On New Examples of Families of Multivariate Stable Maps and their Cryptographical Applications

(cid:21) Let K be a general (cid:28)nite commutative ring. We refer to a family g n , n = 1 , 2 ,... of bijective polynomial multivariate maps of K n as a family with invertible decomposition g n = g 1 n g 2 n ...g kn , such that the knowledge of the composition of g in allows computation of g in for O ( n s ) ( s > 0 ) elementary steps. A polynomial map g is stable if all non-identical elements of kind g t , t > 0 are of the same degree. We construct a new family of stable elements with invertible decomposition. This is the (cid:28)rst construction of the family of maps based on walks on the bipartite algebraic graphs de(cid:28)ned over K , which are not edge transitive. We describe the application of the above mentioned construction for the development of stream ciphers, public key algorithms and key exchange protocols. The absence of edge transitive group essentially complicates cryptanalysis.


Introduction
Post Quantum Cryptography could not use many security tools based on Number Theory, because of the factorization algorithm developed by Peter Shor.This fact and the fast development of Computer Algebra make multivariate cryptography (see [ ] and [#]) an important els of research.The Quantum Computer is a special random computational machine.Recall that computation in the Turing machine can be formalised with the concept of nite automaton as a walk in the graph with th arrows labelled by special symbols.andom computation¢an be dened as a random walk in the random graph.So, we are looking for the deterministic approximation of random graphs by extremal algebraic graphs.It is known that the explicit solutions for optimization graphs have properties similar to random graphs.The probability of having rather short cycle in the walking process on a random graph is zero.So, the special direction of Extremal Graph Theory of the studies of graphs of the order v (the variable) without short cycles of maximal size (number of edges) can lead to the discovery of good approximations for random graphs.In the paper we introduce the explicit constructions of sequences of elements of the stable degree c for each commutative ring K containing at least 3 elements and each c ≥ 2. Special cases of c = 3 and c = 2 were obtained in [!$] and [!#].We discuss the implementation of related key exchange and public key algorithms.It is interesting that in the case of c ≥ 4, the use of special afne bijections leads to sparse polynomial transformation with O(n 3 ) monomial terms.These results are based on the construction of the family D(n, q) of graphs with large girth (together with their generalisations D(n, K) where K is a commutative ring) and the description of their connected components CD(n, q) (CD(n, K), respectively).The existence of innite families of graphs of large girth was proved by Paul Erdös' (see []).Together with the famous Ramanujan graphs introduced by G. Margulis ["] and investigated in ['] the graphs CD(n, q) are one of the rst explicit constructions of such families with an unbounded degree.The graphs D(n, q) were used for the construction of LDPS codes and turbocodes which were applied in real satellite communications ([!] and further references), for the development of private key encryption algorithms ([ ], [ !]), the option to use them for public key cryptography was considered in [ "], [ '] and in [ &], where the related dynamic system was introduced.Notice, that many applications of graph stable polynomial maps are connected with the development of stream ciphers (see [$], [%], [&] for recent fast implementations and key exchange protocols (see [$], [%], [!#], [!$] and further references).The idea to use recurrencies in the construction of public key based on the family of multivariate maps is considered in ['].
Section 2 is devoted to the concept of multivariate family of stable map of the increasing order with polynomial density and invertible decomposition.The ideas of application of such families for the construction of key exchange protocols, private and public keys are given there.The method of protection of large network of users based on the special family of graph based maps was given in [!'].We describe its generalisation in the case of general family of stable maps with invertible decompositions considered in Section 3. Section 4 contains preliminaries on incidence structures and their polarities.Section 5 is devoted to the graphs of large girth D(n, q), their generalisations D(n, K) for the case of general commutative ring and special automorphisms of these graphs.
In Section 6 we introduce the algebraic technique of ¢ompressionóf graphs D(n, K) which allows to eliminate some variables and decreases the number of connected components.Notice that the rst example of cubical family of stable multivariate maps was introduced in [ "], but the degree of members of this family was computed in of the constant degree ≥ 4 is not a dicult problem itself.It becomes an interesting and practical task if we add the condition of existence of invertible decomposition.A higher degree of stable encryption transformation corresponds to a better resistance to linearisation attacks.In the case of the family of stable maps of unbounded degree, the linearisation attacks are not feasible, but for the creation of ecient public rule one needs polynomiality requirements on the density.The rst example of such a family was given in [!&] (see also [!']).Section 7 is devoted to the method of construction of new families of stable maps of polynomial density of bounded or unbounded degree with invertible decomposition obtained from the graphs D(n, K) and corresponding to them polarity graphs by the ¢ompression"method.

On the Concept of Multivariate Families of Stable Maps and its Cryptographic Applications
Recall that Cremona group C(K n ), where K is a commutative ring, is a totality of all bijective polynomial transformations g of K n such that g −1 is also a polynomial map.We say that the sequence g n , n ≥ 3, n → ∞ of polynomial bijective maps of free module K n over the commutative ring K is a sequence of stable degree if the degree of g n is c = O(n) and each map of the kind g k n (iteration of g with itself in the Cremona group) has a degree ≤ c.We refer to the family g n ∈ C(K n ) as the family with invertible decomposition if each g n is a composition of several elementary polynomial maps g i n , i = 1, 2, . . .k n of K n such that their inverses can be computed for O(n s ) elementary steps, where s > 0 is a constant.We say that the sequence g n ∈ C(K n ) forms a family of maps of the increasing order if the order |g n | is ≥ cn for an independent positive constant c.We refer to g n as a family of polynomial density if d(g n ) = O(n t ) for an independent constant t.
The plainspace of the encryption algorithm (public or private) is K n , where K is the chosen nite commutative ring.
We assume that each map g n from the stable family of polynomial density of the increasing order is a composition of several elementary polynomial automorphisms g i n , i = 1, 2, . . .k n of K n such that their inverses can be computed for O(n s ) elementary steps, where s > 0 is a constant.We refer to a family g n with such decomposition as a family of maps with invertible decomposition.
We create an encryption map h n as a conjugation of g n with the special invertible ane transformation τ = τ n (degree equals 1) of K n .In the case of private keys both correspondents Alice and Bob know the decompositions g n = g 1 n g 2 n . . .g kn n , and the family τ n of ane transformation.
For the creation of a public key encryption, Alice uses her knowledge on the decompositions g n = g 1 n g 2 n . . .g kn n and the family τ n and computes symbolically the corresponding polynomial map h = τ −1 g n τ of K n onto K n in its standard form Remark 1. Notice, that the family h n is automatically the family of stable maps of increasing order, but in the case of creating the public rule Alice needs special choice of τ n for making public rules of polynomial density.As it follows from the denitions of stable family, the inverse for h n has a degree ≤ deg(h n ).So, for resistance of public key against linearisation attacks we need the conditions deg(h n ) ≥ cn and deg(h n ) −1 ≥ cn, where c is a positive independent constant.The family of stable transformations h n of the polynomial density and the increasing order with the small constant degree k, can also be used as a base of the group theoretical Die-Hellman key exchange algorithm for the Cremona group C(K n ) of all regular automorphisms of K n .The specic feature of this method is that the order of the base may be unknown for the adversary because of the complexity of its computation.The exchange can be implemented by the tools of Computer Algebra (symbolic computations).The adversary can not use the degree of righthandside in b x = d to evaluate unknown x in this form for the discrete logarithm problem.Remark 2. Notice, that for the practical use of Die -Hellman algorithms families of stable maps h n such that deg(h n ) ≤ c, where c is a positive independent constant have a serious preference.The property to be a family with invertible decomposition is immaterial in the case of key exchange protocols.
Let τ = τ n , n = 1, 2, . . .be a family of ane maps and h n be a general family of nonlinear maps of polynomial density.We say that τ makes a left (right) polynomial shift for h n if the sequence τ h n (h n τ , respectively) is also a family of polynomial density.We may convert the encryption map h n of private or public key algorithms into the shifted map τ n h n (h n τ n ) if τ makes left (right, respectively) polynomial shift of nonlinear sequence.Notice, that the shifted stable family of maps is not usually stable.If deg(h n ) is bounded by the independent of n constant then each family of ane maps τ n produces polynomial shift from the right and from the left.

Multivariate Private-Key Algorithm for Multiuser's Network
Let S k = (B k , J k ), k = 1, 2, . . ., N be the pairs of users.Alice provides each pair with the seed triple C k , f S k , D k , where C k and D k are linear or ane transformations of the plainspace K n of large order (like the maps conjugated with the Singer cycles of the order q n − 1 in the case of K = F q ) and also gives them f −1 The pair (J k , B k ) can take quite close primes p 1 , p

U M C S and develop the collision triple
During the session they use the encryption and decryption nonlinear maps is known to the trusted third party (Alice), but the triple h 1 , h 2 , h 3 is an individual private password for Bob and Jennifer.There is no need to compute a new encryption map symbolically, the users just apply D h3 k , f h2 B k and C h1 k consecutively to the plainspace vector.During the next session of the key exchange Bob and Jennifer can get a new triple h ′ j ∈ Z pj * , j = 1, 2, 3 and use the numbers h ′′ j = h ′ j h j mod p j for the modication of the multivariate encryption map.This approach leads to dependence of the algorithm on the prehistory of communications.
The use of key exchange protocols as tools of protection against linearisation attacks a standard one (see [ ]).

Preliminaries on Graphs and Incidence Structures and their Polarities
The missing denitions of graph-theoretical concepts which appear in this paper can be found in [].All graphs we consider are simple, i.e. undirected without loops and multiple edges.Let V (G) and E(G) denote the set of vertices and the set of edges of G, respectively.Then |V (G)| is called the order of G, and |E(G)| is called the size of G.A path in G is called simple if all its vertices are distinct.When it is convenient, we shall identify G with the corresponding anti-reexive binary relation on and write vGu for the adjacent vertices u and v (or neighbours).The sequence of distinct vertices v 1 , . . ., v t , such that v i Gv i+1 for i = 1, . . ., t − 1 is a pass in a graph.The length of a pass is a number of its edges.The distance dist(u, v) between two vertices is the length of the shortest pass between them.The diameter of the graph is the maximal distance between two vertices u and v of the graph.Let C m denote the cycle of length m, i.e. the sequence of distinct vertices v 1 , . . . ,v m such that v i Gv i+1 , i = 1, . . ., m − 1 and v m Gv 1 .The girth of a graph G, denoted by g = g(G), is the length of the shortest cycle in G.The degree of vertex v is a number of its neighbors (see []).
The incidence structure is the set V with the partition sets P (points) and L (lines) and the symmetric binary relation I such that the incidence of two elements implies that one of them is a point and another onr is a line.We shall identify I with the simple graph of this incidence relation (bipartite graph).If a number of neighbours of each element is nite and depends only on its type (point or line), then the incidence structure is a tactical conguration in the sense of Moore (see [#]).
The graph is k-regular if each of its vertices has a degree k, where k is a constant.
In the next section we reformulate the results of [], [] where the q-regular tree was described in terms of equations over the nite eld F q .
Let us assume that Alice administers large a multi-user information system (eparlament, university quality support system, etc).The system is used by many pairs (J k , B k ) , k = 1, 2, . . . of users (or groups of users, B and J stand for Bob and Jennifer).Alice has to develop symmetric tools for communications of each pair of users (J k , B k ) involved in the activities of the information system.Alice makes a decision to work with a stable polynomial family g(n, K) J , |J| = s of the increasing order of polynomial density with the invertible decomposition g(n, K) = g 1 (n, K)g 2 (n, K) . . .g kn (n, K).
Additionally, she takes a family of bijective ane transformation τ 1 and τ 2 = τ 1 −1 and forms the left and right shifts of the family g(n, K) by the map τ 1 and τ 2 .Let f (n, K) = τ 1n g(n, K)τ 2n .Alice has f (n, K) −1 because of the existence of invertible decomposition.
She gets the encryption map as a non-linear pseudopublic rule:

Polarities of Incidence Structures and Related Polarity Graphs
Let P and L be disjoint sets, the elements of which we call points and lines, respectively.A subset I of P × L is called an incidence relation on the pair (P, L).The incidence graph Γ of geometry (P, L, I) is dened to be the bipartite graph with the vertex set P ∪ L and the edge set {{p, l}|p ∈ P, l ∈ L, (p, l) ∈ L}.
Let π : P ∪ L → P ∪ L be a bijection for which the following holds: (i) We call such π a polarity of the incidence structure (P, L, I).Note that π induces an automorphism of the incidence graph Γ of order 2, which interchanges the partition sets P and L. We shall use the term "polarity¡nd the notation "π"for the graph automorphism as well.
We now dene the polarity graph Γ π of the structure (P, L, I) with the respect to the polarity π.It is the graph with the vertex set V (Γ π ) = P and the edge set Finally, we call point p ∈ P an absolute point of the polarity π provided (p, p π ) in I.
Let N π denote the number of absolute points of π.
Proposition 1. (see, for instance [13] and further references) Let π be be a polarity of the nite incidence structure (P, L, I) and let Γ and Γ π be the correspondent incidence and polarity graphs.

Polarities
Let K be a commutative ring, and let P and L be two countably innite dimensional free modules over K.The elements of P will be called points and those of L lines.To distinguish points from lines we use parentheses and brackets: If x ∈ V , then (x) ∈ P and [x] ∈ L. It will also be advantageous to adopt the notation for the coordinates of points and lines introduced in ["]: ( We now dene an incidence structure (P, L, I) as follows.We say the point (p) is incident with the line [l], and we write (p)I[l], if the following relations between their coordinates hold: (The last four relations are dened for i ≥ 2.) This incidence structure (P, L, I) we denote as D(K).We speak now of the incidence graph of (P, L, I), which has the vertex set P ∪ L and edge set consisting of all pairs {(p), [l]} for which (p)I[l].
For the case K = F q , where q is a prime power, the graph D(q) = D(F q ) was dened in [], for the general K see [ ].It was shown that a graph in the graph D(q) is a q-regular forest.
To facilitate notation in the future results, it will be convenient for us to dene , and to rewrite (1) in the form : Notice that for i = 0, the four conditions (1) are satised by every point and line, and, for i = 1, the rst two equations coincide and give l 1,1 − p 1,1 = l 1 p 1 .

U M C S
For each positive integer k ≥ 2 we obtain an incidence structure (P k , L k , I k ) as follows.First, P k and L k are obtained from P and L, respectively, by simply projecting each vector onto its k initial coordinates.The incidence I k is then dened by imposing the rst k−1 incidence relations and ignoring all others.For xed q, the incidence graph corresponding to the structure (P k , L k , I k ) is denoted by D(k, q).It is convenient to dene D(1, q) to be equal to D(2, q).The properties of the graphs D(k, q) we are concerned with are described in the following theorem.Theorem 1. [10] Let q be a prime power, and k ≥ 2. Then: (i) D(k, q) is a q-regular edge-transitive bipartite graph of the order 2q k ; (ii) for odd k, g(D(k, q)) ≥ k + 5, for even k, g(D(k, q)) ≥ k + 4

□
We have a natural one to one correspondence between the coordinates 2, 3, . . ., n, . . . of tuples (points or lines) and equations.It is convenient for us to rename by i + 2 the coordinate which corresponds to the equation with the number i and write [l] = [l 1 , l 2 , . . ., l n , . ..] and (p) = (p 1 , p 2 , . . ., p n , . ..) (line and point in natural coordinates).
Let η i be the map deleting all coordinates with numbers > i from D(K) to D(i, K), and η i,j be map "deleting all coordinates with the numbers > i "from D(j, K), j > i into D(i, K).
The following statement follows directly from the denitions: Proposition 2. (see, [10]) The projective limit of D(i, K), η i,j , i → ∞ is an innite graph D(K).

Invariants of Connected Components
Let us investigate the connected components of the graphs.
Proposition 3. Let u and v be vertices from the same component of D(k, q).Then a(u) = a(v).Moreover, for any t − 1 eld elements x i ∈ F q , 2 ≤ t ≤ [(k + 2)/4], there exists a vertex v of D(k, q) for which: of the connected component CD(n, K), which contains a chosen vertex v.Then, the coordinates x i,i , x i,i+1 , x i+1,i can be chosen independently as free parameters from K and x ′ i,i could be computed successively as the unique solution of the equations The following statement was given in [13] for K = F q (see [28] for the case of general commutative ring) Proposition 4. The map π given by the close formula: is a polarity of D(2n, K).It preserves blocks of the equivalence relation τ .
Let RD(2n, K) be a regular folding graph corresponding to the parallelotopic polarity π induced on the vertices of the graph C(2n, K), i. e. a graph of binary relation I ′ such that p 1 I ′ p 2 for p 1 , p 2 ∈ P if and only if p 1  1,0 ̸ = p 2 1,0 and p 1 Iπ(p 2 ).If K is a nite ring, then RD(2n, K) is a |K| − 1 -regular subgraph of polarity graph of D(2n, K) (see [13] for K = F q and ) Notice, that polarity π preserves blocks of the equivalence relation τ .It means that, if points p 1 and p 2 are in the same connected components of the graph RD(2n, K), then a i (p 1 ) = a i (p 2 ) for i = 2, 3, . . ., t(2n).

On the Compressions of Graphs D(n, K) and Related Polarity Graphs
Let us consider the following equivalence relation ⇔ on the vertices of the graphs D(n, K) and RD(2n, K): As it was proven in [30] in the case of charK ̸ = 2 blocks of the above dened equivalence relation are connected components of the graph D(n, K).In the case of K = F 2 and K = F 4 such blocks contain at least 2 connected component of the graphs (see [21]).

Pobrane z czasopisma
. . ,b s ) be the subset of all vertices v of D(n, K) satisfying the conditions a j1 (v) = b i , i = 1, 2, . . ., s.This is a disjoint union of several connected components of the graph.Let CD J (n, K) be the graph of the restriction of incidence relation on the subset T .
We dene the compressed graph CD ′ J (n, K) of CD J (n, K) with the points: and the lines: without the coordinates p ′ ii and l ′ ii , i ∈ J.The incidence I ′ is dened by the conditions (1) without the equations

The expressions for l ′
ii (p ′ ii ), i ∈ J in the remaining equations have to be substituted by , where e = 0 if the parameters l ii (p ′ ii ) appear as a sum of a i (l) (a i (p)), respectively) with the coecient +1 and e = 1 in the opposite case (coecient is −1).As it follows immediately from the denitions, the graph CD J (n, K) is an incidence structure (P ′ , L ′ , I ′ ), where the varieties P ′ and L ′ are isomorphic to K n−|J| .The compression procedure ∆ J is an isomorphism of CD J (n, K) onto In the case of a maximal possible J = {2, 3, . . ., t(n)} we write simply CD(n, K) and CD ′ (n, K) and use ∆ instead of ∆ J .
Let p = (p 1,0 , p 11 , . . . ) and l = [l 0,1 , l 1,1 , . . .] be a point and a line of one of the graphs D(K), CD(K), CD J (n, K), D(n, K), CD(n, K).We refer to the rst coordinates ρ(p) = p 1,0 of p and ρ(l) = l 0,1 of l as colours of point and line respectively.The colouring ρ as above satises the parallelotopic property (see [ ] or [ !]), i. e. for each vertex of the graph there is a unique neighbour of chosen colour.It is easy to see that ∆ J is a colour preserving graph homomorphism, i. e. ρ(v) = ρ(∆ J (v)).
Let Γ be one of the graphs D(K), CD(K), CD ′ J (n, K), D(n, K), CD ′ (n, K) with the colouring ρ.We consider the operator N Γ β of taking the neighbour of vertex v (point or line) of the colour Notice that the polarity π acts naturally on the vertices of CD J (2n, K).The induced permutation is a polarity of this graph.So, we can consider a polarity graph CD J π (2n, K) and a regular folding graph RD J (2n, K) .Notice, that ∆ J maps T ∩ P (T ∩ L) onto itself.Let M = M α be the operator of taking the neighbour of colour α in the graph D π (2n, K).We assume that M T α (v) = v if v is an absolute point in the polarity graph.We denote by M ′ α the operator of taking the neighbour in CD ′ π J (2n, K).In particular, we introduce the operator M ′ α for the graph CD ′ π (2n, K).Let L D,n,β k be the operator of taking the neighbour of point:
Similarly, P D,n,α k is the operator of taking the neighbour of line: of a kind where the parameters p 1,1 , p 1,2 , p 2,1 , p 2,2 ,. .., p i,i , p i,i+1 , p i+1,i , . . .are computed consequently from the equations in denition of D(n, K) and all p ′ i,i for i = 2, 3, . . .are computed using the equation describing the connected component.

Let us consider the restriction F
The map F ′′ J n,α,β is a transformation of the point set K n−J for CD ′ J (n, K) of the degree The following statement follows instantly from the results [32], [33].
Let Q be a multiplicative subset of K.If each Then the order of F ′′ J n,α,β is going to ∞ when n → ∞ and arbitrary J.

□
The following statement is announced in [38] (it is proven in [39]).Let F ′′ J (n, K) correspond to the strings α 1 , α 2 , . . .α k and β 1 , β 2 , . . . ,β k , where k is an independent constant.Let us assume that this map is written in standard form x i → F i (x 1 , x 2 , . . ., x n ), i = 1, 2, . . ., n.Then density of each multivariate polynomial From the statements of this section immediately follows The maps F ′′ J (n, K) for |J| ≥ cn, where c is an independent constant, satisfying conditions of previous statement form a family of stable maps of the unbounded degree and unbounded order with invertible decomposition and polynomial density.
The following statements can be deduced from theorem 2 and its corollaries.Theorem 4. The transformation G J (n, k) = N J α1 N J α2 , . . ., N J α k is a stable map of the degree O(n) of polynomial density with invertible decomposition.If cardinality of J is an independent constant, then the degree of G J (n, K) is also bounded by the constant, which is independent of n.

The inverse map for
The following statement is formulated in [32], [33].
Let Q be the multiplicative set of a ring K. Let us assume that α i + α i+1 ∈ Q for i = 1, 2, . . ., k − 1 and α 1 + α k ∈ Q.Then the order of transformation Notice, that the inverse map for H ′ J (n, K) corresponds to the reverse walk in the polarity graph.
The maps H ′ J (n, K) for |J| ≥ cn, where c is an independent constant, satisfying conditions of the previous statement from a family of stable maps of unbounded degree and unbounded order with invertible decomposition and polynomial density.

□
Let M α (v) (M J α (v)), α ̸ = 0 be an operator of taking neighbour of vertex v of the graph RD(2n, K) (RD ′ J (2n, K), respectively) with the colour ρ(v) + α.For each sequence α 1 , α 2 , . . ., α k such that α The transformation S J (n, k) = M J α1 M J α2 , . . ., M J α k is a stable map of the degree O(n) of polynomial density with invertible decomposition.If cardinality of J is an independent constant, then the degree of S J (n, K) is also bounded by the constant which is independent of n. □ Remark 4.
The inverse map for S J (n, K) is the transformation S Let Q be a multiplicative subset of K.
Then the order of S ′ J (n, α, β) is going to ∞ when n → ∞ and arbitrary J. □ Corollary 6.The maps S ′ J (n, K) for |J| ≥ cn, where c is an independent constant, satisfying the conditions of the previous statement from a family of stable maps of unbounded degree and unbounded order with invertible decomposition and polynomial density.

□ 6 An Example with Complexity Estimates
Let us consider the cryptosystem based on the family of stable maps of the increasing order based on the polarity graph D π (2n, K).The advantage of this example in comparison with D(n, K) based encryption is the absence of vertex transitive or edge transitive automorphism group for the graph.Notice that the vertex set (the plainspace) is K 2n .If x and y are a pair of vertices such that x is an absolute point and y is not, then there is no group automorphism which shifts x onto y.The key holder Alice choses the multiplicative subset Q of the ring K and the sequences α 1 , α 2 , . . ., α k , α i ∈ Q and β 1 , β 2 , . . ., β k , β i ∈ Q , such that β i − β i+1 ∈ Q for i = 1, 2, . . ., k − 1 , where k is an independent of n constant.She chooses the parameters d 2 , d 3 , . . ., d [(n+1)/2]+1 to work with the vertices v satisfying the equations a 2 (v) = d 2 , a 3 (v) = d 3 , . . . ,a [(n+1)/2]+1 (v) = d [(n+1)/2]+1 to make the compression of this block for the equivalence relation τ .
She generates the map H ′ on K 2n−[(n+1)/2] described in the previous section in the standard form: The time of generation of H ′ is comparable with that of stable map related to D(2n, K) (see tables with the time estimates in ["]).Alice takes the monomial transformation τ 1 of the kind x i → l i x i , where l i are regular elements of the ring for i = 1, 2, . . ., d and the invertible ane transformation x → xA + b, where A is the matrix of invertible ane transformation of K d and b is a chosen vector.
She forms the composition G = τ 1 H ′ τ 2 in the standard form: ( Notice that the total number of monomial expressions in f i , i = 1, 2, . . ., d is O(n 4 ).The linear transformation τ 1 does not change the number of monomials.The composition with the ane transformation τ 2 from the right can increase the total number of transformations in n times.So, the total number of monomials from all g i can be estimated as O(n 5 ).It means that the computation of value of G in a given point x can be done in the polynomial time.Thus, Alice may present the map G for the public user (Bob).Each monomial costs O(n) elementary operations to compute.
So, Bob may compute the value of the public rule in time O(n 6 ).

Corollary 1 .
Let us consider a general vertex:

( 21 )
and compute the inverse walks corresponding to N −1 for the time O(n).

where the Pobrane z czasopisma Annales AI-Informatica http://ai.annales.umcs.pl
On New Examples of Families of Multivariate Stable Maps... monomial terms h i (i = 1, 2, . . ., n) are listed in the lexicographical order.The public user, Bob has only the public rule h in the above written form.
innity with the increase of integer n.On New Examples of Families of Multivariate Stable... written in the standard form x i → F i (x 1 , x 2 , . . ., x n ), i = 1, 2, . . ., n.Then density of each multivariate polynomial F i is O(n 3 ).
These facts do not allow the usage of the group theoretical technique for cryptanalysis of related cryptosystem.