Abstract

The main purpose of this paper is to introduce stream ciphers with a nonbijective encryption function of multivariate nature constructed in terms of algebraic graph theory. More precisely, we describe the two main symmetric algorithms for the creation of multivariate encryption transformations based on three families of bipartite graphs with partition sets isomorphic to , where is selected as the finite commutative ring. The plainspace of the algorithm is . The second algorithm is a generalization of the first one using the jump operator, where the generalized encryption map has an essentially higher degree in comparison with the previous version. Moreover, the degree of this generalized map is not bounded by some constant. This property guarantees resistance of the cipher to linearization attacks.

1. Introduction

This paper is an extension of article [1] reflecting our talk at the 5th International Conference on Cryptography and Security Systems (one of the events of the Federated Conference on Computer Science and Information Systems, 2018). We expand that work by adding a generalization of our symmetric cipher of multivariate nature. The generalized encryption map has an essentially higher degree in comparison with the previous version, and this degree is not bounded by some constant. This property ensures resistance of the cipher to linearization attacks.

Graph theory is applied in diverse fields such as linguistics, biochemistry, coding theory, cryptography, communication networks, etc. The history of the use of sparse algebraic graphs in symmetric cryptographic algorithms was described in [1] with a full list of references, which begins with the ideas of V. Ustimenko presented in an article from 1998 (see [2]). In this paper, we present only a short version of this history related to the work of V. Ustimenko and his team. The reader can also find a more general survey of some applications of graph theory in cryptography in [3].

The following known graphs defined over a finite commutative ring were used: (see [2]; for graphs were defined in [4]), (Wenger graphs defined in [5]), graphs introduced in [6], and graphs of [7]. Popular choices of are the finite fields , , , , and and the rings of modular arithmetic , , and . This research history is presented in the next section. Section 2 surveys graph based stream ciphers which use a bijective encryption function of multivariate nature. In fact, multivariate cryptography uses nonbijective maps, and a private key decryption is also given in each case of this type. However, the vast majority of stream ciphers are defined via bijective encryption. In each case of nonbijective symmetric encryption there is a deterministic decryption process that has to be described in a clear way. In Section 3 we discuss the class of nonbijective multivariate maps defined in terms of Euler's theorem for arithmetical rings , where is a composite number. Such a map has a special subset (domain) of the affine space isomorphic to , such that the restriction of onto is injective (). It is important that is unknown to the adversary, who knows only the cipherspace . Correspondents use their knowledge of the password to obtain a description of . They are able to compute a bijective map from onto which is the decryption procedure; i.e., the composition of with is the identity map on . The definition of the multivariate nonlinear map uses the Eulerian map of with and , where is the Euler function.

An adversary does not have access to , , or . A hidden Eulerian equation of the kind gives heuristic support to the resistance of the symmetric algorithm to attacks with interception of plaintext/ciphertext pairs. Notice that, in the case of the classical RSA algorithm, the large , decomposable into two primes, is known and the parameter is given. The security of RSA rests on the complexity of finding the decomposition or finding the multiplicative inverse of . In practical cases of multivariate encryption with a hidden Eulerian equation (like ) the Eulerian function is easy to compute, but the multiplicative inverse of is hard to find because the adversary simply does not know . In fact, in our examples the degree of the multivariate map on sending to the codomain heavily depends on the parameter . The decryption map of into is induced by the nonbijective multivariate map and degree of degree . So the “Eulerian parameters” and are essential for cryptanalysis. This approach is illustrated by three “toy examples” of graph based symbolic computations (see the end of Section 3, items , , and ).

A linearization attack has to disclose the codomain , determine the standard form of the polynomial encryption map with its degree, and construct a polynomial map such that is the identity function. If one of the parameters or is unbounded (or is a large constant) then the linearization tasks are infeasible. Of course, a cryptanalyst can try alternative approaches like distinguishing attacks, Time Memory Data trade-off attacks, and guess-and-determine attacks. These methods were constructed for the investigation of stream ciphers with bijective encryption. The authors believe that in the case of multivariate nonbijective encryption such attacks have to be seriously modified for practical implementation.

This approach is illustrated by three “toy examples” of graph based encryption. In Section 4 we introduce a class of bivariate graphs containing all the above-mentioned graphs. This concept is convenient for a uniform description of the encryption scheme and for observing common properties of graphs from this class (Sections 5 and 8). General Algorithm No. 1, described in Section 5, presents a symmetric cipher based on nonbijective maps. Implementation results are presented in Table 1. Algorithm No. 2, presented in Section 8, is a generalization of the first one using the jump operator, where the generalized encryption map has an essentially higher degree in comparison with the previous version. Moreover, the degree of this generalized map is not bounded by some constant. This property guarantees resistance of the cipher to linearization attacks. We compare graphs and related algorithms corresponding to different families (, , , and ) in Sections 6 and 9.

The last section is the conclusion, where we discuss the choice of our model. Here the reader can find remarks on multivariate cryptography and its connections with cryptographic applications of algebraic graph theory.

RSA is one of the most popular cryptosystems. It is based on the number factorization problem and on Euler's Theorem. Peter Shor discovered that the factorization problem can be effectively solved using a theoretical quantum computer. This means RSA could not be a security tool in the future postquantum era. One of the research directions leading to a postquantum secure public key is multivariate cryptography, which uses polynomial maps of an affine space defined over a finite commutative ring into itself as encryption tools (see [8]). This is a young, promising research area because of the current lack of known cryptosystems with proven resistance against attacks with the use of Turing machines. Another important direction of Postquantum Cryptography is the study of Hyperelliptic Curve Cryptosystems. We have to say that classical elliptic curve encryption will not be secure in the postquantum era.

Applications of algebraic graphs to cryptography started with symmetric algorithms based on explicit constructions of extremal graph theory and their directed analogues. The main idea is to convert an algebraic graph into a finite automaton and to use pseudorandom walks on the graph as encryption tools. This approach can also be used for key exchange protocols. Nowadays the idea of “symbolic walks” on algebraic graphs, where the walk on the graph depends on parameters given as special multivariate polynomials in variables depending on the plainspace vector, appears in several public key cryptosystems.

Multivariate cryptography started from the study of the potential of a special quadratic bijective multivariate encryption map of , where is an extension of a finite field of characteristic 2. One of the first such cryptosystems was proposed by Imai and Matsumoto, and the cryptanalysis of that system was invented by J. Patarin. A survey on various modifications of this algorithm and the corresponding cryptanalysis can be found in [8] or [9].

One of the first uses of a nonbijective map in multivariate cryptography was in the oil and vinegar cryptosystem proposed in [10] and analyzed in [11]. Nowadays, this general idea is strongly supported by publication [12], devoted to the security analysis of direct attacks on modified unbalanced oil and vinegar systems. It looks like such systems and rainbow signature schemes may lead to promising public key schemes of multivariate encryption defined over finite fields. Nonbijective multivariate sparse encryption maps of degree 3 based on walks on algebraic graphs defined over a general commutative ring and their homomorphic images were proposed in [13]. The security of the corresponding cryptosystem rests on the idea of the hidden discrete logarithm problem. U. Romańczuk-Polubiec and V. Ustimenko combined the idea of the “oil and vinegar signature cryptosystem” with the idea of a linguistic graph based map with partially invertible decomposition to introduce a new cryptosystem [13]. This algorithm can be implemented with the use of the families and and the natural homomorphism between them. Finally, in [14] “hidden RSA multivariate encryption” based on graphs was proposed.

In this paper we modify the encryption map (private key) of the above-mentioned cryptosystem in terms of the family of bivariate graphs defined over the commutative ring . These maps have a multivariate nature despite their “numerical implementation” in symmetric cipher mode with the plainspace isomorphic to .

2. Implementation of Algorithms Based on Bijective Maps

We worked on a software package that enables us to investigate strongly symmetric cases of stream ciphers based on the graphs , , , and , where is an arithmetic ring. Some cases are already implemented by our team at the level of a prototype model.

A few algorithms have been implemented in the past for very special cases under the supervision of V. Ustimenko. The history of the implementation of these algorithms was described in [1] with a full list of references. Below we present only a short version of this history.

The first implementation of encryption was done in 2000 at the University of the South Pacific (USP, Fiji Islands). The research team was composed of Professor V. Ustimenko, Dr. Dharmendra Sharma (currently professor at the University of Canberra), and postgraduate students V. Gounder and R. Prasad. The work was supported by a University Research Committee of the University of the South Pacific (USP) grant. During this work the implementation of the asymmetric mode was investigated, with the chosen case for being , with 127 being the closest prime to the size of the ASCII code alphabet. It means that one has to delete just the delete service symbol and can encrypt arbitrary text files. The chosen string was , where are elements of the ring chosen in a pseudorandom fashion. So that was a case of shifting encryption.

The affine transformations and were simply identities. The implemented cipher on an ordinary PC was rather robust in performance, but with average mixing properties. It has been used in the USP digital network serving campuses and USP centres located in 11 island countries of the South Pacific region. The package was also used by the ORACLE based system of the bursary office. Recently a group of students from Okanagan College (affiliated with the University of British Columbia) implemented that stream cipher on a cluster network of PCs for large data encryption.

Another case with and the graph was implemented under a Research Committee of Sultan Qaboos University (SQU, Oman) grant. The research team was composed of Professors Vasyl Ustimenko and Abderezak Tousane and students Rahma Al Habsi and Huda Al Naamani. The software uses a one-to-one correspondence between elements of and symbols of the binary alphabet. It allows encryption of various file types (with extensions , , , , , ) in such a way that the encrypted file is presented in the same format as the plaintext. The symmetric algorithm was used in academic networks of SQU and Kiev Mohyla Academy.

The systematic study of shifting encryptions of was conducted at UMCS (Lublin, Poland). J. Kotorowicz used the arithmetical rings , , for the implementation with various affine transformations and (see [15]). The encryption was essentially faster than in all previously known cases. The selected affine transformation leads to an encryption with very good mixing properties: the change of a single character of the plaintext or the change of a single character of the encryption string causes the change of at least 98% of the ciphertext characters. In the case of it can be proved that the order of the and based encryption map grows with the growth of the parameter . The comparison of orders was completed through the study of the cycle structures of and encryptions. The obtained results showed similarity in both cases.

M. Klisowski implemented and shifting encryption on the symbolic level in the cases of the finite fields , , . In [16] A. Wróblewska proved that shifting encryption is given by a cubical multivariate map (see also [17]). Computer simulation results allow estimating the time of generation of these maps as functions of the parameter and the densities of such multivariate cubic encryption and decryption maps. Similar results for the cases of Boolean rings of sizes , , , and were obtained via computer simulations.

The PhD thesis of M. Klisowski [18] contains the first results on and based multivariate maps which are not defined via shifting encryptions. He used symbolic strings of the kind , with constants for special fields in which has a unique solution. It was shown that such a choice makes direct linearization attacks impossible.

The first implementation for the case of Wenger graph based encryption was completed at the University of Sao Paulo (USP, Brazil) (see [19] and further references). Professors V. Futorny and V. Ustimenko chose the field , whose size is the closest prime below the size of the binary alphabet. This research was partially supported by the FAPESP foundation (grant for international cooperation with USP). Computer simulation demonstrated a high speed of encryption. In [19] the authors evaluated the diameter of the graph and proved that the family of these graphs , , is a family of small world graphs.

Professor Routo Terada (USP, Brazil) suggested investigating the behaviour of these algorithms under linearization attacks. Computer simulation supports the conjecture of good resistance of the encryption scheme to such attacks.

The idea of using graphs in cryptography was proposed by U. Romańczuk-Polubiec and V. Ustimenko in [6].

Some stream ciphers defined via graphs were proposed by M. Polak and V. Ustymenko in [7]. Furthermore, M. Polak compared the LDPC codes corresponding to , , and in [20].

3. On the Idea of Nonbijective Maps Based on Eulerian Equations and Some Toy Examples

Let us consider the case of the commutative ring , where is a composite number.

The classical scheme of a multivariate bijective map on the affine space is of the form , where and are bijective maps of the kind , where is a nonsingular matrix with entries from and is a nonlinear bijective polynomial map of the kind , . Leonard Euler investigated the maps , . He discovered that if x is regular ( and is coprime with the order of the multiplicative group of , then the preimage of is unique. Euler's theorem states that the solution of is , where is the multiplicative inverse of in the group , i.e., . The map defined on the set of positive integers is known as the Euler function. It is well known that the security of RSA encryption rests on Euler's Theorem.

The general idea of a hidden Eulerian equation [21] suggests using , where is the monomial map , where is some permutation. The nonlinear map is the Eulerian map given by the rule , where , and .

It is easy to see that the Eulerian map in one variable , is far from being a bijection in the case of a composite modulus. For example, if and , we have , , , , , , , and . However, we can use as an encryption function on the plainspace . Notice that and preserve the subset of the affine space . The restriction of the composition onto is a bijection. So sends the plaintext to the intermediate vector . The image of coincides with . For decryption, the correspondent applies to the ciphertext to obtain and then the plaintext as . Notice that, for the computation of , the correspondent has to use Euler's theorem. As one can see, the plainspace of this scheme is smaller than the cipherspace, as in the well-known ElGamal method. The encryption map sends the domain onto of the same size, but the location of these codomains is hidden from adversaries, because the map is hidden from them. The encryption scheme described above can be generalized in various ways. For instance, one can define the Eulerian map as . Some modifications are suggested in [21], where an even more general definition of the Eulerian map is given and a nonlinear multivariate bijection is used instead of the affine map .
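As an added illustration (not code from the paper), the Python below applies the Eulerian map x → x^d on the ring Z_m for a constructed modulus m = 63 = 9·7 with d = 5 (both my choice; φ(63) = 36 and gcd(5, 36) = 1). It shows that the map collides on the non-regular elements of Z_m, that it is injective on the regular elements, and that on those elements it is inverted by the exponent d' with d·d' ≡ 1 (mod φ(m)), exactly as Euler's theorem prescribes.

```python
"""Added example, not the paper's code: the Eulerian map x -> x^d on Z_m.

Constructed parameters: m = 63 = 9 * 7 (composite and not squarefree), d = 5.
phi(63) = 36 and gcd(5, 36) = 1, so d has an inverse modulo phi(m).
"""
from math import gcd
from typing import Dict, List


def phi(m: int) -> int:
    """Euler's totient function, by direct count (fine for a small modulus)."""
    return sum(1 for x in range(1, m + 1) if gcd(x, m) == 1)


def regular_elements(m: int) -> List[int]:
    """The regular (invertible) elements of Z_m, i.e. the multiplicative group Z_m^*."""
    return [x for x in range(m) if gcd(x, m) == 1]


def eulerian(m: int, d: int, x: int) -> int:
    """The Eulerian map x -> x^d (mod m)."""
    return pow(x, d, m)


def inverse_exponent(m: int, d: int) -> int:
    """The exponent d' with d * d' = 1 (mod phi(m)); requires gcd(d, phi(m)) = 1."""
    return pow(d, -1, phi(m))


def collisions(m: int, d: int) -> Dict[int, List[int]]:
    """Fibres of x -> x^d over the whole ring Z_m that contain more than one element.

    A non-empty result shows that the map is not injective on all of Z_m.
    """
    fibres: Dict[int, List[int]] = {}
    for x in range(m):
        fibres.setdefault(eulerian(m, d, x), []).append(x)
    return {y: xs for y, xs in fibres.items() if len(xs) > 1}


def injective_on_regular(m: int, d: int) -> bool:
    """True iff x -> x^d restricted to Z_m^* is injective (hence a bijection of Z_m^*)."""
    units = regular_elements(m)
    return len({eulerian(m, d, x) for x in units}) == len(units)


def recover(m: int, d: int, y: int) -> int:
    """Preimage of y = x^d for regular x: x = y^(d') with d * d' = 1 (mod phi(m)).

    Euler's theorem gives x^(d*d') = x^(1 + t*phi(m)) = x for every regular x.
    """
    return pow(y, inverse_exponent(m, d), m)


def demo(m: int = 63, d: int = 5) -> bool:
    """Round trip on every regular element while the rest of Z_m collides."""
    units = regular_elements(m)
    round_trip = all(recover(m, d, eulerian(m, d, x)) == x for x in units)
    return round_trip and injective_on_regular(m, d) and bool(collisions(m, d))
```

The same exponent fails to be coprime with φ(m) for d = 3, and then the map is no longer injective even on the regular elements, which is why the choice of d must respect φ(m).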

Another idea is based on deformations of a bijective nonlinear multivariate map of the kind , . We assume that correspondents are able to solve for and refer to such a multivariate transformation as a map with a one-dimensional invariant subspace.

We consider a map of kind , , where and .

Obviously, sends to of the same size. We consider the encryption map of kind , where and is an affine map of kind , , , , .

So correspondents can use the plainspace . The map sends plaintext to the tuple .

The map transforms into with . Finally the affine map sends to the ciphertext . Decryption process: the correspondent computes as . He/she solves the equation and gets . He/she investigates the map , , . Under the assumption that correspondents can compute the preimages of they can get and the plaintext .

Formally, our encryption map can be expressed as , where is the map , . Clearly, the representation of as a polynomial map can be a hard task.

In order to be able to use the above encryption, Alice has to compute the standard form of the kind . She has to prove that is computable in polynomial time. To hide the parameter Alice can select with . Notice that in the RSA algorithm the ring and the parameter of the map , are known. So one can use the term hidden RSA for the presented scheme of multivariate public key algorithm. It means that correspondents may use decomposed not only into two large prime numbers, but also into other composite moduli.

Let us assume that correspondents are going to use for private key symmetric encryption. Then they do not need to compute and share the polynomial form of . So in this case the requirement is immaterial. Alice and Bob keep the parameters , and together with the matrices and as part of their private key. They have to present to everybody the algorithm for computing the value of at a given point .

Of course the polynomial form of is important for studying adversary attacks in the case of interception of many pairs of the kind plaintext/ciphertext (linearization, distinguishing, TMD, and guess-and-determine attacks). Known methods of cryptanalysis dealing with bijective encryption have to be modified for attacks on nonbijective multivariate maps.

Notice that
(i) defined on has a one-dimensional invariant subspace of tuples of the kind .
(ii) The restriction of onto is an injective map.

So the map of kind , where nonlinear satisfies (i) and (ii) can be used as encryption tool for the plainspace . The cryptosystem of this kind with defined in terms of algebraic graphs is proposed in [14].

In this paper we use the scheme described above with a different core function to define a family of graph based nonbijective stream ciphers. Finally we propose the following generalization of nonbijective encryption based on the map with the properties (i) and (ii). Instead of (ii) we consider the following property:
(iii) The restriction of onto is a bijective map.

In fact, the totality of all maps satisfying (i) and (iii) is a semigroup and the restrictions of elements from onto form a group.

For example, the above defined map is an element of in the case of .

It is easy to see that a map of kind , with nonlinear where and satisfies properties (i) and (ii). It means that can be used for nonbijective multivariate encryption.

Let us consider a toy example of generation of bijective maps with one-dimensional invariant subspace and transformations with properties (i) and (ii) and elements from via symbolic walks on algebraic graphs.

Let us consider a commutative ring and the bipartite graph with partition sets and and incidence relation . We define the colour of a vertex via the rules and . It is easy to see that for each vertex there is exactly one neighbour () of the chosen colour . So let us consider the walk in the graph with starting point of length (number of edges). The information on the walk can be given by the sequence of elements , , , , which are the colours of the vertices of the walk. The walk consists of the vertices , , , , . If for , then the walk does not contain consecutive edges. The walks with starting line can be described in a similar way. Notice that the description of walks is written uniformly for any commutative ring .

To introduce “symbolic walks” in the graph we need the infinite graph where is the ring of polynomials in variables with coefficients from . Points and lines of new graph are triples , , and , , .

We consider walks started from special point , where are generic elements of . Let , , , be special colours of vertices from the walk, taken from . The walk contains , , , , . The final vertex of the walk is a triple of kind where pair stands for brackets in the case of even and parentheses in the case of odd .

We join corresponding coordinates of initial and last vertex of the above symbolic walk by arrows , , and and obtain the standard form of the transformation of into itself. We use symbol for the map corresponding to the sequence of colours . Notice that for the computation of this map we use only operations +, −, and of commutative ring .

Obviously, affine subspace is an invariant subset for the action of .

We can check the following:
(A) In the case of a bijective map the transformation is also a bijective map. In fact the preimage of can be computed fast as the final vertex of the following walk in the graph . Let be a solution of . , , , , , .
(B) If and is chosen as where and then the map satisfies the property (ii). Let and . Then can be computed as the solution of , i.e., where . The point can be computed as the final vertex of the walk described above.
(C) If and is chosen as where and then the map satisfies the property (iii).
(D) If for then is a bijective cubical map. You can play with “Sage” and check that property (D) holds for instance in the cases and 5.
(E) If where is a prime integer then the map does not have fixed points if , . Let us treat as an “encryption map” on with the password . Then different passwords produce distinct ciphertexts. These properties follow from the fact that the girth (length of the minimal cycle) of the graph is eight.
(F) Let us consider the encryption map , where is the linear map that sends to without changing and . Then changing a single character in the plaintext causes the change of the vast majority of ciphertext characters. Similarly, changing a single character of the password causes the change of most characters of the ciphertext.
(G) Let us consider some nonbijective Eulerian deformations of encryption scheme (F):
(G.1) Let us take with composite m instead of and where , , instead of and denote this map as . We consider the encryption map on the plainspace .
(G.2) Let us consider the Eulerian map , , and change for .
(G.3) Let us consider the Eulerian map , , , and consider the encryption .

Assume that the ring elements and integers are internal parameters of encryption algorithms working with the same plainspace and the same keyspace of tuples . Symbolic computation with “Sage” allows comparing the degrees of the maps . Computer simulations demonstrate the similarity of the mixing properties of , , with the mixing properties of .

4. On the Class of Bivariate Graphs

Let be a commutative ring. We define as a bipartite graph with the set of vertices , . We call a set of points and a set of lines (two copies of a Cartesian power of are used). We use two types of brackets to distinguish points and lines : , () are elements of . We say that the vertex (point ) is incident with the vertex (line ) and we write , if the following relations between their coordinates hold: where , , . So the incidence relations for the graph are given by the condition . The set of edges consists of all pairs for which . Let us consider the case of a finite commutative ring , with . As it instantly follows from the definition, the order of our bipartite graph is and the number of edges is . Graphs are -regular. In fact, the neighbourhood of a given point is given by the above equations, where the parameters are fixed elements of the ring and the symbols are variables. It is easy to see that if we set then this choice uniquely determines the values . So each point has precisely neighbours. In a similar way we observe that the neighbourhood of any line also contains neighbours. Notice that the order and degree of our graph defined via the strings , , , , , where , do not depend on the strings.

Let us consider some examples.

4.1. Wenger Graphs

In 1991 Wenger defined the family of bipartite, -regular graphs , where is a prime number [5]. In [4] Lazebnik and Ustimenko introduced a straightforward generalization of these graphs via the change of to , where is a prime power. They used a special Lie algebra and proved that the family of bipartite, -regular graphs , . Graphs are defined for all prime powers and are defined only for primes.

The set of vertices of infinite incidence structure is and the set of edges consists of all pairs for which . Bipartite graphs have partition sets (collection of points) and (collection of lines) isomorphic to vector space , where . Let us use the following notations for points and lines in graph : The point is incident with the line , and we write , if the following relations between their coordinates hold:for . The graphs have cycles of length 8.

One can change the finite field for a general commutative ring and work with the graph .

4.2. Graphs

Graphs first appeared as tools for the study of properties by V. Ustimenko. Later on the graphs were presented under another name as an independent family for the first time in [6] for cryptographic applications.

Let us use the following notations for points and lines in the graph : The point is incident with the line , and we write , if the following relations between their coordinates hold:for .

4.3. Graphs

The following interpretation of a family of graphs in case can be found in [4]. By we denote the incidence relation for this graph. Let us use the following notations for points and lines: Two types of brackets allow us to distinguish points from lines. Points and lines are elements of two copies of the vector space over . Point is incident with the line , and we write , if the following relations between their coordinates hold:where .

The set of vertices is and the set of edges consists of all pairs for which . Bipartite graphs have partition sets (collection of points) and (collection of lines) isomorphic to vector space , where .

4.4. Graphs

Formal definitions for the family of graphs were presented in [7].

Construction of projective limits graphs of appears in papers motivated by results on embeddings of Chevalley group geometries in the corresponding Lie algebras and construction of blow-up for an incidence system of Weyl groups. Moreover, this structure is the base for construction of family of graphs (see [7]).

Let us use analogous notation for points and lines in the graph :

In the incidence structure the point is incident with the line , and we write , if the following relations between their coordinates hold:for .

Graphs from the families and are bipartite and -regular, where . The girth of graphs from the described families increases with the growth of . In fact is a family of graphs of large girth and there is a conjecture that is another family of graphs of large girth.

All graphs from the considered families are -regular and bipartite and the set of vertices is , . They are sparse graphs.

It is clear that there is a natural homomorphism of onto of “deleting the last coordinate” that sends to and to . It means that there is a well-defined projective limit of graphs , . Bivariate graphs form a special subclass of so called linguistic graphs for which natural projective limits are defined in a similar way.

Recall that the girth of the graph is the length of its minimal cycle.

Let us assume that the girth of graphs is unbounded. The obvious inequality holds. It means that projective limit has to be a -regular forest. We have such situation in cases of graphs and . If then is a single tree presented by the above equations. Graph is an infinite forest containing infinitely many trees.

Projective limit of Wenger graphs is an infinite connected graph containing cycles of length 8.

5. General Encryption Algorithm No. 1

We can convert graph to finite automaton in the following way. Let (or ) and be the operator of taking neighbour of vertex where the first coordinate is : where . The remaining coordinates can be determined uniquely using relations describing the chosen graph .

We convert to a finite automaton by joining and by a directed arrow with weight . We assume that all vertices of the graph are accepting states.

A bit more interesting object is a symbolic bivariate automaton. Let be a string of elements from (totality of polynomials in variable with coefficients from ).

We introduce operator , where is a point or a line with coordinates , of taking the last vertex of the path , , , …, .

We refer to as a computation of the symbolic automaton with the string , and initial state (or ). We can consider as a map on .

It is easy to see that the restriction of this map on is a polynomial transformation of into (parameter is even) or (parameter is odd) of kind

Notice that generally is not a bijection. Let us consider an invertibility condition for .

Proposition 1. Let the equations of kind , have exactly one solution. Then map is invertible.

Proof. It is easy to check that if then . It is easy to see that . Let be some point from and (point or line). Then the equation has a unique solution . So we can compute , , , . We can compute the chain , , , , , with . So is a bijection.

Notice that for of kind , , , , is a composition of , , , . In this case invertibility of each , , guarantees the bijectivity of . We refer to such case as recurrently defined string.

Let and be sparse affine bijective transformations of the affine space (free module in other terminology), where and are matrices with . It is clear that

Let be a polynomial map of to itself. We refer to as affine deformation of .

5.1. Symmetric Cipher No. 1

We can use the data on the graph , the symbolic computation given by the string of polynomials , , , , where is a bijective map of to itself, and the affine transformations and in the following encryption scheme.

Correspondents Alice and Bob agree on a private encryption key and keep the key secret. Messages are written using characters from the alphabet . So the plainspace is and its elements must be treated as points (or lines) of the graph. To encrypt they use the composition Notice that the computation has to be executed at the numerical level:
(1) Correspondent Alice writes the plaintext and computes and treats as a point of the bivariate graph .
(2) She computes the parameters for .
(3) She computes as , as , as , , as .
(4) She computes the ciphertext as

Alice and Bob can use their knowledge about the triple (, , ) for the decryption. Let us assume that Bob receives the ciphertext from Alice. To decrypt the ciphertext Bob proceeds as follows:
(1) He computes as .
(2) He treats the string of coordinates of this tuple as a vertex of the graph, which is a point in the case of even or a line in the case of odd , with coordinates , , , .
(3) Bob finds the solution of and forms the string , , , , .
(4) He computes as , as , , as .
(5) He computes the plaintext as .
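The encryption and decryption steps above, and the inversion argument of Proposition 1, as an added worked example that is not code from the paper. The bivariate graph is a constructed toy one of my own (points (x1,…,xN) and lines [y1,…,yN] over Z_127 with the rule x_i + y_i = x1·y_(i-1); it has the defining property of Section 4 that fixing the first coordinate of a neighbour determines it uniquely, but it is not one of the paper's families), the colour string is the shifting kind f_i(x1) = x1 + s_i, and T1, T2 are constructed sparse affine bijections with a unit lower bidiagonal matrix.

```python
"""Added example, not the paper's code: Symmetric Cipher No. 1 in shifting mode.

Everything below is constructed for illustration: the ring Z_127, the toy
incidence rule, the password of shifts and the two sparse affine maps.
"""
from typing import List, Sequence, Tuple

M = 127        # arithmetic ring Z_127 (a prime, so every nonzero shift is regular)
N = 5          # plaintext length; vertices are tuples of length N over Z_M

Vertex = Tuple[int, ...]
Affine = Tuple[int, Sequence[int]]   # (c, b): T(v)_i = v_i + c*v_(i-1) + b_i


def incident(point: Vertex, line: Vertex) -> bool:
    """Constructed toy incidence rule: x_i + y_i = x1 * y_(i-1) (mod M) for i >= 2."""
    return all((point[i] + line[i]) % M == (point[0] * line[i - 1]) % M
               for i in range(1, N))


def neighbour(v: Vertex, colour: int, v_is_point: bool) -> Vertex:
    """The unique neighbour of v whose first coordinate (its colour) is `colour`.

    Solving the incidence rule for the unknown vertex, coordinate by coordinate,
    is what makes this a bivariate graph in the sense of Section 4.
    """
    w = [colour % M]
    for i in range(1, N):
        if v_is_point:   # v = point x, w = line y:  y_i = x1*y_(i-1) - x_i
            w.append((v[0] * w[i - 1] - v[i]) % M)
        else:            # v = line y, w = point x:  x_i = x1*y_(i-1) - y_i
            w.append((w[0] * v[i - 1] - v[i]) % M)
    return tuple(w)


def walk(v: Vertex, colours: Sequence[int], v_is_point: bool) -> Vertex:
    """Last vertex of the path v, N_c1(v), N_c2(N_c1(v)), ... (points and lines alternate)."""
    for c in colours:
        v = neighbour(v, c, v_is_point)
        v_is_point = not v_is_point
    return v


def affine(v: Vertex, c: int, b: Sequence[int]) -> Vertex:
    """Sparse affine bijection T(v) = A v + b, A unit lower bidiagonal with subdiagonal c."""
    return tuple((v[i] + (c * v[i - 1] if i > 0 else 0) + b[i]) % M for i in range(N))


def affine_inv(w: Vertex, c: int, b: Sequence[int]) -> Vertex:
    """Inverse of `affine`, solved forward from the first coordinate."""
    out: List[int] = []
    for i in range(N):
        out.append((w[i] - b[i] - (c * out[i - 1] if i > 0 else 0)) % M)
    return tuple(out)


def encrypt(plaintext: Vertex, password: Sequence[int], t1: Affine, t2: Affine) -> Vertex:
    v = affine(plaintext, *t1)                         # (1) T1(plaintext), treated as a point
    colours = [(v[0] + s) % M for s in password]       # (2) a_i = f_i(x1) = x1 + s_i
    last = walk(v, colours, v_is_point=True)           # (3) v_1 = N_a1(v), ..., v_k = N_ak(v_(k-1))
    return affine(last, *t2)                           # (4) ciphertext T2(v_k)


def decrypt(ciphertext: Vertex, password: Sequence[int], t1: Affine, t2: Affine) -> Vertex:
    k = len(password)
    last = affine_inv(ciphertext, *t2)                 # (1) undo T2 to get v_k
    last_is_point = (k % 2 == 0)                       # (2) a point after an even number of steps
    x1 = (last[0] - password[-1]) % M                  # (3) solve f_k(x1) = a_k, i.e. x1 + s_k = a_k
    colours = [(x1 + s) % M for s in password]
    back = list(reversed(colours[:-1])) + [x1]         # (4) step back via a_(k-1), ..., a_1, then x1
    v = walk(last, back, last_is_point)                #     each step picks the unique neighbour of that colour
    return affine_inv(v, *t1)                          # (5) undo T1


def demo() -> Vertex:
    """Constructed sample: encrypt one tuple and check the round trip."""
    password = (3, 17, 44, 9, 101, 63)                 # key: nonzero shifts s_1..s_k
    t1: Affine = (5, (1, 2, 3, 4, 5))                  # constructed T1
    t2: Affine = (11, (9, 8, 7, 6, 5))                 # constructed T2
    plaintext: Vertex = (72, 105, 33, 0, 126)
    c = encrypt(plaintext, password, t1, t2)
    assert decrypt(c, password, t1, t2) == plaintext
    return c
```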

Remark 2. In the case of identity maps and one can try Dijkstra’s algorithm for finding the shortest path between plaintext and ciphertext. Notice that its complexity is , but here is exponential . Therefore we get a complexity even worse than that of brute force search over the key space.

In the case of recurrently defined symbolic computation as above the bijective encryption map is . As we have already seen, this encryption transformation is equivalent to , where . Recurrently defined symbolic computation is an example of a polynomial map with an invertible decomposition. It has various applications in the development of multivariate key exchange protocols and asymmetric multivariate algorithms. The most popular case of implementation is related to graphs and (see [15, 17, 18]), where is a finite field or an arithmetical ring and strings of kind , , , , where , are regular elements of the ring . We refer to such a case as shifting encryption.

Let us consider the case of strong symmetric encryption, when the function is , with a regular (invertible) element of . In this case it is easy to show that the degrees of the encryption map and the decryption map are the same. The advantage of this case is its universality: one can implement it for an arbitrarily chosen finite ring .

6. On Properties of Bivariate Graph Based Bijective Encryption Maps

The girth of a simple graph is the length of its shortest cycle. It is a known fact that the girth of the graph is . So in the case of shifting encryption with the password , , , , the encryption map has no fixed points, and the ciphertext is always different from the plaintext. Let us consider deformed shifting encryption of kind . We assume that the affine maps and are fixed. Correspondents are able to change the string for another one.

We assume that for . Such a choice means that the encryption map corresponds to a path of length . The inequality implies that different strings of length produce different ciphertexts. So even in the case when and are known to the adversary, the complexity of attacks without access to unencrypted information is bounded from below by .

Let be a multiplicative subset of a general commutative ring , i.e., is closed under the ring multiplication and does not contain . We say that a string is -regular if for . It was proven that different -regular strings of length produce distinct ciphertexts from the same plaintext. So in the case of , the resistance to attacks without access to unencrypted data is bounded from below by .

It was proven that graphs form a family of graphs of increasing girth that tends to infinity as grows. The speed of growth of needs further evaluation. It was proven also that different -regular strings of length produce different encryption maps.

Results on -regular strings of length restricted maps are obtained in terms of dynamical systems corresponding to graphs and .

Let us assume that the maps and are identities and consider the groups of transformations and generated by shifting encryption maps corresponding to strings of even length. In [16] it was proven that all elements of are cubical transformations of the affine spaces and . A similar result for is stated in [6]. It follows immediately from this result that the transformation and its inverse are cubical transformations.

The cryptanalytic corollary of this statement is that linearization attacks on stream ciphers based on the graphs and are justified.

Let the correspondents use the transformation . The adversary knows the general scheme of the open algorithm but not the data for and or the shifting string. So he knows about the cubic nature of the encryption. We assume that he has access to the unencrypted information and is able to intercept quite many pairs of kind , where is a plaintext and the corresponding ciphertext.

Then the adversary writes , which is a formal cubical map in standard form with unknown coefficients in front of the monomial terms. He or she is able to solve a system of equations of kind and restore the map . So the adversary could control the communication channel. The complexity of such a direct linearization attack is .
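The attack just described is ordinary polynomial interpolation, and seeing it carried out on a toy instance makes clear why a bounded degree is the security-relevant weakness and why the unbounded-degree maps of the later sections are motivated. The following is an added illustration, not code from the paper or its authors: it takes a random cubical map on (the ring, the dimension and the sample count are constructed parameters), writes the formal cubic map with unknown coefficients, and recovers every coefficient from plaintext-ciphertext pairs by Gaussian elimination modulo . The number of unknowns per coordinate is the number of monomials of degree at most 3, which is cubic in , so cubically many pairs suffice and the elimination costs the stated in the paper.

```python
"""Added example (not from the paper): linearization of a cubical map over Z_p.

A map F: Z_p^n -> Z_p^n whose coordinates are polynomials of degree <= 3 is
determined by C(n+3, 3) coefficients per coordinate.  Given enough pairs
(x, F(x)) the coefficients satisfy a *linear* system, which is why bounded
degree makes the map recoverable from intercepted traffic.  All values below
are constructed for the demonstration.
"""
import random
from itertools import combinations_with_replacement

DEGREE = 3  # the paper's case: cubical encryption maps


def monomials(n, deg=DEGREE):
    """All exponent tuples of total degree <= deg in n variables."""
    mons = []
    for d in range(deg + 1):
        for combo in combinations_with_replacement(range(n), d):
            e = [0] * n
            for i in combo:
                e[i] += 1
            mons.append(tuple(e))
    return mons


def eval_monomial(e, x, p):
    r = 1
    for xi, ei in zip(x, e):
        r = r * pow(xi, ei, p) % p
    return r


def random_cubic_map(n, p, rng):
    """One coefficient list per output coordinate, indexed like monomials(n)."""
    count = len(monomials(n))
    return [[rng.randrange(p) for _ in range(count)] for _ in range(n)]


def apply_map(coeffs, x, p):
    mons = monomials(len(x))
    return [sum(c * eval_monomial(e, x, p) for c, e in zip(poly, mons)) % p
            for poly in coeffs]


def solve_mod_p(A, b, p):
    """Solve A*v = b over Z_p by Gauss-Jordan elimination on the augmented
    matrix.  Works for over-determined consistent systems; returns None when
    the coefficient columns do not have full rank (too few samples)."""
    m, n = len(A), len(A[0])
    M = [row[:] + [bi] for row, bi in zip(A, b)]
    r = 0
    for c in range(n):
        piv = next((i for i in range(r, m) if M[i][c] % p), None)
        if piv is None:
            return None
        M[r], M[piv] = M[piv], M[r]
        inv = pow(M[r][c], -1, p)
        M[r] = [v * inv % p for v in M[r]]
        for i in range(m):
            if i != r and M[i][c]:
                f = M[i][c]
                M[i] = [(vi - f * vr) % p for vi, vr in zip(M[i], M[r])]
        r += 1
    return [M[i][n] for i in range(n)]


def linearize(pairs, n, p):
    """Recover the coefficient lists of a cubical map from (x, F(x)) pairs.
    Each coordinate gives an independent linear system in C(n+3,3) unknowns."""
    mons = monomials(n)
    rows = [[eval_monomial(e, x, p) for e in mons] for x, _ in pairs]
    recovered = []
    for j in range(n):
        sol = solve_mod_p(rows, [y[j] for _, y in pairs], p)
        if sol is None:
            return None
        recovered.append(sol)
    return recovered


def demo(n=2, p=101, samples=20, seed=1):
    """Return True iff the map is recovered exactly from `samples` pairs."""
    rng = random.Random(seed)
    secret = random_cubic_map(n, p, rng)
    pairs = []
    for _ in range(samples):
        x = [rng.randrange(p) for _ in range(n)]
        pairs.append((x, apply_map(secret, x, p)))
    return linearize(pairs, n, p) == secret


if __name__ == "__main__":
    print("recovered:", demo())
```

The constructed instance uses and , so each coordinate has 10 unknown coefficients and 20 random pairs are more than enough; with fewer than 10 pairs `solve_mod_p` reports a rank deficiency and `linearize` returns `None`, which is the situation the cipher designer wants to force, either by making the degree grow with the parameter so that the monomial count is no longer polynomial in the available traffic, or, as in the nonbijective variant, by denying the adversary a well-defined map to interpolate.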

7. On the Implementation of Graph Based Stream Cipher Based on Nonbijective Maps

Let us describe an implemented algorithm, which can run in the case of an arbitrary commutative ring and an arbitrary bivariate graph . We slightly modify the above described symmetric algorithm based on bivariate graphs; this is not a case of shifting encryption. Firstly, we take a symbolic computation for the string , with , where is mutually prime with the order of . So the equation , has at most one solution. We take as an affine bijective transformation of kind , , , , , where are linear functions from . Correspondents will use the plainspace

They will use as the encryption map. To execute the computation in time they take a finite parameter and use loaded tables for , (one-dimensional arrays , ). So they will compute , form the sequence , and compute recurrently , . They form the ciphertext as .

To decrypt they will take as and find a solution of the equation . The loaded table of values for allows finding fast. Next they form a string , , , , . So users take the string , , , . Finally they get the plaintext as .
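The nonbijective ingredient of this algorithm is the Eulerian map on the arithmetical ring, restricted to a subset on which it is injective and inverted via Euler's theorem and a loaded table. The following added example (not the paper's implementation; the modulus , the exponent and the toy "plainspace" of regular elements are constructed choices) shows the three facts the procedure relies on: for coprime with the order of the unit group, is a bijection on the regular elements with inverse exponent ; the same map is many-to-one on the whole of , which is why the plainspace must be a proper subset; and a precomputed table of values for inverts the map in one lookup.

```python
"""Added example (not from the paper): the Eulerian map x -> x^d on Z_m.

Constructed parameters: m = 256 and d = 3.  The "domain" on which the map is
injective is the set of regular (invertible) elements of Z_m; outside it the
map collapses many inputs onto the same output.
"""
from math import gcd


def euler_phi(m):
    """Euler's totient via trial factoring (m is small in this example)."""
    result, n, p = m, m, 2
    while p * p <= n:
        if n % p == 0:
            while n % p == 0:
                n //= p
            result -= result // p
        p += 1
    if n > 1:
        result -= result // n
    return result


def regular_elements(m):
    """The units of Z_m: the subset on which x -> x^d is injective."""
    return [x for x in range(m) if gcd(x, m) == 1]


def eulerian_map(x, d, m):
    return pow(x, d, m)


def inverse_exponent(d, m):
    """d' with d*d' = 1 mod phi(m); by Euler's theorem x^(d*d') = x on units.
    Requires gcd(d, phi(m)) == 1, i.e. d coprime to the order of the group."""
    phi = euler_phi(m)
    if gcd(d, phi) != 1:
        raise ValueError("exponent not coprime with the group order")
    return pow(d, -1, phi)


def is_injective_on(domain, d, m):
    images = [eulerian_map(x, d, m) for x in domain]
    return len(set(images)) == len(images)


def loaded_tables(d, m):
    """Forward table x -> x^d on the units and its inverse table c -> x.
    The inverse table is what lets the decrypting party solve x^d = c fast."""
    forward = {x: eulerian_map(x, d, m) for x in regular_elements(m)}
    inverse = {c: x for x, c in forward.items()}
    return forward, inverse


def solve_by_table(c, inverse_table):
    """Return the unique regular x with x^d = c, or None if c is not hit."""
    return inverse_table.get(c)


def solve_by_euler(c, d, m):
    """Return the unique regular x with x^d = c by exponentiating with d'."""
    return eulerian_map(c, inverse_exponent(d, m), m)


if __name__ == "__main__":
    m, d = 256, 3
    fwd, inv = loaded_tables(d, m)
    print("injective on units:", is_injective_on(regular_elements(m), d, m))
    print("injective on all of Z_m:", is_injective_on(range(m), d, m))
    print("d' =", inverse_exponent(d, m))
    print("table and Euler agree:",
          all(solve_by_table(c, inv) == solve_by_euler(c, d, m) for c in inv))
```

For the constructed modulus the unit group has order , so every odd exponent qualifies and is rejected by `inverse_exponent`, matching the paper's condition that be mutually prime with the order of the group; the check on all of shows why a plaintext coordinate outside the regular elements could not be recovered.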

The case of this symmetric algorithm appears as a private key for a cryptosystem introduced in [14] with the plainspace .

We selected string of polynomials as , , and special linear transformations and , given by the lists of linear forms.

We can theoretically evaluate the degrees of the encryption map and the decryption map . In the cases of graphs and , these parameters are bounded below by constants depending on the parameters , . We can select the string of parameters and get large enough to make cryptanalysis a difficult task. In the case the degrees are even larger; they have size . Notice that direct linearization attacks are formally impossible because the encryption map is not a bijective one.

The implementation of the algorithms in the present work was done using the Python programming language, in particular version 2.7. The code does not use any out-of-the-box libraries for facilitating operations with matrices. The tests for measuring the processing time have been executed on a machine with Intel Core2 Duo CPU 9600 1.60GHz x 2, RAM memory 4.8 GB, operating with Ubuntu 16.04 LTS. The complexity of the algorithms is of order , where is the length of the password. In particular, we implemented this stream cipher for the case and ( and ), without using loaded tables for the functions. Table 1 presents encoding and decoding times for three types of graphs and for different file sizes and password lengths. A description of the implementation of the “nonlinear part” of the encryption process, i.e., the computation of , is given in [1]. We recommend a password for which and , are regular elements of the ring.

8. General Encryption Algorithm No. 2 with the Usage of Nonlinear Colour Jump Function

We generalize Encryption Algorithm No. 1 for creation of multivariate transformation of based on the bivariate graph and its extension over .

The extension of the graph is , which has two partition sets (points) and (lines) isomorphic to . In this infinite graph the incidence relation is given by the same equation as in the graph but over the ring .

Let us consider a special vertex of kind of the graph , where , , are generators of over . We use the colour jump operator, which transforms the point to the point from .

We create the jump fusion of the nonlinear colour jump operator with the modification previously defined in the following way:

(1) In the first step, we apply to the point : and we treat as a point of the graph .

(2) In the next steps of the jump fusion, we modify differently in the cases of even and odd parameter :

(2.1) If , we use symbolic key defined by polynomials , , , , , , , where and is a bijection.

(2.2) If , we use symbolic key defined by polynomials , , , , , , where and is a bijection.

(3) We form a path in the graph of where , i=1,2,…,s.

(4) Final vertex of the path is where .

The jump fusion is the map

If the jump is trivial, i.e., then

In the case of affine deformation of by affine bijective transformation and of our map where .

8.1. Symmetric Cipher No. 2 with the Jump Operator

Let be a bivariate graph with partition sets (points) and (lines) isomorphic to . We consider the colour jump operator , on the set of points , which transforms to the point .

Let us modify Symmetric Cipher No. 1 in the following way. The correspondents Alice and Bob use the data on the graph , with the colour jump operator , the symbolic computation given by the string of polynomials , , , , where is a bijective map of to itself and affine transformations and in the following encryption scheme.

Thus, correspondents Alice and Bob agree on the private encryption key where the polynomials , , , are defined differently depending on the length of the password , i.e.,

(i) if then , , , , , , and ,

(ii) if then , , , , , , and .

Notice that the computation has to be executed at the numerical level also in this scheme:

(1) Correspondent Alice writes plaintext and computes

(2) In the next step she uses the colour jump operator and computes and treats as a point of the bivariate graph .

(3) She computes parameters for with properly defined .

(4) She computes as , as , , as .

(5) Finally, she computes the ciphertext as

Alice and Bob can use knowledge about their private key (, , , ) for the decryption.

Let us assume that Bob receives the ciphertext from Alice. To decrypt the ciphertext Bob proceeds as follows:

(1) He has to compute as .

(2) He treats the string of coordinates of this tuple as a vertex of the graph, which is a point in the case of even or a line in the case of odd with coordinates , , , .

(3) Bob must find a solution of and form a string , , , , .

(4) He computes as , as , , as .

(5) Next, he computes

(6) Finally, he computes the plaintext as .

9. On the Implementation of Graph Based Stream Cipher Based on Nonbijective Maps with the Use of Nonlinear Colour Jump Operator

In this section we describe an implementation of general Encryption Algorithm No. 2 with the use of nonlinear colour jump function in the case of rings and and graph .

We take a bijective transformation , (), which is computable in time . For example, the linear forms , , , can be chosen. We select as a bijective affine transformation computable in time .

9.1. Case I: Let Be an Odd Number

To define the jump of the colour the correspondents can take an arbitrary . The value of on a given element of the commutative ring is computable in elementary steps. According to point (2.1) in Section 8, they select as , as , , , , , , , where for and for . Correspondents work with the plainspace in the case and in which the encryption map is a bijection. We assume that the parameters , , are regular ring elements.

Decryption. Correspondent Bob takes the obtained ciphertext and computes . He solves the equation in the unknown . Let be the solution. Bob computes , , , , .

He forms the path , , , , , with and next he uses jump operator . Finally Bob computes the plaintext as .

9.2. Case II: Let Be an Even Number

Correspondents take to conduct the jump operator , where for and for and is a regular element of . They select , where is an arbitrary element of of degree , e.g., . They work also with , and , (see point (2.2) in Section 8). Similarly to the previous case, the parameters , , are regular ring elements.

Decryption. Correspondent Bob takes the obtained ciphertext and computes . He solves the equation . Let be the solution. He computes , , , , , .

Bob computes the path , , , , , , and next he uses the jump operator . Finally Bob computes the plaintext as .

Example 3. Let s=3 (case I). Correspondents will use the plainspace and the private encryption key where , , with and . Notice that , , and is a regular element. Let and be an identity map. Let us use the graph ; users should do all calculations in the modular arithmetic defined for .

(1) Alice writes plaintext ( since ) and computes .

(2) She computes and

(3) , and .

(4) She gets .

(5) Finally, is the ciphertext.

Bob knows the key and the encryption scheme. Bob can decrypt the ciphertext in the following steps:

(1) He computes .

(2) is odd and Bob treats as a vertex (line) in the graph .

(3) He writes the equation and then rewrites it as (3, are regular; the left side is from so has to be regular). He writes (regular) and uses the Euler theorem to find (a multiplicative inverse of , i.e., ). Then is the unique solution. He forms a string of elements , and .

(4) He gets .

(5) He computes

(6) Finally, he computes the plaintext .

9.3. Degree Estimates

In the cases and the implementations of Algorithm No. 1 and Algorithm No. 2 use encryption map of degree .

The encryption and decryption maps have multivariate nature. Let us assume that (odd ) and (even ) are given by linear functions of kind , . Then in the case of graphs and the degrees of the encryption and decryption maps are bounded below by and bounded above by because the shifting encryption is a cubical map.

10. Summary

The paper presents a class of stream ciphers defined in terms of graphs given by equations over the finite commutative ring . The algorithm has multivariate nature: the plaintext is a tuple from the free module , the key string is also an element of , and the encryption map is a polynomial transformation of into itself. Users have the option to vary the parameters and and the ring . If the parameter is bounded by a constant, then the speed of the numerical recurrent encryption is . The key can be given as a sequence of polynomials in a single variable . We observe results on the simplest case of key strings , , , obtained by theoretical studies and via computer simulation in the case of finite fields or arithmetical rings of kind . In the case of graphs and , simple conditions on ensure that different keys produce distinct ciphertexts and allow estimating the complexity of adversary attacks without access to plaintext. In the above-mentioned case the encryption and decryption maps are cubical, and an adversary who has intercepted pairs of kind plaintext-ciphertext can conduct a linearization attack in time . In the case of the degree of both maps grows linearly with the growth of the parameter , which makes the search for the inverse map via linearization attacks a difficult task. Additionally, the authors have started investigating bijective and nonbijective encryption maps with keys of kind , , , , where .

In the nonbijective case the plainspace is a large subset of and the adversary has to restore the multivariate encryption transformation and search for a polynomial map such that fixes each plaintext. Known methods do not allow solving this task in polynomial time. A special case with high degree is implemented. Loaded tables for allow fast encryption of text even in the case of a large parameter .

Our general Algorithm No. 2 uses encryption and decryption procedures of polynomial nature. Both procedures are approximated by maps of unbounded degree. This fact leads to resistance of the cipher to linearization attacks by an adversary.

11. Conclusion

The main purpose of this paper is to introduce stream ciphers with nonbijective encryption function of multivariate nature constructed in terms of algebraic graph theory. This class of encryption transformations has already been used as a tool of multivariate cryptography for the construction of public key candidates to be used in the postquantum era. The idea of a “hidden Eulerian equation” embedded in a large variety of coefficients of multivariate public rules was used as a heuristic argument for security. We apply this idea in symmetric cryptography, which is not endangered by the appearance of quantum cryptography, and introduce robust stream ciphers resistant to linearization attacks. The authors agree that for practical use further research is needed. Statistical evaluation of mixing properties via measuring the avalanche effect has to be done. We have to compare such properties in the case of Algorithms No. 1 and No. 2 and bijective multivariate graph based encryption. Besides linearization attacks, other tools have to be used, like the Distinguishing attack, Time/memory/data trade-off attack, Guess-and-Determine attack, Resynchronization attack, and various attacks of algebraic nature (see [22–30]). The authors believe that the above-mentioned attacks, which were developed to investigate bijective encryption, have to be seriously modified to work with nonbijective ciphers. We hope that our algorithms will attract the attention of cryptanalysts and that they will test cryptanalytical instruments on such new families of ciphers.

Data Availability

Some parts of the data (Table 1; General Algorithm No. 1) used to support the findings of this study are included within the article. This paper is an extension of our article [1], which reflects our talk at the 5th International Conference on Cryptography and Security Systems, 2018 (one of the events of the Federated Conference on Computer Science and Information Systems, FedCSIS 2018).

Conflicts of Interest

The authors declare that they have no conflicts of interest.