Practical Cryptanalysis of k-ary \(C^*\)

Abstract

Recently, an article by Felke appeared in Cryptography and Communications discussing the security of biquadratic \(C^*\) and a further generalization, k-ary \(C^*\). The article derives lower bounds for the complexity of an algebraic attack, directly inverting the public key, under an assumption that the first-fall degree is a good approximation of the solving degree, an assumption that the paper notes requires “greater justification and clarification.”

In this work, we provide a practical attack breaking all k-ary \(C^*\) schemes. The attack is based on differential techniques and requires nothing but the ability to evaluate the public key and solve linear systems. In particular, the attack breaks the parameters provided in CryptoChallenge 11 by constructing and solving linear systems of moderate size in a few minutes.

Appendices

A Algorithms

B The Multiplicative Symmetry

We first derive a modest generalization of [24, Theorem 1].

Lemma 1

Let \(\mathbb {K}\) be an extension of \(\mathbb {F}\), \(f:\mathbb {K}^r\rightarrow \mathbb {K}\) be a polynomial, and \(g:\mathbb {K}^r\rightarrow \mathbb {K}\) be a monomial summand of f. If f is \(\mathbb {F}\)-multilinear, then g is \(\mathbb {F}\)-multilinear.

Proof

Since the discrete differential operator D is linear, we may take the differential with respect to an arbitrary variable, \(x_d\), and obtain

$$ 0=D_{x_d}f=\sum _iD_{x_d}g_i=\sum _ic_i\sum _{j=1}^{\alpha _{i,d}-1}{\alpha _{i,d}\atopwithdelims ()j}a^jx_1^{\alpha _{i,1}}\cdots x_d^{\alpha _{i,d}-j}\cdots x_r^{\alpha _{i,r}}, $$

where the binomial coefficients are computed modulo \(char(\mathbb {K})\). Since necessarily the multidegree of each \(g_i\) is unique, the multidegree of every summand is unique. Therefore, we find that \(D_{x_d}g_i=0\) for all i. Therefore, since all \(c_i\) are nonzero and the monomials \(x^\alpha \), \(\alpha =(\alpha _1,\ldots ,\alpha _r)\), are linearly independent in \(\mathbb {K}[a,x_1\ldots ,x_r]\), we have that for all d and i that \(char(\mathbb {K})\) divides \(\alpha _{i,d}\). Thus by the binomial theorem, every summand \(g_i\) of f is \(\mathbb {F}\)-additive.

Since f is \(\mathbb {F}\)-multilinear, \(f(x_1,\ldots ,ax_d,\ldots ,x_r)=af(x_1,\ldots ,x_r)\) for all d, for all \(a\in \mathbb {F}\) and for all x. Again, by the independence of the monomials \(x^\alpha \), the monomial summand \(g_i\) must satisfy \(g_i(x_1,\ldots ,ax_d,\ldots ,x_r)=ag_i(x_1,\ldots ,x_r)\), and thus \(g_i\) is \(\mathbb {F}\)-linear. As a bonus, considering the exponent of a in this expression shows that \(\alpha _{i,d}\) is a multiple of q, the order of \(\mathbb {F}\), for all i and d.

The usefulness of this result lies in its corollary.

Corollary 1

Let \(f:\mathbb {K}\rightarrow \mathbb {K}\) be a polynomial, and let \(g:\mathbb {K}\rightarrow \mathbb {K}\) be a monomial summand of f. If \(D^nf\) is multilinear, then \(D^ng\) is multilinear.

For simplicity of notation and consistency with previous work, see [24], we call the polynomial in \(\sigma \) on the right hand side of Eq. 2 the separation polynomial.

Lemma 2

Let \(g:\mathbb {K}\rightarrow \mathbb {K}\) be a monomial function. Then g has the multiplicative symmetry. Furthermore, two monomial functions \(g_1\) and \(g_2\) share the same separation polynomial if and only if \(g_1=cg_2\) for some constant c.

Proof

Note that the proof of Theorem 1 applies to any monomial. Further notice that the separation polynomial is of the form

$$ p(\sigma )=\sum _{i=1}^r\sigma ^{q^{\alpha _i}}, $$

where \(g(x)=cx^\alpha =cx_1^{\alpha _1}\cdots x_r^{\alpha _r}\). Clearly the sum of the exponents in p is the multidegree of g, and thus any two monomials \(g_1\) and \(g_2\) sharing the same separation polynomial have the same multidegree, and \(g_1=cg_2\).

Now we can classify all field maps with the general multiplicative symmetry.

Theorem 2

A function \(f:\mathbb {K}\rightarrow \mathbb {K}\) has the multiplicative symmetry if and only if it has a unique summand of maximum q-weight.

Proof

\((\Leftarrow )\) Suppose that f has a unique summand, g, of maximum q-weight k. Given any other monomial summand, h, we have the q-weight condition:

where wt(x, j) is the q-weight of x in j. Thus \(D^{k-1}f=D^{k-1}g\), and f has the multiplicative symmetry with the same separation polynomial as g.

\((\Rightarrow )\) Suppose, by way of contradiction, that f has the multiplicative symmetry and has r distinct monomial summands, \(g_m\), of maximum q-weight k. Then we have

$$\begin{aligned} D^kf=\sum _{m=1}^rD^kg_m. \end{aligned}$$

(4)

By Lemma 2, each monomial summand has a unique separation polynomial, \(p_{g_m}\). Let \(p_f\) represent the separation polynomial of f. Since f has the multiplicative symmetry, we have:

$$\begin{aligned} \begin{aligned} \sum _{i=0}^kD^kf(\sigma ^{\delta _{0i}}x_0,\ldots ,\sigma ^{\delta _{ki}}x_k)&=p_f(\sigma )D^kf(x_0,\ldots ,x_k)\\&=p_f(\sigma )\sum _{m=1}^rD^kg_m(x_0,\ldots ,x_k). \end{aligned} \end{aligned}$$

(5)

On the other hand,

$$\begin{aligned} \begin{aligned} \sum _{i=0}^kD^kf(\sigma ^{\delta _{0i}}x_0,\ldots ,\sigma ^{\delta _{ki}}x_k)&=\sum _{m=1}^r\sum _{i=0}^kg_m(\sigma ^{\delta _{0i}}x_0,\ldots ,\sigma ^{\delta _{ki}}x_k)\\&=\sum _{m=1}^rp_{g_m}(\sigma )D^kg_m(x_0,\ldots ,x_k). \end{aligned} \end{aligned}$$

(6)

Taking the difference of (5) and (6), we obtain:

$$\begin{aligned} \sum _{m=1}^r(p_f-p_{g_m})(\sigma )D^kg_m(x_0,\ldots ,x_k)=0, \end{aligned}$$

(7)

for all \((\sigma ,x_0,\ldots ,x_k)\in \mathbb {K}^{k+2}\). From Lemma 2, we know that each \(D^kg_m\) is a complete symmetric multilinear function, therefore we can rewrite:

$$\begin{aligned} \sum _{m=1}^rc_m(p_f-p_{g_m})(\sigma )\sum _{\alpha }x_0^{q^{\alpha _0}}\cdots x_k^{q^{\alpha _k}}=0. \end{aligned}$$

(8)

Again, since the monomials \(x^\alpha \) are linearly independent in \(\mathbb {K}\left[ x_0,\ldots ,x_k\right] \), for any arbitrary fixed \(\sigma \in \mathbb {K}\), we obtain:

$$\begin{aligned} c_m(p_f-p_{g_m})(\sigma )=0, \end{aligned}$$

(9)

for all \(1\le m\le r\). Since \(c_m\ne 0\) for each m, and \(\sigma \) is arbitrary, we have that \(p_f=p_{g_m}\) for all m. Since the \(g_m\) are distinct, by Lemma 2, r is zero or one. Thus, f has a unique monomial summand of maximum weight.

Again, it seems that the multiplicative symmetry is the differential manifestation of the fact that f, restricted to its highest weight terms is, up to a constant factor, multiplicative.

C The Effect of Projection

Projection proved to be effective, in the quadratic case, in eliminating the symmetry which weakened \(C^{*-}\). We can still prove an analogue of that result in this more general setting.

Theorem 3

Let M be an \(\mathbb {F}_q\)-affine transformation and let \(f:\mathbb {K}\rightarrow \mathbb {K}\) have the multiplicative symmetry. The composition \(f\circ M\) has the multiplicative symmetry if and only if M is a translation of a linear monomial map, i.e. \(M(x)=cx^{q^i}+d\) for some \(i<n\).

Proof

As in [24, Theorem 3], it suffices to consider linear maps. In addition, since all monomials, except that of weight k, disappear in \(D^{k-1}f\) along with the fact that \(D^{k-1}(cf)=cD^{k-1}f\), it suffices to analyze the case when \(f(x)=x^{\sum _{i=0}^{k-1}q^{\alpha _i}}\). In particular, we can even insist that \(\alpha _0=0\), since M composed with the factor \(x^{q^{\alpha _0}}\) remains a monomial function of the same weight.

\((\Leftarrow )\) Suppose M is a linear monomial map, \(M(x)=c_Mx^{q^i}\) for some \(i<n\). Now, \(f\circ M(x)\) is still a monomial of the same weight, since the composition simply changes the exponents of q in the power of x. Thus, as a consequence of Theorem 2, \(f\circ M\) has the multiplicative symmetry.

\((\Rightarrow )\) Let \(\hat{f}=f\circ M\). Since every \(\mathbb {F}_q\)-linear transformation, M, can be written \(M=\sum _{i=0}^{n-1}c_ix^{q^i}\), we have the following:

$$\begin{aligned} \begin{aligned} \hat{f}(x)&=f\circ M(x)\\&=f\circ \sum _{i=0}^{n-1}c_ix^{q^i}\\&=\left( \sum _{i=0}^{n-1}c_ix^{q^i}\right) ^{\sum _{j=0}^{k-1}q^{\alpha _j}}\\&=\sum _{i_0,\ldots ,i_{k-1}<n}c_{i_0}c_{i_1-\alpha _1}^{q^{\alpha _1}}\cdots c_{i_{k-1}-\alpha _{k-1}}^{q^{\alpha _{k-1}}}x^{\sum _{j=0}^{k-1}q^{i_j}}. \end{aligned} \end{aligned}$$

(10)

Assuming that \(\hat{f}\) has the multiplicative symmetry, since all terms have the same weight, only one of the above coefficients is nonzero. Suppose, by way of contradiction, that M has at least two nonzero coefficients, \(c_{k_1}\ne c_{k_2}\).

Setting \(i_0=k_1\), and \(i_j=k_1+\alpha _j\), we can see that the coefficient on the right side of (10) is \(c_{k_1}^{\sum _{i=0}^{k-1}q^{\alpha _i}}\), and therefore this term is nonzero.

On the other hand, we can set \(i_0=k_2\) and \(i_j=k_1+\alpha _j\), and we have another nonzero term. Since, \(\hat{f}\) has only one nonzero term in the expression, these two nonzero terms must have x occurring with the same power, and we therefore have \(k_1+\sum _{j=1}^{k-1}q^{k_1+\alpha _j}=k_2+\sum _{j=1}^{k-1}q^{k_1+\alpha _j}\). Hence, \(k_1=k_2\), a contradiction, and M must be an univariate linear monomial map.

Projection, therefore, removes the multiplicative symmetry from any field map.

D Toy Example

To illustrate the attack, we present a key recovery for a small instance of 4-ary \(C^*\). We simplify the exposition by considering a homogeneous key.

Let \(q=16\) and let a be a generator of \(\mathbb {F}_q^*\). We select the degree \(n=9\) irreducible \(g(x)=x^9+ax^8+a^2x^7+x^6+a^{12}x^5+a^7x^4+a^{10}x^3+a^{14}x^2+a^2x+a^8\) and construct . Let \(b\in \mathbb {K}\) be a fixed root of this irreducible polynomial.

We choose the exponent \(q^3+q^2+q+1\) and compute the multiplicative inverse \(h=18.324.145.204\) modulo \(\vert \mathbb {K}^*\vert \). We then fix the 4-ary \(C^*\) monomial map \(f(x)=x^{q^3+q^2+q+1}\). We further randomly select two invertible \(\mathbb {F}_q\)-linear maps U and T given by the matrices

$$\begin{aligned} \mathbf {U} = \begin{bmatrix} 1 &{} a^{13} &{} a^{5} &{} a^8 &{} a^{10} &{} a^6 &{} 1 &{}a^{13} &{}a^{10}\\ a^5 &{} 1 &{} 1&{} a^5 &{} a^6 &{} 0 &{} a^5 &{}a^{10} &{} 1\\ a^{12} &{} a^8 &{} a^6&{} a^{11} &{} a^7 &{} a &{} a^7 &{} a^8 &{}a^{11}\\ a^{14} &{} a^7 &{} a^2&{} 1 &{} a &{} a^8 &{} 0 &{} a &{} a^5\\ a &{} a^5 &{} a^4&{} a^{10} &{} a^9 &{}a^{13} &{}a^{14} &{}a^{12} &{}a^{12}\\ a^{11} &{} a^3 &{}a^{11}&{} a^4 &{} a^6 &{} a^7 &{} a^7 &{} a^3 &{} a^7\\ a^{11} &{} a^5 &{}a^{11}&{} a^{12} &{}a^{12} &{}a^{11} &{} a^6 &{}a^{11} &{} a^2\\ a &{} a &{} a^7&{} a^{14} &{} a^6 &{} a^3 &{} a^3 &{}a^{13} &{} a^6\\ a^{10} &{} a &{}a^{13}&{} a^9 &{} a^4 &{} a^7 &{}a^{13} &{}a^{14} &{}a^{11}\end{bmatrix} \,\,\mathbf {T} = \begin{bmatrix} a^{12} &{} 1&{}a^{13} &{} a &{}a^8&{} a^{12} &{}a^4&{}a^{10}&{}a^{14}\\ 0 &{} 1 &{}a^8&{}a^{13}&{}a^{12}&{} a^4&{}a^{11}&{} a^7&{} a^6\\ a^{11}&{} a^6&{}a^{13}&{}a^{14}&{} a^6&{} a^5&{} a^4&{}a^{14}&{} a^8\\ a^9&{}a^{13}&{} 0&{} a&{} a^3&{} a^7&{} a^3&{}a^{14}&{} a^5\\ a^{12}&{}a^{12}&{} a^8&{}a^{11}&{} a^3&{} a^6&{} a^3&{}a^{10}&{}a^{11}\\ a^4&{}a^{11}&{} a&{}a^{11}&{}a^{10}&{} a&{}a^{12}&{}a^{13}&{} a^9\\ a^{10}&{}a^{13}&{} a^3&{} a&{} a^4&{}a^{14}&{} 1&{}a^{11}&{} 0\\ a^9&{}a^{11}&{} 1&{} a^3&{}a^{12}&{} a^4&{}a^{14}&{}a^{10}&{} a^8\\ a^9&{} a&{}a^{14}&{} a^3 &{} 0&{}a^{12}&{} a^3&{} a^8&{} a^6\end{bmatrix} \end{aligned}$$

The composition \(T\circ \phi ^{-1}\circ f\circ \phi \circ U\) then produces a quartic public key of 9 equations in 9 variables.

1.1 D.1 Key Recovery

The recovery of an equivalent private key proceeds in three steps. First, we use the differential to recover a linear operator corresponding to a masked multiplication by an extension field element. We then use this map to recover a vector-valued function equivalent to f. Finally, we recover linear input and output transformations such that the composition of all of these maps is equal to the public key.

We construct the polynomial ring \(\mathbb {F}_q[T]\) with \(T=\{t_1,\ldots ,t_{n^2}\}\) and collect the variables into the matrix \(\mathbf {N}_\sigma \). Then we solve the linear system

for \(\mathbf {N}_\sigma \) by imposing the constraints that the first two coordinates of the left hand side are in the span of \(D^3P(\mathbf {x}_1,\ldots ,\mathbf {x}_4)\). There is a two dimensional subspace of solutions from which we choose the random solution

$$ \mathbf {N}_\sigma = \begin{bmatrix}a^{14} &{} a^9 &{}a^{10} &{} a^6 &{} a^7 &{} a^8 &{} a^{13} &{} a^{10} &{} a^{12}\\ a^{10} &{} a &{} a^7 &{} a^3 &{} a^2 &{} a^2 &{} a^{14} &{} a^4 &{} a^{11}\\ a^{14} &{}a^{12} &{}a^{12} &{} a &{} a^{12} &{} a^5 &{} a &{} a^6 &{} 1\\ a^{12} &{} a^3 &{}a^{10} &{} a^4 &{} a^{12} &{} a^6 &{} 0 &{} a^4 &{} a^7\\ a^3 &{}a^{14} &{}a^{10} &{} 0 &{} a &{} a^5 &{} a^{13} &{} 0 &{} a^4\\ a^9 &{} a^8 &{}a^{10} &{}a^{12} &{} a^6 &{} a^2 &{} a^{14} &{} a^{11} &{} a^3\\ a^6 &{}a^{11} &{} a^3 &{} a^7 &{} a^2 &{} a^{14} &{} a^9 &{} 0 &{} a^5\\ a^8 &{} 0 &{} a^6 &{} a^7 &{} a^{13} &{} 0 &{} a^{10} &{} a^{10} &{} a^{11}\\ a^9 &{}a^{10} &{} a^7 &{} 1 &{} a^{14} &{} 1 &{} a^2 &{} 1 &{} 0\end{bmatrix}. $$

From this matrix we solve the equation \(Z_{f(\sigma )}\circ P=P\circ N_\sigma \) linearly for \(Z_{f(\sigma )}\), recovering in matrix form

$$ \mathbf {Z}_{f(\sigma )} = \begin{bmatrix}a^8 &{} a &{} 0 &{} a &{} a^{11} &{} 0 &{} 0 &{} a &{} a^{14}\\ a^4 &{} a^7 &{} a^7 &{} a^{14} &{} a^{13} &{} 0 &{} a^{11} &{} 0 &{} a^{14}\\ a^7 &{} a^{11} &{} a^8 &{} a^{13} &{} a^2 &{} a &{} a^{12} &{} 1 &{} a\\ a &{} a^{12} &{} a^{13} &{} a^8 &{} a^2 &{} a^{10} &{} a &{} 0 &{} a^9\\ a^3 &{} a^4 &{} a^{14} &{} a^6 &{} a^6 &{} a^6 &{} a^{13} &{} a^6 &{} a^5\\ a^3 &{} a^{11} &{} a^{11} &{} a^{14} &{} a^6 &{} a^9 &{} a^2 &{} a^{10} &{} a^{11}\\ a^{13} &{} a^4 &{} a^{13} &{} a^{10} &{} a^7 &{} a^{14} &{} a^{11} &{} 1 &{} 0\\ 0 &{} 0 &{} 1 &{} 0 &{} a^6 &{} a^{13} &{} a^2 &{} a^8 &{} a^{12}\\ a^6 &{} 0 &{} a^3 &{} 1 &{} a^{10} &{} a^{11} &{} a^8 &{} a^6 &{} 0\end{bmatrix}. $$

We next recover a random root of the minimal polynomial of \(\mathbf {N}_\sigma \),

$$ \tau =ab^8 + b^7 + a^{12}b^6 + a^7b^5 + a^3b^4 + a^3b^3 + b^2 + a^2b + a^8, $$

and solve the linear systems

$$\begin{aligned}\begin{gathered} \widehat{\mathbf {U}}\mathbf {N}_\sigma =\mathbf {M}_\tau \widehat{\mathbf {U}} \text{ and } \mathbf {Z}_{f(\sigma )}\widehat{\mathbf {T}}=\widehat{\mathbf {T}}\mathbf {M}_{f(\tau )}, \end{gathered}\end{aligned}$$

where \(\mathbf {M}_\tau \) and \(\mathbf {M}_{f(\tau )}\) are the left multiplication matrices for \(\tau \) and \(f(\tau )\), respectively. We recover the two matrices

$$\begin{aligned} \widehat{\mathbf {U}} = \begin{bmatrix}a^7 &{} 0 &{} a^5 &{} a^3 &{} a^8 &{} a^6 &{} a^{14} &{} a^{12} &{} a^{10}\\ 1 &{} a^{10} &{} a^3 &{} a &{} a^{11} &{} a^3 &{} a^6 &{} a^{12} &{} a^{10}\\ a^{10} &{} a^{11} &{} a^5 &{} a^{11} &{} a^8 &{} a^{13} &{} 1 &{} a^4 &{} a^3\\ a^{12} &{} a^5 &{} a^4 &{} a^7 &{} a^4 &{} a^5 &{} a^6 &{} a &{} a^{11}\\ a^5 &{} a^{11} &{} a^{13} &{} a^5 &{} a^4 &{} a^8 &{} a &{} a^{13} &{} a\\ 0 &{} a^8 &{} a^{12} &{} a^{12} &{} a &{} a^{13} &{} a^6 &{} a^5 &{} 1\\ a^{14} &{} a^9 &{} a^{10} &{} a^7 &{} a^6 &{} a^3 &{} a^7 &{} a^8 &{} a\\ a^3 &{} a^{11} &{} a^{11} &{} a^{13} &{} a^3 &{} a^{10} &{} a^{10} &{} a^{13} &{} a^{11}\\ 1 &{} a^3 &{} a^9 &{} a^{13} &{} a^4 &{} 1 &{} a^3 &{} a^{14} &{} a^9\end{bmatrix}, \widehat{\mathbf {T}}= \begin{bmatrix}a^{12} &{} 0 &{} a^2 &{} a^{10} &{} a^6 &{} a^6 &{} a^{10} &{} 0 &{} a^{14}\\ a^6 &{} a^{12} &{} a^2 &{} a^{14} &{} 1 &{} 0 &{} a^8 &{} a^6 &{} a\\ a^{14} &{} a^8 &{} a^{13} &{} a^4 &{} a^5 &{} a^9 &{} a^{13} &{} a &{} a^7\\ a^3 &{} 0 &{} a^{10} &{} a^{11} &{} 0 &{} a^2 &{} a^{11} &{} a^{14} &{} a^6\\ 1 &{} a &{} a^7 &{} 0 &{} a^5 &{} a^5 &{} a^2 &{} a^3 &{} a^7\\ a &{} a^{14} &{} a^2 &{} a^{11} &{} a^5 &{} a^2 &{} 1 &{} 1 &{} a^{10}\\ a &{} a^{10} &{} a^7 &{} a^{13} &{} a^{14} &{} 0 &{} a^6 &{} a^3 &{} 1\\ a^{13} &{} a^{12} &{} a &{} a^3 &{} a^{11} &{} a^9 &{} a^{12} &{} 0 &{} a^5\\ a^{10} &{} a^4 &{} a^6 &{} a^8 &{} a^{10} &{} a^5 &{} a^{10} &{} a^4 &{} a^{11}\end{bmatrix}. \end{aligned}$$

We construct \(\widehat{F}=\widehat{T}^{-1}\circ P\circ \widehat{U}^{-1}\), which is not only isomorphic to F but also multiplicative. Finally, we randomly select \(\mathbf {x}'=\begin{bmatrix}a^2&a^8&a^2&a^{10}&a^{14}&a^6&a^2&1&a\end{bmatrix}\), set \(\mathbf {y}'=\widehat{F}(\mathbf {x}')\), and compute \(\mathbf {U}'=\mathbf {M_{x'}}^{-1}\widehat{\mathbf {U}}\) and \(\mathbf {T}'=\widehat{\mathbf {T}}\mathbf {M_{y'}}\) recovering

$$\begin{aligned} \mathbf {U}' = \begin{bmatrix}a^{12} &{} a^9 &{} a^3 &{} a^4 &{} a^2 &{} a^{11} &{} a^9 &{} a^{11} &{} a^{11}\\ a &{} a^{12} &{} a^9 &{} a^{11} &{} a^{10} &{} a^5 &{} a^7 &{} a^7 &{} a^2\\ a^7 &{} a^{13} &{} a^{11} &{} a &{} a^4 &{} 1 &{} a^{10} &{} a^{10} &{} a^2\\ a^{10} &{} a^{10} &{} a^3 &{} a^9 &{} a^{10} &{} a^5 &{} a &{} a^3 &{} a^7\\ a^5 &{} a^4 &{} a^3 &{} 0 &{} a^4 &{} a &{} a^{11} &{} a &{} a^{13}\\ a^{13} &{} a^8 &{} a^2 &{} a^5 &{} a^6 &{} 1 &{} a &{} a^{13} &{} a^{10}\\ 1 &{} a^{11} &{} a^7 &{} a^{11} &{} a^{10} &{} a^6 &{} a &{} a^9 &{} a^{11}\\ a^7 &{} a^9 &{} a^9 &{} 1 &{} a^3 &{} a^9 &{} a^2 &{} a^{14} &{} a\\ a^{13} &{} a &{} a^{10} &{} a^7 &{} a^2 &{} a^4 &{} a^5 &{} a^3 &{} a^{12}\end{bmatrix}, \mathbf {T}'= \begin{bmatrix} a^5 &{} a^{14} &{} 0 &{} a^{10} &{} a^{10} &{} a^2 &{} a^9 &{} 0 &{} 0\\ a &{} a^{10} &{} a^{13} &{} a^{10} &{} a^6 &{} a^{11} &{} a^9 &{} a &{} a^{12}\\ a^2 &{} a^3 &{} 1 &{} a^{14} &{} a^{13} &{} a^3 &{} a^4 &{} a^6 &{} a^7\\ a^{14} &{} a^6 &{} a^8 &{} a^{14} &{} a^4 &{} a^8 &{} a^{14} &{} a^4 &{} a^{13}\\ a^{10} &{} 0 &{} a^{12} &{} a^5 &{} 0 &{} a^{13} &{} a^5 &{} a^7 &{} a^2\\ 0 &{} a^{10} &{} a^2 &{} a^9 &{} a^7 &{} a^6 &{} a^{11} &{} 0 &{} a^7\\ a^{11} &{} a^{13} &{} a^{11} &{} a^{10} &{} 0 &{} a^8 &{} a &{} a^4 &{} 1\\ a^{11} &{} 0 &{} a^6 &{} 1 &{} a^9 &{} a^{13} &{} a^6 &{} a^4 &{} a\\ a^{10} &{} a^{14} &{} a^5 &{} a^5 &{} 1 &{} a^6 &{} a^3 &{} a^5 &{} a^{10}\end{bmatrix}. \end{aligned}$$

The public key now satisfies \(P=T'\circ \widehat{F}\circ U'\).