The implementation of cubic public keys based on a new family of algebraic graphs

Families of edge transitive algebraic graphs defined over finite commutative rings were used for the development of stream ciphers, public key cryptosystems and key exchange protocols. We present the results of the first implementation of a public key algorithm based on a family of algebraic graphs which are not edge transitive. The absence of an edge transitive group of symmetries means that the algorithm cannot be described in group theoretical terms. We hope that it complicates cryptanalysis of the algorithm. We discuss the connections between the security of the algorithms and the discrete logarithm problem. The plainspace of the algorithm is K^n, where K is the chosen commutative ring. The graph theoretical encryption corresponds to a walk on the bipartite graph whose partition sets are isomorphic to K^n. We conjugate the chosen graph based encryption map, which is a composition of several elementary cubical polynomial automorphisms of the free module K^n, with a special invertible affine transformation of K^n. Finally we compute symbolically the


Introduction
We implement the algorithm proposed in [1]. It is based on the family of graphs A(n, K) which were introduced in [2]. The paper [1] discusses properties of the family of graphs related to the performance of the algorithm.
In publications [3], [4] some implementations of stream ciphers and public key algorithms based on an explicit construction of families of algebraic graphs D(n, q) of large girth and their analogues D(n, K) over a commutative ring K were discussed. It was shown that for each finite commutative ring K we can create a cubical polynomial map f of K^n onto K^n depending on a string of regular elements (non-zero divisors) (α_1, α_2, ..., α_t) (the password). If t ≤ (n + 5)/2 then different strings produce different ciphertexts. One can use such a map as a stream cipher. It is possible to combine f with two invertible sparse affine transformations τ_1 and τ_2 and use the composition g = τ_1 f τ_2 as a public rule. A public user is not able to decrypt without knowledge of τ_1, τ_2 and the string (α_1, α_2, ..., α_t).
One can set τ_2 as the inverse of τ_1 and use the "symbolic" generator g and the related cyclic group for the Diffie-Hellman key exchange protocol. The girth of the graphs D(n, q) grows with the growth of n. It means that the order of g with τ_2 = τ_1^{-1} grows as a function of n. Evaluation of the girth of D(n, q) allows one to prove that this is a family of graphs of large girth. Different properties of this family are investigated in [5], [6], [7], [8], [9], [10]. Families of graphs of large girth are an important instrument in Extremal Graph Theory, dealing with classical problems of Turán type on the maximal size of simple graphs without prohibited cycles. Such problems are attractive for mathematicians because they are beautiful and difficult (see [11], [12]). Applications of these problems in Networking [13], Coding Theory and Cryptography (see [7] and further references) may attract the attention of Computer Scientists.
In this paper we use in a similar manner another family of graphs, A(n, K), where K is a commutative ring, which is a collection of graphs that are not edge transitive. In the case K = F_q the new family is a family of graphs of increasing girth (see [1]). Computer simulations support the conjecture that the graphs A(n, q) form a family of large girth, but the absence of an edge transitive automorphism group complicates the theoretical evaluation of the growth of the girth with the growth of the parameter n. Computer simulations allow us to conjecture that the graphs A(n, K) have an advantage over D(n, K) [1]. For instance, the graphs A(n, Z_n) and A(n, q) are connected, contrary to D(n, K).
Downloaded from the journal Annales AI-Informatica http://ai.annales.umcs.pl Date: 27/11/2022 19:29:27 UMCS
Section 2 is devoted to the concept of the girth indicator and the family of large girth for digraphs.
In Section 3 we consider the definition of a family of affine algebraic digraphs of increasing girth over commutative rings with special colouring of arrows. Explicit constructions of such families of graphs can be used for the development of public key cryptosystems and key exchange protocols. We discuss the connection of these algorithms with the group theoretical discrete logarithm problem.
In Section 4 we use the graphs A(n, K) for the construction of a family of affine algebraic digraphs with increasing girth indicator, coloured as in Section 3.
Section 5 is devoted to the latest implementation of the public key algorithm based on one of the families described in Section 4.
In Section 6 we discuss the execution of the decryption procedure for the key holder (Alice) and compare the cases of A(n, K) and D(n, K) based algorithms.

The families of directed graphs of large girth
The missing theoretical definitions of directed graphs can be found in [14]. Let ϕ be an irreflexive binary relation over the set V, i.e., ϕ ⊆ V × V and for each v the pair (v, v) is not an element of ϕ.
We say that u is the neighbour of v and write v → u if (v, u) ∈ ϕ. We use the term balanced binary relation graph for the graph Γ of an irreflexive binary relation ϕ over a finite set V such that for each v ∈ V the sets {x|(x, v) ∈ ϕ} and {x|(v, x) ∈ ϕ} have the same cardinality. It is a directed graph without loops and multiple edges. We say that a balanced graph Γ is k-regular if for each vertex v ∈ Γ the cardinality of {x|(v, x) ∈ ϕ} is k.
Let Γ be the graph of binary relation. The path between the vertices a and b is the sequence We say that the pair of paths Without loss of generality we assume that s ≥ t.
We refer to the number max(s, t) as the rank of O_{s,t}. It is ≥ 2, because the graph does not contain multiple edges.
We will count directed cycles as commutative diagrams.
For the investigation of commutative diagrams we introduce the girth indicator gi, which is the minimal value of max(s, t) over the parameters s, t of a commutative diagram O_{s,t}, s + t ≥ 3. The minimum is taken over all pairs of vertices (a, b) in the digraph. Notice that two vertices v and u at distance < gi are connected by a unique path from u to v of length < gi.
We assume that the girth g(Γ) of a directed graph Γ with girth indicator d + 1 is 2d + 1 if it contains a commutative diagram O_{d+1,d}. If there are no such diagrams we assume that g(Γ) is 2d + 2.
In the case of a symmetric binary relation gi = d implies that the girth of the graph is 2d or 2d − 1. It does not contain an even cycle of length 2d − 2. In the general case gi = d implies that g ≥ d + 1. So in the case of a family of graphs with an unbounded girth indicator, the girth is also unbounded. We also have gi ≥ g/2.
In the case of symmetric irreflexive relations the above mentioned general definition of the girth agrees with the standard definition of the girth of simple graph, i.e., the length of its minimal cycle.
We will use the term family of graphs of large girth for a family of balanced directed regular graphs Γ_i of degree k_i and order v_i such that gi
As it follows from the definition, g(Γ_i) ≥ c' log_{k_i}(v_i) for an appropriate constant c'. So it agrees with the well known definition for the case of simple graphs.
The diameter of a strongly connected digraph [14] is the minimal length d of the shortest directed path a = x_0 → x_1 → x_2 → ··· → x_d between two vertices a and b. Recall that a graph is k-regular if each vertex of G has exactly k outputs. Let F be an infinite family of k_i-regular graphs G_i of order v_i and diameter d_i. We say that F is a family of small world graphs
The definition of small world simple graphs and the related explicit constructions can be found in [15]. For studies of small world simple graphs without small cycles see [12], [8].

The K-theory of affine graphs with the increasing girth indicator and its cryptographical motivations
We use here the concepts of [16], where reader can find additional examples of affine graphs over rings or fields.
Let K be a commutative ring. A directed algebraic graph ϕ over K consists of two things: the vertex set Q, a quasiprojective variety over K of nonzero dimension, and the edge set, a quasiprojective variety ϕ in Q × Q (xϕy means (x, y) ∈ ϕ).
The graph ϕ is balanced if for each vertex v ∈ Q the sets Im(v) = {x | vϕx} and Out(v) = {x | xϕv} are quasiprojective varieties over K of the same dimension.
The graph ϕ is homogeneous (or (r, s)-homogeneous) if for each vertex v ∈ Q the sets Im(v) = {x | vϕx} and Out(v) = {x | xϕv} are quasiprojective varieties over K of fixed nonzero dimensions r and s, respectively.
In the case of balanced homogeneous algebraic graphs for which r = s we will use the term r-homogeneous graph. Finally, a regular algebraic graph is a balanced homogeneous algebraic graph over the ring K such that each pair of vertices v_1 and v_2 is a pair of isomorphic algebraic varieties.
Let Reg(K) be the totality of regular elements (or non-zero divisors) of K, i.e., nonzero elements x ∈ K such that for each nonzero y ∈ K the product xy is different from 0. We assume that Reg(K) contains at least 3 elements. We assume here that K is finite, thus the vertex set and the edge set are finite and we get a usual finite directed graph.
We apply the term affine graph for the regular algebraic graph such that its vertex set is an affine variety in the Zariski topology.
Let G be an r-regular affine graph with the vertex set V(G) such that Out(v), v ∈ V(G), is isomorphic to the variety R(K). Let the variety E(G) be its arrow set (a binary relation in V(G) × V(G)). We use the standard term perfect algebraic colouring of edges for a polynomial map ρ from E(G) onto the set R(K) (the set of colours) if for each vertex v different output arrows e_1 ∈ Out(v) and e_2 ∈ Out(v) have distinct colours ρ(e_1) and ρ(e_2), and the operator N_α(v) of taking the neighbour u of the vertex v (v → u) along the arrow of colour α is a polynomial map of the variety V(G) into itself.
We will use the term rainbow-like colouring in the case when the perfect algebraic colouring is a bijection. Let dirg(G) be the directed girth of the graph G, i.e., the minimal length of a directed cycle in the graph. Obviously gi(G) ≤ dirg(G).
Studies of infinite families of directed affine algebraic digraphs over commutative rings K of large girth with a rainbow-like colouring are a nice and difficult mathematical problem. The good news is that such families do exist. In the next section we consider an example of such a family for each commutative ring with more than 2 regular elements.
Here, at the end of the section, we consider cryptographic motivations for the study of such families.
1) Let G be a finite group and g ∈ G. The discrete logarithm problem for the group G is finding a solution of the equation g^x = b, where x is an unknown positive integer. If the order |g| = n is known, we can replace G by the cyclic group C_n. So we may assume that the order of g is sufficiently large to make the computation of n unfeasible. For many finite groups the discrete logarithm problem is NP-complete (see [17], [18]).
Let K be a finite commutative ring and M be an affine variety over K. Then the Cremona group C(M) of all polynomial automorphisms of the variety M can be large. For example, if K is a finite prime field F_p and M = F_p^n then
Let us consider the family of affine graphs G_i(K), i = 1, 2, ..., with a rainbow-like algebraic colouring of edges such that V(G_i(K)) = V_i(K), where K is a commutative ring, and the colour sets are algebraic varieties R_i(K). Let us choose a constant k. The operators N_α(v) of taking the neighbour of a vertex v along the output arrow of colour α are elements of C_i = C(V_i(K)). We can choose a relatively small number k to generate
Let us assume that the family of graphs G_i(K) is a family of graphs of increasing girth. It means that the girth indicator gi_i = gi(G_i(K)) and the parameter dirg_i = dirg(G_i(K)) grow with the growth of i. Notice that |h_i| is bounded below by dirg_i/k. So there is j such that for i ≥ j the computation of |h_i| is impossible. In fact, the fastest growth of the girth indicator will be in the case of a family of large girth. Finally, we can take the base g = u^{-1} h_j u, where u is a chosen element of C_j, to hide the graph up to conjugation. We may use a package for symbolic computations to express the polynomial map g as a list of polynomials in many unknowns. For example, if V_j(K) is the free module K^n then we can write g in a public mode fashion
The symbolic map g can be used for the Diffie-Hellman key exchange protocol (see [15] for the details). Let Alice and Bob be correspondents. Alice computes the symbolic map g and sends it to Bob via an open channel. So the variety and the map are known to the adversary (Cezar).
Let Alice and Bob choose the natural numbers n_A and n_B, respectively. Bob computes g^{n_B} and sends it to Alice, who computes (g^{n_B})^{n_A}, while Alice computes g^{n_A} and sends it to Bob, who is getting (g^{n_A})^{n_B}. The common secret information is g^{n_A n_B} given in a "public mode fashion".
Bob can be just a public user (with no information about the way in which the map g was constructed), so he and Cezar compute much more slowly than Alice, who has the decomposition of g
We may modify slightly the Diffie-Hellman protocol using the action of the group on the variety. Alice chooses a rather short password α_1, α_2, ..., α_k, computes the public rules for the encryption map g and sends them to Bob via an open channel together with some vertex v ∈ V_j(K).
Then Alice and Bob choose the natural numbers n_A and n_B, respectively. Bob computes v_B = g^{n_B}(v) and sends it openly to Alice, who computes (g^{n_A})(v_B), while Alice computes v_A = g^{n_A}(v) and sends it to Bob, who is
The common information is the vertex g^{n_A n_B}(v).
In both cases Cezar has to solve one of the equations E^{n_B}(u_A) = z or E^{n_A}(u_B) = w for the unknowns n_B or n_A, where z and w are known points of the variety.
2) We can construct the public key map in the following manner. The key holder (Alice) chooses the variety V_j(K) and the sequence α_1, α_2, ..., α_t of length t = t(j) to determine the encryption map g as above. Let dim(V_j(K)) = n = n(j) and let each element of the variety be determined by independent parameters x_1, x_2, ..., x_n. Alice presents the map in the form of public rules, such as
We can assume (at least theoretically) that the public rule depending on the parameter j is applicable to the encryption of a potentially infinite text (the parameter t is now a linear function of j).
For the computation she may use the Gröbner basis technique or alternative methods and special packages for symbolic computation (the popular "Mathematica", "Maple" or special fast symbolic software). So Alice can use the decomposition of the encryption map into u^{-1}, maps of the kind N_α, and u to encrypt fast. For the decryption she can use the inverse graph G_j(K)^{-1}, for which V(G_j(K)^{-1}) = V(G_j(K)) and the vertices w_1 and w_2 are connected by an arrow if and only if w_2 and w_1 are connected by an arrow in G_j(K). Let us assume that the arrows w_1 → w_2 in G_j(K)^{-1} and w_2 → w_1 in G_j(K) have the same colour. Let N'_α(x) be the operator of taking the neighbour of vertex x in G_j(K)^{-1} of colour α. Then Alice can decrypt by applying consecutively u^{-1}, N'_{α_t}, N'_{α_{t−1}}, ..., N'_{α_1} and u to the ciphertext. So the decryption and the encryption for Alice take the same time. She can use a numerical program to implement her symmetric algorithm.
Bob can encrypt with the public rule, but for decryption he needs to invert the map. Let us consider the case t_j = kl, where k is a small number, the sequence α_1, α_2, ..., α_{t_j} has period k, and the transformation h = u^{-1} N_{α_1} N_{α_2} ... N_{α_k} u is known to Bob in the form of a public key. In such a case the problem of finding the inverse of g is equivalent to the discrete logarithm problem with base h in the related Cremona group of all polynomial bijective transformations.
Of course, for further cryptanalysis we need to study the information about possible divisors of the order of the base of the related discrete logarithm problem and alternative methods to break the encryption. In the next section the family of digraphs RE_n(K) will be described.
3) We may study the security of the private key algorithm used by Alice in the algorithm of the previous paragraph but with a parameter t bounded by the girth indicator of the graph G_j(K). In that case different keys produce distinct ciphertexts from the chosen plaintext. In that case we prove that if the adversary has no access to plaintexts then he can break the encryption via a brute-force search through all keys from the key space. The encryption map has no fixed points.

The family of affine digraphs of increasing girth over commutative rings
E. Moore used the term tactical configuration of order (s, t) for biregular bipartite simple graphs with bidegrees s + 1 and t + 1. It corresponds to an incidence structure with point set P, line set L and a symmetric incidence relation I. Its size can be computed as |P|(s + 1) or |L|(t + 1).
Let F = {(p, l) | p ∈ P, l ∈ L, pIl} be the totality of flags for the tactical configuration with the partition sets P (point set) and L (line set) and an incidence relation I. We define the following irreflexive binary relation ϕ on the set F:
Let (P, L, I) be the incidence structure corresponding to the regular tactical configuration of order t. Let

Below we consider the family of graphs D(k, K), where k > 5 is a positive integer and K is a commutative ring. Such graphs are disconnected and their connected components were investigated in [9] (for the case when K is a finite field F_q see [19]).
Let P and L be two copies of the Cartesian power K^N, where K is the commutative ring and N is the set of positive integers. Elements of P will be called points and those of L lines.
To distinguish points from lines we use parentheses and brackets. If x ∈ V, then (x) ∈ P and [x] ∈ L. It will also be advantageous to adopt the notation for co-ordinates of points and lines introduced in [20] for the case of a general commutative ring K:
The elements of P and L can be thought of as infinite ordered tuples of elements from K, such that only a finite number of components are different from zero.
We now define an incidence structure (P, L, I) as follows. We say that the point (p) is incident with the line [l], and we write (p)I[l], if the following relations between their co-ordinates hold:
We denote this incidence structure (P, L, I) as A(K). We identify it with the bipartite incidence graph of (P, L, I), which has the vertex set P ∪ L and the edge set consisting of all pairs {(p), [l]} for which (p)I[l].
For each positive integer k ≥ 2 we obtain an incidence structure (P k , L k , I k ) as follows. First, P k and L k are obtained from P and L, respectively, by simply projecting each vector onto its k initial coordinates with respect to the above order. The incidence I k is then defined by imposing the first k − 1 incidence equations and ignoring all others. The incidence graph corresponding to the structure (P k , L k , I k ) is denoted by A(k, K).
For each positive integer k ≥ 2 we consider the standard graph homomorphism ϕ_k of (P_k, L_k, I_k) onto (P_{k−1}, L_{k−1}, I_{k−1}) defined by simply projecting each vector from P_k and L_k onto its k − 1 initial coordinates with respect to the above order.
Let DA_n(K) (DA(K)) be the double directed graph of the bipartite graph A(n, K) (A(K), respectively). Remember that we have the arc e of the kind (l_1, p_1) → [l_2, p_2] if and only if p_1 = p_2 and l_1 ≠ l_2. Let us assume that the colour ρ(e) of the arc e is l^1_{1,0} − l^2_{1,0}, the difference of the first coordinates of the lines l_1 and l_2.
Recall that we have the arc e' of the kind [l_2, p_2] → (l_1, p_1) if and only if l_1 = l_2 and p_1 ≠ p_2. Let us assume that the colour ρ(e') of the arc e' is p^1_{1,0} − p^2_{1,0}. It is easy to see that ρ is a perfect algebraic colouring.
If K is finite, then the cardinality of the colour set is |K| − 1. Let Reg(K) be the totality of regular elements, i.e., non-zero divisors. Let us delete all arrows whose colour is a zero divisor. We obtain a new graph RA_n(K) (RA(K)) with the induced colouring into colours from the alphabet Reg(K). The vertex set of the graph DA_n(K) consists of two copies F_1 and F_2 of the edge set of A(n, K). It means that the group U(n, K) acts regularly on each set
We can show that the new infinite affine graph A(K) does not contain cycles (see [1]). It means that the directed graph RA(K) does not contain commutative diagrams and the digraphs RA_n(K) form a family of digraphs with increasing girth indicator. In fact, computer simulations support the following assumption.
CONJECTURE: The graphs RA n (K) form a family of digraphs of large girth.

The implementation of the public key algorithm based on RA_t(K)
The set of vertices of the graph RA_n(K) is a union of two copies of the free module K^{n+1}. So the Cremona group of the variety is the direct product of C(K^{n+1}) with itself, extended by the polarity π. In the simplest case of a finite field F_p, where p is a prime number, C(F_p^{n+1}) is the symmetric group S_{p^{n+1}}. The Cremona group C(K^{n+1}) contains the group of all invertible affine transformations, i.e., transformations of the kind x → xA + b, where x = (x_1, x_2, ..., x_{n+1}) ∈ K^{n+1}, b = (b_1, b_2, ..., b_{n+1}) is a chosen vector from K^{n+1} and A is the matrix of an invertible linear transformation of K^{n+1}.
The graph RA_n(K) is a bipartite directed one. We assume that the plaintext from K^{n+1} is a point (p_1, p_2, ..., p_{n+1}). We choose two affine transformations T_1 and T_2, and a linear transformation u will be of the kind p_1 → p_1 + a_2 p_2 + a_3 p_3 + ··· + a_{n+1} p_{n+1}. We follow the general scheme: Alice computes symbolically the chosen T_1 and T_2, chooses a string (β_1, β_2, ..., β_l) of colours for RE_n(K) such that β_i ≠ −β_{i+1} for i = 1, 2, ..., l − 1, and computes N_l = N_{β_1} × N_{β_2} × ··· × N_{β_l}. Recall that N_α, α ∈ Reg(K), is the operator of taking the neighbour of the vertex v along the arrow with colour α in the graph RA_n(K).
Alice keeps the chosen parameters secret and computes the public rule g as the symbolic composition of T_1, N_l and T_2.
In the case K = F_q, q = 2^n, this public key rule has a certain similarity to the Imai-Matsumoto public rule, which is computed as a composition T_1 E T_2 of two linear transformations T_1 and T_2 of the vector space F_{2^n} over F_{2^s}, where F_{2^s} is a special subfield, and E is a special Frobenius automorphism of F_{2^n}. The public rule corresponding to T_1 E T_2 is a quadratic polynomial map (see [15] and [21] for the detailed description of the algorithm, its cryptanalysis and generalizations by J. Patarin). In the case of RA_n(K) the degree of the transformation N_l is 3, independently of the choice of the length l [16]. So the public rule is a cubical polynomial map of the free module K^{n+1} onto itself.
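A numeric model of the key holder's side of the scheme, written here as an added example (it is not the paper's C++ program): the walk on A(n, K) driven by the colour string, the two affine maps of Section 5, the reverse walk of Section 3 that gives Alice decryption at the cost of encryption, and the iteration g^n(v) used by the group-action Diffie-Hellman variant. The incidence equations of A(n, K) did not survive extraction of this page, so the triangular form in the code is an assumption, as are K = Z_256, the dimension, the sample key and the plaintexts.

```python
# Added example (not the paper's C++ program): a numeric model of the private side
# of the scheme over K = Z_256, the Z_{2^8} ring mentioned in section 6.
# ASSUMPTION: the incidence equations of A(n, K) did not survive extraction of the
# page; the triangular form used here, l_i - p_i = l_1 p_{i-1} for even i and
# l_i - p_i = p_1 l_{i-1} for odd i (i = 2..n), is assumed, not quoted from it.
M = 256                      # the ring K = Z_256
N = 6                        # coordinates of a point or line (the paper's n+1)

def neighbour(v, first, to_line):
    """Unique line through point v (to_line=True) or unique point on line v
    (to_line=False) whose first coordinate is `first`.  Each further coordinate
    is a polynomial in already known ones, which makes N_alpha a polynomial map."""
    w = [first % M]
    line, point = (w, v) if to_line else (v, w)
    for i in range(1, N):                            # index i is coordinate i+1
        prod = line[0] * point[i - 1] if (i + 1) % 2 == 0 else point[0] * line[i - 1]
        w.append((v[i] + prod) % M if to_line else (v[i] - prod) % M)
    return w

def walk(p, colours):
    """N_l = N_{beta_1} ... N_{beta_l}: starting at a point, alternately move to the
    line and then to the point whose first coordinate differs by the arc's colour."""
    v, at_point = list(p), True
    for a in colours:
        v = neighbour(v, v[0] + a, at_point)
        at_point = not at_point
    return v

def walk_back(p, colours):
    """The key holder's decryption walk on the inverse graph: the same colours in
    reverse order, each arc traversed backwards (colour negated)."""
    return walk(p, [-a for a in reversed(colours)])

def valid_colours(beta):
    """Even length (the walk must end on a point), regular colours (odd residues),
    and beta_i != -beta_{i+1}: a colour followed by its negative steps straight back."""
    return (len(beta) % 2 == 0 and all(b % 2 == 1 for b in beta)
            and all((beta[i] + beta[i + 1]) % M != 0 for i in range(len(beta) - 1)))

def affine(x, a, b, inverse=False):
    """x -> xA + b with A the sparse invertible map x_1 -> x_1 + sum_{i>=2} a_i x_i of
    section 5 (a[0] is unused); inverse=True applies the inverse transformation."""
    y = list(x)
    if inverse:
        y = [(y[i] - b[i]) % M for i in range(N)]
        y[0] = (y[0] - sum(a[i] * y[i] for i in range(1, N))) % M
        return y
    y[0] = (y[0] + sum(a[i] * y[i] for i in range(1, N))) % M
    return [(y[i] + b[i]) % M for i in range(N)]

def encrypt(x, key):
    """Alice's fast private form of the public rule g: T_1, the walk N_l, then T_2."""
    a1, b1, beta, a2, b2 = key
    return affine(walk(affine(x, a1, b1), beta), a2, b2)

def decrypt(y, key):
    """T_2^{-1}, the reverse walk, T_1^{-1}: the same work as encryption."""
    a1, b1, beta, a2, b2 = key
    return affine(walk_back(affine(y, a2, b2, inverse=True), beta), a1, b1, inverse=True)

def iterate(f, n, v):
    """f^n(v); the group-action Diffie-Hellman variant of section 3 exchanges
    g^{n_A}(v) and g^{n_B}(v) and shares g^{n_A n_B}(v)."""
    for _ in range(n):
        v = f(v)
    return v

# Constructed sample key (affine map 1, colour string, affine map 2) for the tests.
KEY = ([0, 3, 5, 7, 2, 9], [1, 2, 3, 4, 5, 6],
       [3, 5, 7, 9, 11, 13],
       [0, 4, 6, 1, 8, 2], [9, 8, 7, 6, 5, 4])
```

A public user who holds only the cubic polynomials of g has none of this structure and must invert the map directly, which is the asymmetry the scheme relies on.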

The time evaluation for the public rule.
Recall that we combine the graph transformation N_l with two affine transformations T_1 and T_2. Alice can use T_1 N_l T_2 for the construction of the following public map y = (F_1(x_1, ..., x_n), ..., F_n(x_1, ..., x_n))
We have written a program for generating a public key and for encrypting a text using the generated public key. The program is written in C++ and compiled with the gcc compiler.

Private keys based on A(n, K) and D(n, K)
We can see that the graphs A(n, K) and D(n, K) are given by equations which use n − 1 additions (or subtractions) and multiplications. So the algorithms based on these graphs or the corresponding digraphs have the same speed evaluations. In fact, for the decryption we can use numerical implementations. Readers can find speed evaluations for the cases of the rings Z_{2^8}, Z_{2^16} and Z_{2^32} in [16]. Recently, private keys based on D(n, F_q), q = 2^8, q = 2^16 and q = 2^32, have been implemented (see [22]). The mixing properties of D(n, Z_{2^m}), m = 8, 16, 32, based encryption in combination with special affine transformations were investigated in [20]. At the conference similar studies of the mixing properties of the A(m, Z_q) based stream cipher (see [23], [24], [1], [25]) are presented.