On Multivariate Cryptosystems Based on Computable Maps with Invertible Decomposition

Let K be a commutative ring and K^n be an affine space over K of dimension n. We introduce the concept of a family of multivariate maps f(n) of K^n into itself with invertible decomposition. If f(n) is computable in polynomial time then it can be used as the public rule, and the invertible decomposition provides a private key in an f(n)-based public key infrastructure. Requirements of polynomiality of degree and density for f(n) allow us to estimate the complexity of the encryption procedure for a public user. The concepts of a stable family and a family of increasing order are motivated by the studies of the discrete logarithm problem in the Cremona group. The statement on the existence of families of multivariate maps of polynomial degree and polynomial density of increasing order with invertible decomposition is proved. The proof is supported by an explicit construction which can be used as a new cryptosystem. The presented multivariate encryption maps are induced by special walks in the algebraically defined extremal graphs A(n,K) and D(n,K) of increasing girth.

Recall that the Cremona group C(K^n) is the totality of invertible polynomial maps f of the affine space K^n over a commutative ring K into itself such that the inverse map f^{-1} is also a polynomial one.
Let us refer to the sequence of maps f(n) from C(K^n), n = 1, 2, ..., as a family of polynomial degree if the degree of each transformation is a parameter s of size O(n^t).
We say that a family f(n) is a family of linear degree in the case t = 1. We refer to a family f(n) as a family of bounded degree if t = 0. Let us assume that a transformation f = f(n) is written in the form x_i → f_i(x_1, x_2, ..., x_n), i = 1, 2, ..., n, where each polynomial f_i over K is determined by the list of its monomial terms with respect to a chosen order.
We refer to the sequence f(n) ∈ C(K^n) as a family of polynomial density d if the total number of monomial expressions in all f_i is O(n^d) for a constant d independent of n.
Proposition 1. Let f(n) be a family of polynomial degree s and of polynomial density d. Then the value of f(n) at a point x ∈ K^n can be computed in O(n^{s+d}) elementary steps.
A family of elements f(n) ∈ C(K^n), n > 1, is called stable if each nonidentity iteration of f(n) with itself has the same degree as f(n). Let |g| be the order of g ∈ C(K^n). We say that f(n) is a family of increasing order if |f(n)| → ∞ as n → ∞.
Let us consider the discrete logarithm problem for a stable family f(n) of increasing order. We have to solve the equation f(n)^y = b(n) with respect to an integer unknown y. Notice that deg(f(n)) = deg(b(n)). It means that studies of the degrees of f(n)^k, k = 1, 2, ..., do not bring us new information for the task. If the order of the element f(n) grows fast with the growth of n, then the discrete logarithm problem can be NP-hard. We say that a family f(n) ∈ C(K^n) has an invertible decomposition of speed d if f(n) can be written as a composition of elements f_1(n), f_2(n), ..., f_{k(n)}(n) and this decomposition allows us to compute the value y = f(x) and the reimage of a given y in time k(n)·O(n^d) (see the author's extended abstract for the Central European Conference on Cryptology 2014). In the case d = 1 we say that the invertible decomposition is of linear speed. The complexity of computing the value of each f_i(n) at a given point x is O(n^d). We say that a function u : Z^+ → Z^+ is computationally equivalent to n^s, s ≥ 0, and write u <=> n^s, if C_1 n^s ≤ u(n) ≤ C_2 n^s for some positive constants C_1 and C_2.
In section 4 we prove that for each commutative ring K, char(K) ≠ 2, and each
The proof of this theorem is obtained via studies of multivariate maps related to explicit constructions of Extremal Graph Theory (see [2,3,4,5]) given in terms of nonlinear equations over finite fields F_q and their analogues defined over a general commutative ring.
Examples of stable families f(n) ∈ C(K^n) of constant degree and increasing order defined in terms of algebraic graph theory are given in [6,7,8,9]. An example of stable transformations of linear degree and increasing order is proposed in [10]; the idea of using stable maps with compression is considered in [11].

Extremal Algebraic Graphs Corresponding to Special Families of Multivariate Maps
Recall that the girth is the length of a minimal cycle in a simple graph. The studies of the maximal size ex(C_3, C_4, ..., C_{2m}, v) of a simple graph on v vertices without cycles of length 3, 4, ..., 2m, i.e. of graphs of girth > 2m, form an important direction of Extremal Graph Theory.
As follows from the famous Even Circuit Theorem by P. Erdős we have the inequality: where c is a certain constant. The bound is known to be sharp only for n = 4, 6, 10.
The first general lower bounds of the kind ex(v, C_3, C_4, ..., C_n) = Ω(v^{1+c/n}), where c is some constant < 1/2, were obtained in the fifties by Erdős via the studies of families of graphs of large girth, i.e. infinite families of simple regular graphs Γ_i of degree k_i and order v_i such that g(Γ_i) ≥ c log_{k_i} v_i, where c is a constant independent of i. Erdős proved the existence of such a family with arbitrarily large but bounded degree k_i = k and c = 1/4 by his famous probabilistic method.
Only two explicit families of regular simple graphs of large girth with unbounded girth and arbitrarily large k are known: the family X(p, q) of Cayley graphs for PSL_2(p), where p and q are primes, defined by G. Margulis [12] and investigated by A. Lubotzky, Sarnak [13] and Phillips, and the family of algebraic graphs CD(n, q) [14]. The graphs CD(n, q) appear as connected components of the graphs D(n, q) defined via a system of quadratic equations. The best known lower bound for d ≠ 2, 3, 5 was deduced from the existence of the above mentioned families of graphs. Recall that a family of regular graphs Γ_i of degree k_i and increasing order v_i is a family of graphs of small world if diam(Γ_i) ≤ c log_{k_i}(v_i) for an independent constant c, c > 0, where diam(Γ_i) is the diameter of the graph Γ_i. The graphs X(p, q) form the unique known family of large girth which is a family of small world graphs at the same time. There is a conjecture known from 1995 that the family of graphs CD(n, q) for odd q is another example of such kind. Currently it is proven that the diameter of CD(n, q) is bounded from above by a polynomial function d(n), which does not depend on q.
Pobrane z czasopisma Annales AI-Informatica http://ai.annales.umcs.pl Data: 16/07/2023 03:02:08 U M C S
Expanding properties of X(p, q) and D(n, q) can be used in Coding Theory (magnifiers, superconcentrators, etc.). The absence of short cycles and the high girth of both families can be used for the construction of LDPC codes [15]. This class of error correcting codes is an important tool of security for satellite communications. The usage of CD(n, q) as Tanner graphs producing LDPC codes leads to better properties of the corresponding codes compared to the usage of Cayley-Ramanujan graphs (see [16]).
Both families X(p, q) and CD(n, q) consist of edge transitive graphs. Their expansion properties and the property of being graphs of large girth hold also for random graphs, which have no automorphisms at all. To make a better deterministic approximation of a random graph we can look at regular expanding graphs of large girth without an edge transitive automorphism group.
We consider below an optimization problem for simple graphs which is similar to the problem of finding the maximal size of a graph on v vertices with girth ≥ d.
Let us refer to the minimal length of a cycle through a given vertex of the simple graph Γ as the cycle indicator of the vertex. The cycle indicator of the graph Cind(Γ) is defined as the maximal cycle indicator of its vertices. A regular graph is called cycle irregular if its cycle indicator differs from the girth (the length of a minimal cycle). The solution of the optimization problem of computing the maximal size e = e(v, d) of a graph of order v whose cycle indicator exceeds d, d > 2, has been found very recently.
It turns out that: and this bound is always sharp (see [15] or [16] and further references). We refer to a family of regular simple graphs Γ_i of degree k_i and order v_i as a family of graphs of large cycle indicator if for an independent constant c, c > 0. We refer to the maximal value of c satisfying the above inequality as the speed of growth of the cycle indicator for the family of graphs Γ_i. As follows from the above evaluation of e(v, d), the speed of growth of the cycle indicator for a family of graphs of constant but arbitrarily large degree is bounded above by 2.
We refer to such a family as a family of cyclically irregular graphs of large cycle indicator if almost all graphs of the family are cycle irregular graphs.
The following theorem was proven in [16]: There is a family of almost Ramanujan cyclically irregular graphs of large cycle indicator with the speed of cycle indicator 2, which is at the same time a family of small world graphs.
The explicit construction of the family A(n, q) as in the previous statement is given in [15,16]. Notice that the members of the family of cyclically irregular graphs are not edge transitive graphs. The LDPC codes related to the new families are presented in [19]; computer simulations demonstrate essential advantages of the new codes in comparison to those related to CD(n, q) and D(n, q).
The graphs D(n, q) and CD(n, q) have been used in symmetric cryptography together with their natural analogues D(n, K) and CD(n, K) over general finite commutative rings K since 1998 (see [6]). The theory of directed graphs and the language of dynamical systems were very useful for the studies of public key and private key algorithms based on the graphs D(n, K), CD(n, K) and A(n, K) (see [16], [17], [15], [19] and further references).
There are several implementations of symmetric algorithms for the cases of fields (starting from [7]) and arithmetical rings ([19], in particular). A comparison of public keys based on D(n, K) and A(n, K) is considered in [18].

On the Cryptosystems Corresponding to Special Families of Multivariate Maps
(1) We can use families of elements f(n) with invertible decomposition of speed d and of increasing order for the purposes of symmetric cryptography. We assume that the variety K^n is the plaintext space of the encryption algorithm and the list f(n, i), i = 1, 2, ..., k(n), is the password. Then the computation of the value c of the encryption function f(n, 1)f(n, 2)...f(n, k(n)) at a given plaintext p ∈ K^n and of the reimage of the ciphertext c require time O(n^d). Usually the parameter k(n) can be chosen freely.
In fact, in practical cases k(n) is either a constant or a linear function in the variable n (see the surveys [17], [20], [22] on the use of graph based multivariate functions as symmetric encryption functions). To hide the graph nature of f(n) the correspondents (Alice and Bob) can create a new encryption map h(n) as a conjugation of f(n) with a special invertible affine transformation τ = τ(n) (of degree 1) of K^n. In the case of private keys both correspondents know the invertible decomposition and the family τ(n) of affine transformations as part of the key.
(2) Let f(n) ∈ C(K^n) be a family of transformations of polynomial degree s and polynomial density d with an invertible decomposition of speed t. The following public key can be implemented. Alice chooses a parameter n. She knows the decomposition f(n) = f(n, 1) f(n, 2) ... f(n, k(n)). Notice that the transformations f(n, i) need not be bijective. Additionally, she chooses an invertible monomial linear transformation τ_L of the kind determined by a permutation π on the set {1, 2, ..., n}. Alice also takes an affine transformation τ_R of the kind x → xA + b, where A is a non-singular matrix.
She computes the transformation G = τ_L f(n) τ_R in the Cremona group and writes it in the standard form x_i → g_i(x_1, x_2, ..., x_n), i = 1, 2, ..., n.
Let us assume that the public rules g_i are given by their lists of monomial terms, written in a chosen order.
Notice that the applications of the transformations τ_L and τ_R from the left and from the right, respectively, do not change the degree: deg(G) = deg f(n). The left application of τ_L does not change the number of monomial terms. The right application of τ_R can increase the number of monomial terms at most n times. So, the density of G is O(n^{d+1}). A public user (Bob) gets the symbolic transformation G = G(n) in the form of the public rule x_i → g_i(x_1, x_2, ..., x_n). He can encrypt in O(n^{s+d+1}) by computing the value of G on his plaintext (x_1, x_2, ..., x_n).
Alice keeps the decomposition f(n) = f(n, 1)f(n, 2)...f(n, k(n)) as a deep secret. It allows her to decrypt Bob's ciphertext in time k(n)·O(n^t). If Bob does not have additional information on the transformation G, then he can only use a general algorithm for the computation of G^{-1}. The complexity of such efforts is O(n^{sn}).
Remark 1. Let f(n) ∈ C(K^n) be a family of transformations of increasing order and τ_L = τ_R^{-1}. Then the transformations G(n) also form a family of increasing order.
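As an added illustration of the public rule in standard form (Proposition 1 and the conjugation G = τ_L f(n) τ_R of this section), here is Python code that is not part of the paper. It stores a map as lists of monomial terms, evaluates it the way the public user Bob would, and applies a monomial τ_L and an affine τ_R symbolically. The composition order G(x) = τ_R(f(τ_L(x))), the sample triangular cubic map and all parameter values (q = 7, n = 4, the permutation, the scalars, the matrix A and the vector b) are my own assumptions, chosen so that one can check that the degree stays 3 while the density grows by at most a factor of n.

```python
"""Public rule in standard form and the conjugation G = tau_L f tau_R over Z_q.

Added example, not code from the paper.  A map f: Z_q^n -> Z_q^n is a list of
n polynomials, each a dict {exponent tuple: coefficient mod q}, i.e. the list
of monomial terms that the paper calls the standard form.  Assumed order of
composition: G(x) = tau_R(f(tau_L(x))), with tau_L the monomial map
x_i -> lambda_i * x_{pi(i)} and tau_R the affine map x -> xA + b.
"""
from itertools import product


def evaluate(poly, x, q):
    """Value of one polynomial at the point x: sum over its monomial terms."""
    total = 0
    for exps, c in poly.items():
        term = c
        for xi, e in zip(x, exps):
            term = term * pow(xi, e, q) % q
        total = (total + term) % q
    return total


def apply_map(F, x, q):
    """Bob's encryption step: evaluate every public polynomial at the plaintext."""
    return tuple(evaluate(f, x, q) for f in F)


def degree(F):
    return max(sum(exps) for f in F for exps in f)


def density(F):
    """Total number of monomial terms over all coordinates (the paper's density)."""
    return sum(len(f) for f in F)


def substitute_monomial(F, perm, lam, q):
    """tau_L applied first: x_i -> lam[i] * x_{perm[i]} inside every f_j.
    A monomial stays a single monomial, so the density does not change."""
    n = len(F)
    G = []
    for f in F:
        g = {}
        for exps, c in f.items():
            new_exps, coeff = [0] * n, c
            for i, e in enumerate(exps):
                new_exps[perm[i]] += e
                coeff = coeff * pow(lam[i], e, q) % q
            key = tuple(new_exps)
            g[key] = (g.get(key, 0) + coeff) % q
        G.append({k: v for k, v in g.items() if v})
    return G


def apply_affine_after(F, A, b, q):
    """tau_R applied last: g_i = sum_j A[j][i] * f_j + b_i.  Each g_i collects
    the monomials of up to n polynomials, hence density(G) <= n * density(F)."""
    n = len(F)
    G = []
    for i in range(n):
        g = {(0,) * n: b[i] % q}
        for j in range(n):
            for exps, c in F[j].items():
                g[exps] = (g.get(exps, 0) + A[j][i] * c) % q
        G.append({k: v for k, v in g.items() if v})
    return G


def conjugate(F, perm, lam, A, b, q):
    return apply_affine_after(substitute_monomial(F, perm, lam, q), A, b, q)


def tau_l_point(x, perm, lam, q):
    return tuple(lam[i] * x[perm[i]] % q for i in range(len(x)))


def tau_r_point(y, A, b, q):
    n = len(y)
    return tuple((sum(y[j] * A[j][i] for j in range(n)) + b[i]) % q for i in range(n))


def conjugation_consistent(F, perm, lam, A, b, q):
    """Check the symbolic G against point-wise tau_R(f(tau_L(x))) on all of Z_q^n."""
    G = conjugate(F, perm, lam, A, b, q)
    return all(apply_map(G, x, q)
               == tau_r_point(apply_map(F, tau_l_point(x, perm, lam, q), q), A, b, q)
               for x in product(range(q), repeat=len(F)))


def unit(n, i):
    e = [0] * n
    e[i] = 1
    return tuple(e)


def sample_map(n):
    """Constructed triangular cubic map (hence invertible): f_1 = x_1 and
    f_i = x_i + x_1 * x_{i-1}^2 for i >= 2.  Degree 3, density 2n - 1."""
    F = [{unit(n, 0): 1}]
    for i in range(1, n):
        cubic = [0] * n
        cubic[0] += 1
        cubic[i - 1] += 2
        F.append({unit(n, i): 1, tuple(cubic): 1})
    return F


# Constructed parameters: a permutation with nonzero scalars for tau_L and a
# unitriangular (invertible) matrix A with shift vector b for tau_R.
Q, N = 7, 4
PERM, LAM = [1, 2, 3, 0], [2, 3, 4, 5]
A_MAT = [[1, 1, 0, 0], [0, 1, 1, 0], [0, 0, 1, 1], [0, 0, 0, 1]]
B_VEC = [1, 2, 3, 4]
```

Running `conjugate(sample_map(N), PERM, LAM, A_MAT, B_VEC, Q)` gives a public rule of degree 3 with 16 monomial terms, against 7 for the sample map, in line with the bound density(G) ≤ n·density(f); `conjugation_consistent` confirms that the symbolic rule agrees with the point-wise composition on every plaintext.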

Remark 2. Let f(n) be a stable family of transformations of restricted degree r. Let us assume that the information on stability is known to one of the public users. He or she can use the fact that deg(G) = deg(G^{-1}) and conduct linearisation attacks, which allow to break the system in O(n^{2r+1}). It means that for the generation of the public key we have to use families of stable transformations of non-stable degree or stable families with linear or superlinear degree.

On the Explicit Constructions
The graph A(n, K), where K is a finite commutative ring, is defined in the following way. It is a bipartite graph with the point set P = {(x_1, x_2, ..., x_n) | x_i ∈ K} = K^n and the line set L = {[y_1, y_2, ..., y_n] | y_i ∈ K} = K^n, such that a point x = (x_1, x_2, ..., x_n) is incident to a line y = [y_1, y_2, ..., y_n] if and only if the equations x_i − y_i = y_1 x_1 hold for even i and the relations x_j − y_j = x_1 y_j hold for odd j, j ≥ 3. We identify such an incidence relation with the corresponding bipartite graph I = A(n, K). We refer to the first coordinate x_1 = ρ(x) of a point x and the first coordinate y_1 = ρ(y) of a line y as the colour of the vertex (point or line). The following property holds for the graph: there exists a unique neighbour N_t(v) of a given vertex v of a given colour t ∈ K.
The transformation Ẽ shifts a flag {(x), [y]} into its image for the map defined by the family of bivariate polynomials φ_j, ψ_j from K[z_1, z_2]. Additionally, we assume that the system of equations φ_k(z_1, z_2) = a, ψ_k(z_1, z_2) = b has exactly one solution independent of the choice of a and b (boundary requirement). This condition ensures that the reimage of {(x'), [y']} under Ẽ is uniquely determined. In fact, the parameters x_1 and y_1 are determined by the system of equations.
The simplest example for which the boundary requirement holds is a linear system of equations, i.e. the case of φ_k = d_1 z_1 + d_2 z_2 and ψ_k = c_1 z_1 + c_2 z_2 such that the matrix formed by the rows (d_1, d_2) and (c_1, c_2) is invertible over the commutative ring K. Notice that φ_j and ψ_j for j < k can be non-linear expressions from K[z_1, z_2]. If an equation of the kind y^3 = a has a unique solution in K, we can replace the linear φ_k and ψ_k by the expressions d_1 z_1^3 + d_2 z_2 and c_1 z_1^3 + c_2 z_2, respectively. The other option corresponds to the pair (d_3 . The boundary requirement allows us to compute each expression of the kind φ_i(x_1, y_1) and ψ_j(x_1, y_1) and to obtain the reverse walk in the graph with origin x' and final point x. So, we get the original flag {(x), [y]} with [y] = N_{y_1}(x). The code of our flag is (x_1, x_2, ..., x_n, y_1).
Let f = f_n be the transformation of the affine space K^{n+1} into itself which maps the flag (x_1, x_2, ..., x_n, y_1) into its image under Ẽ defined by the family of bivariate polynomials from K[z_1, z_2]. Let us assume that f_n is written in the standard form x_i → f_i(x_1, x_2, ..., x_n, y_1), i = 1, 2, ..., n, y_1 → f_{n+1}(x_1, x_2, ..., x_n, y_1).
Let g^n_i : K^{n+1} → K^{n+1} be the transformation moving z = (z_1, z_2, ..., z_n, u_1) into N^P_{φ_i(z_1, u_1)}(z) and h^n_j be the transformation moving z into N^L_{ψ_j(z_1, u_1)}(z). Obviously, f = g^n_1 h^n_1 g^n_2 h^n_2 ... g^n_k h^n_k is an invertible decomposition of f of speed O(n). Notice that, generally speaking, it is not true that each g^n_i or h^n_i is invertible. It is known that if φ_j(z_1, z_2) = z_1 + a_j and ψ_j(z_1, z_2) = z_2 + b_j for some constants a_j, b_j, then the transformation f_n : K^{n+1} → K^{n+1} is cubical (see [19]). It means that we have O(n^4) monomial terms for the map.
Recall that M is a multiplicative subset of a commutative ring K if it is closed under multiplication and does not contain zero. Let us consider the following special choice of the coefficients a_j and b_j. If a_{i+1} − a_i ∈ M, b_{i+1} − b_i ∈ M for i = 1, 2, ..., k − 1 and a_1 ∈ M, b_1 ∈ M for some multiplicative subset M of K, then the transformation (Ẽ, FA(K)) is a cubical map of infinite order. The cycle C containing the flag {(0, 0, ..., 0), [0, 0, ..., 0]} contains infinitely many elements. So, (Ẽ, FA(K)) has infinite order and the order of the finite permutation (Ẽ, FA(n, K)) goes to infinity with the growth of the parameter n (see [17] or [19]).
Let us deform the functions φ_j and ψ_j above in the following way: φ'_j(z_1, z_2) = α_j z_1^{s(j,n)} z_2^{s'(j,n)} + a_j, ψ'_j(z_1, z_2) = β_j z_1^{r(j,n)} z_2^{r'(j,n)} + b_j, where s(j, n) and s'(j, n) are polynomials in the variable n with highest terms t_1(j) n^{c_j} and t'_1(j) n^{c'_j}, and r(j, n) and r'(j, n) are polynomials with highest terms t_2(j) n^{d_j} and t'_2(j) n^{d'_j}, with nonnegative values of the parameters t_1(j), t_2(j), c_j, d_j and t'_1(j), t'_2(j), c'_j, d'_j. Recall that we have to care about the boundary.
The transformation Ẽ_1 corresponding to the "deformed" specialization z_1 = x_1, z_2 = y_1 also has density O(n^4). It acts on the elements of the cycle C in the same way as Ẽ. So, Ẽ_1|C = Ẽ|C. It means that (Ẽ_1, FA(K)) is an infinite transformation and the order of the finite permutation (Ẽ_1, FA(n, K)) increases with the increase of n. The degree of the transformation (Ẽ_1, FA(n, K)) can be estimated as 3 plus the sum of the values deg(φ'_j − φ'_{j−1}), j = 1, 2, ..., k, and deg(ψ'_j − ψ'_{j−1}), j = 1, 2, ..., k. We assume that char(K) ≠ 2, M = {1, −1}, α_j − α_{j−1} ≠ 0 and β_j ≠ β_{j−1} ≠ 0 for each j. So, our explicit construction supports the following statement.
Theorem 1. Let K be a commutative ring with char(K) ≠ 2. For each non-negative integer parameter s there exists a family f_n ∈ C(K^n) of unstable multivariate maps of polynomial density O(n^4) and polynomial degree d, d <=> n^s, of increasing order.

□
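The walk construction of this section (the operators g^n_i and h^n_j, their composition, and the reverse walk that starts from the boundary pair φ_k, ψ_k), as an added example in Python that is not the paper's code. It assumes the incidence relations x_i − y_i = y_1 x_{i−1} for even i and x_i − y_i = x_1 y_{i−1} for odd i ≥ 3 for A(n, K) with K = Z_q, q prime; it uses the paper's choice φ_j = z_1 + a_j, ψ_j = z_2 + b_j with a_j = b_j = j (so consecutive differences lie in M = {1, −1}) and, optionally, the monomial deformation α_j z_1^{s} z_2^{s'} + a_j with exponents and coefficients of my own choosing, while the last step stays linear so that the initial colours can be recovered as in Remark 3. It also computes the order of the resulting permutation of the flag space for small n.

```python
"""Walk-based encryption on the flag space of A(n, K), K = Z_q (q prime).

Added example, not code from the paper.  Assumed incidence relations of
A(n, K): x_i - y_i = y_1 x_{i-1} (even i), x_i - y_i = x_1 y_{i-1} (odd i >= 3).
Every colour of the walk is computed from the initial flag colours (x_1, y_1),
i.e. the specialisation z_1 = x_1, z_2 = y_1 of the paper.
"""
from itertools import product
from math import gcd


def neighbour_line(point, t, q):
    """Unique line [y_1, ..., y_n] of colour t incident to `point`."""
    n = len(point)
    line = [t % q] + [0] * (n - 1)
    for i in range(2, n + 1):                      # 1-based coordinate index i
        if i % 2 == 0:
            line[i - 1] = (point[i - 1] - line[0] * point[i - 2]) % q
        else:
            line[i - 1] = (point[i - 1] - point[0] * line[i - 2]) % q
    return line


def neighbour_point(line, t, q):
    """Unique point (x_1, ..., x_n) of colour t incident to `line`."""
    n = len(line)
    point = [t % q] + [0] * (n - 1)
    for i in range(2, n + 1):
        if i % 2 == 0:
            point[i - 1] = (line[i - 1] + line[0] * point[i - 2]) % q
        else:
            point[i - 1] = (line[i - 1] + point[0] * line[i - 2]) % q
    return point


def make_walk(k, q, deform=False):
    """Colour functions phi_j, psi_j of (z_1, z_2), j = 1..k: phi_j = z_1 + j,
    psi_j = z_2 + j.  With deform=True the steps j < k use the monomial form
    alpha_j z_1^j z_2^j + j with alpha_j = 2j, beta_j = 3j (constructed choice);
    step k stays linear so the boundary system has a unique solution."""
    phis, psis = [], []
    for j in range(1, k + 1):
        if deform and j < k:
            phis.append(lambda z1, z2, j=j: (2 * j * pow(z1, j, q) * pow(z2, j, q) + j) % q)
            psis.append(lambda z1, z2, j=j: (3 * j * pow(z1, j, q) * pow(z2, j, q) + j) % q)
        else:
            phis.append(lambda z1, z2, j=j: (z1 + j) % q)
            psis.append(lambda z1, z2, j=j: (z2 + j) % q)
    return phis, psis


def encrypt(code, phis, psis, q):
    """Shift the flag with code (x_1, ..., x_n, y_1) along the walk
    g_1 h_1 g_2 h_2 ... g_k h_k; return the code of the final flag."""
    x, y1 = list(code[:-1]), code[-1]
    x1 = x[0]
    line = neighbour_line(x, y1, q)                # the line [y] = N_{y_1}(x)
    for phi, psi in zip(phis, psis):
        x = neighbour_point(line, phi(x1, y1), q)  # g_j: point of colour phi_j on the line
        line = neighbour_line(x, psi(x1, y1), q)   # h_j: line of colour psi_j through it
    return tuple(x) + (line[0],)


def decrypt(code, phis, psis, q, a_k, b_k):
    """Reverse walk: the linear boundary pair phi_k = z_1 + a_k, psi_k = z_2 + b_k
    gives the initial colours; then all colours are known and the walk is
    retraced through unique neighbours."""
    x, last_colour = list(code[:-1]), code[-1]
    x1, y1 = (x[0] - a_k) % q, (last_colour - b_k) % q
    cols = [(phi(x1, y1), psi(x1, y1)) for phi, psi in zip(phis, psis)]
    for j in range(len(cols) - 2, -1, -1):
        line = neighbour_line(x, cols[j][1], q)    # line l_j also contains p_{j+1}
        x = neighbour_point(line, cols[j][0], q)   # point p_j on l_j
    line = neighbour_line(x, y1, q)                # the original line through p_1
    return tuple(neighbour_point(line, x1, q)) + (y1,)


def permutation_order(f, q, n):
    """Order of the bijection f of the finite flag space Z_q^(n+1):
    the lcm of the cycle lengths of its cycle decomposition."""
    seen, order = set(), 1
    for start in product(range(q), repeat=n + 1):
        if start in seen:
            continue
        cur, length = start, 0
        while cur not in seen:
            seen.add(cur)
            cur, length = f(cur), length + 1
        order = order * length // gcd(order, length)
    return order


def roundtrip_ok(q, n, k, deform=False):
    """Check decrypt(encrypt(.)) = id on the whole flag space Z_q^(n+1)."""
    phis, psis = make_walk(k, q, deform)
    return all(decrypt(encrypt(c, phis, psis, q), phis, psis, q, k, k) == c
               for c in product(range(q), repeat=n + 1))


if __name__ == "__main__":
    q, k = 5, 3
    phis, psis = make_walk(k, q, deform=True)
    for n in (2, 3, 4):
        print(n, roundtrip_ok(q, n, k, True),
              permutation_order(lambda c: encrypt(c, phis, psis, q), q, n))
```

The reverse walk relies only on the unique-neighbour property: the last point lies on the line of colour ψ_{k−1}, that line carries the point of colour φ_{k−1}, and so on back to the original line of colour y_1 and the original point of colour x_1. The order computed for the tiny flag spaces is exact, since it enumerates the full cycle decomposition.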
We say that the multivariate maps f_n form a symmetrically invertible family if deg f_n^{-1} = deg f_n.

Remark 3.
If we choose φ_k(z_1, z_2) and ψ_k(z_1, z_2) as expressions of the kind az_1 + b and cz_2 + d, where a and b are regular elements of the ring, then the above constructed map f_n is symmetrically invertible.
Other boundary conditions can give us an example of a family which is not symmetrically invertible:
Example 1. Let K be a commutative ring such that for some odd t, t > 1, the equations z^t = a do not have more than one solution. Then boundary conditions of the kind φ_k(z_1, z_2) = z_1 + b, ψ_k(z_1, z_2) = z_2^t + d (or φ_k(z_1, z_2) = z_1^t + b, ψ_k(z_1, z_2) = z_2^t + d) lead to maps which are not symmetrical.

Remark 4.
We can replace the graphs A(n, K) by D(n, K) in the above construction and obtain another explicit construction of multivariate maps of polynomial density and degree.

Conclusions
The known methods of symmetric encryption via chosen walks on the flags of the bipartite graphs A(n, K) and D(n, K) use a special colouring of their points and lines. The composition of operators changing a flag F = {v_1, v_2} for the adjacent flag F' = {v_2, v_3} such that the colours ρ(v_3) of v_3 and ρ(v_1) of v_1 differ by a chosen constant α is a stable cubical encryption map on the flag space K^{n+1}. The increasing girth and good expansion properties of these graphs lead to good mixing properties of the stream cipher. The weakness of such a method is the option of cubical linearisation attacks based on the fact that the decryption map is also cubical (the complexity of the attack is O(n^{10})).
We introduce a modified method in which the seed maps shifting the flag F = {v_1, v_2} into the adjacent flag F' = {v_2, v_3} take the colour ρ(v_3) to be a monomial term in the variables x_1 = ρ(v_1) and y_1 = ρ(v_2) plus a parameter α ∈ K.
The new method can produce symmetrically invertible multivariate encryption maps of unbounded polynomial degree and density O(n^4) of increasing order, or multivariate maps of increasing order, polynomial degree, density O(n^4) and with an unknown degree of the inverse maps.
It means that straightforward linearisation attacks are not applicable to such encryption maps. We may compute the standard form of these maps (the list of monomial terms in some order) and use it as a public rule. We hope that the new class of multivariate cryptosystems can be an interesting subject of cryptanalytical studies.
In the case of ψ_j = z_1 + c_j and φ_j = z_2 + c_j the algorithm of generation of the multivariate map has been implemented (see [21]). Let us assume that τ_L and τ_R are monomial transformations. Then the change of z_i, i = 1, 2, for z_i^3 in a few cases of the parameter j practically does not change the execution time. So, in my opinion, in the cases of sparse expressions ψ_j and φ_j and special sparse affine transformations the algorithm can be practically implemented.