysis of Sigma protocols presented in D. Boneh, and V. Shoup tutorial we proved that the proposed SIP is secure against the eavesdropping attack. Unfortunately, the proof that this protocol is secure against active attack was not presented since we have not proved the soundness of this protocol yet. The soundness of identification protocols is easily proven for simple algebraic structures, namely *Zp \** or *Gq*. In our case, however, the algebraic structures are far more complicated and existing proof methodology used in cyclic groups cannot be applied.

**Author Contributions:** Conceptualization, methodology and investigation E.S.; Software, validation, writing—review and editing I.T.; Software, writing—original draft preparation A.K. All authors have read and agreed to the published version of the manuscript.

**Funding:** This research received no external funding.

**Institutional Review Board Statement:** Not applicable.

**Informed Consent Statement:** Not applicable.

**Acknowledgments:** Many thanks to the Reviewers and their remarks, allowing us to substantially improve the security proof as well as the overall quality of the paper.

**Conflicts of Interest:** The authors declare no conflict of interest.
