On the cryptosystems based on two Eulerian transformations defined over the commutative rings Z2s, s>1

Authors

  • Vasyl Ustymenko

DOI:

https://doi.org/10.20535/tacs.2664-29132024.1.317960

Abstract

We suggest the family of ciphers sEn, n = 2, 3, ... with the space of plaintexts (Z2^s)^n, s > 1, such that the encryption map is the composition of kinds G = G1 A1 G2 A2, where Ai are the affine transformations from AGLn(Z2^s) preserving the variety (Z*2^s)^n. Eulerian endomorphisms Gi, i = 1, 2, of K[x1, x2, ..., xn] move xi to the monomial term M x1^d(1) x2^d(2) ... xn^d(n), M in Z2^s, and act on (Z2^s)^n as bijective transformations. The cipher is converted to a protocol-supported cryptosystem. Protocols of Noncommutative Cryptography implemented on the platform of Eulerian endomorphisms are used for the delivery of Gi and Ai from Alice to Bob. One can use twisted Diffie-Hellman protocols, which security rests on the complexity of the Conjugacy Power problem, or the hidden tame homomorphism protocol, which security rests on the word decomposition problem. Instead of delivering Gi, Alice and Bob can elaborate these transformations via the inverse twisted Diffie-Hellman protocol, implemented on the platform of tame Eulerian transformations of (Z*2^s)^n. The cost of a single protocol is O(n^3), and the cost of computing the reimage of the used nonlinear map is O(n^2). So, the verification of nt, t ≥ 1, signatures takes time O(nt + 2). Instead of the inverse twisted Diffie-Hellman protocol, correspondents can use the inverse hidden tame homomorphism protocol, which rests on the complexity of word decomposition for tame Eulerian transformations. We use natural bijections between Z2^s and Z2^(s-1), Z2^s and finite field F2^(s-1), and Z2^s and Boolean ring B(s-1) of order 2^(s-1) to modify the family of ciphers or cryptosystems via the change of AGLn(Z2^s) for AGLn(K), where K is one of the rings Z2^(s-1), F2^(s-1), or B(s-1). New ciphers are defined via the multiplication of two different commutative rings Z2^s and K. This does not allow treating them as stream ciphers of multivariate cryptography and using corresponding cryptanalytic techniques. An adversary is not able to use known cryptanalytical methods such as linearization attacks. We discuss the option of changing the elements of AGLn(Z2^s) or AGLn(K) for nonlinear multivariate transformations F of (Z2^s)^n or K^n with a symmetric trapdoor accelerator T, i.e., a piece of information such that the knowledge of T allows computing the value F(p) for an arbitrarily chosen p in P in time O(n^2) and solving the equation of the form F(x) = c for each c in C in time O(n^2).

Downloads

Published

2024-12-16

Issue

Section

Theoretical and cryptographic problems of cybersecurity