#### Abstract

The main purpose of this paper is to introduce stream ciphers with the nonbijective encryption function of multivariate nature constructed in terms of algebraic graph theory. More precisely, we describe the two main symmetric algorithms for creation of multivariate encryption transformations based on three families of bipartite graphs with partition sets isomorphic to , where is selected as the finite commutative ring. The plainspace of the algorithm is The second algorithm is a generalization of the first one with using the jump operator, where generalized encryption map has an essentially higher degree in comparison with the previous version. Moreover, the degree of this generalized map is not bounded by some constant. This property guarantees resistance of the cipher to linearization attacks.

#### 1. Introduction

This paper is an extension of article [1] reflecting our talk at the 5th International Conference on Cryptography and Security Systems (one of the events of Federated Conference on Computer Science and Information Systems, 2018). We expand our work by adding the generalization of our symmetric cipher of multivariate nature. Generalized encryption map has essentially higher degree in comparison with previous version. The degree is not bounded by some constant. This property insures resistance of the cipher to linearization attacks.

Graph theory is applicating in diverse fields such as linguistics, biochemistry, coding theory, cryptography, communication networks, etc. The history of the use of sparse algebraic graphs in symmetric cryptographical algorithms was described in [1] with the full list of references which begins with the ideas of V. Ustimenko presented in the article from 1998 (see [2]). In this paper, we present only a short version of this history related to work of V. Ustimenko and his team. The reader can find also more general survey on some applications of Graph Theory in Cryptography in [3].

The following known graphs defined over finite commutative ring were used: (see [2]; for graphs were defined in [4]), (Wenger graphs defined in [5]), graphs introduced in [6], and graphs of [7]. Popular choices of are finite fields , , , , and and rings modular arithmetic , , and . This research history is presented in the next section. Section 2 observes graph based stream ciphers which use bijective encryption function of multivariate nature. In fact, multivariate cryptography uses nonbijective maps and a private key decryption is also given in each case of this type. However, the vast majority of stream ciphers is defined via bijective encryption. In each case of nonbijective symmetric encryption there is a deterministic decryption process that has to be described in clear way. In Section 3 we discuss the class of nonbijective multivariate maps defined in terms of Euler theorem for arithmetical rings , where is a composite number. Such a map has a special subset (domain) of affine space isomorphic to , such that the restriction of onto is injective (). It is important that is unknown to the adversary, who knows only cipherspace . Correspondents use their knowledge on the password to obtain a description of . They are able to compute bijective map from onto which is a decryption procedure; i.e., the composition of with is identity map on . The definition of multivariate nonlinear map uses Eulerian map of with and , where is Euler function.

An adversary does not have access to , , or . A hidden Eulerian equation of kind gives a heuristic support to resistance of symmetric algorithm to attacks with interception of pairs plaintext/ciphertext. Notice that, in the case of classical RSA algorithm large decomposable into two primes is known, parameter is given. Security of RSA rests on the complexity of finding decomposition or finding multiplicative inverse of . In practical cases of multivariate encryption with hidden Eulerian equation (like ) Eulerian function is easy to compute, but multiplicative inverse of is hard to find because the adversary simply does not know . In fact, in our examples the degree of multivariate map on sending to codomain heavily depends on parameter . Decryption map of into is induced by nonbijective multivariate map and degree of degree . So “Eulerian parameters” and are very essential for cryptanalysis. This approach is illustrated by 3 “toy examples” of graph based symbolic computations (see at the end of Section 3 with items , , and ).

A linearization attack has to disclose codomain , determine the standard form of polynomial encryption map with its degree, and construct a polynomial map , such that is identity function. If one of the parameters or is unbounded (or it is a large constant) then linearization tasks are infeasible. Of course, a cryptanalyst has to try alternative approaches like distinguish, Time Memory Data trade-off attacks, and guess-and-determine attack. These methods are constructed for investigation of stream ciphers with bijective encryption. Authors believe that in the case of multivariate nonbijective encryption such attacks have to be seriously modified for the practical implementation.

This approach is illustrated by three “toy examples” of graph based encryption. In Section 4 we introduce a class of bivariate graphs containing all the above-mentioned graphs. Such concept is convenient for uniform description of the encryption scheme and observation of common properties of graphs from this class (Sections 5 and 8). General Algorithm No. 1 is described in Section 5 presents symmetric cipher based on nonbijective maps. Implementation results are presented in Table 1. The Algorithm No. 2, presented in Section 8, is a generalization of the first one with using the jump operator, where generalized encryption map has an essentially higher degree in comparison with the previous version. Moreover, the degree of this generalized map is not bounded by some constant. This property guarantees resistance of the cipher to linearization attacks. We compare graphs and related algorithms corresponding to different families (, , , and ) in Sections 6 and 9.

Last section is the conclusion where we discuss the choice of our model. Here the reader can find remarks on multivariate cryptography and its connections with cryptographical applications of algebraic graph theory.

RSA is one of the most popular cryptosystems. It is based on a number factorization problem and on Euler’s Theorem. Peter Shor discovered that the factorization problem can be effectively solved by using a theoretical quantum computer. This means RSA could not be a security tool in the future postquantum era. One of the research directions leading to a postquantum secure public key is the multivariate cryptography, which uses a polynomial maps of affine space defined over a finite commutative ring into itself as encryption tools (see [8]). This is a young promising research area because of the current lack of known cryptosystems with the proven resistance against attacks with the use of Turing machines. Another important direction of Postquantum Cryptography is the study of Hyperelliptic Curves Cryptosystems. We have to say that classical elliptic curves encryption will be not secure in the postquantum era.

Applications of algebraic graphs to cryptography started with symmetric algorithms based on explicit constructions of extremal graph theory and their directed analogues. The main idea is to convert an algebraic graph in a finite automaton and to use the pseudorandom walks on the graph as encryption tools. This approach can also be used for the key exchange protocols. Nowadays the idea of “symbolic walks” on algebraic graphs, when the walk on the graph depends on parameters given as special multivariate polynomials in variables depending from plainspace vector, appears in several public key cryptosystems.

Multivariate cryptography started from the study of potential for the special quadratic encryption multivariate bijective map of , where is an extension of finite field of characteristic 2. One of the first such cryptosystems was proposed by Imai and Matsumoto and cryptanalysis for that system was invented by J. Patarin. A survey on various modifications of this algorithm and corresponding cryptanalysis can be found in [8] or [9].

One of the first uses of nonbijective map of multivariate cryptography was in the* oil and vinegar* cryptosystem proposed in [10] and analyzed in [11]. Nowadays, this general idea is strongly supported by publication [12] devoted to security analysis of direct attacks on modified unbalanced oil and vinegar systems. It looks like such systems and rainbow signature schemes may lead to promising Public Key Schemes of Multivariate Encryption defined over finite fields. Nonbijective multivariate sparse encryption maps of degree 3 and based on walks on algebraic graphs defined over general commutative ring and their homomorphic images were proposed in [13]. Security of the corresponding cryptosystem rests on the idea of hidden discrete logarithm problem. U. Romańczuk-Polubiec and V. Ustimenko combine the idea of “oil and vinegar signature cryptosystem” with the idea of linguistic graph based map with partially invertible decomposition to introduce a new cryptosystem [13]. This algorithm can be implemented with the use of families and and natural homomorphism between them. Finally, in [14] “hidden RSA multivariate encryption” based on graphs were proposed.

In this paper we modify the encryption map (private key) of the above-mentioned cryptosystem in terms of family of bivariate graphs defined over the commutative ring . These maps have multivariate nature despite the “numerical implementation” in symmetric ciphers mode with the plainspace isomorphic to .

#### 2. Implementation of Algorithms Based on Bijective Maps

We worked on a software package that enables us to investigate strongly symmetric cases of stream ciphers based on graphs , , , and , where is the arithmetic ring. Some cases are already implemented by our team at the level of prototype model.

Few algorithms have been implemented in the past for very special cases under supervision of V. Ustimenko. The history of implementation of these algorithms was described in [1] with the full list of references. Below we present only a short version of this history.

The first implementation of encryption was done in 2000 at the University of South Pacific (USP, Fiji Islands). The research team was composed by Professor V. Ustimenko, PhD Dharmendra Sharma (currently professor of University of Canberra), and postgraduate students V. Gounder and R. Prasad. The work was supported by the University Research Committee of the University of South Pacific (USP) grant. During this work the implementation of asymmetric mode was investigated with the chosen case for was , with 127 being the closest prime to the size of ASCII code alphabet. It means that one has to delete just the* delete* service symbol and can encrypt arbitrary text files. The chosen string was , where are elements of the ring chosen in pseudorandom fashion. So that was a case of shifting encryption.

The affine transformations and were simply identities. The implemented cipher on ordinary PC was rather robust in performance, but with average mixing properties. It has been used at USP digital network working for campuses and USP centers located in 11 island countries of South Pacific region. The package was also used by ORACLE based system of the bursary office. Recently group of students from Okanagan College (affiliated with the University of British Columbia) implemented that stream cipher on a cluster network of PC for a large data encryption.

Another case with and graph was implemented under the Research Committee of Sultan Qaboos University (SQU, Oman) grant. The research team was composed of Professors Vasyl Ustimenko and Abderezak Tousane and students Rahma Al Habsi and Huda Al Naamani. The software uses one to one correspondence between elements of and symbols of binary alphabet. It allows encryption of various file types (with extension , , , , , ) in a way that encrypted file is presented in the same format as the plaintext. The symmetric algorithm was used in academic networks of SQU and Kiev Mohyla Academy.

The systematic study of shifting encryption for cases of shifting encryptions of was conducted at UMCS (Lublin, Poland). J. Kotorowicz used arithmetical rings , , for the implementation with various affine transformation and (see [15]). The encryption was essentially faster than in all previously known cases. The selected affine transformation leads to an encryption with very good mixing properties: the change of a single character of the plaintext or the change of a single character of the encryption string causes the change of at least 98% of the ciphertext characters. In the case of it can be proved that the order of and based encryption map grows with the growth of parameter . The comparison of orders was completed through the study of cycle structures of and encryptions. The obtained results showed similarity in both cases.

M. Klisowski implemented and shifting encryption on symbolic level in the cases of finite fields , , . In [16] A. Wróblewska proved that shifting encryption is given by a cubical multivariate map (see also [17]). Computer simulation results allow estimating time of generation of these maps as functions of parameter and densities of such multivariate cubic encryption and decryption maps. Similar results for cases of Boolean rings of sizes , , , and are obtained via computer simulations.

The PhD thesis of M. Klisowski [18] contains the first results on and based multivariate maps which are not defined via shifting encryptions. He used symbolic strings of kind , with constants for special fields in which has unique solution. It was shown that such a choice makes direct linearization attacks impossible.

The first implementation for the case of Wenger graph based encryption was completed at the University of Sao Paolo (USP, Brasil) (see [19] and further references). Professors V. Futorny and V. Ustimenko chose field of which size is the closest from below prime to the size of binary alphabet. This research was partially supported by FAPESP foundation (grant for international cooperation with USP). Computer simulation demonstrated high speed of encryption. In [19] authors evaluated the diameter of graph and proved that the family of these graphs , is a family of small world graphs.

Professor Routo Terada (USP, Brasil) suggested to investigate the behaviour of these algorithms under linearization attacks. Computer simulation supports the conjecture on a good resistance of the encryption scheme to such attacks.

The idea of using graphs in cryptography was proposed by U. Romańczuk-Polubiec and V. Ustimenko in [6].

Some stream ciphers defined via graphs were proposed by M. Polak and V. Ustymenko in [7]. Furthermore, M. Polak compared LDPC codes corresponding to , , and in [20].

#### 3. On the Idea of Nonbijective Maps Based on Eulerian Equations and Some Toy Examples

Let us consider the case of commutative ring , where is composite number.

Classical scheme of multivariate bijection map on affine space is of the form , where and are bijective maps of kind where is nonsingular matrix with entries from and is a nonlinear bijective polynomial map of kind , . Leonard Euler investigated maps , . He discovered that if x is a regular ( and is mutually prime with the order of multiplicative group of , then the preimage of is unique. Eulerian theorem states that the solution of is , where is multiplicative inverse of in the group , i.e., . Map defined on the set of positive integers is known as* Euler function*. Everybody knows that the security of RSA encryption rests on the Eulerian Theorem.

The general idea of hidden Eulerian equation [21] suggests to use , where is monomial map , where is some permutation. Nonlinear map is Eulerian map given by rule , where , and .

It is easy to see that Eulerian map from one variable , is far from being a bijection in the case of composite number. For example if and , we have , , , , , , , and . However, we can use as encryption function on the plainspace . Notice that and preserve the subset of the affine space . The restriction of composition onto is a bijection. So sends plaintext to intermediate vector . The image of coincides with . For decryption, the correspondent applies to the ciphertext to obtain and then the plaintext as . Notice that, for the computation of , the correspondent has to use Euler theorem. As you see the plainspace of this scheme is smaller than cipherspace like in the well-known El Gamal method. The encryption map sends the Domain onto of the same size, but the location of these codomains is hidden from adversaries, because the map is hidden from him/her. The encryption scheme described above can be generalized in various ways. For instance, one can define Eulerian map as . Some modifications are suggested in [21] where even more general definition of Eulerian map is given and nonlinear multivariate bijection is used instead of affine map .

Another idea is based on deformations of bijective nonlinear multivariate map of kind , . We assume that correspondents are able to solve for and refer to such multivariate transformation as the map with one-dimensional invariant subspace.

We consider a map of kind , , where and .

Obviously, sends to of the same size. We consider the encryption map of kind , where and is an affine map of kind , , , , .

So correspondents can use the plainspace . The map sends plaintext to the tuple .

The map transforms into with . Finally affine map sends to the ciphertext . Decryption process: correspondent computes as . He/she solves equation and gets . He investigates the map , , . Under the assumption that correspondents can compute the preimages of they can get and the plaintext .

Formally, our encryption map can be expressed as , where is the map , . Clearly, representation of in polynomial map can be a hard task.

In order to be able to use the above encryption, Alice has to compute the standard form of kind . She has to prove that is computable in polynomial time. To hide parameter Alice can select with . Notice that in RSA algorithm the ring and parameter of the map , are known. So one can use term* hidden RSA* for the presented scheme of multivariate public key algorithm. It means that correspondents may use decomposed not only into two large prime numbers, but also into other composite modules.

Let us assume that correspondents are going to use for private key symmetric encryption. Then they do not need to compute and share the polynomial form of . So in this case requirement is immaterial. Alice and Bob keep parameters , and together with matrices and as part of their private key. They have to present for everybody the algorithm of computation for the value of in a given point .

Of course the polynomial form of is important to study the adversary attacks in the case of interception of many pairs of kind plaintext/ciphertxt (linearization, distinguish, TMD, and guess-and-determine attacks). Known methods of cryptanalysis dealing with bijective encryption have to be modified for attacks on nonbijective multivariate maps.

Notice that(i) defined on has one-dimensional invariant subspace of tuples of kind .(ii)The restriction of onto is an injective map.

So the map of kind , where nonlinear satisfies (i) and (ii) can be used as encryption tool for the plainspace . The cryptosystem of this kind with defined in terms of algebraic graphs is proposed in [14].

In this paper we used described above scheme with different core function to define family of graph based nonbijective stream ciphers. Finally we propose the following generalization of nonbijective encryption bases on the map with the properties (i) and (ii). Instead of (ii) we consider the following property:(iii)The restriction of onto is a bijective map.

In fact, the totality of all maps satisfying (i) and (iii) is a semigroup and the restrictions of elements from onto form a group.

For example, the above defined map is an element of in the case of .

It is easy to see that a map of kind , with nonlinear where and satisfies properties (i) and (ii). It means that can be used for nonbijective multivariate encryption.

Let us consider a toy example of generation of bijective maps with one-dimensional invariant subspace and transformations with properties (i) and (ii) and elements from via symbolic walks on algebraic graphs.

Let us consider a commutative ring and bipartite graph with the partition sets and and incidence relation . We define colour of the vertex via rules and . It is easy to see that for each vertex there is exactly one neighbour () of chosen colour . So let us consider the walk in the graph with starting point of length (number of edges). The information on the walk can be given by sequence of elements , , , , which are colours of vertices of the walk. The walk consists of vertices , , , , . If for , then the walk does not contain consecutive edges. The walks with starting line can be described in similar way. Notice that the description of walks is written uniformly for any commutative ring .

To introduce “symbolic walks” in the graph we need the infinite graph where is the ring of polynomials in variables with coefficients from . Points and lines of new graph are triples , , and , , .

We consider walks started from special point , where are generic elements of . Let , , , be special colours of vertices from the walk, taken from . The walk contains , , , , . The final vertex of the walk is a triple of kind where pair stands for brackets in the case of even and parentheses in the case of odd .

We join corresponding coordinates of initial and last vertex of the above symbolic walk by arrows , , and and obtain the standard form of the transformation of into itself. We use symbol for the map corresponding to the sequence of colours . Notice that for the computation of this map we use only operations +, −, and of commutative ring .

Obviously, affine subspace is an invariant subset for the action of .

We can check the following:(A)In the case of bijective map the transformation is also bijective map. In fact the preimage of can be computed fast as the final vertex of the following walk in the graph . Let be a solution of . , , , , , .(B)If and is chosen as where and then the map satisfies the property (ii). Let and . Then can be computed as solution of , i. e. where . The point can be computed as final vertex of the walk described above.(C)If and is chosen as where and then the map satisfies the property (iii).(D)If for then is a bijective cubical map. You can play with “Sage” and check that property (D) holds for instance in the cases and 5.(E)If where is prime integer then the map does not have fixed points if , . Let us treat as “encryption map” on with the password . Then different passwords produce distinct ciphertext. These properties follow from the fact that the girth (length of minimal cycle) of the graph is eight.(F)Let us consider the encryption map , where is linear map that sends to without change of and . Then, changing a single character in the plaintext causes changing of vast majority of ciphertext characters. Similarly, changing a single character of the password causes the change of most characters of ciphertext.(G)Let us consider some nonbijective Eulerian deformations for encryption scheme (F):(G.1)Let us take with composite m instead of and where , , instead of and denote this map as . We consider encryption map on the plainspace .(G.2)Let us consider Eulerian map , , and change for .(G.3)Let us consider Eulerian map , , , and consider encryption .

Assume that ring elements and integers are internal parameters of encryption algorithms working with the same plainspace and the same keyspace of tuples . Symbolic computation with “Sage” allows to compare degrees of maps . Computer simulations demonstrates the similarity of mixing properties of , , with mixing properties of .

#### 4. On the Class of Bivariate Graphs

Let be a commutative ring. We define as a bipartite graph with the set of vertices , . We call a set of points and a set of lines (two copies of a Cartesian power of are used). We will use two types of brackets to distinguish points and lines :, () are elements of . We say that vertex (point ) is incident with the vertex (line ) and we write , if the following relations between their coordinates hold:where , , . So the incidence relations for graph are given by condition . The set of edges consists of all pairs for which . Let us consider the case of finite commutative ring , with . As it instantly follows from the definition, the order of our bipartite graph is and the number of edges is . Graphs are -regular. In fact, the neighbour of a given point is given by the above equations, where parameters are fixed elements of the ring and symbols are variables. It is easy to see that if we set then the choice uniformly establishes values . So each point has precisely neighbours. In a similar way we observe that the neighbourhood of any line also contains neighbours. Notice that the order and degree of our graph defined via strings , , , , , where , does not depend on the strings.

Let us consider some examples.

##### 4.1. Wenger Graphs

In 1991 Wenger defined the family of bipartite, -regular graphs , where is prime number [5]. In [4] Lazebnik and Ustimenko introduced straight forward generalization of these graphs via change of to , where is a prime power. They used special Lie algebra and proved that the family of bipartite, -regular graphs , . Graphs are defined for all prime powers and are defined only for primes.

The set of vertices of infinite incidence structure is and the set of edges consists of all pairs for which . Bipartite graphs have partition sets (collection of points) and (collection of lines) isomorphic to vector space , where . Let us use the following notations for points and lines in graph : The point is incident with the line , and we write , if the following relations between their coordinates hold:for . The graphs have cycles of length 8.

One can change finite field for general commutative ring and work with graph .

##### 4.2. Graphs

Graphs are formally appearing as tools for the study of properties by V. Ustimenko. Later on the graphs were presented with another name as an independent family for the first time in [6] for cryptographic applications.

Let us use the following notations for points and lines in the graph : The point is incident with the line , and we write , if the following relations between their coordinates hold:for .

##### 4.3. Graphs

The following interpretation of a family of graphs in case can be found in [4]. By we denote the incidence relation for this graph. Let us use the following notations for points and lines: Two types of brackets allow us to distinguish points from lines. Points and lines are elements of two copies of the vector space over . Point is incident with the line , and we write , if the following relations between their coordinates hold:where .

The set of vertices is and the set of edges consists of all pairs for which . Bipartite graphs have partition sets (collection of points) and (collection of lines) isomorphic to vector space , where .

##### 4.4. Graphs

Formal definitions for the family of graphs were presented in [7].

Construction of projective limits graphs of appears in papers motivated by results on embeddings of Chevalley group geometries in the corresponding Lie algebras and construction of blow-up for an incidence system of Weyl groups. Moreover, this structure is the base for construction of family of graphs (see [7]).

Let us use the analogical notations for points and lines in graph :

In the incidence structure the point is incident with the line , and we write , if the following relations between their coordinates hold:for .

Graphs from families and are bipartite, -regular, where . The girth of graphs from the described families increases with the growth of . In fact is a family of graphs of large girth and there is a conjecture that is another family of graphs of a large girth.

All graphs from the considered families are -regular and bipartite and the set of vertices is , . They are sparse graphs.

It is clear that there is a natural homomorphism of onto of “deleting the last coordinate” that sends to and to . It means that there is a well-defined projective limit of graphs , . Bivariate graphs form a special subclass of so called* linguistic graphs* for which natural projective limits are defined in a similar way.

Recall that the girth of the graph is the length of its minimal cycle.

Let us assume that the girth of graphs is unbounded. The obvious inequality holds. It means that projective limit has to be a -regular forest. We have such situation in cases of graphs and . If then is a single tree presented by the above equations. Graph is an infinite forest containing infinitely many trees.

Projective limit of Wenger graphs is an infinite connected graph containing cycles of length 8.

#### 5. General Encryption Algorithm No. 1

We can convert graph to finite automaton in the following way. Let (or ) and be the operator of taking neighbour of vertex where the first coordinate is : where . The remaining coordinates can be determined uniquely using relations describing the chosen graph .

We convert to finite automaton via joining an by directed arrow with weight . We assume that all vertices of the graph are accepting states.

A bit more interesting object is a symbolic bivariate automaton. Let be a string of elements from (totality of polynomials in variable with coefficients from ).

We introduce operator , where is a point or a line with coordinates , of taking the last vertex of the path , , , …, .

We refer to as a computation of the symbolic automaton with the string, , and initial state (or ). We can consider as a map on .

It is easy to see that the restriction of this map on is a polynomial transformation of into (parameter is even) or (parameter is odd) of kind

Notice that generally is not a bijection. Let us consider an invertibility condition for .

Proposition 1. *Let the equations of kind , have exactly one solution. Then map is invertible.*

*Proof. *It is easy to check that if then . It is easy to see that . Let be some point from and (point or line). Then the equation has a unique solution . So we can compute , , , .

We can compute the chain , , , , , with . So is a bijection.

Notice that for of kind , , , , is a composition of , , , . In this case invertibility of each , , guarantees the bijectivity of . We refer to such case as* recurrently defined string*.

Let and be sparse affine bijective transformation of the affine space (free module in other terminology) where and are matrices with . It is clear that