Dynamical systems as the main instrument for the constructions of new quadratic families and their usage in cryptography

Let $K$ be a finite commutative ring and let $f = f(n)$ be a bijective polynomial map of the Cartesian power $K^n$ onto itself of small degree $c$ and large order. Let $f^y$ denote the $y$-fold composition of $f$ with itself in the group of all polynomial automorphisms of the free module $K^n$. The discrete logarithm problem with the "pseudorandom" base $f(n)$ (solve $f^y = b$ for $y$) is a hard task if $n$ is sufficiently large. We use families of algebraic graphs defined over $K$ and the corresponding dynamical systems for the explicit construction of such maps $f(n)$ of large order with $c = 2$, such that all non-identity powers $f^y$ are quadratic polynomial maps. This result is used in cryptographic algorithms based on the maps $f(n)$: in symbolic key exchange protocols and in public key algorithms.


Introduction
The sequence of subgroups $G_l$ of the Cremona group $C(K^l)$, $l \to \infty$, is a family of stable groups if the degree of each $g \in G_l$ is bounded by a constant $c$ independent of $l$. The construction of large stable subgroups $G_l$ of the Cremona group with $c \ge 2$ is an interesting mathematical task. Obviously the subgroup $AGL_n(F_p)$ of all affine bijective maps $x \mapsto xA + b$, where $x$ and $b$ are row vectors from $V = F_p^n$ and $A$ is a nonsingular square matrix, has order $p^n (p^n - 1)(p^n - p) \cdots (p^n - p^{n-1})$. The affine transformations form a family of subgroups of stable degree with $c = 1$. There is an easy way to construct stable subgroups via conjugation of $AGL_l(K)$ by nonlinear polynomial maps $f_l \in C(K^l)$; let us refer to such families as pseudolinear groups. The degrees of $f_l$ and $f_l^{-1}$ are at least two, and the degree of a composition is bounded by the product of the degrees of its factors. So, for "pseudorandom" polynomials $f_l$ such that $\max(\deg f_l, \deg f_l^{-1})$ is bounded by a constant, we obtain a stable family, but in general only with $c \ge 4$.
An algorithm for the fast generation of nonlinear pairs $(f_l, f_l^{-1})$ is introduced in [1] and [2].
Let $\tau$ be a Singer cycle from $AGL_l(F_p)$ of order $p^l - 1$, and let $f_l$ and $f_l^{-1}$ be nonlinear maps. Then $g = f_l^{-1} \tau f_l$ looks like an appropriate base for the hidden symbolic discrete logarithm problem. Notice that the degree of $f_l^{-1} \tau f_l$, where $\deg \tau = 1$ and $f_l$ is a pseudorandom polynomial map of degree $\ge 2$, will in general be $\ge 4$. So the case of families of stable degree with $c \in \{2, 3\}$ is the most interesting. A family of large stable subgroups of $C(K^l)$ over a general commutative ring $K$ containing at least 3 regular elements (non-zero divisors), with $c = 3$, is constructed in [3] via the study of the encryption maps from [4] and the evaluation of their degrees [5]. In this paper we propose a similar result for the case $c = 2$.
These results are based on the construction of the family $D(n, q)$ of graphs of large girth and the description of their connected components $CD(n, q)$. The existence of infinite families of graphs of large girth was proven by Paul Erdős (see [6]). Together with the Ramanujan graphs introduced by G. Margulis ([7], [8]), the graphs $CD(n, q)$ form one of the first explicit constructions of such families with unbounded degree. The graphs $D(n, q)$ were used for the construction of LDPC codes and turbo codes applied in real satellite communications (see [9], [10], [11]) and for the development of private key encryption algorithms [12], [4], [13], [2]; the option to use them for public key cryptography was considered in [14], [15] and in [16], where the related dynamical system was introduced (see also the surveys [17], [18]).
Computer simulation ([1]) shows that the stable subgroups related to $D(n, q)$ contain elements of very large order, but our theoretical linear bounds on the order are relatively weak. We hope to close this gap in the future and thereby justify the use of $D(n, q)$ for key exchange.
In Section 2 we discuss the discrete logarithm problem for the symmetric group $S_{p^n}$, considered as the totality of all bijective polynomial maps of the $n$-dimensional vector space over $F_p$. We also consider the more general case of the Cremona group of all polynomial automorphisms of the free module $K^n$ over a general commutative ring $K$.
Section 3 is devoted to the explicit construction of quadratic polynomial maps with the properties stated above.
In Section 4 we present the cryptographic application of the quadratic polynomial maps in a public key algorithm and in a key exchange protocol.

The discrete logarithm problem is a central problem of number theory. Like the factorization problem, the discrete logarithm problem is believed to be difficult and to be the hard direction of a one-way function. For this reason it has been the basis of several public key cryptosystems, including the ElGamal system and DSS. Although the discrete logarithm problem exists in any group, when used for cryptographic purposes the group is usually the multiplicative group $Z_p^*$ of a prime field (or a subgroup of it). The group-theoretic discrete logarithm problem is the following: given an element $g$ of a finite group $G$ and another element $h \in G$, find a positive integer $x$ such that $g^x = h$.
If $G = Z_p^*$ or $G = Z_{pq}^*$, where $p$ and $q$ are sufficiently large primes, then the presumed hardness of the discrete logarithm problem (and, in the case of $Z_{pq}^*$, of the closely related factorization problem) justifies the classical Diffie-Hellman key exchange and the RSA public key encryption. In the majority of other cases the complexity of the discrete logarithm problem has not been investigated properly. The problem consists in the choice of the base $g$ and of the way the elements of the group are represented. A group can be defined via generators and relations, as an automorphism group of an algebraic variety, as a matrix group, as a permutation group, etc. The following example demonstrates the importance of the way an abstract group $G$ is represented.
The multiplicative group $Z_p^*$ is isomorphic to the additive group of the ring $Z_{p-1}$. If $p$ is sufficiently large then the discrete logarithm problem in $Z_p^*$ is believed to be hard, but in $Z_{p-1}$ the same problem (find $x$ with $x \cdot a = b$) is equivalent to solving a linear congruence, which is easy via the extended Euclidean algorithm. The hardness lies in the representation, not in the abstract group.
Let us discuss the case of the symmetric group $S_{p^n}$ of order $(p^n)!$, presented as the Cremona group of all bijective polynomial maps of the $n$-dimensional vector space $V = F_p^n$ over the finite prime field $F_p$.
Let us choose the standard basis of $V$. It is well known that each permutation $\pi$ from the symmetric group $S_{p^n}$ can be written in the form of a "public rule" $g$: $x_1 \to g_1(x_1, x_2, \dots, x_n)$, $x_2 \to g_2(x_1, x_2, \dots, x_n)$, $\dots$, $x_n \to g_n(x_1, x_2, \dots, x_n)$, where the $g_i$ are multivariate polynomials from $F_p[x_1, x_2, \dots, x_n]$ (every function from $F_p^n$ to $F_p$ is a polynomial function, so the coordinate functions of $\pi$ can always be written this way).
Notice that there is no good bound on the order of $g$. Usually the degree of the nonlinear polynomial map $g^k$ (the $k$-fold composition of $g$ with itself, corresponding to the permutation $\pi^k$) increases with $k$. The computation of the order $t$ of a "pseudorandom" $g$ is a difficult task. Indeed, if $t$ is known then the inverse map of $g$ is $g^{t-1}$, but the best known algorithm for finding $g^{-1}$ has complexity $d^{O(n)}$, where $d$ is the degree of $g$ (see [?]). An efficient general algorithm for finding $g^{-1}$ is known only when the degree of $g$ is one, i.e. $g$ is an affine map $x \mapsto xA + b$, where $x$ and $b$ are row vectors from $V$ and $A$ is a nonsingular square matrix. So there is a serious complexity gap between linearity and nonlinearity.
The discrete logarithm problem for the cyclic group generated by a "pseudorandom" polynomial map $g \in S_{p^n}$, i.e. the problem of finding a solution of the equation $g^x = b$, seems to be very hard. If $x$ were known then $g^{t-x} = b^{-1}$, but the computation of $b^{-1}$ takes $d^{O(n)}$. So, in the case of a "pseudorandom" polynomial base $g$ we use the term hidden symbolic discrete logarithm problem: hidden because the order $t$ of the cyclic group is unknown, symbolic because the generation of the polynomial maps $g$ and $b$ can be done with tools of symbolic computation (popular systems such as Maple or Mathematica operating on polynomial maps, or special fast computer algebra programs).

Downloaded from the journal Annales AI-Informatica http://ai.annales.umcs.pl Date: 06/11/2022 20:41:27 UMCS
The above arguments on the complexity of the discrete logarithm problem remain valid for the Cremona group $C(K^n)$ of all polynomial automorphisms of the free module $K^n$ over a general commutative ring $K$. Recall that an automorphism of $K^n$ is a bijective polynomial map $f: K^n \to K^n$ such that $f^{-1}$ is also a polynomial map.
Even in the case of fields the requirement that $f^{-1}$ be polynomial is essential, as the following example demonstrates: for $n = 1$ and $K = \mathbb{R}$ (real numbers) the map $x \to x^3$ is a bijective polynomial map, but its inverse $y \to y^{1/3}$ is not a polynomial map. It follows from the definition that $C(F_p^n)$ is isomorphic to $S_{p^n}$. The group $C(K^n)$ is an important object of algebraic geometry, and there are many open questions about it. For instance, let $AGL_n(K)$ be the totality of all invertible affine maps of $K^n$ onto itself; describe the proper subgroups $X$ of $C(K^n)$ containing $AGL_n(K)$ as a proper subgroup. If $K = F_p$ and $n \ge 3$ then $AGL_n(F_p)$ is a maximal subgroup of $S_{p^n}$, so no such $X$ exists. For the majority of other rings the question is open.
3 Explicit construction of the quadratic polynomial maps

Graph theoretical base
The missing definitions of graph-theoretical concepts which appear in this paper can be found in [6]. All graphs under consideration are simple, i.e. undirected without loops and multiple edges. Let $V(G)$ and $E(G)$ denote the set of vertices and the set of edges of $G$, respectively. Then $|V(G)|$ is called the order of $G$ and $|E(G)|$ is called the size of $G$. A path in $G$ is called simple if all its vertices are distinct. When convenient, we identify $G$ with the corresponding anti-reflexive binary relation on $V(G)$, i.e. $E(G)$ is a subset of $V(G) \times V(G)$, and write $vGu$ for adjacent vertices $u$ and $v$ (neighbours). A sequence of distinct vertices $v_1, \dots, v_t$ such that $v_i G v_{i+1}$ for $i = 1, \dots, t-1$ is a path in the graph. The length of a path is the number of its edges. The distance $dist(u, v)$ between two vertices is the length of the shortest path between them. The diameter of the graph is the maximal distance between two vertices $u$ and $v$ of the graph. Let $C_m$ denote the cycle of length $m$, i.e. a sequence of distinct vertices $v_1, \dots, v_m$ such that $v_i G v_{i+1}$, $i = 1, \dots, m-1$, and $v_m G v_1$. The girth of a graph $G$, denoted by $g = g(G)$, is the length of the shortest cycle in $G$. The degree of a vertex $v$ is the number of its neighbours (see [19] or [6]).
An incidence structure is a set $V$ with partition sets $P$ (points) and $L$ (lines) and a symmetric binary relation $I$ such that incidence of two elements implies that one of them is a point and the other is a line. We identify $I$ with the simple graph of this incidence relation (a bipartite graph). If the number of neighbours of each element is finite and depends only on its type (point or line), then the incidence structure is a tactical configuration in the sense of Moore (see [20]). A graph is $k$-regular if each of its vertices has degree $k$, where $k$ is a constant. In this section we reformulate the results of [21], [3], where the $q$-regular tree was described in terms of equations over the finite field $F_q$.
Let $q$ be a prime power, and let $P$ and $L$ be two countably infinite dimensional vector spaces over $F_q$. The elements of $P$ will be called points and those of $L$ lines. To distinguish points from lines we use parentheses and brackets: if $x \in V$, then $(x) \in P$ and $[x] \in L$. It will also be advantageous to adopt the notation for the coordinates of points and lines introduced in ... We now define an incidence structure $(P, L, I)$ as follows. We say that the point $(p)$ is incident with the line $[l]$, and we write $(p) I [l]$, if the following relations between their coordinates hold: ... (The last four relations are defined for $i \ge 2$.) This incidence structure $(P, L, I)$ is denoted $D(q)$. We now refer to the incidence graph of $(P, L, I)$, which has the vertex set $P \cup L$ and the edge set consisting of all pairs $\{(p), [l]\}$ for which $(p) I [l]$.
For each positive integer $k \ge 2$ we obtain an incidence structure $(P_k, L_k, I_k)$ as follows. $P_k$ and $L_k$ are obtained from $P$ and $L$, respectively, by simply projecting each vector onto its $k$ initial coordinates. The incidence $I_k$ is then defined by imposing the first $k-1$ incidence relations and ignoring all others. For fixed $q$, the incidence graph corresponding to the structure $(P_k, L_k, I_k)$ is denoted by $D(k, q)$. It is convenient to define $D(1, q)$ to be equal to $D(2, q)$. The properties of the graphs $D(k, q)$ that we are concerned with are described in the following theorem.

Theorem 1. [3] Let $q$ be a prime power and $k \ge 2$. Then (i) $D(k, q)$ is a $q$-regular edge-transitive bipartite graph of order $2q^k$; (ii) for odd $k$, $g(D(k, q)) \ge k + 5$; for even $k$, $g(D(k, q)) \ge k + 4$.
In [21] the following statement was proved. Consider the equivalence relation $\tau$: $u \tau v$ iff $a(u) = a(v)$ on the set $P \cup L$ of vertices of $D(k, q)$ ($D(q)$). The equivalence class of $\tau$ containing the vertex $v$ with $a(v) = (x)$ can be considered as the vertex set of the induced subgraph $EQ_{(x)}(k, q)$ ($EQ_{(x)}(q)$) of the graph $D(k, q)$ (respectively $D(q)$). When $(x) = (0, \dots, 0)$ we omit the index and write simply $EQ(k, q)$.
Let $CD(q)$ be the connected component of $D(q)$ which contains $(0, 0, \dots)$. Let $\tau'$ be the equivalence relation on $V(D(k, q))$ ($V(D(q))$) whose equivalence classes are the connected components of the graph. Obviously $u \tau' v$ implies $u \tau v$, since the invariant $a$ is constant along edges. If $\mathrm{char}\, F_q$ is odd, the converse is also true (see [18] and further references).

Proposition 2.
Let $q$ be odd. The vertices $u$ and $v$ of $D(q)$ ($D(k, q)$) belong to the same connected component if and only if $a(u) = a(v)$, i.e. $\tau' = \tau$ and $EQ(q) = CD(q)$ ($EQ(k, q) = CD(k, q)$).
The condition $\mathrm{char}\, F_q \ne 2$ in the last proposition is essential. For instance, the graph $EQ(k, 4)$, $k > 3$, contains 2 isomorphic connected components. Clearly $EQ(k, 2)$ is a union of cycles $CD(k, 2)$. Thus neither $EQ(k, 2)$ nor $CD(k, 2)$ is an interesting family of graphs of high girth. But the case of the graphs $EQ(k, q)$, $q$ a power of 2, $q > 2$, is very important for coding theory.
Notice that $P_n = L_n = K^n$, so we can think of $P_{D,t,n}$ and $L_{D,t,n}$ as bijective operators on the free module $K^n$.
Theorem 2. For each commutative ring $K$ the transformations $P_{D,t,n}$ and $L_{D,t,n}$ of $K^n$ form the symmetric bipartite dynamical system $SB_D(K)$ of large girth with $c = 1/2$, such that $t = -t$, $t \in K$, and every non-identity transformation of the kind $F_{D_P, t_1, t_2, \dots, t_l, n}$ or $F_{D_L, t_1, t_2, \dots, t_l, n}$, where $(t_1, t_2, \dots, t_l) \in K^l$, is a cubic map.
Since we have fixed the first coordinate, the operators $P_{D,t,n}$ and $L_{D,t,n}$ of $K^n$ make the coordinates $c_1, p_{1,1}, p_{1,2}, p_{2,1}, p_{2,2}, p_{2,3}, \dots, p_{s,s}$ linear maps. The coordinates $l_{s,s}$ and $p_{s,s}$, which are quadratic maps, are made invisible. The last two coordinates $p_{s,s+1}$ and $p_{s+1,s}$ are also quadratic.

4 Public key cryptography and key exchange protocol
We may assume that $g$ is the private key encryption map corresponding to the numerical string $(x_1, x_2, \dots, x_s)$ (the key). It is clear that the inverse map corresponds to the reversed string $(x_s, x_{s-1}, \dots, x_1)$.
We implement the public key encryption and the symbolic version of the Diffie-Hellman key exchange corresponding to the quadratic maps $f_1 g^n f_2$ and $f_1^{-1} g^n f_1$ with fixed sparse affine transformations $f_1$ and $f_2$.
A typical choice of $f_i$ is the linear transformation $x_1 \to x_1 + r_2 x_2 + \dots + r_n x_n$ (the other coordinates are left unchanged), where the parameters $r_j$ are taken consecutively from an infinite pseudorandom sequence of regular elements $r_i$, $i = 2, 3, \dots$.
The public key and key exchange algorithms are implemented at the level of symbolic computation, while decryption by the inverse map $f_2^{-1} (g^n)^{-1} f_1^{-1}$ (where $(g^n)^{-1}$ corresponds to the reversed key string) is done by a numerical algorithm $A = A(f_1, f_2)$ with key space $(x_1, x_2, \dots, x_s)$ of variable dimension $s$. Obviously we can use $A$ independently as a symmetric private key algorithm. Notice that in the case $f_2 = f_1^{-1}$ and a periodic password obtained via repetition of the word $(a, b, \alpha_1, \alpha_2, \dots, \alpha_{2s})$, where $-\alpha_{2s} + a$ and $-\alpha_{2s} + b$ are regular elements of the ring $K$, the security of the public rule and of the related stream cipher is connected with the discrete logarithm problem in the Cremona group (the base is $f_1 g f_1^{-1}$, where $g$ is the encryption map corresponding to the string $(a, b, \alpha_1, \alpha_2, \dots, \alpha_{2s})$).
To use these results in public key cryptography over $K = F_q$, let us combine the quadratic polynomial transformation $N_l$ (given in 3.2) with two affine transformations $T_1$ and $T_2$. Alice can use $T_1 N_l T_2$ for the construction of the public map $y = (F_1(x_1, \dots, x_n), \dots, F_n(x_1, \dots, x_n))$, where the $F_i(x_1, \dots, x_n)$ are polynomials in $n$ variables written as sums of monomials of the kind $x_{i_1}^{m_1} x_{i_2}^{m_2}$ with coefficients from $K = F_q$, where $i_1, i_2 \in \{1, 2, \dots, n\}$ and $m_1, m_2$ are non-negative integers such that $m_1 + m_2 \le 2$. As mentioned before, the polynomial equations $y_i = F_i(x_1, x_2, \dots, x_n)$, $i = 1, 2, \dots, n$, which are made public, are of degree 2. Hence encryption (evaluation of $n$ quadratic polynomials in $n$ variables) and, for the holder of the trapdoor $T_1$, $N_l$, $T_2$, decryption can be done in polynomial time $O(n^3)$. But the cryptanalyst Cezar, having only the formula for $y$, faces the very hard task of solving a system of $n$ equations of degree 2 in $n$ variables. In general it can be solved only in exponential time by the general algorithms based on the Gröbner basis method. Nevertheless, the study of specific features of our polynomials could lead to effective cryptanalysis; this is an open problem for specialists.
We consider the Diffie-Hellman algorithm for key exchange in the group $S_{q^n}$. Let $g^k \in S_{q^n}$ be the public rule obtained via $k$ iterations of $g$. In general the algorithm is as follows. The correspondents Alice and Bob establish $g \in S_{q^n}$ via an open communication channel, choose positive integers $n_A$ and $n_B$, respectively, and exchange the public rules $h_A = g^{n_A}$ and $h_B = g^{n_B}$ via the open channel. Finally they compute the common transformation $T$ as $h_B^{n_A}$ and $h_A^{n_B}$, respectively.
The order of $g$ in the symbolic Diffie-Hellman algorithm must be sufficiently large, and the number $n_A$ (or $n_B$) must not be easily computable from the degrees of $g$ and $h_A$. The map $g$ which sends $x_i$ to $x_i^t$ for each $i$ is obviously a bad choice of base for the discrete logarithm problem: $g^{n_A}$ sends $x_i$ to $x_i^{t^{n_A}}$, so $\deg h_A = (\deg g)^{n_A}$ and $n_A = \log(\deg h_A) / \log(\deg g)$ can be read off the public rules.
To avoid such trouble we look at families of subgroups $G_n$ of $S_{q^n}$, $n \to \infty$, such that the maximal degree of their elements equals $c$, where $c$ is a small constant independent of $n$ (groups of degree $c$, or groups of stable degree): the degree of $g^k$ is then bounded by $c$ and carries no information about $k$.
Let us discuss the asymmetry of our modified Diffie-Hellman key exchange in detail. The correspondents Alice and Bob have different information available for their computations. Alice chooses the dimension $n$, an element $g_n$ as in the above theorem, an element $h \in Q_n$ and an affine transformation $\tau \in AGL_n(K)$. So she obtains the base $b = \tau^{-1} h^{-1} g_n h \tau$ and sends it to Bob in the form of a standard polynomial map.
Our groups $Q_n$ are defined by a set of generators, and Alice can compute the words $h^{-1} g_n h$, $b$ and its powers very fast. So Alice chooses a rather large number $n_A$, computes $c_A = b^{n_A}$ and sends it to Bob. In his turn Bob chooses his own key $n_B$ and computes $c_B = b^{n_B}$. He and Alice obtain the common (collision) map $c$ as $c_A^{n_B}$ and $c_B^{n_A}$, respectively.
Notice that the position of an adversary is similar to Bob's position: he (or she) needs to solve one of the equations $b^x = c_B$ or $b^x = c_A$ for $x$, or otherwise to compute $c$ from $b$, $c_A$ and $c_B$ without recovering $x$, so the security of the exchange rests on the Diffie-Hellman problem for this base and not only on the discrete logarithm problem. The algorithm is implemented in the cases of finite fields and of the rings $Z_m$ for the family of groups $Q_n$.
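The following added example (not code from the paper or its implementation) puts three points of the text into working form with a toy polynomial-map algebra over $F_7$: the growth of the degree of $g^k$ with $k$ discussed in Section 2 and the resulting degree-leak attack on the bad base $x \to x^t$ of Section 4, the bounded degree of all powers of a conjugated base $f^{-1} \tau f$ from the Introduction, and the symbolic Diffie-Hellman exchange $h_A = g^{n_A}$, $h_B = g^{n_B}$, $h_B^{n_A} = h_A^{n_B}$ of this section. The prime $p = 7$, the quadratic map $f$, the linear map $\tau$ and the exponents are constructed for illustration; the conjugated base is a stand-in of degree at most 4 for the page's pseudolinear construction and is not the $D(n, q)$-based map of Theorem 2.

```python
"""Symbolic Diffie-Hellman on polynomial maps of F_p^n (added toy example).

A polynomial over F_p in n variables is a dict {exponent_tuple: coeff};
a polynomial map ("public rule") of F_p^n is a list of n such polynomials.
P, the maps F, TAU and the exponents below are constructed for illustration.
"""
import math

P = 7  # constructed toy prime


def padd(a, b):
    """Sum of two polynomials, coefficients reduced mod P."""
    r = dict(a)
    for m, c in b.items():
        r[m] = (r.get(m, 0) + c) % P
    return {m: c for m, c in r.items() if c}


def pmul(a, b):
    """Product of two polynomials (formal: no reduction by x^p - x)."""
    r = {}
    for m1, c1 in a.items():
        for m2, c2 in b.items():
            m = tuple(e1 + e2 for e1, e2 in zip(m1, m2))
            r[m] = (r.get(m, 0) + c1 * c2) % P
    return {m: c for m, c in r.items() if c}


def var(i, n):
    """The variable x_i (0-based) as a polynomial in n variables."""
    return {tuple(int(j == i) for j in range(n)): 1}


def substitute(poly, fmap):
    """poly(x_1, ..., x_n) with each x_j replaced by the polynomial fmap[j]."""
    n = len(fmap)
    total = {}
    for m, c in poly.items():
        term = {(0,) * n: c}
        for j, e in enumerate(m):
            for _ in range(e):
                term = pmul(term, fmap[j])
        total = padd(total, term)
    return total


def compose(g, f):
    """Composition g o f: apply f first, then g."""
    return [substitute(gi, f) for gi in g]


def identity(n):
    return [var(i, n) for i in range(n)]


def power(g, k):
    """k-fold composition g^k by square-and-multiply (powers of g commute)."""
    result, base = identity(len(g)), g
    while k:
        if k & 1:
            result = compose(result, base)
        base = compose(base, base)
        k >>= 1
    return result


def degree(fmap):
    """Degree of a polynomial map: maximal total degree over all coordinates."""
    return max((sum(m) for poly in fmap for m in poly), default=0)


def exponent_from_degree(g, h):
    """Degree-leak attack on a base whose degree multiplies under composition:
    if deg g^k = (deg g)^k then k = log(deg h) / log(deg g)."""
    return round(math.log(degree(h)) / math.log(degree(g)))


# Bad base from the text: x -> x^t (here n = 1, t = 3); deg g^k = 3^k leaks k.
BAD_BASE = [{(3,): 1}]

# Stable-degree base: conjugate an invertible linear map TAU by a quadratic
# bijection F whose inverse is also quadratic, so deg(F_INV TAU^k F) <= 4 for
# every k. This is a stand-in for the page's pseudolinear construction, not
# the D(n, q) maps themselves.
N = 2
X1, X2 = var(0, N), var(1, N)
F = [X1, padd(X2, pmul(X1, X1))]           # f:    (x1, x2) -> (x1, x2 + x1^2)
F_INV = [X1, padd(X2, {(2, 0): P - 1})]    # f^-1: (x1, x2) -> (x1, x2 - x1^2)
TAU = [padd(X1, X2), X1]                   # tau:  (x1, x2) -> (x1 + x2, x1)
G = compose(F_INV, compose(TAU, F))        # g = f^-1 tau f, order 16 mod 7


def symbolic_dh(g, n_a, n_b):
    """Alice publishes g^n_A, Bob publishes g^n_B; both derive the same map."""
    h_a, h_b = power(g, n_a), power(g, n_b)
    return h_a, h_b, power(h_b, n_a), power(h_a, n_b)


if __name__ == "__main__":
    print([degree(power(BAD_BASE, k)) for k in range(1, 5)])  # [3, 9, 27, 81]
    print(exponent_from_degree(BAD_BASE, power(BAD_BASE, 4)))  # 4
    print([degree(power(G, k)) for k in range(1, 17)])          # all <= 4
    h_a, h_b, s_a, s_b = symbolic_dh(G, 5, 11)
    print(s_a == s_b, degree(h_a), degree(h_b))                 # True 4 4
```

Running the script shows degrees 3, 9, 27, 81 for the first powers of the bad base, from which the exponent 4 is recovered, whereas every power of $g = f^{-1} \tau f$ has degree at most 4 and Alice's and Bob's derived maps coincide. The composition routine is the same one an adversary runs, so the bounded degree shows only that $n_A$ cannot be read off the public rule; it says nothing about the order of $g$, which here is just 16 because $\tau$ has order 16 over $F_7$, far too small for real use and exactly the quantity the paper's construction aims to make large.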