On the family of cubical multivariate cryptosystems based on the algebraic graph over finite commutative rings of characteristic

– The family of algebraic graphs A(n, K) defined over a finite commutative ring K was used for the design of different multivariate cryptographic algorithms (private and public keys, key exchange protocols). The encryption map corresponds to a special walk on this graph. We expand the class of encryption maps via the use of an automorphism group of A(n, K). In the case of characteristic 2 the encryption transformation is a Boolean map. We replace the finite field by a commutative ring of characteristic 2 and consider some modifications of the algorithm which allow one to hide the ground commutative ring. The compositions $F_{P,t_1,t_2,n}$, $F_{L,t'_1,t'_2,n}$ of the maps $P_{t_1,n}$, $L_{t_2,n}$ and $L_{t'_1,n}$, $P_{t'_2,n}$, respectively, are bijective transformations of the n-dimensional free module $K^n$. We


Introduction
Multivariate cryptography in the narrow sense (see [1]) is the generic term for asymmetric cryptographic primitives based on multivariate polynomials over finite fields. In certain cases these polynomials could be defined over both a ground and an extension field. If the polynomials have degree two, we talk about multivariate quadratics. The problem of finding a solution of a system of multivariate polynomial equations is proven to be NP-hard or NP-complete. That is why these schemes are often considered to be good candidates for post-quantum cryptography, once quantum computers can break the current schemes. Today multivariate quadratics could be used only to
dimensional free module $K^m$ over $F_2$, and the multiplication of vectors $(x_1, x_2, \dots, x_m)$ and $(y_1, y_2, \dots, y_m)$ can be computed as $(f_1, f_2, \dots, f_m)$, where $f_i$, $i = 1, 2, \dots, m$, are Boolean functions in the variables $x_j$, $y_j$, $j = 1, 2, \dots, m$, in a special basis.
Some examples of finite rings of characteristic 2: (i) the Boolean ring $B_m$: $B_m = F_2^m$ with the multiplication $(x_1, x_2, \dots, x_m)(y_1, y_2, \dots, y_m) = (x_1 y_1, x_2 y_2, \dots, x_m y_m)$; (ii) the commutative ring $K = F_2[x]/p(x)$, where $p(x)$ is a polynomial from $F_2[x]$ of degree m. If $p(x)$ is irreducible, then K is a finite field $F_q$ of characteristic 2 containing $2^m$ elements. In the case $p(x) = x^m$ and the natural base $1, x, x^2, \dots, x^{m-1}$ the multiplication in K is the usual polynomial multiplication with the specialization $x^i = 0$ for $i = m, m+1, \dots, 2m-2$. We denote this ring by $N_m$.
It is clear that in the ring $N_m$, or in the case of the Boolean ring $B_m$, we have really "fast" multiplication.
In Section 2 we introduce some definitions needed to describe our algorithms. In Section 3 we recall and define some properties of the family of algebraic graphs A(n, K) over a general commutative ring K (in the case $K = F_q$ we have $A(n, K) = A(n, q)$) and define the double directed graphs DA(n, K) of the bipartite graphs A(K). In Section 4 we present the automorphism groups of these graphs. In Section 5 we show how to generate bijective Boolean transformations based on the graphs A(n, K) and DA(n, K) over a finite commutative ring K with char K = 2 from the above mentioned class of rings.
We formulate some properties of the generated boolean functions related to cryptographical applications.
In Section 6 we present the multivariate public key cryptosystem using the results from the previous sections.
Let us use the traditional characters of cryptography: Alice is the holder of the key, Bob is the public user (see [5]).

Graph theoretical preliminaries and some open problems
The definitions of graph-theoretical concepts for simple graphs which are used but not given in this paper can be found in [14], [15].
All graphs under consideration are simple graphs, i.e. undirected, without loops and multiple edges. Let V(Γ) and E(Γ) denote the set of vertices and the set of edges of Γ, respectively. |V(Γ)| is called the order of Γ, and |E(Γ)| is called the size of Γ. A path in Γ is called a simple path if all its vertices are distinct. When it is convenient, we shall identify Γ with the corresponding antireflexive binary relation on V(Γ), i.e. E(Γ) is a subset of V(Γ) × V(Γ). A graph Γ is bipartite if its vertices can be partitioned into two sets in such a way that no edge joins two vertices in the same set.
The length of a path is the number of its edges. The girth of a graph Γ, denoted by g = g(Γ), is the length of the shortest cycle in Γ. Let $g_x = g_x(\Gamma)$ be the length of the minimal cycle through the vertex x from the set V(Γ) of vertices of the graph Γ. We refer to $Cind(\Gamma) = \max\{g_x, x \in V(\Gamma)\}$ as the cycle indicator of the graph Γ.
If $\Gamma_i$ is a family of connected k-regular graphs of increasing order with increasing cycle indicator for which the projective (or inductive) limit $\Gamma = \lim \Gamma_i$, $i \to \infty$, is well defined, then Γ is a tree.
Recall that a family of regular graphs $\Gamma_i$ of degree $k_i$ and increasing order $v_i$ is a family of graphs of large girth if $g(\Gamma_i) \ge c \log_{k_i}(v_i)$ for an independent constant c, c > 0. Such families play an important role in extremal graph theory, the theory of LDPC codes and cryptography [16], [9], [17]. Families of graphs of large girth and bounded degree are hard to construct. This fact is a serious motivation for the study of infinite families of graphs of large cycle indicator, which generalise families of graphs of large girth.
We refer to a family of regular simple graphs $\Gamma_i$ of degree $k_i$ and order $v_i$ as a family of graphs of large cycle indicator if $Cind(\Gamma_i) \ge c \log_{k_i}(v_i)$ for an independent constant c, c > 0. We refer to the maximal value of c satisfying the above inequality as the speed of growth of the girth indicator for the family of graphs $\Gamma_i$.

The algebraic graphs A(n, K) over a finite commutative ring K
In papers [18], [19] the importance of finite automata related to the algebraic graph B(S, K) over the commutative ring K was discussed; B(S, K) is defined by the system S of quadratic equations for the variety $P_n \cup L_n$, $P_n = K^n$, $L_n = K^n$, in the following manner.
The point $(x_1, x_2, \dots, x_n)$ and the line $[y_1, y_2, \dots, y_n]$ are connected by an edge if and only if the following system S of relations holds.
Such graphs over fields play an important role in the theory of geometries associated with Simple Lie Algebras (see [20] and further references).
In this paper we will use the family of graphs A(n, K). We can write the equations as follows;
with the last equation $y_n - x_n = y_1 x_{n-1}$ in the case of n even, or the last equation $y_n - x_n = x_1 y_{n-1}$ in the case of n odd. So A(n, K) is a graph of the kind B(S, K). We use the notation A(n, q) for the graph $A(n, F_q)$ over the finite field $F_q$. Another example is the family of Wenger graphs W(n, K), defined by the system of equations
As was proven in [21], for fixed $K = F_q$ the family W(n, K) is a family of small world graphs without small cycles. The stream cipher based on the Wenger graphs was proposed in [21].
Historically, the graph A(n, K) appears as a homomorphic image of the graphs D(n, K) or CD(n, K), defined via the root system of the Lie algebra $\tilde{A}_1$ [20]. Positive roots of this system can be identified with the formal pairs (i, i), (i+1, i) and (i, i+1), where i = 1, 2, ... (see [20], [12] and further references). So we can use double indices in the definition of our graphs. First of all we define an infinite family of graphs A(K).
Let P and L be two copies of the infinite-dimensional free module $K^{\mathbb{N}}$, where K is a commutative ring and $\mathbb{N}$ is the set of positive integers. The elements of P will be called points and those of L lines. To distinguish points from lines we use parentheses and brackets. If x ∈ V, then (x) ∈ P and [x] ∈ L. It will also be advantageous to adopt a notation for the coordinates of points and lines. So, we take the following notation . The elements of P and L can be thought of as infinite ordered tuples of elements from K such that only a finite number of components is different from zero. We now define an incidence structure (P, L, I) as follows. We say the point (p) is incident with the line [l], and we write (p)I[l], if the following relations between their coordinates hold:
For each positive integer n ≥ 2 we obtain an incidence structure $(P_n, L_n, I_n)$ as follows. $P_n$ and $L_n$ are obtained from P and L, respectively, by simply projecting each vector onto its n initial coordinates with respect to the above order. The incidence $I_n$ is then defined by imposing the first n−1 incidence equations and ignoring all others. The incidence graph corresponding to the structure $(P_n, L_n, I_n)$ is denoted by A(n, K). It is clear that A(n, K) is a |K|-regular bipartite graph of order $2|K|^n$, where |K| denotes the cardinality of the ring K.
For each positive integer n ≥ 2 we consider the standard graph homomorphism $\phi_n$ of $(P_n, L_n, I_n)$ onto $(P_{n-1}, L_{n-1}, I_{n-1})$, defined as the simple projection of each vector from $P_n$ and $L_n$ onto its n − 1 initial coordinates with respect to the above mentioned order.
To show how interesting our graphs are, we present them for small rings in Figs 1-4 and some of their properties in Table 1. For the computer simulations in this paper Matlab and SAGE were used. Table 1. Some properties of graphs A(n, K) over finite rings K of characteristic 2, e.g. $F_4$, $F_8$, $B_2$ and $N_2$, respectively.

We define the colour function π for the graph A(n, K) as the projection of tuples (p) ∈ $P_n$ and [l] ∈ $L_n$ onto the first coordinate of (p) or [l], respectively. So the set of colours is K.
Let $P_{t,n}$ be the operator of taking the neighbour of a point of colour $p_0$, .. are computed consecutively from the above written equations.
Notice that $P_n = L_n = K^n$. So we can think of $P_{t,n}$ and $L_{t,n}$ as bijective operators on the n-dimensional free module $K^n$.
We use the term multiplicative set M for a subset M of the ring K not containing zero such that x ∈ M, y ∈ M implies xy ∈ M. We say that $\{t_1, t_2, \dots, t_s\}$ is a set of multiplicative generators if its closure under multiplication is a multiplicative set, i.e. it does not contain zero.
The following statement is presented in [13].
Theorem 1. Let K be a finite commutative ring with M ⊂ K, where M is a multiplicative set of cardinality larger than 2. Let us assume that $(t_1, t_2, \dots, t_k) \in K^k$. Then (i) each nonidentical transformation $F_{P_n,t_1,t_2,\dots,t_k,n}$, which is a composition of the maps $P_{t_1,n}, L_{t_2,n}, \dots, P_{t_{k-1},n}, L_{t_k,n}$ for an even number k, or $P_{t_1,n}, L_{t_2,n}, \dots, L_{t_{k-1},n}, P_{t_k,n}$ for an odd number k, is a cubical map of $P_n$ onto $P_n$ and of $P_n$ onto $L_n$, respectively. (ii) each nonidentical transformation $F_{L_n,t_1,t_2,\dots,t_k,n}$, which is a composition of the maps $L_{t_1,n}, P_{t_2,n}, \dots, L_{t_{k-1},n}, P_{t_k,n}$ for the set $t_1, t_2, \dots, t_k$, where k is an even number, or $L_{t_1,n}, P_{t_2,n}, \dots, P_{t_{k-1},n}, L_{t_k,n}$ for an odd number k, is a cubical map of $L_n$ onto $L_n$ and of $L_n$ onto $P_n$, respectively. (iii) for nonidentical transformations $F_{P_n,t_1,t_2,\dots,t_k,n}$ and $F_{L_n,t_1,t_2,\dots,t_k,n}$ corresponding to the string $t_1, t_2, \dots, t_k$ with $t_i + t_{i+1} \in M$, i = 1, 2, ..., k−1, and $t_1 + t_k \in M$ (k is even), the order goes to infinity with the growth of n.
From the computer simulation, and from the fact that the family of graphs A(n, q) over the finite field $F_q$ is neither edge nor vertex transitive when n > 5 and q = 2, the following problem arises: Problem 1. Is the family of graphs A(n, q) of large girth?
Basically, just two explicit constructions of families of graphs of large girth for $k_i = k$, i = 1, 2, ... (k is an independent constant), for the general case of arbitrarily large k with unbounded girth, are known: the family of Ramanujan graphs with c = 3/4 introduced by G. Margulis approximately 40 years after the appearance of the Erdős probabilistic construction (see [22]); and the family of algebraic graphs D(n, q) with c = 1 defined over an arbitrary finite field $F_q$, their connected components CD(n, q) with c = 3/4 and the regular version of polarity graphs for D(n, q) or CD(n, q), introduced by F. Lazebnik, V. A. Ustimenko and A. J. Woldar (see [23]). In 1995 A. Lubotzky [24] presented the following known problem, which is still open.
The family A(n, q) is a family of graphs of large cycle indicator for which the maximal possible speed of growth is c = 2. The family of algebraic graphs A(n, q) is not edge transitive, so if Problem 1 had a positive solution, it would have to be c < 2, and the family would therefore be an example of a family of algebraic graphs such that Cind(A(n, q)) > g(A(n, q)).
In the case of $K = F_q$, Theorem 3 is a corollary of Theorem 1.

Theorem 3. [25]
The family of graphs A(n, q), when q =2, is the family of small world graphs.
Let DA(n, K) be the double directed graph of the bipartite graph A(K). The vertex set of the graph DA(n, K) consists of two copies $F_1$ and $F_2$ of the edge set of A(n, K). Let us assume that the colour ρ(e) of an arc e is $p^1_{1,0} - p^2_{1,0}$. We consider two families of bijective nonlinear polynomial transformations of the kind $P_{t,n+1}: F_1 \to F_2$, $L_{t,n+1}: F_2 \to F_1$, n = 3, 4, ..., t ∈ K. It is easy to see that $F_1 = F_2 = K^{n+1}$, so we may treat $P_{t,n+1}$ and $L_{t,n+1}$ as automorphisms of $K^{n+1}$. Of course, $L_{t,n+1}(v)$ is the operator of taking the neighbour of $v \in F_2$ of colour t belonging to $F_2$, and $P_{t,n+1}(u)$ is the operator of taking the neighbour of $u \in F_1$ of colour t belonging to $F_2$.
The following statement is equivalent to the previous theorem.

The map $\xi^b_{(1,0)}$ changes every coordinate of a point (p) and a line [l] as follows:

=3.
Mathematical induction can be used to prove the following statement.

Application of algebraic graphs in Cryptography
In this section we present our multivariate public key cryptosystem using the results from the previous sections. Our cryptosystem will work over a general finite commutative ring K. The plainspace of the algorithm is $K^n$; the graph theoretical encryption corresponds to a path on the bipartite graph A(n, K), whose partition sets are isomorphic to $K^n$. We can identify the graph A(n, K) with the corresponding symmetric binary relation on the vertex set $K^n \cup K^n$. Each neighbour of the point (line) v can be obtained as $u = F_{P_n,t,n}(v)$ ($u = F_{L_n,t,n}(v)$, respectively), t ∈ K. So we put the colour t on the arrow between v and u and the colour −t on the reverse arrow between u and v.
For simplicity we assume that the encryption path has even length and the starting vertex is always a point. If the path corresponds to the sequence of colours $t_1, t_2, \dots, t_k$ and the starting point is v belonging to $P_n$ ($L_n$, respectively), then the ending point can be computed as $F_{P_n,t_1,t_2,\dots,t_k}(v)$ ($F_{L_n,t_1,t_2,\dots,t_k}(v)$, respectively). We will treat v as a variable (potentially the plaintext), use the term password for the sequence $(t_1, t_2, \dots, t_k)$, and refer to the map $v \to F_{P_n,t_1,t_2,\dots,t_k}(v)$ ($v \to F_{L_n,t_1,t_2,\dots,t_k}(v)$, respectively) as the encryption map based on a simple graph.
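The following Python script is an added example, not code from the paper: it implements the neighbour operators $P_{t,n}$, $L_{t,n}$ of Section 3 and the password-driven encryption walk just described (together with the inverse walk used for decryption and an exhaustive check of the bijectivity stated in Theorem 1) over the ring $N_2 = F_2[x]/(x^2)$ from the introduction. It assumes that the incidence system of A(n, K) alternates as $y_i - x_i = y_1 x_{i-1}$ for even i and $y_i - x_i = x_1 y_{i-1}$ for odd i, matching the last equation quoted in Section 3, and that the neighbour of colour t of a vertex with first coordinate c has first coordinate c + t, so that the reverse arrow carries −t.

```python
from itertools import product

M = 2                    # ring N_2 = F_2[x]/(x^2): an element is a bitmask, bit j = coefficient of x^j
MASK = (1 << M) - 1      # addition is XOR, so every element is its own negative (-t == t)

def mul(a, b):
    """Carry-less polynomial product, then the specialisation x^i = 0 for i >= M."""
    r = 0
    for j in range(M):
        if (b >> j) & 1:
            r ^= a << j
    return r & MASK

def neighbour(v, t, is_point):
    """Unique neighbour of v whose first coordinate is v[0] + t (assumed incidence system, see lead-in).
    Points and lines both live in K^n; fixing the neighbour's first coordinate determines the rest."""
    n = len(v)
    u = [v[0] ^ t] + [0] * (n - 1)
    x, y = (v, u) if is_point else (u, v)      # x is the point, y is the line
    for i in range(1, n):                       # 0-based i is coordinate i + 1
        # even coordinate: y_{i+1} - x_{i+1} = y_1 * x_i ; odd coordinate: y_{i+1} - x_{i+1} = x_1 * y_i
        prod = mul(y[0], x[i - 1]) if (i + 1) % 2 == 0 else mul(x[0], y[i - 1])
        u[i] = v[i] ^ prod                      # solve the equation for the unknown coordinate
    return tuple(u)

def encrypt(v, password):
    """Walk from the point v along the colours t_1..t_k: the map v -> F_{P_n,t_1,...,t_k}(v)."""
    is_point = True
    for t in password:
        v = neighbour(v, t, is_point)
        is_point = not is_point
    return v

def decrypt(u, password):
    """Walk the path backwards; reverse arrows carry -t, which equals t in characteristic 2."""
    is_point = len(password) % 2 == 0           # an even-length path ends on a point
    for t in reversed(password):
        u = neighbour(u, t, is_point)
        is_point = not is_point
    return u

def no_backtracking(password):
    """Necessary part of Theorem 1 (iii): t_i + t_{i+1} and t_1 + t_k lie in a multiplicative set,
    hence are nonzero; in characteristic 2 this says the walk never immediately reverses a step."""
    k = len(password)
    return all(password[i] ^ password[(i + 1) % k] for i in range(k))

def is_permutation(n, password):
    """Exhaustively confirm that the encryption map permutes K^n (2^(M*n) inputs, so keep n small)."""
    images = {encrypt(v, password) for v in product(range(1 << M), repeat=n)}
    return len(images) == (1 << M) ** n
```

Each step is invertible on its own, so `is_permutation` holds for every password; `no_backtracking` only filters the passwords for which Theorem 1 (iii) makes its statement about the order of the map.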
The slightly modified idea is to use the directed graph DA(n, K). Recall that the vertex set of this graph is $K^{n+1} \cup K^{n+1}$. Let the vertex v be an element of $F_1$ ($F_2$, respectively); then v and u are connected by an arrow if and only if $u = P_{F_1,t,n+1}(v)$ ($u = L_{F_2,t,n+1}(v)$, respectively) for a uniquely determined t ∈ K. We put the colour t on the arrow from v to u. If a path of even length corresponds to the sequence of colours $t_1, t_2, \dots, t_k$ and the starting vertex is v from $F_1$ ($F_2$, respectively), then the ending point can be computed as $F_{F_1,t_1,t_2,\dots,t_k}(v)$ ($F_{F_2,t_1,t_2,\dots,t_k}(v)$, respectively). We refer to the map $v \to F_{F_1,t_1,t_2,\dots,t_k}(v)$ ($v \to F_{F_2,t_1,t_2,\dots,t_k}(v)$, respectively) as the encryption map based on the directed graph.
Let K be a finite commutative ring with M ⊂ K, where M is a multiplicative set of cardinality larger than 2.
Private-key algorithms.