On the key expansion of D ( n; K ) -based cryptographical algorithm

The family of algebraic graphs D(n, K) defined over a finite commutative ring K has been used in different cryptographical algorithms (private and public keys, key exchange protocols). The encryption maps correspond to special walks on this graph. We expand the class of encryption maps via the use of the edge transitive automorphism group G(n, K) of D(n, K). The graph D(n, K) and the related directed graphs are disconnected, so private keys corresponding to walks preserve each connected component. The group G(n, K) of transformations generated by the expanded set of encryption maps acts transitively on the plainspace. This is a great difference from block ciphers: any plaintext can be transformed into an arbitrarily chosen ciphertext by an encryption map. The plainspace for the D(n, K) graph based encryption is a free module P over the ring K. The group G(n, K) is a subgroup of the Cremona group of all polynomial automorphisms. The maximal degree of a polynomial from G(n, K) is 3. We discuss the Diffie-Hellman algorithm based on the discrete logarithm problem for the


Introduction
The graph D(n, K), where K is a commutative ring, was used for the development of cryptographical algorithms: (1) Symmetric numerical algorithms: Alice and Bob have the same key, corresponding to a path in the graph D(n, K) (in the case where K is not a field, the directed graph DD(n, K) defined in terms of D(n, K) was used).
(2) Diffie-Hellman key exchange algorithm, given in the form of a public rule: where τ is an affine transformation and N_{α_1} N_{α_2} ... N_{α_k} is the graphical transformation. (3) Public key encryption scheme: This means that the string (t_1 t_2 ... t_l) is repeated periodically s times. Such encryption is protected by the discrete logarithm problem. Of course, there may be ways of breaking it that do not require a solution of the discrete logarithm problem.
In this paper we propose an extension of the key space for the symmetric algorithm and an expansion of the cubical stable group used for the key exchange problem.
The graph D(n, K) is not connected, so we are able to find vertices c and c′ such that in the old algorithm given in [1] there is no encryption map moving c to c′. In the new extended algorithm the problem is solved by using automorphisms, which make it possible to move between different connected components of the graph D(n, K) (or of the related DD(n, K)).
The discrete logarithm problem is a central problem in number theory, and is similar in many ways to the integer factorization problem. Like the factoring problem, the discrete logarithm problem is believed to be difficult, i.e. to be the hard direction of a one-way function. For this reason it has been the basis of several public-key cryptosystems, including the ElGamal system and DSS.
Although the discrete logarithm problem exists in any group, when used for cryptographic purposes the group is usually Z_n^*. The discrete logarithm problem is the following: given an element g in a finite group G and another element h ∈ G, find a positive integer x such that g^x = h. The problem can also be posed in elliptic curve groups.
If C = Z_p^* or C = Z_{pq}^*, where p and q are sufficiently large primes, then the complexity of the discrete logarithm problem justifies the classical Diffie-Hellman key exchange algorithm and RSA public key encryption. In the majority of other cases the complexity of the discrete logarithm problem has not been investigated properly. The problem depends on the choice of the base g and on the way the data of the group are presented. The group can be defined via generators and relations, as the automorphism group of an algebraic variety, as a matrix group, as a permutation group, etc. In this paper we assume that G is a subgroup of S_{q^n}, the group of all polynomial bijective transformations of the vector space F_q^n into itself.
Obviously |S_{q^n}| = (q^n)!. Let g be a pseudorandomly chosen element of S_{q^n}. Then the order of the cyclic group G generated by g is unknown if g is sufficiently large. It is known that the complexity of finding g^{−1} is d^{O(n^2)}, where d is the degree of g. So if t is the order of g, then g^{t−1} is the inverse. Hence finding t also takes time d^{O(n^2)}, and we have the discrete logarithm problem for a cyclic group of unknown order. We call it a hidden symbolic discrete logarithm problem because t is unknown (hidden) and g is a polynomial map (symbolic).
It is known that each permutation π can be written in the form of The presentation of G as a subgroup of S_{q^n} is chosen because the Diffie-Hellman algorithm here will be implemented with the tools of symbolic computations. Another reason is universality: as follows from Cayley's classical theorem, each finite group G can be embedded in S_{q^n} for appropriate q and n in various ways.
Let F_q, where q is prime, be a finite field. The affine group AGL_n(F_q) acting on F_q^n is formed by the affine transformations The order of the affine group AGL_n(F_q) is q^n (q^n − 1)(q^n − q) ... (q^n − q^{n−1}). Each permutation π can be presented as a composition of several maps of the kind τ_1 g τ_2, where τ_1, τ_2 ∈ AGL_n(F_q) and g is a fixed map of degree ≥ 2, because the group AGL_n(F_q) is maximal in S_{q^n} [2].
After choosing a basis of F_q^n we write each permutation π ∈ S_{q^n} as a "public rule": The degree of a permutation π written in polynomial form is hard to control; it can be very high, and there is no good upper bound on it.

Families of groups of stable degree
A family of subgroups G = G_n, G_n < S_{q^n}, is a family of subgroups of stable degree if for all h ∈ G − {e} we have deg h ≤ c, where c is a constant independent of n. Of course, cyclic groups are important for Diffie-Hellman type protocols.
An example of a family of subgroups of stable degree is the affine group AGL_n(F_q), n → ∞, where c = 1. If g is a linear diagonalisable element of AGL_n(F_q), then the discrete logarithm problem for the base g is equivalent to the classical number theoretical problem. Obviously, in this case we lose the flavour of symbolic computations. One can take a subgroup H of AGL_n(F_q) and consider its conjugate by a nonlinear bijective polynomial map f. The group H′ = f^{−1} H f will also be a stable group, but for "most pairs" f and H the group H′ will be of degree deg f × deg f^{−1} ≥ 4 because of the nonlinearity of f and f^{−1}. Even if we conjugate a nonlinear C by an invertible linear transformation τ ∈ AGL_n(F_q), some important cryptographical parameters of C and C′ = τ^{−1} C τ can be different. Conjugate generators g and g′ have the same number of fixed points and the same cyclic structure as permutations, but the number of equal coordinates in the pairs (x, g(x)) and (x, g′(x)) may be different. So two conjugate families of stable degree are not quite equivalent, because the corresponding cryptanalytic problems may have different complexity.
In [3] we generalized the above mentioned problem to the case of the Cremona group of the free module K^n, where K is an arbitrary commutative ring. For cryptography, the case of finite rings is the most important one. The finite fields F_{q^n}, n ≥ 1, and the cyclic rings Z_m (especially m = 2^7 (ASCII codes), m = 2^8 (binary codes), m = 2^16 (arithmetic), m = 2^32 (double precision arithmetic)) are especially popular. The case of infinite rings K of characteristic zero (especially Z or C) is an interesting one, because Matijasevich multivariable prime approximation polynomials can be defined there (see, for instance, [4] and further references). So it is natural to replace the vector space F_q^n by the free module K^n (the Cartesian power of K) and the symmetric group S_{q^n} by the Cremona group C_n(K) of all polynomial bijections of K^n. We repeat our definition of a stable group for the more general situation of a commutative ring.
Let G_n, n ≥ 3, n → ∞, be a sequence of subgroups of C_n(K). We say that G_n is a family of groups of stable degree (or subgroups of degree c) if the maximal degree of a representative g ∈ G_n is a constant c independent of n.
Downloaded from the journal Annales AI-Informatica http://ai.annales.umcs.pl Date: 09/07/2023 12:15:43
Recall that the cases of degrees 2 and 3 are especially important. The first family of stable subgroups of C_n(F_q), K = F_q, with degree 3 was practically established in [5], where the degrees of polynomial graph based public key maps were evaluated.
Those results are based on the construction of the family D(n, q) of graphs with large girth and the description of their connected components CD(n, q). The existence of infinite families of graphs of large girth was proved by Paul Erdős (see [6]). Together with the known Ramanujan graphs introduced by G. Margulis [7] and investigated in [8], the graphs CD(n, q) are one of the first explicit constructions of such families with unbounded degree. The graphs D(n, q) were used for the construction of LDPC codes and turbo codes which were used in real satellite communications (see [9], [10], [11]), and for the development of private key encryption algorithms [12], [1], [13], [14]; the option to use them for public key cryptography was considered in [15], [2] and in [16], where the related dynamical system was introduced (see also the surveys [17], [4]).
The computer simulation ([18]) shows that stable subgroups related to D(n, q) contain elements of very large order, but our theoretical linear bounds on the order are relatively weak. We hope to close this gap in the future and justify the use of D(n, q) for the key exchange.
In [3] we used graphs and related finite automata for the construction of families of stable subgroups of degree 3 of the Cremona group C_n(K) over a general ring K containing elements of large order (the order grows with n). The first family of stable groups was obtained in [19] via the study of simple algebraic graphs defined over F_q. For the general constructions of stable groups over a commutative ring K we used directed graphs with a special colouring.
The following statement together with construction was proved in [3].
Theorem 1. For each commutative ring K with at least 3 regular elements there is a family Q_n of subgroups of the Cremona group C(K^n) of degree 3 such that the projective limit Q of Q_n, n → ∞, is well defined, the group Q is of infinite order, and it contains elements g of infinite order such that there exists a sequence g_n ∈ Q_n, n → ∞, of stable elements with lim g_n = g.
The family Q_n was obtained via explicit constructions. So we may use a finite ring K with at least 3 regular elements and the sequence equivalent to g_n for the key exchange. We showed that the growth of the order of g_n as n grows can be bounded from below by a linear function α × n + β. In the case of such a sequence of groups G_n = Q_n, a sequence g_i of elements of stable degree also a sequence of elements of stable degree.

Graphs and incidence system
The missing definitions of graph-theoretical concepts which appear in this paper can be found in [6].
Let G be a simple graph, i.e. a graph without loops and multiple edges. Let V(G) and E(G) denote the set of vertices and the set of edges of G, respectively. Then |V(G)| is called the order of G, and |E(G)| is called the size of G. A path in G is called simple if all its vertices are distinct. When it is convenient, we will identify G with the corresponding anti-reflexive binary relation on V(G), i.e. E(G) is a subset of V(G) × V(G), and write vGu for adjacent vertices u and v (neighbours). A sequence of distinct vertices v_1, ..., v_t such that v_i G v_{i+1} for i = 1, ..., t − 1 is a path in the graph. The length of a path is the number of its edges. The distance dist(u, v) between two vertices is the length of the shortest path between them. The diameter of the graph is the maximal distance between two vertices u and v of the graph. Let C_m denote the cycle of length m, i.e. the sequence of distinct vertices v_1, ..., v_m such that v_i G v_{i+1}, i = 1, ..., m − 1, and v_m G v_1. The girth of a graph G, denoted by g = g(G), is the length of the shortest cycle in G. The degree of a vertex v is the number of its neighbours (see [20] or [6]).
An incidence structure is a set V with partition sets P (points) and L (lines) (|P| = |L|) and a symmetric binary relation I such that the incidence of two elements implies that one of them is a point and the other is a line. We shall identify I with the simple graph of this incidence relation (a bipartite graph). If the number of neighbours of each element is finite and depends only on its type (point or line), then the incidence structure is a tactical configuration in the sense of Moore (see [21]). A graph is q-regular if each of its vertices has degree q, where q is a constant. In this section we reformulate the results of [22], [23], where the q-regular tree was described in terms of equations over the finite field F_q.
Let q be a prime power, and let P and L be two countably infinite dimensional vector spaces over F_q. Elements of P will be called points and those of L lines. To distinguish points from lines we use parentheses and brackets: if x ∈ V = P ∪ L, then (x) ∈ P and [x] ∈ L. It will also be advantageous to adopt the notation for the coordinates of points and lines introduced in We now define an incidence structure (P, L, I) in the following way. We say that the point (p) is incident with the line [l], and we write (p)I[l], if the following relations between their coordinates hold: (The last four relations are defined for i ≥ 2.) This incidence structure (P, L, I) we denote by D(q).
For each positive integer n ≥ 2 we obtain an incidence structure (P_n, L_n, I_n) in the following way. First, P_n and L_n are obtained from P and L, respectively, by simply projecting each vector onto its n initial coordinates. The incidence I_n is then defined by imposing the first n − 1 incidence relations and ignoring all others. For fixed q, the incidence graph corresponding to the structure (P_n, L_n, I_n) is denoted by D(n, q). It is convenient to define D(1, q) to be equal to D(2, q). The properties of the graphs D(n, q) that we are concerned with are described in the following theorem: (i) D(n, q) is a q-regular edge-transitive bipartite graph of order 2q^n; (ii) for odd n, g(D(n, q)) ≥ n + 5, and for even n, g(D(n, q)) ≥ n + 4. We have a natural one-to-one correspondence between the coordinates 2, 3, ... Let η_i be the map "deleting all coordinates with numbers > i" from D(q) to D(i, q), and let η_{i,j} be the map "deleting all coordinates with numbers > i" from D(j, q), j > i, into D(i, q).
The following statement follows directly from the above given definitions:
In [22] the following statement was proved.

Proposition 2. Let u and v be vertices from the same component of D(n, q). Then a(u) = a(v). Moreover, for any
Let us consider the following equivalence relation τ: uτv iff a(u) = a(v), on the set P ∪ L of vertices of D(n, q) (D(q)). The equivalence class of τ containing the vertex v satisfying a(v) = (x) can be considered as the set of vertices of the induced subgraph EQ_{(x)}(n, q) (EQ_{(x)}(q)) of the graph D(n, q) (respectively, D(q)). When (x) = (0, ..., 0), we will omit the index and write simply EQ(n, q).
Let CD(q) be the connected component of D(q) which contains (0, 0, ...). Let τ′ be the equivalence relation on V(D(n, K)) (D(q)) whose equivalence classes are the connected components of this graph. Obviously uτv implies uτ′v. If char F_q is odd, the converse of the last proposition is true (see [17] and further references).

Proposition 3. Let q be an odd number. Vertices u and v of D(q) (D(n, q)) belong to the same connected component if and only if a(u) = a(v), i.e., τ = τ′ and EQ(q) = CD(q) (EQ(n, q) = CD(n, q)).
The condition char F_q ≠ 2 in the last proposition is essential. For instance, the graph EQ(n, 4), n > 3, contains 2 isomorphic connected components. Clearly EQ(n, 2) is a union of cycles CD(n, 2). Thus neither EQ(n, 2) nor CD(n, 2) is an interesting family of graphs of high girth. But the case of the graphs EQ(n, q), q a power of 2, q > 2, is very important for coding theory.

Corollary 1. (Description of elements of CD(n, F_q))
Let us consider a general vertex

Regular directed graph with special colouring
A directed graph is an irreflexive binary relation ϕ ⊂ V × V, where V is the set of vertices.
Let us introduce two sets as the sets of inputs and outputs of a vertex v. Regularity means that the cardinalities of these two sets (the input and output degrees) are the same for each vertex. Let Γ be a regular directed graph and E(Γ) the set of arrows of the graph Γ. Let us assume that additionally we have a colouring function, i.e. a map ρ : E → M onto the set of colours M such that for each vertex v ∈ V and α ∈ M there exists a unique neighbour u ∈ V with the property ρ((v, u)) = α. Such a colouring need not exist for every regular graph, hence we need the operator N_α(v) := N(α, v) of taking the neighbour u of a vertex v along the arrow v → u of colour α, which is a bijection. In this case we refer to Γ as a rainbow-like graph. For a sequence (α_1, α_2, ..., α_m), α_i ∈ M, we can generate a permutation π which is the composition N_{α_m} N_{α_{m−1}} ... N_{α_1} of the bijective maps N_{α_i} : V(Γ) → V(Γ), i = 1, 2, ..., m. Let us assume that the map u → N_α(u) is a bijection. For a given vertex v ∈ V(Γ) the computation of π corresponds to the chain in the graph: Let G_Γ be the group generated by the permutations π as above. Let

Construction of new stable groups corresponding to rainbow like graphs
Let us consider the double directed graph DD(n, K) for the bipartite graph D(n, K) and the infinite double directed flag graph DD(K) for D(K) defined over the commutative ring K. Let N = N_{α,β}(v) be the operator of taking the neighbour along the output arrows of colours α, β ∈ Reg(K) of a vertex v ∈ F_1 ∪ F_2 by the following rule.
We consider the group GF_{n+1}(K) (GF(K), respectively) generated by all transformations Z(α, β) for nonzero α, β ∈ K acting on the variety K^{n+1} (K^∞). The canonical graph homomorphisms ω_n : DD(n, K) → DD(n − 1, K) can be naturally expanded to group homomorphisms of GF_{n+1}(K) onto GF_n(K). This means that the group GF(K) is the projective limit of the GF_n(K). Let δ_n be the canonical homomorphism of GF(K) onto GF_n(K).
Let Reg(K) be the totality of regular elements of K, i.e. non-zero-divisors.
We may consider the restriction DD(n, K) of the graph DD(n, K) via the following additional condition: h : J′ → K Now we can combine it with the transformation given by a chain in the graph of length k, where k is an even positive integer:

Proposition 6. For the infinite graph D(K), the order of N_k = N_{α_1} N_{α_2} ... N_{α_k}, where k is even and α_i + α_{i+1} ∈ Reg(K), α_1 + α_2 ∈ Reg(K), is infinite.

Proposition 7. If K has at least 3 regular elements (non-zero-divisors), then the order of T_s, acting on the vertices of the infinite graph, is infinite.
For implementation reasons we project N_k, T_s and T_{f,h} onto the n initial coordinates to finally obtain the transformations N^n_k, T^n_s and T^n_{f,h}, respectively. From Propositions 6 and 7 it follows that the orders of N^n_k and T^n_s grow with the growth of n.

Proposition 8. The order of g = T^n_s T^n_{f,h} N^n_k is the least common multiple of the orders of T_s T^n_{f,h} and N_k.

Symbolic Diffie-Hellman algorithm
We consider the Diffie-Hellman algorithm for S_{q^n} for the key exchange in the case of a group. Let g^k ∈ S_{q^n} be the new public rule obtained via k iterations of g. In general, the algorithm is the following. The correspondents Alice and Bob establish g ∈ S_{q^n} via an open communication channel, choose positive integers n_A and n_B, respectively, and exchange the public rules h_A = g^{n_A} and h_B = g^{n_B} via the open channel. Finally, they compute the common transformation T as h_B^{n_A} and h_A^{n_B}, respectively.
The order of g in the symbolic Diffie-Hellman algorithm must be "sufficiently large", and the number n_A (or n_B) cannot be easily computable as a function of the degrees of g and h_A. The map g which sends x_i to x_i^t for each i is obviously a bad choice of base for the discrete logarithm problem: in this case n_A is just a ratio of deg h_A and deg g.
To avoid such trouble we can look at a family of subgroups G_n of S_{q^n}, n → ∞, such that the maximal degree of its elements equals c, where c is a small constant independent of n (groups of degree c, or groups of stable degree).
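The exchange described above, and the contrast between a base whose degree grows under iteration and a base of stable degree, as an added toy example in Python that is not the paper's construction: it uses a constructed triangular cubic map over F_7^3 in place of the D(n, K)-based groups, treats degrees formally (no reduction modulo x^p − x), and the prime, dimension and secret exponents are constructed values.

```python
# Toy symbolic Diffie-Hellman over polynomial bijections of F_p^n (added example,
# not the paper's construction).  A polynomial is a dict {exponent tuple: coeff mod p};
# a map F_p^n -> F_p^n is a tuple of n polynomials.  P, N, the bases and the
# secret exponents are constructed toy values.
P, N = 7, 3

def p_add(a, b):
    r = dict(a)
    for m, c in b.items():
        r[m] = (r.get(m, 0) + c) % P
    return {m: c for m, c in r.items() if c}

def p_mul(a, b):
    r = {}
    for ma, ca in a.items():
        for mb, cb in b.items():
            m = tuple(x + y for x, y in zip(ma, mb))
            r[m] = (r.get(m, 0) + ca * cb) % P
    return {m: c for m, c in r.items() if c}

def p_pow(a, e):                      # square-and-multiply on polynomials
    r = {(0,) * N: 1}
    while e:
        if e & 1:
            r = p_mul(r, a)
        a, e = p_mul(a, a), e >> 1
    return r

def compose(g, f):
    """Return the map x -> g(f(x)) by substituting f_i for x_i in each component of g."""
    out = []
    for poly in g:
        acc = {}
        for mono, coeff in poly.items():
            term = {(0,) * N: coeff}
            for i, e in enumerate(mono):
                if e:
                    term = p_mul(term, p_pow(f[i], e))
            acc = p_add(acc, term)
        out.append(acc)
    return tuple(out)

X = tuple({tuple(int(j == i) for j in range(N)): 1} for i in range(N))  # x_1..x_n

def iterate(g, k):
    """The public rule g^k = g o ... o g (k times), by square-and-multiply on composition."""
    r = X                             # X is the identity map
    while k:
        if k & 1:
            r = compose(r, g)
        g, k = compose(g, g), k >> 1
    return r

def degree(g):
    return max(sum(m) for poly in g for m in poly)

def dh_exchange(g, n_a, n_b):
    """Alice sends h_A = g^n_A, Bob sends h_B = g^n_B; both derive g^(n_A * n_B)."""
    h_a, h_b = iterate(g, n_a), iterate(g, n_b)
    key_a, key_b = iterate(h_b, n_a), iterate(h_a, n_b)
    assert key_a == key_b             # powers of the same g commute
    return h_a, h_b, key_a

# Stable-degree base: a triangular map all of whose iterates have degree <= 3.
G_STABLE = (p_add(X[0], {(0,) * N: 1}),        # x1 + 1
            p_add(X[1], p_mul(X[0], X[0])),     # x2 + x1^2
            p_add(X[2], p_mul(X[0], X[1])))     # x3 + x1*x2
# The bad base from the text, x_i -> x_i^t (t coprime to p-1 keeps it bijective):
# deg g^k = t^k, so the degree of the public rule alone gives away the secret k.
T = 5
G_LEAKY = tuple(p_pow(x, T) for x in X)

def exponent_from_degree(g, h):
    """Recover k from deg h = (deg g)^k; None when the degrees do not fit that pattern."""
    d, k = 1, 0
    while d < degree(h):
        d, k = d * degree(g), k + 1
    return k if d == degree(h) else None
```

With the stable base the public rules h_A, h_B and the shared key all have degree 3, so exponent_from_degree returns None; with the leaky base the degrees 25 and 125 hand back the exponents 2 and 3 directly.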
Let us discuss the asymmetry of our modified Diffie-Hellman key exchange algorithms in detail. The correspondents Alice and Bob have different information for making the computation. Alice chooses the dimension n, the element g_n

We may identify all vertices from P = K^∞ with the union of the point-sets of all trees of D(K). Another copy L of K^∞ we will treat as the totality of all lines in our forest.
For our Diffie-Hellman key exchange protocol Alice has to go to the infinite magic forest D(K) and do the following lumberjack's business: truncate all trees there by deleting all components with number ≥ n + 1 to get a finite-dimensional graph D(n, K), which is a union of isomorphic connected components CD(n, K), the truncated trees. Notice that if you plant a truncated tree CD(n, K) and let n → ∞, then it will grow into an infinite regular tree.