MST3 Cryptosystem Based on a Generalized Suzuki 2- Groups Gennady Khalimov1 [0000-0002-2054-9186], Yevgen Kotukh2 [0000-0003-4997-620X], Svitlana Khalimova3 [0000-0001-7224-589X] 1Kharkiv National University of Radioelectronics, Kharkiv, Ukraine hennadii.khalimov@nure.ua 2University of Customs and Finance, Dnipro, Ukraine yevgenkotukh@gmail.com 3Kharkiv National University of Radioelectronics, Kharkiv, Ukraine svitlana.khalimova@nure.ua Abstract. The article describes a new implementation of MST3 cryptosystems based on the generalized Suzuki 2 - groups. The main difference in the presented implemen- tation is the presence of many-stage recovery of parts of the message from the en- crypted text. The presented implementation of a cryptosystem has lower costs of key data. The complexity of the cryptanalysis and the size of the message for encryption depend of the power a generalized Suzuki 2 - groups. Keywords: MST cryptosystem, logarithmic signature, random cover, generalized Su- zuki 2 - groups 1 Introduction Current is the development of efficient cryptographic cryptosystems that can with stand quantum attacks. It is believed that the advent of quantum computers and the presence of quantum algorithms for factoring integers and discrete logarithms will lead to hack- ing of known cryptosystems with a public key. The idea of constructing public-key cryptosystems on the basis of an intractable word problem was proposed by Wagner and Magyarik in [1]. The basis is the use of permutation groups. Since the 2000s, several dozen cryptosystems in group construc- tions have been proposed [2÷5]. The development of the idea of Wagner and Magyarik is the proposal of Magliveras [6]. Magliveras proposed a symmetric cryptosystem based on a special type of factori- zation of finite groups named logarithmic signatures for finite permutation groups. The idea of using a logarithmic signature was investigated by Lempken et al. and developed in the construction for random covers in [7]. In this scheme, the public key consists of a tame logarithmic signature as well as some random numbers, and the secret key is design of random cover and sandwich transformation of the cover [8]. The intractability assumptions of this scheme are group factorization problem on nonabelian groups. Copyright © 2020 for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0). ICST-2020 Magliveras cryptosystem based on the Suzuki group is known as MST3. Further improvements to this scheme were made by Svaba and van Trung in [9]. They intro- duced a secret cover of a random cover. A digital signature scheme based on MST3 cryptosystems was proposed and explored in [Hong]. Using two Suzuki parametric groups to build the MST3 cryptosystem leads to se- curity and complexity of the assessment, proportional to the square of the measurement of the final field. A further increase in security is possible by expanding the group. The MST3 cryp- tosystem based on the three-parameter group of automorphisms of the functional field of the Hermite curve [14] and the small Ri group has security and complexity estimates proportional to the cube of the dimension of the finite field [15]. In this paper will be presentation MST3 cryptosystems based on the multi-parame- ter generalized Suzuki 2 - groups. 2 The generalized Suzuki 2 - groups The construct a generalizations of Suzuki 2-groups was proposed by Hakai in [16] at research conjugacy classes and characters for a family of groups satisfying Bannai con- dition. Construction of groups. Let Fq , q = 2n is the finite field, and  is an automorphism of F . Define for a positive integer l and a1 , a2 ,..., al  F the following matrix 1     a1 1  a a1 1  S (a1 , a2 ,..., al ) =  2   M l +1 ( F )  a3 a2 a1 2 1   ... ... ... ... ...     al al −1 al − 2 2 ... a1 l −1 1  and Al (n,  ) = S (a1 , a2 ,..., al ) | ai  Fq  . The each element of Al ( n,  ) can be expressed uniquely and it follows that Al (n, ) = 2nl and Al ( n,  ) define a group of order 2 nl . If l = 2 , this group is isomor- phic to a Suzuki 2-group A( n,  ) . Group operation is defined as a product of two matrices S (a1 , a2 ,..., al ) S (b1 , b2 ,..., bl ) = S (a1 + b1 , a2 + (a1 )b1 + b2 , a3 + (a2 )b1 + (a1 2 )b2 + b3 , ..., al + (al −1 )b1 + ... + (a1 l −1 )bl −1 + bl ). Identity element is unit diagonal matrix S (01 , 0,..., 0) .The inverse element is deter- mined by the inverse of the matrix. The direct calculations can to show that S (a1 ,a2 ,a3 ,..., al ) −1 = S (a1 ,a2 + a1 a1 ,a3 + a2 a1 + a1 2 (a2 + a1 a1 ),..., al + al −1 a1 + ...). Put G = Al (n,  ) . The group G is nonabelian group and has nontrivial center  Z ( G ) = S (0,0,..., c) c  Fq .  Since the center Z ( G ) is elementary abelian of order q, it can be identified with the additive group of the field Fq . Assume that  is the Frobenius automorphism of F ,  : x → x 2 . All the involutions of G are in the center Z ( G ) . Define Gi = S (0,..., 0, ai , ai +1 ,..., al ) . The elements g  Gi have order 2l − i . Let 𝐺/𝐺𝑖 ≙ 𝐴𝑖−1 (𝑛, 𝜃). Thus Gi is a normal subgroup of Al ( n,  ) . Simple show that group Gi for i  (l + 1) / 2 is abelian. This holds by direct calculations. Let   F  , λ is a generator of F  and is fixed and define mapping   : Al (n,  ) → Al (n,  ) by   ( S (a1 , a2 ,..., al ) ) = S (1a1 , 2 a2 ,..., l al ) where 1 =  , 2 =  2 , 3 =  (  2 ) , …, i =  2 +1 . 2 i −1 Then mapping   is an automorphism of Al ( n,  ) and if ( n, i ) = 1 , then   permutes Gi / Gi +1 − Gi +1 A ( n,  ) transitively. For the fixed finite field, the group l order is greater than classical Suzuki 2 - group. A larger group order gives an advantage to cryptosys- tem secrecy, and definition over small fields gives an advantage for the implementation in general. 3 MST cryptosystems The basic idea of MST cryptosystems is to surjective mapping input message into an element of group using a conversion key. Formalization of computations is given by the following definition [12]. Definition 1 (cover (logarithmic signature) mappings). Let  =  A1 ,..., As  be a cover (logarithmic signature) of type (r1 , r2 ,..., rs ) for G with Ai =  ai ,1 , ai ,2 ,..., ai , ri  , where m =  is=1 ri . Let m1 = 1 and mi = ij−=11 rj for i = 2,..., s . Let  denote the canonical bijection 𝜏: ℤ𝑟1 × ℤ𝑟2 ×. . .× ℤ𝑟𝑠 → ℤ𝑚 , s  ( j1 , j2 ,..., js ) =  ji  mi . i =1 Then the surjective (bijection) mapping 𝛼′: ℤ𝑚 → 𝐺 induced by is  ' ( x ) = a1 j1  a2 j2  asjs where ( j1 , j2 ,..., js ) =  −1 ( x ) . More generally, if  =  A1 ,..., As  is a logarithmic signature (cover) for, then each element g  G ∈ can be expressed uniquely (at least one way) as a product of the form g = a1  a2  as , for ai  Ai [7]. Let G is ultimate nonabelian group with nontrivial center Z , such that G does not decompose over Z . Suppose that Z is quite large, such that the search is over Z is computational impracticable. The cryptographic hypothesis, which is the basis for the cryptosystem, is that if  = [A1 , A 2 ,..., A s ] := ( ai , j ) – accidental cover for a "large" matrices S at G , then search for the layout g = a1 j1 a2 j2  asjs for any element g  G relatively  is, in gen- eral, not a solvable problem. There are several encryption algorithms for MST cryp- tosystems. One of the latest versions of MST3 presented in [13] has the following im- plementation.The main steps of the encryption algorithm. Public and private key cal- culation step: • generating a tame logarithmic signatures  = [ B1 , B2 ,..., Bs ] := (b ij ) the class (r1 ,r2 ,...,rs ) for ℤ; • generating a random cover  = [A1 , A 2 ,..., A s ] := ( ai , j ) the same class as і  for some subset J from G such that A1 ,..., A s  G \ Z ; • generating a set of elements t0 , t1 ..., t s  G \ Z ; • definition of the homomorphism to calculate𝑓: 𝐺 → ℤ; • calculating  := (hij ) = (ti −1 f (aij )bij ti ) for i = 1,..., s , j = 1,..., ri . −1 Will get public key – ( = (aij ),  = (hij ), f ) and private key – (  = (bij ),(t 0 ,...., t s )) Encryption step. Set a random number R  Z . Let the message to be encrypted x  Z Z . Calculate y1 =  '( R )  x , y2 =  ( R ) = t0−1 f ( '( R ))b '( R )t s . Transmit y = ( y1 , y2 ) . Decryption step. For decryption we have the cipher text y = ( y1 , y2 ) , private key (  = (bij ),(t 0 ,...., t s )) and the function of the homomorphism f : G → . Let's calculate  ( R) = y2 ts f ( y1 ) t0 . Checking is determined by the fact that −1 −1 y2 =  ( R) = t0−1 f (a1 j1 ( R))b1 j1 ( R)t1  ts−−11 f (asjs ( R))bsjs ( R)ts = b1 j1 ( R)t0−1 f (a1 j1 ( R))t1  bsjs ( R)ts−−11 f (asjs ( R))ts =  ( R)t0−1 f ( ( R))ts =  ( R )t0−1 f ( y1 )t s Recover R with  ( R ) using  −1 , because  is simple. Calculate x =  '( R ) −1  y1 . Complexity analysis.The main costs of implementation in the MST3 cryptosystem are determined by the volume a logarithmic signature over the finite field of the group representation. The long-term key is defined by a logarithmic signature array  and vectors t0 , t1 ..., t s  G \ Z . Let type a logarithmic signatures over the finite field Fq , q = 2n is ( r1 ,..., rs ) and is=1 ri = 2n . Suppose that the values ri are approximately equal ri = 2 n / s , then the size V of the logarithmic signature will have an estimate s 2n / s . For q = 2512 and s = 25 , 26 , 27 , 28 we obtain, respectively, V = 2 21 , 214 , 211 , 210 of the 512 bit strings. The large size of the logarithmic signature is a drawback to the practical implementation of the MST3 cryptosystem. On the other hand, the large size of the logarithmic signature determines the potentially very large entropy of the long-term key for cryptographic transformations. Security Analysis. Message x masked by a logarithmic signature on the arrays  = ( aij ) ,  = ( hij ) which is calculated for a random number R . The function of the homomorphism 𝑓: 𝐺 → ℤ moves the group element to the center of the group. The random values R are actually a session keys. Calculation  ( R) = y2ts−1 f ( y1 ) −1 t0 and the subsequent recovery of R is possible due to the commutativity of the center. Commutative calculations in the center reduce the secrecy of the MST3 cryptosystem based on Suzuki 2-group to evaluate  (q 2 ) . 4 MST3 cryptosystems based on the generalized Suzuki 2 - groups We apply the above construction to build the MST3 cryptosystem based on the gener- alized Suzuki group. Very large generalized Suzuki groups can be constructed over a finite field of fixed dimension. This allows to achieve a compromise between practical implementation and the cryptosystem secrecy. Description of the Scheme. Let’s consider basic encryption steps in MST3 cryptosystem based on the generalized Suzuki group. Key Generation: Input: a large group Al (n,  ) = S (a1 , a2 ,..., al ) | ai  Fq  , q = 2n with the center Z Output: a public key  f , ( k ,  k ) with corresponding private key   k , ( t0( k ) ,..., ts ( k ) )  , k = 1, l / 2 .   Choose a tame logarithmic signatures  k =  B1( k ) ,..., Bs ( k )  = ( bij ) = S ( 0,.., 0, bij (l / 2 + k ) , 0,..., 0 ) of type ( r1( k ) ,..., rs ( k ) ) , i = 1, s , k j = 1, ri ( k ) , bij (l / 2 + k )  Fq , k = 1, l / 2 . The tame logarithmic signature is defined as a bi- jective and factorizable map of  k ( R ) . Select a random cover  k =  A1( k ) ,..., As ( k )  = ( aij )k = S ( 0,..., 0, aij(1)( k ) , 0,..., 0, aij(2)(l/ 2 + k ) , 0,..., 0 ) of the same type as  , where aij  Al (n,  ) , aij(1)( k ) , aij(2)( k )  Fq \ 0 , i = 1, s , j = 1, ri ( k ) , k = 1, l / 2 . Choose t0( k ) , t1( k ) ,..., ts ( k )  Al (n,  ) \ Z , ti ( k ) = S (ti1( k ) ,..., til (k) ) , tij (k)  F  , i = 0, s , j = 1, l , k = 1, l / 2 . Let’s ts( v ) = t0( v +1) , v = 1, l / 2 − 1 . Construct a homomorphism f defined by f ( S (a1 ,..., al ) ) = S (0,..., 0, a 'l / 2 +1 = a1 ,..., a 'l = al / 2 ) . Compute  k =  h1( k ) ,..., hs ( k )  = hij (( a ) ) (b ) t , i = 1, s , j = 1, r , ( ) =t k −1 ( i −1)( k ) f ij k ij k i ( k ) i k = 1, l / 2 , where f ( ( a ) ) ( b ) = S ( 0,..., 0, ( a ) ij k ij k + (b ) , 0,..., 0 ) . (1) ij ij l / 2 + k l / 2+ k ( Output public key  f , ( k ,  k )  , and private key   k , t0 ( k ) ,..., ts ( k )  , k = 1, l / 2 . ) Encryption: Input: a message x  Gl / 2 +1 , and the public key  f , ( k ,  k )  , k = 1, l / 2 . Output: a ciphertext ( y1 , y2 ) of the message x . Choose a random R = ( R1 , R2 ,..., Rl / 2 ) , 𝑅1 , 𝑅2 , . . . , 𝑅𝑙/2 ∈ ℤ|𝐹𝑞 | . 𝑙 Compute: y1 =  ' ( R )  x = 1 ' ( R1 )   2 ' ( R2 )   3 ' ( R3 )   l / 2 ' ( Rl / 2 )  x = S ( a1(1) ( R1 ) , a2(1) ( R2 ) + ,..., al(1)/ 2 ( Rl / 2 ) + , al(2) / 2 +1 ( R1 ) + xl / 2 +1 + ,..., al (2) ( Rl / 2 ) + xl + ) . The components of ( ) in the formula are determined by cross-calculations in the group operation of the product. Compute: y2 =  ' ( R ) =  1 ' ( R1 )   2 ' ( R2 )   l / 2 ' ( Rl / 2 ) = S (, ,..., , al(1)/ 2 +1 ( R1 ) + l / 2 +1 ( R1 ) + ,..., al(1) ( Rl / 2 ) + l ( Rl / 2 ) + ) . Here, the ( ) components are determined by cross-calculations in the group opera- tion of the product of t0 ( k ) ,..., ts ( k ) , k = 1, l / 2 . Output ( y1 , y2 ) . Decryption: ( Input: a ciphertext ( y1 , y2 ) and private key   k , t0 ( k ) ,..., ts ( k )  , k = 1, l / 2 . ) Output: the message x  Gl / 2 +1 corresponding to ciphertext ( y1 , y2 ) . To decrypt a message x , we need to restore random numbers R = ( R1 , R2 ,..., Rl / 2 ) The parameter a1(1) ( R1 ) is known from the y1 as the first parameter and it is included in the l / 2 + 1 component of y 2 , because al(1)/ 2 +1 ( R1 ) = a1(1) ( R1 ) . Compute: D (1) ( R1 , R2 ,..., Rl / 2 ) = t0(1)  y2ts−(1l / 2) = S ( 0,..., 0, al(1)/ 2 +1 ( R1 ) + l / 2 +1 ( R1 ) ,..., al(1) ( Rl / 2 ) + l ( Rl / 2 ) ) . D ( R) = D (1) ( R1 , R2 ,..., Rl / 2 ) f ( y1 ) = S ( 0,..., 0, l / 2 +1 ( R1 ) , al(1)/ 2 + 2 ( R2 ) + l / 2 + 2 ( R2 ) + ,...) . Restore R1 with  l / 2 +1 ( R1 ) using l / 2 +1 ( R1 ) , because  is simple. −1 For further calculations, it is necessary to remove the components of the arrays 1 ' ( R1 ) and  1 ' ( R1 ) from ciphertext ( y1 , y2 ) . Compute: y1(1) = 1 ' ( R1 )  y1 =  2 ' ( R2 )   3 ' ( R3 )   l / 2 ' ( Rl / 2 )  x −1 = S ( 0, a2(1) ( R2 ) , a3(1) ( R3 ) + ,..., al(1)/ 2 ( Rl / 2 ) + , / 2 + 2 ( R2 ) + xl / 2 + 2 + ,..., al xl / 2 +1 + , al(2) (2) ( Rl / 2 ) + xl + ) y2(1) =  1 ' ( R1 ) y2 =  2 ' ( R2 )   l / 2 ' ( Rl / 2 ) −1 = S (, ,..., , al(1)/ 2 + 2 ( R2 ) + l / 2 + 2 ( R2 ) + ,..., al(1) ( Rl / 2 ) + l ( Rl / 2 ) + ) . Repeat the calculations D(2) ( R2 ,..., Rl / 2 ) = t0(2)  y2 ts−(1l / 2) = S ( 0,..., 0, al(1)/ 2 + 2 ( R2 ) + l / 2 + 2 ( R2 ) ,..., al(1) ( Rl / 2 ) + l ( Rl / 2 ) ) D ( R) = D(2) ( R2 ,..., Rl / 2 ) f ( y1(1) ) = S ( 0,..., 0, l / 2 + 2 ( R2 ) , al(1)/ 2 +3 ( R3 ) + l / 2 +3 ( R3 ) + ,...) . Restore R2 with  l / 2 + 2 ( R2 ) using l / 2 + 2 ( R2 ) . −1 Repeating iteratively calculating after l / 2 steps, we obtain the recovery of R = ( R1 , R2 ,..., Rl / 2 ) and the message x from y1 . Example. We will show the correctness of the obtained expressions in the following simple example. Fix the generalized Suzuki group G = A4 (n,  ) over the finite field Fq , q = 210 . Assume that  is the Frobenius automorphism of Fq ,  :  →  2 . Let’s define A4 (n, ) = S (a1 , a2 , a3 , a4 ) | ai  Fq  . Group operation is defined as a product of two matrices S (a1 , a2 , a3 , a4 ) S (b1 , b2 , b3 , b4 ) = S (a1 + b1 , a2 + a12b1 + b2 , a3 + a2 2b1 + a14b2 + b3 , a4 + a32b1 + a2 4b2 + a18b3 + b4 ). The inverse element is determined as S (a1 , a2 , a3 , a4 ) −1 = S (a1 ,a2 + a12 a1 ,a3 + a2 2 a1 + a14 (a2 + a12 a1 ), a4 + a32 a1 + a2 4 (a2 + a12 a1 ) + a18 (a3 + a2 2 a1 + a14 (a2 + a12 a1 ))) = S (a1 ,a2 + a13 ,a3 + a2 2 a1 + a14 a '2 , a4 + a32 a1 + a2 4 a '2 + a18 a '3 ) where a '2 = a2 + a13 , a '3 = a3 + a2 2 a1 + a14 a '2 . Let`s construct a tame logarithmic signatures ( ) ( )  k =  B1( k ) ,..., Bs ( k )  = bij k = S 0,.., 0, bij (l / 2 + k ) , 0,..., 0 of type ( r1( k ) ,..., rs ( k ) ) , i = 1, s , j = 1, ri ( k ) , bij (l / 2 + k )  Fq , k = 1, l / 2 . We have l = 4 , k = 1, 2 . Let`s define two arrays as follows 1 =  B1(1) ,..., Bs (1)  = ( bij )1 = S ( 0, 0, bij (3) , 0 ) ,  2 =  B1(2) ,..., Bs (2)  = ( bij )2 = S ( 0, 0, 0, bij (4) ) and bij (3) , bij (4)  Fq . Logarithmic signatures 1 and  2 in a group representations define bij (3) and bij (4) coordinates. Types ( r1( k ) ,..., rs ( k ) ) and logarithmic signatures 1 and  2 are chosen in- dependently. Let`s logarithmic signatures 1 and 2 have a same type ( r ,..., r ) = ( r ,..., r ) . 1( k ) s(k ) 1 s As an example, ( r1 ,..., rs ) = ( 22 , 22 , 23 , 23 ) . Arrays bij (3) , bij (4) consist of four subar- rays with a number of rows equal to ri . You can select any fragmentation of arrays with the condition  is=1 ri = q . In our case we have is=1 ri = 210 . Each row bij it`s an element of the field Fq . The construction of arrays of logarithmic signatures is presented in [17]. First stage is to generate a tame logarithmic signature with the dimension of corre- sponding selected type ( r1( k ) ,..., rs ( k ) ) and finite field Fq . In our case ( r ,..., r ) = ( 2 , 2 , 2 , 2 ) , 1( k ) s(k ) 2 2 3 3 q = 210 and  k =  B1( k ) , B2( k ) , B3( k ) , B4( k )  . Since 1 and 2 have a same type ( r ,..., r ) = ( r ,..., r ) we will get the same  , k = 1, 2 on the first stage. 1( k ) s(k ) 1 s k Let's set a tame logarithmic signature with entries Bi. β(1)= B1 00 00 000 000 10 00 000 000 01 00 000 000 11 00 000 000 B2 00 00 000 000 00 10 000 000 00 01 000 000 00 11 000 000 B3 00 00 000 000 00 00 100 000 00 00 010 000 00 00 110 000 00 00 001 000 00 00 101 000 00 00 011 000 00 00 111 000 B4 00 00 000 000 00 00 000 100 00 00 000 010 00 00 000 110 00 00 000 001 00 00 000 101 00 00 000 011 00 00 000 111 Let R = 673 . We obtain the following basis factorization for a given type ( 1( k ) ,..., rs ( k ) ) = ( 22 , 22 , 23 , 23 ) in the form of R = ( R1 , R2 , R3 , R4 ) = (1, 0, 2,5) , where r R1 + R2 22 + R3 24 + R4 27 = 673 . Let`s calculate the vector of the logarithmic signature  ( R ) = B1 ( R1 ) + B2 ( R2 ) + B3 ( R3 ) + B4( k ) ( R4 ) = 1000000000 + 0000000000 + 0000010000 + 0000000101 = 1000010101 To calculate  ( R ) −1 it is enough to select groups of bits in the vector according to the type  ( R ) = 10 00 010 101 = ( R1 , R2 , R3 , R4 ) = (1, 0, 2,5 ) −1 and recover R . Bits positions in a logarithmic signature vector  ( R ) are uniquely associated with subarrays Bi ( k ) and bit values at these positions with the row number of the subarray Bi ( k ) . To increase the security of arrays  k various cryptographic transformations can be used. For example, simple ones like adding noise vectors, permutations of strings in subarrays Bi , merge of arrays Bi , their permutation, matrix transformations. In our example, we use noising of β(1) and merge of arrays Bi . This allows to con- struct two different logarithmic signatures 1 and  2 . Perform random noising of β(1) in accordance with the above mentioned rule β(2)= B1 00 00 000 000 10 00 000 000 01 00 000 000 11 00 000 000 B2 11 00 000 000 10 10 000 000 10 01 000 000 01 11 000 000 B3 10 10 000 000 01 11 100 000 01 00 010 000 00 10 110 000 11 01 001 000 10 01 101 000 01 11 011 000 00 10 111 000 B4 01 00 110 000 00 11 010 100 11 00 011 010 10 01 000 110 01 10 101 001 01 10 010 101 00 11 100 011 11 01 001 111 Here the noise bits are in bold. For R = (1, 0, 2,5 ) we get the logarithmic signature vector  ( R ) = B1 ( R1 ) + B2 ( R2 ) + B3 ( R3 ) + B4 ( R4 ) = 1000000000 + 1100000000 + 0100010000 + 0110010101 = 0110000101 Let`s define a highest group of bits in the vector for the calculation of  ( R ) −1 in accordance with type  ( R ) = 0110 000 101 → ( , , ,5 ) and by the combination of −1 101 we will recover R4 . Select the sixth row from the array B4 and deduct it from the original vector  ( R ) = 0110000101 + 0100010000 = 0010 010 101 → ( , , 2,5 ). −1 Repeat this procedure until the last subarray of the logarithmic signature and restore ( R1 , R2 , R3 , R4 ) = (1, 0, 2,5 ) . Apply the merge procedure for the subarrays B1 , B2 , B3 , B4 within a rule of C1 = ( B1 , B4 ) , C2 = B2 , C3 = B3 . The first logarithmic signature 1 has the type ( r1(1) ,..., rs (1) ) = ( 25 , 2 2 , 23 ) and imagine these permutations on the next map 1 2 3 4  1 =   . In the field representation 1 has the following form  4 1 2 3 β1= B1(1) {25,103,380,332,666,173,820,814,385,525,195, 261,787,364,151,830,81,908,528,765,612,47, 588,442,258,705,330,846,751,397,989,136} B2(1) {77,154,10,957} B3(1) {154,232,309,620,849,654,578,404} The numerical values of arrays determine the degree indicators of the generating element of the field  =  i , whose binary representation are strings β1. Representation of 0 defines single element  0 of the field Fq . Similarly, we construct the second log- arithmic signature  2 . We represent these permutations by a mapping of the form 1 2 3 4  2 =   . We got a new type ( r1(2) ,..., rs (2) ) = ( 2 , 2 , 2 ) of a logarithmic 2 5 3 1 4 2 3  signature  2 .  2 has the following form in the field representation β2= B1(2) {00,0,1,77} B2(2) {258,705,330,846,751,397,989,136,577,45, 1009,592,704,921,941,187,680,667,643,84, 295,869,978,903,233,214,468,548,852,465, 333,475} B3(2) {154,232,309,620,849,654,578,404} Arrays of logarithmic signatures 1 and  2 in the group representation, defines the coordinates bij (3) and bij (4) , respectively 1 =  B1(1) ,..., Bs (1)  = ( bij )1 = S ( 0, 0, bij (3) , 0 ) ,  2 =  B1(2) ,..., Bs (2)  = ( bij )2 = S ( 0, 0, 0, bij (4) ) . Construct random covers  k , for the same type as 1 и  2 1 =  A1(1) ,..., As (1)  = ( aij )1 = S ( aij(1)(1) , 0, aij(1)(3) , 0 )  2 =  A1(2) ,..., As (2)  = ( aij )2 = S ( 0, aij(2)(2) , 0, aij(2)(4) ) , where aij  Al (n,  ) , aij(1)( k ) , aij(2)( k + 2)  Fq \ 0 , i = 1, s , j = 1, ri ( k ) , k = 1, 2 . Each cover  k defined by only two arrays aij ( k ) , aij ( k + 2) (1) (2) ( ) with non-zero entries. Let`s generate random covers  1 ,  2 . α1= A1(1) {(15,40),(3,400),(215,82),(990,633), (1017,597),(212,67),(788,14),(101,35), (876,505),(12,15),(21,44),(72,590), (4,319),(161,431),(41,30),(181,1008), (87,938),(427,713),(112,37),(611,147), (8,42),(188,652),(98,744),(366,96), (251,388),(349,726),(170,833),(110,897), (429,616),(331,647),(298,801),(221,529)} A2(1) {(717,101),(21,95),(977,1344),(170,195)} A3(1) {(454,865),(335,550),(881,677),(458,704), (644,233),(689,439),(329,934),(188,457)} and α2= A1(2) {(111,1010),(51,349),(756,953),(337,527)} A2(2) {(210,243),(309,833),(221,133),(889,126), (535,129),(909,565),(728,441),(572,375), (15,637),(71,228),(215,9),(108,553), (473,240),(348,570),(369,731),(213,416), (648,799),(451,606),(713,587),(909,436), (520,314),(19,52),(564,871),(11,531), (449,277),(392,688),(265,1002),(78,93), (223,924),(558,748),(372,975),(513,185)} A3(2) {(204,882),(69,633),(779,354),(988,754), (2277,553),(419,894),(291,632),(551,15)} Choose random t0( k ) , t1( k ) ,..., ts ( k )  Al (n,  ) \ Z , s = 3 , l = 4 , k = 1, 2 and t3(1) = t0(2) . Let for the first logarithmic signature we have t0(1)=(117,960,531,471) t-10(1)=(117,541,917,223) t1(1)=(332,801,14,522) t-11(1)=(332,158,398,295) t2(1)=(158,432,254,173) t-12(1)=(158,19,206,894) t3(1)=(1003,389,195,56) t-10(1)=(1003,329,199,962) and for the second logarithmic signature  2 t0(2)=(1003,389,195,56) t-10(2)=(1003,329,199,962) t1(2)=(448,674,345,179) t-11(2)=(448,689,655,108) t2(2)=(221,33,309,992) t-12(2)=(221,15,1021,692) t3(2)=(649,712,760,702) t-13(2)=(649,23,656,14) The next step is to calculate the arrays  1 и  2 . By the condition of the example, we obtain ( )  1 =  h1(1) ,..., h3(1)  = ( hij )1 = t(−i1−1)(1) f ( aij )1 ( bij )1 ti (1)  2 =  h1(2) ,..., h3(2)  = ( hij )2 = t(−i1−1)(2) f (( a ) ) (b ) t ij 2 ij 2 i (2) Construct a homomorphism f defined by f ( S (a1 , a2 , a3 , a4 ) ) = S (0, 0, a1 , a2 ) . For example, let R1 = ( R1(1) , R2(1) , R3(1) ) = (1,1,5 ) = 673 and  1 ( 673) = h1(1) (1) h2(1) (1) h3(1) ( 5 ) = S ( 516,578,850,374 ) . Let R2 = ( R1(2) , R2(2) , R3(2) ) = ( 2, 6, 2 ) = 354 . Compute  2  2 ( 354 ) = h1(2) ( 2 ) h2(2) ( 6 ) h3(2) ( 2 ) = S ( 487, 227, 651,318 ) . Encryption Input: a message x  G3 , x = S ( 0, 0, x3 , x4 ) , and the public key  f , ( k ,  k )  , k = 1, 2 . Output: a ciphertext ( y1 , y2 ) of the message x . Let x = S ( 0, 0, 299,824 ) . Choose a random R = ( R1 , R2 ) , R1 , R2 , Fq . Let R1 = 673 и , R2 = 354 . Compute y1 =  ' ( R )  x = 1 ' ( R1 )   2 ' ( R2 )  x = S (139,814,393, 699 ) y2 =  ' ( R ) =  1 ' ( R1 )   2 ' ( R2 ) = S ( 30, 766, 734,871) . Output y1 = (139,814,393, 699 ) , y2 = ( 30, 766, 734,871) . Decryption ( Input: a ciphertext ( y1 , y2 ) and private key   k , t0 ( k ) ,..., ts ( k )  , k = 1, 2 . ) Output: the message x  G3 corresponding to ciphertext ( y1 , y2 ) . To decrypt a message x , we need to restore random numbers R = ( R1 , R2 ) . Compute D (1) ( R1 , R2 ) = t0(1) y2 t s−(2) 1 = t0(1) S ( 30, 766, 734,871) t s−(2) 1 = S ( 0, 0, 459, 233 ) . D ( R) = D (1) ( R1 , R2 ,..., Rl / 2 ) f ( y1 ) = S ( 0,..., 0, l / 2 +1 ( R1 ) , al(1)/ 2 + 2 ( R2 ) + l / 2 + 2 ( R2 ) + ,...) S ( 0, 0, 459, 233) S ( 0, 0,139,814 ) = S ( 0, 0, 235,950 ) . We get 1 ( R1 ) =  235 = (0 0 0 0 1 1 1 1 0 0) . Recovery of R1 was done earlier R = ( R1 , R2 , R3 ) = (1,1,5 ) . For further calculations, it is necessary to remove the components of the arrays 1 ' ( R1 ) and  1 ' ( R1 ) from ciphertext ( y1 , y2 ) . Compute: y2(1) =  1 ' ( R1 ) y2 = S ( 516,578,850,374 ) S ( 30, 766, 734,871) = −1 −1 S ( 516,97,108,579 ) S ( 30, 766, 734,871) = S ( 487, 227, 651,318 ) Repeat the calculations D (2) ( R2 ) = t0(2) y2 (1) ts−(2) 1 = t0(2) S ( 487, 227, 651,318 ) ts−(1l / 2) = S ( 0, 0, 0, 233) y1(1) = 1 ' ( R1 )  y1 = S (139, 27,959,977 ) S (139,814,393, 699 ) = −1 −1 S (139, 787, 0,148 ) S (139,814,393, 699 ) = S ( 0, 693, 299, 784 ) D ( R) = D (2) ( R2 ) f ( y1(1) ) = S ( 0, 0, 0, 233) f ( S ( 0, 693, 299, 784 ) ) = S ( 0, 0, 0, 233) S ( 0, 0, 0, 693) = S ( 0, 0.0, 444 ) Restore R2 with  2 ( R2 ) =  444 = (1 1 1 1 1 1 0 0 1 1) . Perform inverse calculations  2 ( R2 ) . Select bit groups in vector  ( R ) according −1 to type ( r1(2) ,..., rs ( k 2 ) = ( 22 , 22 , 23 , 23 ) . We use the same calculations as in the example for 1 ( R1 ) , and we get −1 11|11|110|011 R2=(*,*,*,6) 00|11|100|011 row from β(2) 11|00|010|000 R2= (*,*,2,6) 01|00|010|000 row from β(2) 10|00|000|000 R2= (*,0,2,6) 11|00|000|000 row from β(2) 01|00|000|000 R2= (2,0,2,6)  2 ( R ') = 11 00 010 011 = ( R1 ', R2 ', R3 ', R4 ' ) = ( 2, 0, 2, 6 ) . −1 The resulting vector along with the concatenation of array entries B2(2) , B4(2) due to their merging, we write in the following bit representation  2 ( R ') := 2 ( 2, 0, 2, 6 ) → ( 2, 6 0, 2 ) = ( 01, 01100, 010 ) . −1 The transition from bit to numeric gives the desired value R2 = ( R1(2) , R2(2) , R3(2) ) = ( 2, 6, 2 ) . Receive a message x =  ' ( R ) y1 =  2 ' ( R2 )  1 ' ( R1 )  y1 −1 −1 −1 = S ( 0, 693, 0, 418) S (139, 787, 0,148) S (139,814, 393, 699 ) = S ( 0, 0, 299,824 ) . Output: the message x = ( 0, 0, 299,824 ) . Security Analysis. An attack on the cryptosystem is possible by solving the  ( R1 , R2 ,..., Rl / 2 ) = t0(1)  y2 ts−(1l / 2) f ( y1 ) equation by selecting t0( k ) and ts ( k ) vectors. There are l / 2 such vectors. The success of an attack is determined by the selection of t0( k ) and ts ( k ) vectors and has complexity proportional to the l / 2 power of the group Al ( n,  ) due to the non- commutativity of the generalized Suzuki group. Brute force attack is possible by selection R1 , R2 ,..., Rl / 2l  Fq . The complexity is determined by the value l / 2 , finite field power Fq in proportion to l / 2 Fq . Complexity analysis. Fix the generalized Su- zuki group G = Al (n,  ) and the logarithmic signature for the type ( r1 ,..., rs ) over the finite field Fq , q = 2n . Suppose that the values ri are approximately equal ri = 2 n / s . Early show that the size of the logarithmic signature has the estimate V = ls Al (n,  ) . For q = 264 , Al (n,  ) = 2512 , l = 8 and s = 23 , 24 , 25 we obtain, 1/ ls respectively, V = 214 , 211 , 210 of the 64 bit strings. 5 Conclusions The proposed design of the MST3 cryptosystem based on the generalized Suzuki group provides potentially higher privacy and optimizes the cost of key data. The differ- ence from the well-known MST3 construction is the iterative key recovery from calcu- lations in the large normal subgroup of the generalized Suzuki group. References 1. N.R. Wagner and M.R. Magyarik, “A public-key cryptosystem based on the word problem”, Proc. Advances in Cryptology – CRYPTO 1984, LNCS 196, Springer-Verlag (1985), pp. 19–36. 2. 2K.H. Ko, S.J. Lee, J.H .Cheon, J.W .Han, J. Kang, and C. Park, “New public-key cryp- tosystem using braid groups”, in Advances in cryptology—CRYPTO 2000 ,vol.1880of Lec- ture Notes in Computer Science , pp. 166–183, Springer, Berlin, Germany, 2000. 3. B. Eick and D. Kahrobaei, “Polycyclic groups: a new platform for cryptology”, http://arxiv.org/abs/math/0411077. 4. V. Shpilrain and A. Ushakov, “Thompsons group and public key cryptography”, in Applied Cryptography and Network Security, vol. 3531 of Lecture Notes in Computer Science, pp. 151–164, 2005. 5. 5D. Kahrobaei, C. Koupparis, and V. Shpilrain, “Public key exchange using matrices over group rings”, Groups, Complexity, and Cryptology ,vol.5,no.1,pp.97–115,2013. 6. S.S. Magliveras, “A cryptosystem from logarithmic signatures of finite groups”, in Proceed- ings of the 29th Midwest Symposium on Circuits and Systems , pp. 972–975, Elsevier Pub- lishing, Amsterdam, The Netherlands, 1986. 7. W. Lempken, S.S. Magliveras, Tran van Trung and W. Wei, “A public key cryptosystem based on non-abelian finite groups”, J. of Cryptology, 22 (2009), 62–74. 8. S.S.Magliveras, D.R.Stinson, and T.vanTrung, “New approaches to designing public key cryptosystems using one-way functions and trapdoors in finite groups”, Journal of Cryptol- ogy , vol. 15, no. 4, pp. 285–297, 2002. 9. S.S. Magliveras, P. Svaba, T. Van Trung, and P. Zajac, “On the security of a realization of cryptosystem MST3”, Tatra Mountains Mathematical Publications ,vol.41,pp.65–78,2008. 10. H.Stichtenoth, “Über die Automorphismengruppe eines algebraischen Funktionenkörpers von Primzahlcharakteristik” I, II, Arch. Math. 24, pp.524–544 and pp.615–631, 1973. 11. A. Garcia, H. Stichtenoth, C.-P.Xing, “On Subfields of the Hermitian Function Field”, Kluwer Academic Publishers, Compositio Mathematica 120: pp.137–170, 2000. 12. W. Lempken and T. van Trung, “On minimal logarithmic signatures of finite groups”, Ex- perimental Mathematics,vol.14, no. 3, pp. 257–269, 2005. 13. H.Hong, J.Li, L.Wang, Y. Yang, X.Niu “A Digital Signature Scheme Based on MST3 Cryp- tosystems” Hindawi Publishing Corporation, Mathematical Problems in Engineering ,vol 2014, 11 pages, http://dx.doi.org/10.1155/2014/630421 14. G.Khalimov, Y. Kotukh, S.Khalimova “MST3 cryptosystem based on the automorphism group of the hermitian function field”, 2019 2019 IEEE International Scientific-Practical Conference: Problems of Infocommunications Science and Technology, PIC S and T 2019 – Proceedings 15. G. Khalimov, T.T.Simon, A.M.Adrees, E.Kotukh “MST3 cryptosystem based on a small Ree groups” 3rd IEEE international conference advanced information and communication technologies-2019 “Next-generation networking for the Internet of Things: 5g, sdn, nfv and cloud computing” 2~6 july, 2019 ,Lviv, Ukraine 16. A.Hanaki “A CONDITION ON LENGTHS OF CONJUGACY CLASSES AND CHARACTER DEGREES” Osaka J. Math. 33 pp.207-216, 1996 17. P. Svaba, “Covers and logarithmic signatures of finite groups in cryptography”, Dissertation, https://bit.ly/2Ws2D24