A.4.1 Elementary matrices (Chevalley generators) for twisted orthogonal groups O�ð Þ 2l; k

In this section, we describe row-column operations for twisted Chevalley groups. These groups are also known as the Steinberg groups. An element

g ∈ O�ð Þ 2l; k is denoted as g ¼ A<sup>0</sup> X Y E AB F CD 0 B@ 1 CA, where A, B, C, and <sup>D</sup> are

ð Þ� l � 1 ð Þ l � 1 matrices, X and Y are 2 � ð Þ l � 1 matrices, E and F are ð Þ� l � 1 2 matrices, and A<sup>0</sup> is a 2 � 2 matrix. In the Gaussian elimination algorithm that we discuss, we reduce X, Y, E, F, B, and C to zero and A and D to diagonal matrices.

However, unlike the previous cases, we were unable to reduce A<sup>0</sup> to an identity matrix. However, for odd characteristics we were able to reduce A<sup>0</sup> to a twoparameter subgroup.

<sup>x</sup>1ð Þ¼ <sup>t</sup>; <sup>s</sup> <sup>I</sup> <sup>þ</sup> ð Þ <sup>t</sup> � <sup>1</sup> <sup>e</sup>1, <sup>1</sup> � ð Þ <sup>t</sup> <sup>þ</sup> <sup>1</sup> <sup>e</sup>�1,�<sup>1</sup> <sup>þ</sup> s eð Þ �1, <sup>1</sup> <sup>þ</sup> <sup>ϵ</sup>e1,�<sup>1</sup> ; t<sup>2</sup> <sup>þ</sup> <sup>ϵ</sup><sup>s</sup>

The MOR Cryptosystem in Classical Groups with a Gaussian Elimination Algorithm…

no such reduction is possible, and we included the matrix t p

generators with the condition that the determinant is 1.

in the list of elementary matrices in Table A7. In the case of even characteristics,

The elementary matrices for O�ð Þ 2l; k depend on the characteristics of k. We describe them separately in the following table. Let α be an Arf-invariant, 2 ≤i, j≤l

Let us note the effect of multiplying g by elementary matrices. Elementary matrices for the twisted orthogonal group in even characteristics differ from that of odd characteristics, so in the following tables (Tables A8 and A9), we made that distinction and listed them separately in different rows according to the

ER1 (both) ith↦ith þ tjth row and �jth↦ � jth � tð Þ �i th row ER2 (both) ith↦ith þ tð Þ �j th row and jth↦jth � tð Þ �i th row ER3 (both) �ith↦ � ith � tjth row and �jth↦ � jth þ tith row

ER4 (odd) 1st↦1st � tð Þ �i th row and ith↦ith þ 2t1st � t

ER5 (odd) 1st↦1st þ tith row and ð Þ �i th↦ð Þ �i th � 2t1st � t

ER8 (even) 1st↦1st þ tð Þ �i th row and ith↦ith þ tð Þ �1 th þ αt

wi (both) Interchange ith and ð Þ �i th row

ER9 (even) ð Þ �1 th↦ð Þ �1 th þ tð Þ �i th row and ith↦ith þ t1st þ αt

EC1(both) jth↦jth þ tith column and �ith↦ � ith � tð Þ �j th column EC2 (both) �ith↦ � ith � tjth column and �jth↦ � jth þ tith column EC3 (both) jth↦jth þ tð Þ �i th column and ith↦ith � tð Þ �j th column EC4 (odd) 1st↦1st þ 2tith column and ð Þ �i th↦ð Þ �i th � t1st � t

EC6 (odd) ð Þ �1 th↦ð Þ �1 th þ ð Þ 2εt ith column and ð Þ �i th↦ð Þ �i th � tð Þ �1 th � εt

EC7 (odd) ð Þ �1 th↦ð Þ �1 th � 2εtð Þ �i th column and ith↦ith þ tð Þ �1 th � εt

EC8 (even) ð Þ �1 th↦ð Þ �1 th þ tith column and ð Þ �i th↦ð Þ �i th þ t1st þ αt

EC9 (even) 1st↦1st þ tith column and ð Þ �i th↦ð Þ �i th þ tð Þ �1 th þ αt

wi (both) Interchange ith and (�i)th column

EC5 (odd) 1st↦1st � 2tð Þ �i th column and ith↦ith þ t1st � t

ER6 (odd) ð Þ �1 th↦ð Þ �1 th � tð Þ �i th row and ith↦ith þ 2εtð Þ �1 th � εt

ER7 (odd) ð Þ �1 th↦ð Þ �1 th þ tith row and ð Þ �i th↦ð Þ �i th � 2εtð Þ �1 th � εt

Row operations

Column operations

x<sup>2</sup> ¼ I � 2e�1,�1,

DOI: http://dx.doi.org/10.5772/intechopen.84663

and t∈K and ξ∈ k�.

characteristics of k.

Table A8.

Table A9.

111

The column operations for O�ð Þ 2l; k .

The row operations for O�ð Þ 2l; k .

<sup>2</sup> <sup>¼</sup> <sup>1</sup>,

r s in the list of

<sup>2</sup>ð Þ �<sup>i</sup> th row

<sup>2</sup>ith row

<sup>2</sup>ð Þ �<sup>i</sup> th row

<sup>2</sup>ith column

<sup>2</sup>ith column

<sup>2</sup>ð Þ �<sup>i</sup> th column

<sup>2</sup>ith column

<sup>2</sup>ith column

<sup>2</sup>ð Þ �<sup>i</sup> th column

<sup>2</sup>ð Þ �<sup>i</sup> th row

<sup>2</sup>ð Þ �<sup>i</sup> th row

<sup>2</sup>ith row

We now talk about the output of the algorithm. In the output we will have a <sup>2</sup> � 2 block (also called <sup>A</sup>0) which will satisfy TA0β0A<sup>0</sup> <sup>¼</sup> <sup>β</sup>0, where <sup>β</sup><sup>0</sup> <sup>¼</sup> 1 0 0 ϵ for odd characteristics and ε is a non-square. Then A<sup>0</sup> is a orthogonal matrix given by the bilinear form <sup>β</sup>0. Now if we write <sup>A</sup><sup>0</sup> <sup>¼</sup> a b c d , then we get the following equations:

$$a^2 + c^2 \epsilon = \mathbf{1}, \quad ab + cd\epsilon = \mathbf{0}, \quad b^2 + d^2 \epsilon = \epsilon.$$

Considering the fact that detð Þ¼� A<sup>0</sup> 1, one more equation ad � bc ¼ �1 and this leads to two cases either a ¼ d and b ¼ �cϵ or a ¼ �d and b ¼ cϵ. Recall that, since ϵ is not a square, d 6¼ 0. Then if c ¼ 0, then there are four choices for A<sup>0</sup> and these are <sup>A</sup><sup>0</sup> <sup>¼</sup> �1 0 0 �1 .

To summarize, the output of the algorithm A<sup>0</sup> will have one of the following forms

$$
\begin{pmatrix} t & -s\epsilon \\ s & t \end{pmatrix} \text{or} \quad \begin{pmatrix} t & s\epsilon \\ s & -t \end{pmatrix},
\text{where} \quad t^2 + s^2\epsilon = \mathbf{1},\tag{A.6}
$$

and t∈k�, s ∈k, and ϵ are non-square. There are now two ways to describe the algorithm: one is to leave A<sup>0</sup> as it is in the output of the algorithm, and the other is to include these matrices as generators. For the purpose of uniform exposition, we chose the latter and included the following two generators


#### Table A7. Elementary matrices for O�ð Þ 2l; k .

The MOR Cryptosystem in Classical Groups with a Gaussian Elimination Algorithm… DOI: http://dx.doi.org/10.5772/intechopen.84663

$$\begin{aligned} \varkappa\_1(t,s) &= I + (t-1)e\_{1,1} - (t+1)e\_{-1,-1} + s(e\_{-1,1} + \epsilon e\_{1,-1}); \quad t^2 + \epsilon s^2 = 1, \\ \varkappa\_2 &= I - 2e\_{-1,-1}, \end{aligned}$$

in the list of elementary matrices in Table A7. In the case of even characteristics, no such reduction is possible, and we included the matrix t p r s in the list of generators with the condition that the determinant is 1.

The elementary matrices for O�ð Þ 2l; k depend on the characteristics of k. We describe them separately in the following table. Let α be an Arf-invariant, 2 ≤i, j≤l and t∈K and ξ∈ k�.

Let us note the effect of multiplying g by elementary matrices. Elementary matrices for the twisted orthogonal group in even characteristics differ from that of odd characteristics, so in the following tables (Tables A8 and A9), we made that distinction and listed them separately in different rows according to the characteristics of k.


#### Table A8.

However, unlike the previous cases, we were unable to reduce A<sup>0</sup> to an identity matrix. However, for odd characteristics we were able to reduce A<sup>0</sup> to a two-

We now talk about the output of the algorithm. In the output we will have a <sup>2</sup> � 2 block (also called <sup>A</sup>0) which will satisfy TA0β0A<sup>0</sup> <sup>¼</sup> <sup>β</sup>0, where <sup>β</sup><sup>0</sup> <sup>¼</sup> 1 0

for odd characteristics and ε is a non-square. Then A<sup>0</sup> is a orthogonal matrix given

<sup>ϵ</sup> <sup>¼</sup> <sup>1</sup>, ab <sup>þ</sup> cd<sup>ϵ</sup> <sup>¼</sup> <sup>0</sup>, b<sup>2</sup> <sup>þ</sup> <sup>d</sup><sup>2</sup>

Considering the fact that detð Þ¼� A<sup>0</sup> 1, one more equation ad � bc ¼ �1 and this leads to two cases either a ¼ d and b ¼ �cϵ or a ¼ �d and b ¼ cϵ. Recall that, since ϵ is not a square, d 6¼ 0. Then if c ¼ 0, then there are four choices for A<sup>0</sup> and

To summarize, the output of the algorithm A<sup>0</sup> will have one of the following

and t∈k�, s ∈k, and ϵ are non-square. There are now two ways to describe the algorithm: one is to leave A<sup>0</sup> as it is in the output of the algorithm, and the other is to include these matrices as generators. For the purpose of uniform exposition, we

, where t

wi I � ei,i � e�i,�<sup>i</sup> þ ei,�<sup>i</sup> þ e�i,i 2≤i≤ l

xA<sup>0</sup> <sup>I</sup> <sup>þ</sup> ð Þ <sup>t</sup> � <sup>1</sup> <sup>e</sup>1, <sup>1</sup> <sup>þ</sup> ð Þ <sup>s</sup> � <sup>1</sup> <sup>e</sup>�1,�<sup>1</sup> <sup>þ</sup> pe1,�<sup>1</sup> <sup>þ</sup> re�1, <sup>1</sup> ts <sup>þ</sup> pr <sup>¼</sup> <sup>1</sup>

x1ð Þ t; s I þ ð Þ t � 1 e1, <sup>1</sup> � ð Þ t þ 1 e�1,�<sup>1</sup> þ s eð Þ �1, <sup>1</sup> þ εe1,�<sup>1</sup> t

<sup>2</sup> <sup>þ</sup> <sup>s</sup> 2

<sup>i</sup> 6¼ <sup>j</sup>

i , j

i , j

<sup>2</sup>e�i,i <sup>2</sup>≤i<sup>≤</sup> <sup>l</sup>

<sup>2</sup>ei,�<sup>i</sup> 2≤i≤ l

<sup>2</sup>e�i,i <sup>2</sup>≤i<sup>≤</sup> <sup>l</sup>

<sup>2</sup>ei,�<sup>i</sup> <sup>2</sup>≤i<sup>≤</sup> <sup>l</sup>

<sup>2</sup>ei,�<sup>i</sup> <sup>2</sup>≤i<sup>≤</sup> <sup>l</sup>

<sup>2</sup>ei,�<sup>i</sup> <sup>2</sup>≤i<sup>≤</sup> <sup>l</sup>

<sup>2</sup> <sup>þ</sup> <sup>ε</sup><sup>s</sup> <sup>2</sup> <sup>¼</sup> <sup>1</sup>

t sϵ s �t 

c d 

by the bilinear form <sup>β</sup>0. Now if we write <sup>A</sup><sup>0</sup> <sup>¼</sup> a b

Modern Cryptography – Current Challenges and Solutions

.

or

chose the latter and included the following two generators

Char(k) Elementary matrices

Both xi,�<sup>j</sup>ð Þt I þ t ei,�<sup>j</sup> � ej,�<sup>i</sup>

Odd x�1,ið Þt I þ tð�e�1,�<sup>i</sup> þ 2εei,�<sup>1</sup>Þ � εt

Even x�1,�<sup>i</sup>ð Þt I þ te�1,�<sup>i</sup> þ tei, <sup>1</sup> þ αt

xi,jð Þt I þ t ei,j � e�j,�<sup>i</sup>

x�i,jð Þt I þ t e�i,j � e�j,i

xi, <sup>1</sup>ð Þt I þ t eð Þ� <sup>1</sup>,i � 2e�i, <sup>1</sup> t

x1,ið Þt I þ tð�e1,�<sup>i</sup> þ 2ei, <sup>1</sup>Þ � t

xi,�<sup>1</sup>ð Þt I þ t eð �1,i � 2εe�i,�<sup>1</sup>Þ � εt

x<sup>2</sup> I � 2e�1,�<sup>1</sup> x1,�<sup>i</sup>ð Þt I þ te1,�<sup>i</sup> þ tei,�<sup>1</sup> þ αt

<sup>a</sup><sup>2</sup> <sup>þ</sup> <sup>c</sup> 2

0 �1 

> t �sϵ s t

0 ϵ 

, then we get the following

ϵ ¼ 1, (A.6)

ϵ ¼ ϵ:

parameter subgroup.

these are <sup>A</sup><sup>0</sup> <sup>¼</sup> �1 0

equations:

forms

Table A7.

110

Elementary matrices for O�ð Þ 2l; k .

The row operations for O�ð Þ 2l; k .


#### Table A9.

The column operations for O�ð Þ 2l; k .

Note that any isometry <sup>g</sup> satisfies Tgβ<sup>g</sup> <sup>¼</sup> <sup>β</sup>. The main reason the following algorithm works is the closed condition Tgβ<sup>g</sup> <sup>¼</sup> <sup>β</sup> which gives the following relations:

$$\prescript{T}{}{A}\_{0}\beta\_{0}A\_{0} + \prescript{T}{}{F}\mathbf{E} + \prescript{T}{}{E}\mathbf{F} = \beta\_{0},\tag{A.7}$$

Step 7: Using elementary matrix xA<sup>0</sup> , we can reduce g to

The MOR Cryptosystem in Classical Groups with a Gaussian Elimination Algorithm…

Lemma A.2 Let k be a field of characteristics 2 and let g ¼

Recall that for a column vector x ¼ x1; x�1; x2; …; xl ð Þ ; x�2; …; x�<sup>l</sup>

Proof. Let e1;e�1;e2; …;el f g ;e�2; …;e�<sup>l</sup> be the standard basis of the vector space V.

<sup>1</sup> <sup>þ</sup> <sup>x</sup><sup>2</sup> �1

x21⋯x<sup>2</sup>ð Þ <sup>l</sup>�<sup>1</sup>

<sup>2</sup> <sup>þ</sup> <sup>t</sup> <sup>þ</sup> <sup>α</sup> is irreducible over k t½ �. Thus, <sup>x</sup>2<sup>i</sup> <sup>¼</sup> 0 for all 2 <sup>≤</sup>i<sup>≤</sup> <sup>l</sup> and hence

!

<sup>2</sup> <sup>þ</sup> <sup>t</sup> <sup>þ</sup> <sup>α</sup> is irreducible over k t½ �. By definition, for any <sup>g</sup> <sup>∈</sup> <sup>O</sup>�ð Þ <sup>2</sup>l; <sup>k</sup> , we have

x2<sup>i</sup> ¼ 0 then we can see that x1<sup>i</sup> ¼ 0. Suppose x2<sup>i</sup> 6¼ 0 for some i, then we rewrite the

<sup>þ</sup> <sup>x</sup>1<sup>i</sup> x2i

We establish that the worst-case time complexity of the above algorithm is

Step 1: We make A a diagonal matrix by row-column operations that has

Step 3: In odd-orthogonal group and twisted orthogonal group, we clear

Step 4: This step has only a few operations that is independent of l.

Then clearly, the time complexity of our algorithm is O l

Step 2: In making both C and B zero matrix, we multiply two rows by a field element and additions. In the worst case, it has to be done Oð Þl times and done

We have implemented the above algorithms in Magma [25]. For details of that implementation along with performance analysis of our algorithm, we refer to

<sup>3</sup> � �.

<sup>2</sup> � �.

x2i � �<sup>2</sup>

A ¼ diag 1ð Þ ; 1; …; 1; λ , be an element of O�ð Þ 2l; k then X ¼ 0.

puting Qge ð Þ¼ ð Þ<sup>i</sup> Q eð Þ<sup>i</sup> for all 2≤<sup>i</sup> <sup>≤</sup>l, we can see that <sup>α</sup> <sup>x</sup><sup>2</sup>

A<sup>0</sup> X Y E AB F 0 D

be a 2 � ð Þ l � 1 matrix. Com-

1

, the action of the

CA, where

0

B@

<sup>1</sup><sup>i</sup> <sup>þ</sup> <sup>x</sup><sup>2</sup> 2i � � <sup>þ</sup> <sup>x</sup>1ix2<sup>i</sup> <sup>¼</sup> 0. If

<sup>3</sup> � �.

þ α ¼ 0, which is a contradiction to the

� � <sup>þ</sup> <sup>x</sup>1x�<sup>1</sup> <sup>þ</sup> … <sup>þ</sup> xlx�l, where

t

diag I2; 1; …; λ; 1; …; λ�<sup>1</sup> � �.

DOI: http://dx.doi.org/10.5772/intechopen.84663

quadratic form <sup>Q</sup> is given by Q xð Þ¼ <sup>α</sup> <sup>x</sup><sup>2</sup>

equation by dividing it by x2<sup>i</sup> as α <sup>x</sup>1<sup>i</sup>

complexity O l

Bhunia et al. ([24], Section 8).

O l

<sup>3</sup> � �.

Qgx ð Þ¼ ð Þ Q xð Þ for all <sup>x</sup>∈V. Let <sup>X</sup> <sup>¼</sup> <sup>x</sup>11⋯x1ð Þ <sup>l</sup>�<sup>1</sup>

A.5 Time complexity of the above algorithms

<sup>3</sup> � �. We mostly count the number of field multiplications.

<sup>2</sup> � � many times. So the complexity is O l

X, Y, E, F, this clearly has complexity O l

αt

fact that αt

X ¼ 0. •

O l

113

$${}^{T}\mathbf{A}\_{0}\boldsymbol{\theta}\_{0}\mathbf{X} + {}^{T}\mathbf{F}\mathbf{A} + {}^{T}\mathbf{E}\mathbf{C} = \mathbf{0},\tag{A.8}$$

$${}^{T}A\_{0}\boldsymbol{\beta}\_{0}\mathbf{Y} + {}^{T}\mathbf{F}\mathbf{B} + {}^{T}\boldsymbol{E}\mathbf{D} = \mathbf{0},\tag{A.9}$$

$$\mathbf{^T X} \beta\_0 \mathbf{X} + \mathbf{^T C} \mathbf{A} + \mathbf{^T A C} = \mathbf{0},\tag{A.10}$$

$$\mathbf{T}^T \mathbf{X} \boldsymbol{\beta}\_0 \mathbf{Y} + \mathbf{T}^T \mathbf{C} \mathbf{B} + \mathbf{T}^T \mathbf{A} \mathbf{D} = \mathbf{I}\_{l-1}.\tag{A.11}$$
