On the usage of postquantum protocols defined in terms of transformation semigroups and their homomorphisms

We suggest new applications of protocols of Non-commutative Cryptography defined in terms of subsemigroups of affine Cremona semigroups over finite commutative rings and their homomorphic images to the construction of possible instruments of Post Quantum Cryptography. This approach allows one to define cryptosystems which are not public-key ones. When the extended protocol is finished, the correspondents share a collision multivariate transformation on the affine space 𝐾^𝑛 or on the variety (𝐾*)^𝑛, where 𝐾 is a finite commutative ring and 𝐾* is a nontrivial multiplicative subgroup of 𝐾. The security of such a protocol rests on the complexity of the word problem: decomposing an element of the affine Cremona semigroup given in its standard form into a composition of given generators. The collision map can serve for the safe delivery of several bijective multivariate maps 𝐹𝑖 (generators) on 𝐾^𝑛 from one correspondent to another. So an asymmetric cryptosystem with nonpublic multivariate generators, where one side (Alice) knows the inverses of the 𝐹𝑖 but the other side does not, is possible. We consider the usage of a single protocol or combinations of two protocols with platforms of different nature. The usage of two protocols with the collision spaces 𝐾^𝑛 and (𝐾*)^𝑛 allows safe delivery of two sets of generators of different nature. In terms of such sets we define an asymmetric encryption scheme with the plainspace (𝐾*)^𝑛, the cipherspace 𝐾^𝑛 and a multivariate non-bijective encryption map of unbounded degree 𝑂(𝑛) and polynomial density on 𝐾^𝑛 with injective restriction on (𝐾*)^𝑛. Algebraic cryptanalysis faces the problem of interpolating a natural decryption transformation which is not a map of polynomial density.


Introduction
Investigations of continuous nonlinear transformations of the vector spaces  and  in terms of dynamical systems theory and other methods of chaos studies have applications to cryptography. The usual scheme uses "discretisation" of a continuous map, i.e. finding its natural discrete analog (see [1], [2], [3], [4], [5]). Another approach is connected with studies of -theory of the affine Cremona semigroup of all polynomial maps of the affine space  into itself, where  is a commutative ring. This is the search for instruments for the construction of nonlinear maps defined over arbitrary K with special properties. One of the examples is the dynamical system of large girth (or large cycle indicator) considered in [6], [7], which allows one to introduce large subgroups of cubical transformations of the free module . Notice that, independently of the choice of commutative ring, the composition of two cubic maps in "general position" has degree 9. So these subgroups are very special sets of transformations. Noteworthy that in the case of a commutative ring of characteristic 0 (like the fields  and ) there are bijective polynomial maps whose inverses are not elements of (). One of the simplest examples is the map  →  3 of the one-dimensional affine space . So the family of large subgroups of cubical transformations of ,  > 2, over an arbitrary commutative ring is an interesting mathematical object. We believe that the study of the corresponding infinite algebraic graphs of large girth defined over commutative rings of characteristic zero is an interesting topic for future investigation; the first results in this direction are presented in [8].
Let the symbol () stand for the affine Cremona semigroup (see [38]) of all polynomial transformations of . Studies of stable subsemigroups of (), which are totalities of transformations of the affine space  of degree bounded by a small constant , are motivated by their cryptographic applications. The cases  = 2, 3 are of special interest. Notice that  = 1 corresponds to the general affine semigroup () of all transformations of  of degree 1. Cryptographic algorithms based on cubical stable semigroups include stream ciphers (see [29] and further references), multivariate Diffie-Hellman key exchange protocols and corresponding El Gamal cryptosystems (see [34] and further references), and algorithms of noncommutative cryptography with multivariate platforms ([16], [28], [35], [36]).
Notice that the direct usage of cubical transformations from stable semigroups as public encryption instruments does not make sense, because the inverse map is also a cubical one. One can use ( 3 ) pairs of kind plaintext/corresponding ciphertext and interpolate the decryption map in time ( 10 ). Anyway, for the construction of public keys one can use transformations of a stable semigroup in combination with special unstable transformations (see [9], [10], [26], [27]). For instance, in [9] the author, together with a stable cubical subgroup, uses another distinguished object, the totality () of nonlinear monomial transformations moving each variable  to a single monomial term (1, 2, ..., ) (the algorithms work in the cases  =  and  = ). In fact, subsemigroups of () together with a stable subsemigroup can be used in a secure inverse key exchange protocol in which each correspondent gets one element of a pair of polynomial transformations (, ′) from  preserving (*) such that ′ acts on (*) as the identity. Such a protocol is developed in the spirit of Noncommutative Cryptography (NC), see [17]-[24]. It is very important that Non-Commutative Cryptography is well supported by new modern achievements in cryptanalysis (see [40]-[48]).
In contrast with the usage of generators and relations common in NC, we use the standard way of Multivariate Cryptography of presenting each element of () by its standard form given by lists of monomial terms. Correspondents can use (*) as plainspace and  as cipherspace. So it is an interesting postquantum instrument alternative to public key cryptography, stimulated recently by the U.S. NIST step toward mitigating the risk of quantum attacks via the announcement of the PQC standardisation process [11]. In March 2019, NIST published a list of candidates qualified for the second round of the PQC process. We notice that in the studies cited above certain usages of stable subsemigroups of () for security applications were overlooked. For instance, not only inverse but directed Tahoma protocols with stable and monomial platforms in tandem can be used for the establishment of a multivariate asymmetric procedure. We fill this gap in section 2.
Public keys [9], [10] with the usage of the semigroup () and stable subgroups can be used in the case of a general commutative ring  (finite or infinite) with nontrivial multiplicative group. This algorithm can be enhanced via algorithms generating pairs , −1 from () with the usage of linguistic graphs defined over the commutative group *. A new version of this cryptosystem is given in section 4. It uses the following scheme. Let us assume that  is a large stable subgroup of () with the constant degree . We generate the composition  = , where  is a member of the pair mentioned above, ′ = ′, where  ∈ , and  and ′ are invertible affine transformations from (), as public key rules of kind (1, 2, ..., ) ∈ [1, 2, ..., ],  = 1, 2, ..., , in the cases when the ground commutative ring  has a quite large multiplicative group *. In particular we can generate a polynomial transformation  on the real vector space ,  > 2, of linear degree and prescribed polynomial density  which preserves (*) and acts bijectively on this set (see section 4 of this paper, where the  elements are introduced). Let us assume that the commutative ring  is finite and Alice is able to compute −1 and −1 in polynomial time. The public user Bob works with a map of linear degree in the variable  which has density (+1) (the number of monomial terms in all public rules, which coincides with the density of the map ′ of degree ). These facts guarantee the feasibility of the encryption process, which consists of the computation  = () for an element  from the plainspace (*). Alice, in contrast with Bob, has the factorisation of  into the composition of  and ′. She computes (′)−1() = ′ and restores the plaintext as −1(′). Notice that the inverse map (′)−1−1, unknown to Bob, has unbounded degree and exponential density. Thus the suggested schemes can be considered in future as candidates for Post Quantum Cryptography (PQC) usage. Notice that this is an algorithm of Multivariate Cryptography with a general reference to the complexity of solving a nonlinear system of equations. The corresponding system has unbounded degree and the corresponding multivariate map is not a bijection. Cryptanalysts can try to factorise this map in the form , where  is a monomial map from () and  has bounded degree , but general algorithms of even subexponential complexity for this task are unknown. For a proper investigation of these public key algorithms they have to be compared with other known candidates for postquantum usage (like the algorithms of the second round of the NIST competition). We discover an alternative option. There is no need to announce the standard form of z publicly, because there is a secure way (a protocol) for the delivery of this multivariate encryption tool from one correspondent to another. In fact, instead of , any multivariate map  with injective restriction on (*), of linear degree and polynomial density (),  = 1, 2, 3, can be transported safely from Alice to Bob. Another option is a separate delivery of  and  as above, which makes the computations faster. A description of the implementations of these delivery algorithms in terms of the directed Tahoma protocol is given in section 6. In fact, the author of [14] noticed that the usage of the large groups  and () allows one to create a natural secure inverse protocol with a doubled platform for the secure delivery of the pairs −1, −1 (for Alice) and ,  (for Bob), where  and  are the maps written above. It means that we can postpone the public announcement of . The security of these two solutions with directed and inverse protocols rests on the complexity of decomposing an element of the non-commutative subgroup  of the affine Cremona semigroup, or of the semigroup (), into a product of several generators given by their standard forms. This is the known word problem, which is unsolvable in polynomial time with the usage of a Turing machine or a quantum computer. The first usage of the complexity of the word problem for abstract groups was considered in [15]. The further step is presented in sections 5 and 6; it brings the option to deliver several bijective multivariate transformations of degree 1, 2 and 3 and to conduct an algorithm with a governing formal word and hidden multivariate generators. The stable part of the double inverse platforms of [14] is constructed in terms of algebraic graphs of geometrical nature, and the monomial part is defined in terms of a parabolic subsemigroup of () in the cases  =  and  = . In this paper we use a double directed Tahoma protocol which uses cubical stable groups (section 3) related to constructions of Extremal Group Theory, which already were used for the construction of stream ciphers (see [25] and further references), and new subsemigroups of () (section 4) defined in terms of linguistic graphs over the nontrivial multiplicative group * of a general commutative ring, defined in section 3.

Some protocols of noncommutative cryptography with multivariate platforms
Let ′ < () be a subsemigroup of the affine Cremona semigroup and  be a homomorphism from ′ onto a semigroup  < (),  > .
Alice computes  as (ℎ−1ℎ)−1. So, when the protocol ends, Alice and Bob have a collision transformation of the affine space . Examples of implementations of this algorithm can be found in [16].

Protocol 2.2.
Let us consider the above algorithms in the case when the semigroup  consists of toric elements,  < () and  = ′. Alice forms ℎ and ℎ−1 from () together with the pair , −1 from () and proceeds with the modification of the previous algorithm. Alice selects elements 1, 2, ..., ,  > 1, of the semigroup  and computes ()−1 = . She takes the invertible elements ℎ and  to form the pairs ( = ℎℎ−1,  = −1) and sends them to Bob. The rest of the algorithm is identical to the case of procedure 2.1. After the completion of this protocol Alice and Bob have a common map  acting on the variety (*).
SECURITY BASE: The adversary has to solve the word problem for the subsemigroup ′, i.e. find the decomposition of  from ′ into the generators ,  = 1, 2, ..., . A general algorithm to solve this problem in polynomial time for the variable  is unknown, as well as a procedure to get its solution in terms of quantum computations. The problem depends heavily on the choice of the group.
REMARK. Of course, in each case alternative ways of computing the value () of the isomorphism  between the semigroup <1, 2, ..., > and the group <1, 2, ..., > given by the rule () =  have to be investigated. The correspondents use (*) as plainspace and  as cipherspace. To encrypt, Alice maps her message  in the alphabet * to −1() =  and then she computes the ciphertext  = −1(). Bob decrypts via application of  to  and computation of (()). Similarly, Bob encrypts  via consecutive computation of  and (()). Alice applies −1 to the ciphertext  and computes the plaintext as −1(−1()).

On platforms
REMARK. The encryption and decryption functions of the above algorithm can be treated as polynomial maps of  to  because elements of () act naturally on . Between the encryption and decryption functions there is a density gap, because the decryption map is not a transformation of polynomial density. Such pairs can be used as non-bijective stream ciphers in the spirit of [25]. In the tandem procedure, attacks based on the interception of plaintexts with corresponding ciphertexts are infeasible without the computation of ().

Algorithm 2.3.2.
Alice and Bob can use algorithm 2.2 with the collision map  on (*) as the leading procedure. The supporting procedure is an algorithm of kind 2.1 with the same commutative ring  and parameter . Alice creates elements  and −1 of (). She takes  of kind  → (1, 2, ..., ),  = 1, 2, ..., , and forms the tuple (11, 22, ..., ) to send it to Bob. He uses his knowledge of  to compute . Alice sets the pairs (, ) to start the supporting protocol 2.1. She sends (−1), which has polynomial density, to Bob. He uses his knowledge of  and computes . The correspondents execute protocol 2.1 and get the collision stable map . Alice uses the platform of 2.1 to generate mutually invertible transformations  and −1 acting on . She keeps −1 for herself and sends  +  to Bob. He subtracts  and gets . As in the previous algorithm, Alice and Bob use the plainspace (*) and the cipherspace . To encrypt, Alice maps her message  in the alphabet * to −1() =  and then she computes the ciphertext  = −1().

On linguistic and extremal graphs
and stable nonlinear subgroups of affine Cremona group

Some definitions of extremal graph theory
All graphs we consider are simple ones, i.e. undirected without loops and multiple edges. When it is convenient, we shall identify Γ with the corresponding antireflexive binary relation on (Γ), i.e. (Γ) is a subset of (Γ) × (Γ). The girth of a graph Γ, denoted by  = (Γ), is the length of the shortest cycle in Γ. The diameter  = (Γ) of the graph Γ is the maximal length of the shortest path between two of its vertices. Let  = (Γ) be the length of the minimal cycle through the vertex  from the set (Γ) of vertices of the graph Γ (see [29]). We refer to Cind(Γ) = max( |  ∈ (Γ)) as the cycle indicator of the graph.
The family Γ of connected -regular graphs of constant degree is a family of small world graphs if (Γ) ≤ log(), for some constants ,  > 0.
Recall that a family of regular graphs Γ of degree  and increasing order  is a family of graphs of large girth if (Γ) ≥ log(), for some independent constants ,  > 0.
We refer to a family of regular simple graphs Γ of degree  and order  as a family of graphs of large cycle indicator if Cind(Γ) ≥ log() for some independent constants ,  > 0.
Notice that for a vertex-transitive graph its girth and cycle indicator coincide. The families defined above play an important role in Extremal Graph Theory, the theory of LDPC codes and Cryptography (see [30], [33] and further references).

The algebraic graphs 𝐴(𝑛, 𝐾) and 𝐷(𝑛, 𝐾), some results and open questions
Below we consider the families of graphs (, ) and (, ), respectively, where  > 5 is a positive integer and  is a commutative ring. In the case  =  we use the symbols (, ) and (, ) for these graphs. We define them as homomorphic images of the infinite bipartite graphs () and (), whose partition sets  and  are formed by two copies of the Cartesian power , where  is the commutative ring and  is the set of positive integers. Elements of  will be called points and those of  lines. To distinguish points from lines we use parentheses and brackets.
The description is based on the connections of these graphs with the Kac-Moody Lie algebra with extended diagram 1. The vertices of () are infinite-dimensional tuples over . We write them in the following way () = (0,1, Similarly we define the graphs () on the vertex set consisting of points and lines. We consider the graphs (, *) and (, *) with partition sets isomorphic to (*), given by the equations of (, ) and (, ) where the operation " ˘ " is changed for division /.
For each positive integer  ≥ 2 we consider the subsets () and () containing the first  + 1 elements of  and  with respect to the above orders.
The graph () = () is a -regular forest. Its quotients (, ) are edge-transitive graphs. So their connected components are isomorphic. The symbol (, ) stands for the graph which is isomorphic to one of such connected components.
The question "whether or not (, ) is a family of small world graphs" is still open.
The graph (),  > 2, is a -regular tree. The graphs (, ) are not vertex-transitive. They form a family of graphs with large cycle indicator, which is a q-regular family of small world graphs [32].
The question "whether or not (, ),  = 2, 3, ... is a family of large girth" is still open. We hope that the graphs (, *) and (, *) introduced above possess interesting extremal and spectral properties. The groups (, ) and (, ) of cubical transformations of the affine space  associated with the graphs (, ) and (, ) are interesting objects of algebraic transformation group theory, because the composition of two maps of degree 3 will have degree 9 for the vast majority of pairs. Constructions and applications of these families of transformation groups are recently observed in [33], where some extensions of these groups are introduced.
We introduce the well-defined operator (, ) computing the neighbour of the vertex  of colour  ∈  and the colour jump operator (, ) sending a point or line  = (1, 2, ..., ) to  = (, 2, 3, ..., ). Let () stand for the Cremona semigroup of polynomial transformations of the free module  and () be the affine Cremona group of invertible elements of () with polynomial inverse. These algebraic structures are important objects of algebraic geometry. One of the difficult problems is the construction of families of stable subgroups  of () (or semigroups  of ()), i.e. groups of polynomial transformations with maximal degree equal to a constant . Notice that for the majority of pairs ,  ∈ () of degrees  and  their composition has degree . So this problem is difficult; it has strong cryptographic motivations.
A more general form of this statement is proven in [14]. We refer to Γ as the linguistic compression map. If  is finite then the map converts the totality of potentially infinite strings into a finite semigroup.
THEOREM 1. If Γ is one of the graphs (, ) and (, ), then Γ(Σ()) is a stable subgroup of () of degree 3.
LEMMA 3. Let  ∈ (*); then rev() is an element of the kernel of .
A generalisation of Lemma 1 to the case of a general linguistic graph over a commutative group is proposed in [14].

On Eulerian groups and semigroups
and multiplicative linguistic graphs
Let () stand for the Eulerian group of invertible transformations from (). It is easy to see that the group of monomial linear transformations  is a subgroup of (). So the semigroup () is a highly noncommutative algebraic system. Each element of () can be considered as a transformation of the free module .
We refer to Γ* as the linguistic multiplicative compression map.
We refer to (, ) as a Jordan-Gauss multiplicative transformation or simply a JG element. It is an invertible element of () with the inverse of kind (, ) such that (, )(, ) = 1 (mod ). Notice that in the case  =  the straightforward process of computing the inverse of a JG element is connected with the factorisation problem for the integer . If  = 1 and  is a product of two large primes  and , the complexity of this problem is used in the RSA public key algorithm. We introduced Generalised Jordan-Gauss elements (GJG transformations) of () in the case of an arbitrary commutative ring with nontrivial multiplicative group. For this task we consider the totality () of Eulerian positive integers  such that the equation  =  where  ∈ *,  ∈ * has a unique solution, and change the condition ((1, 1), ) = 1, ((2, 2), ) = 1, ..., ((, ), ) = 1 in the definition of a JG element for (, ) ∈ (). Noteworthy that such a generalisation is especially productive in the case of infinite rings. We refer to a composition of several GJG elements as a computationally tame multiplicative transformation. Let ′() stand for the group of computationally tame elements of ().
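As an added illustration that is not from the paper, the following Python code applies a triangular monomial (Eulerian-type) transformation to the variety (Z_n^*)^m, inverts it by back-substitution with exponent inverses modulo φ(n) (which needs the factorisation of n, as the RSA remark above notes), and reduces exponents modulo |K^*| as the Conclusion suggests. The lower-triangular exponent matrix, the modulus 3233 = 53·61 and the sample points are constructed, and the triangular shape is an assumed reading of a Jordan-Gauss-style element rather than the paper's exact definition.

```python
# Added example, not from the paper: a monomial ("Eulerian") transformation of
# (Z_n^*)^m with a lower-triangular exponent matrix, inverted by back-substitution
# using exponent inverses modulo phi(n).  The triangular shape is an assumed
# reading of a Jordan-Gauss-style element; n = 53*61 and all data are constructed.
from math import gcd, prod

P, Q = 53, 61                 # constructed secret factors known to Alice only
N = P * Q                     # 3233, the public modulus of the ring Z_n
PHI = (P - 1) * (Q - 1)       # 3120 = |Z_n^*|; exponents live modulo PHI

# Exponent matrix A: variable i is sent to the single monomial prod_j x_j^{A[i][j]}.
A = [[7, 0, 0],
     [3, 11, 0],
     [5, 2, 17]]


def is_tame_triangular(exp_matrix, phi):
    """Lower-triangular with diagonal exponents coprime to phi: the map is a
    bijection of (Z_n^*)^m, and its inverse is computable once phi is known."""
    for i, row in enumerate(exp_matrix):
        if any(row[j] != 0 for j in range(i + 1, len(row))):
            return False
        if gcd(row[i], phi) != 1:
            return False
    return True


def reduce_exponents(exp_matrix, phi):
    """Replace each exponent a by a mod phi; x^a == x^(a mod phi) for x in Z_n^*."""
    return [[a % phi for a in row] for row in exp_matrix]


def monomial_apply(exp_matrix, x, n):
    """Evaluate the monomial map at x = (x_1, ..., x_m) in (Z_n^*)^m.
    The value lies in Z_n^m (the cipherspace); for x in (Z_n^*)^m it stays there."""
    return tuple(prod(pow(xj, a, n) for xj, a in zip(x, row)) % n
                 for row in exp_matrix)


def monomial_invert(exp_matrix, y, n, phi):
    """Recover x from y = F(x) by back-substitution.  Needs phi = |Z_n^*|,
    i.e. the factorisation of n, which is what keeps the inverse private."""
    x = []
    for i, row in enumerate(exp_matrix):
        t = y[i]
        for j in range(i):                        # strip known factors x_j^{a_ij}
            t = t * pow(x[j], (-row[j]) % phi, n) % n
        d = pow(row[i], -1, phi)                  # a_ii^{-1} mod phi
        x.append(pow(t, d, n))                    # t == x_i^{a_ii}, so x_i = t^d
    return tuple(x)


def round_trip(x, exp_matrix=A, n=N, phi=PHI):
    """Alice's view: encrypt x from the plainspace (Z_n^*)^m and decrypt it again."""
    assert all(gcd(xi, n) == 1 for xi in x), "plaintext must lie in (Z_n^*)^m"
    y = monomial_apply(exp_matrix, x, n)
    return y, monomial_invert(exp_matrix, y, n, phi)


if __name__ == "__main__":
    plaintext = (2, 3, 5)                         # constructed sample point
    ciphertext, recovered = round_trip(plaintext)
    print("A is tame triangular:", is_tame_triangular(A, PHI))
    print("ciphertext:", ciphertext, "recovered:", recovered)
```

A party who knows only N (and not P, Q) can still evaluate `monomial_apply`, but cannot form the exponent inverses that `monomial_invert` needs.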

On general linguistic graphs over
commutative groups and the generating procedure of mutually inverse transformations of (*).

Asymmetric schemes of multivariate cryptography in safe Eulerian mode
Let , −1 be an asymmetric multivariate encryption scheme like one of the various modifications of the Imai-Matsumoto MIC cryptosystem or another known bijective quadratic multivariate scheme. Assume that the multivariate encryption rule  is given in its standard form. Note that the procedure of computing −1 at a given point can be given as a numerical algorithm. Alice selects  from () given by the rule (1, 2, ..., ) and computes −1. She sends the "deformed"  (see [16] and examples in [41]) in the form of the tuple (1()1, 2()2, ..., ()) together with (−1) in its standard form. Bob is notified of the form of the "deformation rule". So he restores the map .
The correspondents work with the plainspace (*) and cipherspace . Bob writes his message , transforms it to ′ = () and creates the ciphertext as (′) = . Alice computes −1() = ′ and restores the plaintext as −1(′). The adversary is not able to apply known methods of Algebraic Cryptology, because the encryption multivariate map  = () is not a bijective transformation of ; it has unbounded degree. The task of finding ′ on  such that (′) acts on (*) as the identity is infeasible, because the standard form of ′ is not a rule of polynomial density.
The implementation of 2.3.2 on the base of the platform (, ) and the homomorphism of this group onto the transformation group (, ) is very similar to the case of the inverse Tahoma protocol presented in [14]. The difference is that the outcome of the directed protocol is a collision element  from (, ); recall that u is a cubic map.

Conclusion
Let us consider the totality () of elements  of the Cremona semigroup of polynomial degree () and polynomial density () such that the restriction ′ of  onto (*) is an injective map and there is a polynomial algorithm for computing the preimage of an element from Im(′) = ((*)). We assume that an element of () is given via its standard form. In fact we are interested only in the usage of ′. It means that we can substitute each syllable 1 of each monomial term by 1 mod (|*|). So without loss of generality we may assume that  = 1.
We assume that the commutative ring  with unity has a nontrivial multiplicative group *. Noteworthy that the variety () contains all bijective maps of () of bounded degree for which a polynomial procedure to compute the preimage x of F(x) is available. A wide class of such maps is formed by the explicit constructions of Multivariate Cryptography designed as potential candidates for secure public keys or stream ciphers of multivariate nature. For us the existence of effective cryptanalysis for such candidates is immaterial. Some examples of non-bijective elements of () for special rings are given in [26] or [27].
(1) The construction of the group () allows one to generate a pair of mutually inverse elements , −1 of the group and to transfer a selected  from () into the new map  →  = (()) from (). Indeed, both ′ and ′() have degree ().
(2) So the owner of the pair (Alice) can announce  written in standard form as a new public key cryptosystem with the plainspace (*) and cipherspace .
(3) Alternatively, Alice and her correspondent (Bob) can use a cryptosystem of El Gamal type based on subsemigroups of () and () (see [28]). The security of this cryptosystem is based on the word problem. Notice that, together with the algorithm of section 4.3, the inverse protocol can be used in the wide case of a finite commutative ring with nontrivial multiplicative group.
So the correspondents elaborate a pair , −1, where  belongs to Alice and −1 is in the possession of Bob.
Notice that this algorithm is asymmetric. Bob does not have a "local inverse" ′ of  for which ′ acts identically on the variety (*).
(4) For the safe delivery of  to Bob the correspondents may use the direct Tahoma protocol with the two platforms () and (, ). So they elaborate  ∈ () and  ∈ (, ) for Alice and Bob. Alice sends  + () to Bob. He restores () via subtraction of . The remaining part of this algorithm is the same as in the previous one.
The correspondents can use a symmetric scheme, because Alice can deliver  and  in secure mode via the schemes of section 6.
Known methods of algebraic cryptanalysis with the usage of Shirshov-Gröbner algorithms are not applicable to the cryptosystems suggested above, especially in the case of the alternatives to public key cryptosystems.