# Algebraic and quantum attacks on two digital signature schemes

Vitaly Roman’kov, Alexander Ushakov and Vladimir Shpilrain

## Abstract

In this article, we analyze two digital signature schemes, proposed in Moldovyan et al., that use finite noncommutative associative algebras as underlying platforms. We prove that these schemes do not possess the claimed property of being quantum safe. We also show that in many cases these schemes are, in fact, vulnerable to “classical” algebraic cryptanalysis.

MSC 2010: 94A60

## 1 Introduction

In [1], the authors offered two digital signature schemes that they claimed to be quantum safe, i.e., resistant to attacks by quantum algorithms.

Here, we show that, in fact, there is a polynomial-time quantum algorithm (for solving the hidden subgroup problem) that allows one to forge digital signatures in either scheme. Note that a polynomial-time quantum algorithm for solving the hidden subgroup problem in any abelian (=commutative) group was offered in [2] (see also [3]).

Moreover, we establish that the proposed schemes are typically vulnerable even to attacks that do not use quantum algorithms.

Several other, similar, digital signature schemes including [4] and [5] can be attacked using the same approach.

We also note that in [6], the authors suggested a public key establishment protocol based on similar ideas. That protocol was attacked in [7] by a method altogether different from ours.

## 2 Preliminaries

In [1], the authors use a particular finite associative algebra as the platform for their scheme, but our attack is not platform specific, i.e., it works for any associative algebra that fits the general design of the scheme, as described below.

Let $F$ be a field. An associative $F$-algebra (or an algebra over $F$, or simply an algebra if $F$ is clear from the context) is an associative ring, denoted here by $\langle \Sigma, +, \cdot \rangle$, which is a vector space over $F$, so that $(\alpha a) b = \alpha (a b) = a (\alpha b)$ for all $a, b \in \Sigma$, $\alpha \in F$. Here, $\Sigma$ denotes the set of elements of the ring, “+” denotes the operation of addition in $\Sigma$, “$\cdot$” denotes the operation of multiplication in $\Sigma$, and $\alpha b$ denotes the action of $\alpha \in F$ on $b \in \Sigma$.

In [1], the authors propose to use as a platform the finite-dimensional algebra $\langle \Sigma, +, \cdot \rangle$, with a fixed basis $e_0, e_1, \ldots, e_{m-1}$. Algebra elements are written as coordinate vectors with respect to this fixed basis. As usual, the multiplication operation of two vectors $a = \sum_{i=0}^{m-1} \alpha_i e_i$ and $b = \sum_{i=0}^{m-1} \beta_i e_i$ is defined by the following formula:

$$a b = \sum_{i=0}^{m-1} \sum_{j=0}^{m-1} \alpha_i \beta_j (e_i e_j),$$

where the products $e_i e_j$ are defined by the basis vector multiplication table. In [1], each $(i, j)$-entry of this table had the form $\lambda e_k$, where $\lambda \in F$, $k = k(i, j)$. The number of basis vectors $e_i$ was 4, and the following basis multiplication table was recommended:

$$\begin{array}{c|cccc}
 & e_0 & e_1 & e_2 & e_3 \\ \hline
e_0 & e_0 & e_1 & e_2 & e_3 \\
e_1 & e_1 & \mu e_0 & e_3 & \mu e_2 \\
e_2 & e_0 & e_1 & e_2 & e_3 \\
e_3 & e_1 & \mu e_0 & e_3 & \mu e_2
\end{array},$$

where $\mu$ is a fixed element of the ground field $F$.

Now let $\langle \Sigma, +, \cdot \rangle$ be an associative algebra. We say that

• $E \in \Sigma$ is the two-sided global unit if $\forall X \in \Sigma$ one has $EX = XE = X$;

• $L \in \Sigma$ is a left-sided global unit if $\forall X \in \Sigma$ one has $LX = X$;

• $R \in \Sigma$ is a right-sided global unit if $\forall X \in \Sigma$ one has $XR = X$;

• The local order of $W \in \Sigma$ is the least $n \in \mathbb{N}$ (if it exists) such that $W^n$ is a global (perhaps one-sided) unit.

The scheme proposed in [1] essentially uses only the operation $\cdot$ defined on $\Sigma$, i.e., uses the (finite) multiplicative semigroup $\langle \Sigma, \cdot \rangle$ as the platform.

We often use the following basic facts.

## Lemma 2.1

Suppose that $L \in \Sigma$ is a global left-sided unit and $AB = L$. Then for any $X \in \Sigma$ and $i \in \mathbb{N}$

1. $(XL)^i = X^i L$;

2. $(BXA)^i = B X^i A$.

## 3 The signature algorithms

The two proposed signature algorithms use the same public key generation procedure but slightly different signing/verification procedures. A public key is a triple $\langle Y, Z, T \rangle$ of elements of a semigroup $\langle \Sigma, \cdot \rangle$, generated as follows.

• Generate elements $A, B, L \in \Sigma$ and $A', B', L' \in \Sigma$, where $L, L'$ are global left-sided units satisfying

$$AB = L \quad \text{and} \quad A'B' = L'.$$

• Compute the local order $w$ of $B'$, i.e., the least $w \in \mathbb{N}$ satisfying $\forall X \in \Sigma$ $(B')^w X = X$, i.e., $(B')^w = L''$, where $L''$ is a global left-sided unit.

• Compute $T$ from the equation $AT = (B')^{w-1}$ (it is easy to see that $T = B(B')^{w-1}$ satisfies the equation).

• Generate $N \in \Sigma$ of local order $q$ (assumed to be a large prime number).

• Generate a uniformly random integer $x$, $0 \le x < w$, and compute $Y = B N^x A L$.

• Compute $Z = B' N A'$.

To summarize:

1. public information: $\langle \Sigma, \cdot \rangle, q, Y, Z, T$.

2. private information: $A, B, A', B', L, L', L'', N, x, w$.

### 3.1 Signature generation/verification algorithm A

A signature for a text $M$ (encoded by an element of $\Sigma$) is a pair $(v, s)$ generated using a (public) hash function $F_h : \Sigma \to \mathbb{Z}_q$ as follows.

• Generate a random nonnegative integer $k < q$ and compute $V = B N^k A'$.

• Compute $v = F_h(V)$.

• Compute $e = F_h(M)$ (it is assumed that $e \ne 0$).

• Compute $s = ke - xv \pmod{q}$.

A signature $(v, s)$ for $M$ is verified as follows.

• Compute $e = F_h(M)$.

• Compute $V' = Y^{v e^{-1}} T Z^{s e^{-1}}$, where $e^{-1}$ is the multiplicative inverse of $e$ mod $q$.

• Compute $v' = F_h(V')$.

• The signature is accepted if $v' = v$.

It is easy to check the soundness of the described protocol. Indeed,

$$V' = Y^{v e^{-1}} T Z^{s e^{-1}} = (B N^x A L)^{v e^{-1}} \, (B (B')^{w-1}) \, (B' N A')^{s e^{-1}} = B N^{x v e^{-1}} (B')^{w} N^{(ke - xv) e^{-1}} A' = B N^k A' = V.$$

Hence, $v' = F_h(V') = F_h(V) = v$.

### 3.2 Signature generation/verification algorithm B

The second signature scheme is slightly different from the first one. A signature for a text $M$ is a pair $(v, s)$ generated using a (public) hash function $F_h$ as follows.

• Generate a random integer $k < q$ and compute $V = B N^k A'$.

• Compute $v = F_h(M, V)$.

• Compute $s = k + xv \pmod{q}$.

A signature $(v, s)$ for $M$ is verified as follows.

• Compute $V' = Y^{q - v} T Z^{s}$.

• Compute $v' = F_h(M, V')$.

• The signature is accepted if $v' = v$.

### 3.3 Security assumption

There are several types of attack models against digital signature schemes described in [8]. Security of the above scheme A against key-only selective/universal forgery relies on computational hardness of the following algorithmic problem. For given $Y$, $Z$, $T$, $M$, and $F_h$ defined as earlier, compute a pair $(v_k, s_k)$, for a parameter value $k \in \mathbb{N}$ of our choice, where

• $v_k = F_h(B N^k A')$,

• $s_k = k F_h(M) - x v_k \pmod{q}$.

## 4 Algebraic cryptanalysis

The proposed digital signature schemes A and B are variations of the classical ElGamal scheme (see [9], Section 11.5.2), based on an algebraic platform. Recall that in schemes A and B, $x$ is a long-term key and $k$ is a session key. The key $k$ can be chosen by any user of the system, including a potential attacker. If the attacker, Eve, knows the key $x$, then she will be able to sign any message $M$ for any of the two schemes A and B. It is important to also note that if Eve can calculate the parameter $k$ for some digital signature session, then she can easily calculate $x$, thereby making the scheme vulnerable. Indeed, we have $x = k e v^{-1} - s v^{-1} \pmod{q}$ (scheme A) and $x = s v^{-1} - k v^{-1} \pmod{q}$ (scheme B).

In [1], the authors do not actually provide any cryptographic analysis, limiting themselves to a reference to the fact that the element $N$ is not public. Neither do they explain in scheme A what happens if $e = 0$, and therefore, $e^{-1}$ does not exist. The following argument shows that in many cases the parameter $k$ can be calculated by algebraic methods using the Jordan form of a matrix. In the remaining cases, it can be recovered by solving simultaneous discrete logarithm problems in the multiplicative group of a finite field, which is an extension of the ground field $F$.

It is easy to see that the public element $V = B N^k A'$ (common to both schemes A and B) is expressed as follows:

$$V = B N^k A' = B L'' N^k A' = B (B')^{w-1} B' N^k A' = \underbrace{(B (B')^{w-1})}_{T} \, \underbrace{(B' N A')}_{Z}{}^{k} = T Z^k.$$

To compute $k$ from $V$, we use the obtained expression $V = T Z^k$ as follows. Write the element $T$ in the form $T = \sum_{i=0}^{m-1} t_i e_i$ where $e_0, \ldots, e_{m-1}$ is a basis of $(\Sigma, +, \cdot)$, and $t_i \in F$ for $i = 0, \ldots, m-1$. Right multiplication by $Z$ defines a linear transformation of the algebra $\langle \Sigma, +, \cdot \rangle$ having a matrix $A(Z)$ with respect to the basis $e_0, \ldots, e_{m-1}$. With a particular basis multiplication table in [1], the matrix $A(Z)$ looks as follows:

$$A(Z) = \begin{pmatrix}
z_0 & z_1 & z_2 & z_3 \\
z_1 \mu & z_0 & z_3 \mu & z_2 \\
z_0 & z_1 & z_2 & z_3 \\
z_1 \mu & z_0 & z_3 \mu & z_2
\end{pmatrix},$$

where $\mu$ is a fixed element of the ground field $F$.

## Proposition 4.1

If the Jordan form of the matrix $A(Z)$ contains a cell of size $\ge 2$ with nontrivial diagonal elements, then the parameter $k$ is immediately calculated from $V = B N^k A' = T Z^k$. In other cases (i.e., if the matrix $A(Z)$ is diagonalizable), the problem of recovering $k$ is reduced to simultaneous discrete logarithm problems in the multiplicative group of a finite field.

## Proof

Note that $B' A T = (B')^w = L''$. Therefore, by solving the corresponding set of linear equations of the form $T' T e_i = e_i$, $i = 0, \ldots, m-1$, one can efficiently compute an element $T'$ such that $T' T$ is the global left unit $L$. Then $T' V = L Z^k = Z^k$.

Let $\tilde{A}(Z)$ be the Jordan form of the matrix $A(Z)$ and let $\tilde{A}(Z) = C^{-1} A(Z) C$ for some $m \times m$ matrix $C$. The Jordan form exists over an extension of the ground field $F$ obtained by adjoining to $F$ all roots of the characteristic polynomial of the matrix $A(Z)$. Note that with the parameters suggested in [1], the matrix $A(Z)$ is a $4 \times 4$ matrix, so the characteristic polynomial has degree 4 and therefore has at most four distinct roots. Actually, with the particular matrix $A(Z)$ (see aforementioned paragraphs), the characteristic polynomial is $\lambda^2 \left( \lambda^2 - 2(z_0 + z_2)\lambda + (z_0 + z_2)^2 - \mu (z_1 + z_3)^2 \right)$, so it has a root $\lambda = 0$ of multiplicity $\ge 2$.

Then, one can compute the Jordan form $\tilde{A}(Z^k) = C^{-1} A(Z^k) C$ of $A(Z^k)$. Suppose $\tilde{A}(Z)$ contains a cell of the following form:

$$\begin{pmatrix} \rho & 1 \\ 0 & \rho \end{pmatrix}.$$

Then $\tilde{A}(Z^k)$ contains the corresponding cell of the form

$$\begin{pmatrix} \rho^k & k \rho^{k-1} \\ 0 & \rho^k \end{pmatrix}.$$

If $\rho \ne 0$, then one immediately recovers $k = k \rho^{k-1} \cdot \rho \cdot (\rho^k)^{-1}$.

If $\rho = 0$, then a cell in $\tilde{A}(Z^k)$ with $\rho$ on the diagonal vanishes if $k \ge v$, where $v$ is the size of the cell. Since there are only a few values of $k$ with $k < v$, these values can be checked directly.

If in the matrix $\tilde{A}(Z)$ all other cells with nonzero diagonal entries are one dimensional, we obtain a set of equations of the form $\rho_i^k = \nu_i$, where $\rho_i$ are nonzero diagonal elements of $\tilde{A}(Z)$. That is, we obtain simultaneous discrete logarithm problems in a finite extension of the ground field $F$.

Thus, either each of the schemes A and B is vulnerable to a “classical” (i.e., not quantum) algebraic attack, or it can be attacked by the well-known quantum algorithm for computing the discrete logarithm [10].□

A similar analysis, but for different cryptographic schemes, was done in [11] (see also [12]).

## 5 A quantum attack

Let $\mathbb{Z}^k$ denote the free abelian group of rank $k$. We say that a function $f : \mathbb{Z}^k \to \{0, 1\}^n$ hides a subgroup $H$ of $\mathbb{Z}^k$ if for any $\bar{x}, \bar{y} \in \mathbb{Z}^k$ the following holds:

$$f(\bar{x}) = f(\bar{y}) \;\Leftrightarrow\; \bar{x} - \bar{y} \in H.$$

The hidden subgroup problem is an algorithmic problem of finding a subgroup $H$ (i.e., finding a generating set of $H$) hidden by a given function $f$.

## Lemma 5.1

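Consider $A, B, L, A', B', L' \in \Sigma$ such that

• $L, L'$ are global left-sided units,

• $AB = L$ and $A'B' = L'$,

• $N \in \Sigma$ of local order $q$.

Then for any $s, t \in \mathbb{Z}$

$$B N^s A' = B N^t A' \;\Leftrightarrow\; s \equiv t \bmod q.$$

## Proof

The right-to-left implication follows from the assumption that $N$ has local order $q$. Conversely,

$$\begin{aligned}
B N^s A' = B N^t A' &\;\Rightarrow\; A B N^s A' B' = A B N^t A' B' \\
&\;\Rightarrow\; L N^s L' = L N^t L' \\
&\;\Rightarrow\; N^s L' = N^t L' \\
&\;\Rightarrow\; N^s L' N = N^t L' N \\
&\;\Rightarrow\; N^{s+1} = N^{t+1} \\
&\;\Rightarrow\; s \equiv t \bmod q.
\end{aligned}$$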

## Proposition 5.2

Let $x$ and $q$ be as defined in the beginning of Section 3. Then the function $f(i, j) = Y^i T Z^j$ hides the subgroup of $\mathbb{Z}^2$ generated by

$$\left( \frac{q}{\gcd(x, q)}, 0 \right), \quad (0, q), \quad (1, -x).$$

## Proof

Indeed, $f(i, j) = Y^i T Z^j = (B N^x A L)^i \, T \, (B' N A')^j = B N^{ix + j} A'$, and therefore,

$$\begin{aligned}
f(i, j) = f(i', j') &\;\Leftrightarrow\; ix + j = i'x + j' \pmod{q} \quad (\text{by Lemma (5.4)}) \\
&\;\Leftrightarrow\; (i - i')x + (j - j') = 0 \pmod{q} \\
&\;\Leftrightarrow\; (i - i', j - j') \in \mathrm{gp}\left\langle \left( \frac{q}{\gcd(x, q)}, 0 \right), (0, q), (1, -x) \right\rangle,
\end{aligned}$$

where the latter notation is for “group generated by listed elements.”□
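The identity $V = TZ^k$ from Section 4 and the fact that $f(i, j)$ depends only on $ix + j$ mod $q$ can both be checked on a toy instance. The Python sketch below is an added example, not code from the paper or from [1]: the parameters ($p = 11$, $\mu = 2$, $q = 5$), the sample elements and all function names are assumptions made for illustration, and the exhaustive search in `recover_x` stands in for the quantum hidden-subgroup step.

```python
# Added example, not from the paper. Toy parameters are constructed for illustration.
P, MU, Q = 11, 2, 5      # field F_11, table constant mu = 2, prime Q dividing 11^2 - 1
ODD = [(1, 1), (MU, 0), (1, 3), (MU, 2)]       # rows e_1 and e_3 of the basis table
BASIS = [tuple(int(i == j) for j in range(4)) for i in range(4)]

def mul(a, b):
    c = [0] * 4
    for i in range(4):
        for j in range(4):
            lam, k = (1, j) if i % 2 == 0 else ODD[j]   # e_i e_j = lam * e_k
            c[k] = (c[k] + a[i] * b[j] * lam) % P
    return tuple(c)

def power(a, n):         # n >= 1: the algebra has no two-sided unit
    r = a
    for _ in range(n - 1):
        r = mul(r, a)
    return r

def local_order(a):      # least n with a^n a global left-sided unit, else None
    r = a
    for n in range(1, P * P):
        if all(mul(r, e) == e for e in BASIS):
            return n
        r = mul(r, a)
    return None

def partner(a, unit):    # b with a*b = unit, since a * (a^(n-1) * unit) = a^n * unit
    return mul(power(a, local_order(a) - 1), unit)

def keygen(x):
    L, L1 = BASIS[0], BASIS[2]                 # e_0 and e_2 are left-sided units
    A, A1 = (3, 1, 4, 1), (2, 7, 1, 8)         # constructed elements A and A'
    B, B1 = partner(A, L), partner(A1, L1)
    T = mul(B, power(B1, local_order(B1) - 1)) # T = B (B')^(w-1)
    G = next(g for g in ((a, b, 0, 0) for a in range(P) for b in range(P))
             if (local_order(g) or 1) % Q == 0)
    N = power(G, local_order(G) // Q)          # N has local order Q
    Y = mul(mul(mul(B, power(N, x)), A), L)    # Y = B N^x A L
    Z = mul(mul(B1, N), A1)                    # Z = B' N A'
    return (Y, Z, T), (B, N, A1)

def f(pub, i, j):        # the page's f(i, j) = Y^i T Z^j, for i, j >= 1
    Y, Z, T = pub
    return mul(mul(power(Y, i), T), power(Z, j))

def recover_x(pub):      # exhaustive stand-in for the hidden-subgroup step
    target = f(pub, 2, 1)                      # (1, -x) in H  =>  f(2, 1) = f(1, 1 + x)
    return next(x for x in range(1, Q + 1) if f(pub, 1, 1 + x) == target)
```

With these toy sizes the search is instantaneous; the point is that `recover_x` uses only the public triple, which is exactly what Proposition 5.2 says the function $f$ exposes.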

## Corollary 5.3

There is a polynomial-time quantum algorithm that for a given public key $(Y, Z, T)$ finds private $x$ and $q$.

## Proof

The algorithm solves, in polynomial time, the hidden subgroup problem for the function $f(i, j)$ introduced in Proposition 5.2 by using the general quantum algorithm from [2]. It then finds a particular generating set of this subgroup. Note that every nontrivial subgroup of $\mathbb{Z}^2$ is either cyclic or two-generated, and in our case, it is actually two-generated. Computing the row-style Hermite normal form (an analogue of the reduced row-echelon form for matrices over $\mathbb{Z}$) of the $2 \times 2$ matrix of generators of $H$ should produce the matrix whose rows are $(1, -x)$ and $(0, q)$, thus revealing $x$ and $q$.□
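The Hermite normal form step of this proof, as an added Python example (not from the paper; the function names and the sample generating sets are constructed). It reduces any integer generating set of the hidden subgroup to two rows, the first being $(1, -x \bmod q)$ and the second $(0, q)$, and reads $x$ and $q$ from them.

```python
from math import gcd

def hnf_rows(gens):
    """Row-style Hermite normal form of the subgroup of Z^2 spanned by gens."""
    a, d = (0, 0), 0                  # a: row with leading entry; (0, d): second row
    for g in gens:
        while g[0] != 0:              # Euclid on first coordinates (unimodular row ops)
            t = a[0] // g[0]
            a, g = g, (a[0] - t * g[0], a[1] - t * g[1])
        d = gcd(d, g[1])              # g is now (0, *): merge it into the second row
    if a[0] < 0:
        a = (-a[0], -a[1])
    if d:
        a = (a[0], a[1] % d)          # reduce the entry above the pivot d
    return a, (0, d)

def read_key(gens):
    """Return (x, q) when the subgroup is the one from Proposition 5.2."""
    (lead, h), (_, q) = hnf_rows(gens)
    if lead != 1 or q == 0:
        raise ValueError("subgroup is not generated by (1, -x) and (0, q)")
    return (-h) % q, q

# Constructed generating sets of {(i, j) : i*x + j = 0 mod q} with x = 37, q = 101.
SAMPLE_A = [(101, 0), (0, 101), (1, -37)]
SAMPLE_B = [(3, -10), (2, 27)]
```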

## Proposition 5.4

Knowledge of x allows the attacker to forge signatures for the scheme A.

## Proof

To forge a signature for a plaintext M perform the following:

• Compute $e = F_h(M)$.

• Since we know $x$, for any choice of $k \ge 1$, we can find $i, j \ge 1$ satisfying $k = ix + j \pmod{q}$. In this case, one has $f(i, j) = Y^i T Z^j = B N^k A'$. This is our $V$.

• Then we compute $v$ and $s$ as in the algorithm in Section 3.1.

Obviously, the pair $(v, s)$ so constructed will be accepted by the verifier.□

## 6 Conclusion

In this article, we have reported polynomial-time quantum algorithms that successfully attack two digital signature schemes offered in [1]. We have also shown that in many cases these schemes are vulnerable even to “classical” algebraic attacks.

Similar digital signature schemes including [4] and [5] can be attacked using the same approach. In particular, the signature scheme in [4] is a special case of the scheme B described in our Section 3.2.

## Acknowledgments

The research of the first author was partially funded through the Institute of Mathematics of the Siberian Branch of the Russian Academy of Sciences, project FWNF-2022-0003.

1. Funding information: The research of Vitaly Roman’kov was partially funded through the Institute of Mathematics of the Siberian Branch of the Russian Academy of Sciences, project FWNF-2022-0003.

2. Conflict of interest: Prof. Vladimir Shpilrain is a member of the Editorial Board of the Journal of Mathematical Cryptology but was not involved in the review process of this article.

## References

[1] Moldovyan D, Moldovyan A, Sklavos N. Post-quantum signature schemes for efficient hardware implementation. In: Proceedings of the 10th IFIP International Conference on New Technologies, Mobility and Security (NTMS 2019), IEEE; 2019. p. 1–5. doi:10.1109/NTMS.2019.8763858

[2] Kitaev A. Quantum measurements and the Abelian stabilizer problem. Preprint. 1995. http://arxiv.org/abs/quant-ph/9511026.

[3] Vyalyi M, Kitaev A, Shen A. Classical and quantum computation. American Mathematical Society; 2002. doi:10.1090/gsm/047

[4] Moldovyan A, Moldovyan N. Post-quantum signature algorithms based on the hidden discrete logarithm problem. Comput Sci J Moldova. 2018;26:301–13.

[5] Moldovyan D, Moldovyan A, Moldovyan N. Digital signature scheme with doubled verification equation. Comput Sci J Moldova. 2020;28:80–103. doi:10.52190/2073-2600_2021_2_30

[6] Moldovyan D, Moldovyan N. A new hard problem over non-commutative finite groups for cryptographic protocols. In: Computer network security. Berlin Heidelberg: Springer; 2010. p. 183–94. doi:10.1007/978-3-642-14706-7_14

[7] Kuzmin AS, Markov VT, Mikhalev AA, Mikhalev AV, Nechaev AA. Cryptographic algorithms on groups and algebras. J Math Sci. 2017;223:629–41. doi:10.1007/s10958-017-3371-y

[8] Goldwasser S, Micali S, Rivest R. A digital signature scheme secure against adaptive chosen-message attacks. SIAM J Comput. 1988;17:281–308. doi:10.1137/0217017

[9] Menezes A, van Oorschot P, Vanstone S. Handbook of applied cryptography. Boca Raton, Florida: CRC Press; 1996.

[10] Shor P. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM J Comput. 1997;26(5):1484–509. doi:10.1137/S0097539795293172

[11] Roman’kov V. Cryptanalysis of a combinatorial public key cryptosystem. Groups Complexity Cryptol. 2017;9(2):125–35. doi:10.1515/gcc-2017-0013

[12] Roman’kov V. Essays in algebra and cryptology: algebraic cryptanalysis. Omsk: Omsk State University; 2018.