On the key exchange with new cubical maps based on graphs

Families of edge transitive algebraic graphs $F_n(K)$ over the commutative ring K were used for the graph based cryptographic algorithms. We introduce a key exchange protocol defined in terms of the bipartite graph $A_n(K)$, n ≥ 2, with point set $P_n$ and line set $L_n$ isomorphic to the n-dimensional free module $K^n$. Graphs A(n, K) are not vertex and edge transitive. There is a well defined projective limit lim A(n, K) = A(K), n → ∞, which is an infinite bipartite graph with point set $P = \lim P_n$ and line set $L = \lim L_n$. Let K be a commutative ring containing at least 3 regular elements (not zero divisors). For each pair (n, d), n ≥ 2, n ≥ 1 and sequence of elements $\alpha_1, \alpha_2, \dots, \alpha_{2d}$ such that $\alpha_1$, $\alpha_i + \alpha_{i+1}$, $i = 1, 2, \dots, 2d$, $i = 1, 2, \dots, 2d - 1$ and $\alpha_{2d} + \alpha_1$ are regular elements of the ring K, we define the polynomial automorphism $h_n = h_n(d, \alpha_1, \alpha_2, \dots, \alpha_{2d})$ of the variety $L_n$ (or $P_n$). The existence of the projective limit $\lim A_n(K)$ guarantees the existence of the projective limit $h = h(d, \alpha_1, \alpha_2, \dots, \alpha_{2d}) = \lim h_n$, n → ∞, which is a cubical automorphism of the infinite dimensional varieties L (or P). We state that the order of h is infinite. There is a constant $n_0$ such that $h_n$, $n \ge n_0$ is a cubical


Introduction
The Diffie-Hellman key exchange is an important breakthrough in public-key cryptography of the 1970s, invented by Whitfield Diffie and Martin Hellman in their groundbreaking 1976 paper "New Directions in Cryptography". The Diffie-Hellman algorithm allows two users (Alice and Bob) to establish a shared secret key used by encryption algorithms, such as DES or MD5, over an insecure communication channel.
The Diffie-Hellman key exchange uses the discrete logarithm problem for a general finite group G. The difficulty of this problem depends on the form in which the group is presented. A known example is the fact that the discrete logarithm problem for the group $G = Z_p^*$, p prime, is difficult and comes down to finding a positive integer x such that the condition $g^x = b$ is satisfied, where g, b ∈ G are known. But $Z_p^*$ is isomorphic to the abstract linear group $Z_{p-1}$, where the problem comes down to finding a solution to the linear equation gx = b, which is easy to solve.
We assume that G is a subgroup of $S_{p^n}$, which is a group of polynomial bijective transformations of the vector space $F_p^n$ into itself. Obviously $|S_{p^n}| = (p^n)!$, and each permutation π can be written in the form $x_1 \to f_1(x_1, x_2, \dots, x_n)$, $x_2 \to f_2(x_1, x_2, \dots, x_n)$, ..., $x_n \to f_n(x_1, x_2, \dots, x_n)$, where the $f_i$ are multivariable polynomials from $F_p[x_1, x_2, \dots, x_n]$. The presentation of G as a subgroup of $S_{p^n}$ is chosen because the Diffie-Hellman algorithm here will be implemented by the tools of symbolic computations. Another reason is its universality: as follows from the classical Cayley results, each finite group G can be embedded in $S_{p^n}$ for appropriate p and n in various ways. However, there is a problem if $g \in S_{p^n}$ and the degree of $g^k$ is a linear function of k. In this case, the discrete logarithm is easy to solve. To avoid such trouble one can look for an element (base) g of $S_{p^n}$ such that all its nonidentical powers $g^k$ are of small degree f(n), which is independent of the parameter k. We refer to such g as a stable element. In the simplest case of the prime field $F_p$ the source of stable elements is the group $AGL_n(F_p)$ of affine transformations. Of course, the degree of each representative of $AGL_n(F_p)$ is 1. Affine transformations form an affine group $AGL_n(F_p)$ of the order $(p^n - 1)(p^n - p) \dots (p^n - p^{n-1})$, which is a subgroup of the symmetric group $S_{p^n}$ of the order $(p^n)!$. In [1] the maximality of $AGL_n(F_p)$ in $S_{p^n}$ was proven. So we can present each permutation π as a composition of several "seed" maps of the kind $\tau_1 g \tau_2$, where $\tau_1, \tau_2 \in AGL_n(F_p)$ and g is a fixed map of degree ≥ 2. One may choose graph based cubical maps for general prime p ([2,3,4]).
The method of construction of sequences of stable elements in $S_{p^n}$ of nonpseudolinear nature with a large degree and order is considered in paper [4].
Algorithm 1. Symbolic Diffie-Hellman algorithm
Suppose Alice and Bob want to agree about a key $K_{AB}$.
1. The first step is for Alice and Bob to agree about a finite group G, $G < S_{p^n}$, and a polynomial map g in G of large order in the group G. The next step is for Alice to pick a secret integer $n_A$ that she does not reveal to anyone, while at the same time Bob picks an integer $n_B$ that he keeps secret.
2. Bob and Alice use their secret integers to compute $A = g^{n_A}$ and $B = g^{n_B}$ in $S_{p^n}$, respectively. They use composition of the multivariable map g with itself.
3. They next exchange these computed values: Alice sends A to Bob and Bob sends B to Alice.
4. Finally, Bob and Alice again use their secret integers to compute respectively.
An eavesdropper learns only p, g, $g^{n_A}$ and $g^{n_B}$, but cannot calculate $g^{n_A n_B}$ without solving the computationally difficult discrete logarithm problem for A or B in the group G.
The security of the protocol depends heavily on the choice of the base g. It has to be an element of large order |g|; the prime decomposition of |g| is very important.
This scheme of "symbolic Diffie-Hellman algorithm" can be secure if the adversary is not able to compute the number $n_A$ (or $n_B$) as a function of the degrees of g and $h_A$. An obvious bad example is the following: g sends $x_i$ into $x_i^t$ for each i. In this case $n_A$ is simply a ratio of deg A and deg g.
We generalize the above mentioned problem for the case of the Cremona group of the free module $K^n$, where K is an arbitrary commutative ring. So we need to change $F_p^n$ for a free module $K^n$ (Cartesian power of K) and the family and symmetric group $S_{p^n}$ for the Cremona group $C_n(K)$ of all polynomial automorphisms of $K^n$. The elements of
We define new families of cubical polynomial maps $h_n$ from $C_n(K)$ such that $h = \lim_{n \to \infty} h_n$ is a well defined projective limit, the order of h acting on $K^\infty$ is infinity and the degree of h is 3. This means that the order of $T_n$ grows with n. Hence the polynomial map of the kind $g = \tau^{-1} T_n \tau$, where τ is the affine transformation, can be used as a base for the Diffie-Hellman key exchange.

Graph theoretical preliminaries
A graph G = (V, ϕ) of a binary relation ϕ ∈ V × V is the set of all points (x, y) (called edges) in a coordinate plane such that x is related to y through the binary relation ϕ. Let V(G) and E(G) denote the set of vertices and the set of edges of G, respectively. Then |V(G)| is called the order of G, and |E(G)| is called the size of G. A path in G is called simple if all its vertices are distinct. The sequence of distinct vertices $v_0, v_1, \dots, v_t$ such that $v_i \phi v_{i+1}$ for $i = 1, \dots, t - 1$ is a path in the graph. The length of a path is the number of its edges. The distance dist(u, v) between two vertices is the length of the shortest path between them. The diameter of the graph is the maximal distance between two vertices u and v of the graph. Let $C_m$ denote the
Downloaded from the journal Annales AI-Informatica, http://ai.annales.umcs.pl. Date: 27/08/2022 21:16:06
If x is related to y through the binary relation ϕ, then we will say that y is the neighbour of the vertex x. The degree of a vertex x of a graph G is the number of vertices which are in the relationship with the vertex x.
A simple graph G = (V, ϕ) is the graph G of the binary relation ϕ, where ϕ is symmetric and irreflexive. That means a simple graph is an undirected graph containing no graph loops or multiple edges.
The missing definitions of graph-theoretical concepts for simple graphs that appear in this paper can be found in [5].
A regular graph G is a simple graph where each vertex has the same number of neighbours, i.e. every vertex has the same degree, and we say that G is biregular if all the vertices of G have only two distinct values of degree. A graph G is bipartite if its vertices can be partitioned into two separable sets in such a way that any two vertices belonging to the same partition set are not in a relationship. The length of the shortest cycle in a graph is called the girth g(G) of the graph G. The edge transitive graphs of large girth and their directed analogue have been used for different cryptographical algorithms [1,2,3,4,6,7,8,9,10,11,12,13]. The paper [14] uses linear maps of large order conjugated by the nonlinear map of small degree for the key exchange. In this paper we use a family of algebraic graphs A(n, K) for the key exchange protocol. The graphs from this family are neither edge transitive nor vertex transitive. Recall that the algebraic graph over the commutative ring K is the graph with a vertex set and an edge set which are algebraic varieties over K in the sense of the Zariski topology (see [5] or [6]).

Maps based on incidence structure
The incidence structure is the set V with the partition sets P (points) and L (lines) and the symmetric binary relation I such that the incidence of two elements implies that one of them is a point and the other is a line. We shall identify I with the simple graph of this incidence relation (bipartite graph). If the number of neighbours of each element is finite and depends only on its type (point or line), then the incidence structure is a tactical configuration in the sense of Moore (see [15]).
We will often omit the term "bipartite", because all our simple graphs are bipartite. Let P and L be two copies of the infinite dimensional free module $K^\infty$ over the finite commutative ring K. The elements of P will be called points and elements of L will be called lines. To distinguish points from lines we use parentheses and brackets. It will also be advantageous to choose two fixed bases and write in the following way
where $f_i$, $i = 2, 3, \dots$, can be any polynomial expressions in variables $p_2, p_2, \dots, p_{i-1}, l_1, l_2, \dots, l_{i-1}$ over K, $a_i$, $b_i$ can be any nonzero elements from K and π((p)), π([l]) are the colours of point (p) and line [l], respectively. We will say that it defines an infinite triangular algebraic graph G(K) = (P, L, I) over the commutative ring K, which has the set of vertices P ∪ L and the set of edges containing all pairs {(p), [l]} for which (p)I[l].
For each positive integer n ≥ 2 we obtain a triangular algebraic graph $G(n, K) = (P_n, L_n, I_n)$ over the commutative ring K in the following way. First, $P_n$ and $L_n$ are obtained from P and L, respectively, by a simple projection of all vectors on the initial n coordinates. Secondly, the relation of incidence $I_n$ is defined by the initial n − 1 equations of the relation of incidence I, ignoring all the others.
There is a homomorphism $\Delta_n$ of the graph G(n, K) into G(n − 1, K) mapping point $(p_1, p_2, \dots, p_n)$ (line $[l_1, l_2, \dots, l_n]$) into $(p_1, p_2, \dots, p_{n-1})$ (line $[l_1, l_2, \dots, l_{n-1}]$), respectively. It means that the projective limit $\lim_{n \to \infty} G(n, K)$ is well defined. It is clear that
We define the colour function π for the graph just as a projection of tuples (p) ∈ P and [l] ∈ L onto the first coordinate of (p) or [l], respectively. We assume that $N_c(v)$ is the operator of taking the neighbour of v of colour π(v) + c in our graph.
We can generate the mapping g over $C_n(K)$ using the following algorithms.
Algorithm 2. Let $G(n, K) = (P_n, L_n, I_n)$ be the finite triangular algebraic graph over the commutative ring K. Let $c_1, c_2, \dots, c_r$, where r is even, be a sequence of colours of vertices in our graph. Let us assume that τ is an invertible affine map over K.
We take a general point $x = (x_1, x_2, \dots, x_n)$ from P and compute the bijective composition $h_n = \tau^{-1} N_{c_1} N_{c_2} \dots N_{c_r} \tau$.
The inverse of our map $h_n$ has the form $h_n^{-1} = \tau^{-1} N_{-c_r} N_{-c_{r-1}} \dots N_{-c_1} \tau$. The vertex $h_n(x)$ will be a point if r is even. If r is odd then $h_n(x)$ is a line.
So we can consider $x \to h_n(x)$ as an element of the Cremona group $C_n(K)$. It is useful to consider a similar map $h = \tau^{-1} N_{c_1} N_{c_2} \dots N_{c_r} \tau$ in the infinite graph G(K) = (P, L, I).

Families of maps of cubical degree based on alternating graph
Let K be the commutative ring with at least 3 regular elements. Let us consider the following bipartite finite triangular algebraic graph A(n, K) (alternating graph) defined over the commutative ring K. The partition sets $P_n$ and $L_n$ are two copies of the free module $K^n$. Brackets and parentheses allow us to distinguish point $p = (p_1, p_2, \dots, p_n)$ and line $l = [l_1, l_2, \dots, l_n]$. In the case of even n = 2t point p is incident to line l if and only if the following equations hold:
1. $l_{2s} - p_{2s} = l_1 p_{2s-1}$ for $s = 1, 2, \dots, t$, $t = [n/2]$
2. $l_{2s-1} - p_{2s-1} = p_1 l_{2s-2}$ for $s = 2, 3, \dots, r$, where r = t for even n and r = t + 1 if n is odd.
The graph A(n, K) is the triangular algebraic graph over the commutative ring K. This family was defined in [2,16,17].
There is a well defined projective limit lim A(n, K) = A(K), n → ∞, which is an infinite bipartite graph with the point set $P = \lim P_n$ and the line set $L = \lim L_n$. The family A(n, K) was defined in [2] as a sequence of homomorphic images for the graphs from the family D(m, K), m ≥ 2. We can prove that the graphs A(n, K), n ≥ 4 are neither vertex-transitive nor edge-transitive. Let K be a commutative ring containing at least 3 regular elements (not zero divisors).
The existence of the projective limit lim A(n, K) guarantees the existence of the projective limit $h = h(d, \alpha_1, \alpha_2, \dots, \alpha_{2d}) = \lim h_n$, n → ∞, which is a cubical automorphism of the infinite dimensional variety P (or L).
We introduce here the following statement.
Proposition 1. If we take Algorithm 2 for the alternating graph A(n, K) (A(K)) we get the polynomial automorphism of $K^n$ onto itself of degree ≤ 3.
The following statement was proven in [2]. The following proposition follows instantly from Lemma 1. Indeed, the assumption that $|h_n|$ is bounded leads to a contradiction with Proposition 2.

Corollary 2. There is a constant $n_0$ such that for $n \ge n_0$ the map $h_n$ is a cubical one.
Corollary 3. The degree of the polynomial map $(h_n)^k$ (composition of $h_n$ with itself) from the Cremona group $C(K^n)$ of all polynomial automorphisms of the free module $K^n$ is bounded by 3.
Indeed, the concatenation of a regular cyclic sequence $\alpha_1, \alpha_2, \dots, \alpha_{2d}$ with itself is also a regular cyclic sequence.
Remark 1. If $K = F_q$, $q = p^n$ then the order of $h_n$ is the power of p. So the order of $h_n$ is growing with the growth of p.

On the choice of the base for key exchange protocol
Let τ be an affine automorphism of $K^n$, i.e. an element of the Cremona group of degree 1. We suggest a "symbolic" Diffie-Hellman key exchange with the use of a cyclic subgroup of the Cremona group generated by $\tau^{-1} h_n \tau$. We can choose parameters n and ring K to make the order of the cubic map h as large as we want. After that we can use the cubic h as a base for the symbolic Diffie-Hellman key exchange.
OPEN PROBLEM: Let the order $\mathrm{ord}(H_n(K))$ of $H_n(K)$ be the maximal order of its representative $h_n \in H_n(K)$. Compute $\mathrm{ord}(H_n(K))$.
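Algorithm 1, Algorithm 2 and Corollary 3 can be checked together on a toy instance. The following is an added example, not code from the paper: it builds the map N_{c_1} N_{c_2} on A(4, F_5) symbolically from the two incidence equations, composes polynomial maps, and runs the exchange. The parameters, the colour sequence passed to walk, τ = identity, the left-to-right order of the operators and all function names are assumptions made here.

```python
from functools import reduce
from itertools import product

P, N = 5, 4  # constructed toy parameters: K = F_5, n = 4 (far too small for real use)
X = [{tuple(int(j == i) for j in range(N)): 1} for i in range(N)]  # general point (x_1..x_n)

def p_add(f, g, s=1):
    """f + s*g; a polynomial is a dict {exponent tuple: coefficient mod P}."""
    out = dict(f)
    for e, c in g.items():
        out[e] = (out.get(e, 0) + s * c) % P
    return {e: c for e, c in out.items() if c}

def p_mul(f, g):
    out = {}
    for (e1, c1), (e2, c2) in product(f.items(), g.items()):
        e = tuple(a + b for a, b in zip(e1, e2))
        out[e] = (out.get(e, 0) + c1 * c2) % P
    return {e: c for e, c in out.items() if c}

def neighbour(v, c, v_is_point):
    """N_c in A(n, K): the neighbour of v whose colour (first coordinate) is v[0] + c."""
    w = [p_add(v[0], {(0,) * N: c})]
    pt, ln = (v, w) if v_is_point else (w, v)
    for i in range(2, N + 1):  # i is the paper's 1-based coordinate index
        cross = p_mul(ln[0], pt[i - 2]) if i % 2 == 0 else p_mul(pt[0], ln[i - 2])
        w.append(p_add(v[i - 1], cross, 1 if v_is_point else -1))
    return w

def walk(colours):
    """Algorithm 2 with tau = identity: N_c1, ..., N_cr applied in order to X."""
    v, is_point = X, True
    for c in colours:
        v, is_point = neighbour(v, c, is_point), not is_point
    return v

def compose(f, g):
    """The polynomial map x -> f(g(x)): substitute g's coordinates into each monomial of f."""
    def monomial(e, c):
        return reduce(p_mul, [g[i] for i, k in enumerate(e) for _ in range(k)], {(0,) * N: c})
    return [reduce(p_add, (monomial(e, c) for e, c in poly.items()), {}) for poly in f]

def power(g, k):
    return reduce(compose, [g] * k, X)
def degree(g):
    return max(sum(e) for poly in g for e in poly)

def exchange(g, n_a, n_b):  # Algorithm 1: the key as Alice and as Bob compute it
    return power(power(g, n_b), n_a), power(power(g, n_a), n_b)
```

With g = walk((1, 2)), degree(power(g, k)) stays at 3 as k grows and both results of exchange(g, 3, 4) coincide, while for the base that sends x_i to x_i^2 the degree doubles with every power.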