=Paper=
{{Paper
|id=Vol-3896/paper11
|storemode=property
|title=Jordan-Gauss graphs and quadratic public keys of Multivariate Cryptography
|pdfUrl=https://ceur-ws.org/Vol-3896/paper11.pdf
|volume=Vol-3896
|authors=Vasyl Ustimenko,Oleksandr Pustovit
|dblpUrl=https://dblp.org/rec/conf/ittap/UstimenkoP24
}}
==Jordan-Gauss graphs and quadratic public keys of Multivariate Cryptography==
https://ceur-ws.org/Vol-3896/paper11.pdf
Jordan-Gauss graphs and quadratic public
keys of Multivariate Cryptography
Vasyl Ustimenko1,2,†, Oleksandr Pustovit2,∗,†
1
Royal Holloway University of London, United Kingdom, Egham Hill, Egham TW20 0EX, United Kingdom
2
Institute of telecommunications and global information space, NAS of Ukraine, Chokolivsky Boulevard 13, Kyiv,
02000, Ukraine
Abstract
Jordan-Gauss graphs are bipartite graphs given by special quadratic equations over the commutative
ring K with unity with partition sets K n and K m such that the neighbour of each vertex is defined by
the system of linear equation given in its row-echelon form. We use families of this graphs for the
construction of new quadratic surjective multivariate maps F of affine spaces over K with the
trapdoor accelerator T which is a piece of information which allows to compute the reimage of F in
polynomial time.
In particular for each quadratic automorphism F of K[x1, x2,..., xn] with the trapdoor accelerator T we
construct the quadratic surjective map F’ of Kt, t=n 2+n onto K t-s, s≥0 with the trapdoor accelerator T’,
T’>T.
So we can introduce enveloping trapdoor accelerator for Matsumoto-Imai cryptosystem over finite
fields of characteristic 2, for the Oil and Vinegar public keys over Fq or quadratic multivariate public
keys defined over Jordan-Gauss graphs D(n, K),where K is arbitrary finite commutative ring with the
nontrivial multiplicative group
Keywords
Multivariate Cryptography, Jordan – Gauss graphs, Projective Geometries, Largest Schubert Cells,
Symbolic Computations 1
1. Introduction
This paper presents the generalisations of the quadratic multivariate public key given in [23]
and defined via special walks on projective geometries over finite fields and their natural
analogues defined over general commutative rings. Multivariate cryptography is one of the five
main directions of Post-Quantum Cryptography.
The progress in the design of experimental quantum computers is speeding up lately.
Expecting such development the National Institute of Standardisation Technologies of USA
announced in 2017 the tender on standardisation best known quantum resistant algorithms of
asymmetrical cryptography. The first round was finished in March 2019, essential part of
1
ITTAP’2024: 4th International Workshop on Information Technologies: Theoretical and Applied Problems, October 23-
25, 2024, Ternopil, Ukraine, Opole, Poland
∗
Corresponding author.
†
These authors contributed equally.
Vasyl.Ustymenko@rhul.ac.uk (V. Ustimenko); sanyk_set@ukr.net (O. Pustovt)
0000-0002-2138-2357 (V. Ustimenko); 0000-0002-3232-1787 (O. Pustovit)
Copyright © 2024 for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR
ceur-ws.org
Workshop ISSN 1613-0073
Proceedings
�presented algorithms were rejected. In the same time the development of new algorithms with
postquantum perspective was continued. Similar process took place during the 2, 3 and 4th
rounds.
The last algebraic public key «Unbalanced Oil and Vinegar on Rainbow like digital
signatures» (ROUV) constructed in terms of Multivariate Cryptography was rejected in 2021
(see [2], [3]). The first 4 winners of this competition was announced in 2022, they are developed
in terms of Lattice Theory.
Noteworthy that NIST tender was designed for the selection and investigation of public key
algorithms and in the area of Multivariate Cryptography only quadratic multivariate maps were
investigated. We have to admit that general interest to various aspects of Multivariate
Cryptography was connected with the search for secure and effective procedures of digital
signature where mentioned above ROUV cryptosystem was taken as a serious candidate to
make the shortest signature.
Let us summarize the outcomes of mentioned above NIST tender.
There are 5 categories that were considered by NIST in the PQC standardization (the
submission date was 2017; in July 2022, the 4 winners and the 4 final candidates were proposed
for the 4th round - this is the current official status. However, the current 8 final winners and
candidates only belong to the following 4 different mathematical problems (not the 5 announced
at the beginning):- lattice-based,- hash-based,- code-based, - supersingular elliptic curve isogeny
based.
The standards are partially published in 2024.
Its interesting that new obfuscation ‘’TUOV: Triangular Unbalanced Oil and Vinegar’’ were
presented to NIST (see
https://csrc.nist.gov/csrc/media/Projects/pqc-dig-sig/documents/round-1/spec-files/TUOV-
spec-web.pdf) by principal submitter Jintaj Ding.
Further development of Classical Multivariate Cryptography which study quadratic and
cubic endomorphisms of Fq[x1, x2,…, xn] is reflected in [14]. Current research in Postquantum
Cryptography can be found in [4], [5], [6], [7], [8], [9], [10], [11], [12]. [13], [15], [16], [17], [27],
[28], [29], [30]
We use the concept of quadratic accelerator of the endomorphism σ of K[x1, x2,…, xn] which
is the piece of information T such that its knowledge allows us to compute the reimage of (σ, Kn)
in time O(n 2). Symbol K stands here for an arbitrary commutative ring with unity. Our
suggestion is to use for public key the pairs (σ, T) such that σ has a polynomial density, i. e.
number of monomial terms of σ(xi), i=1,2,…,n. Some examples of such public keys the reader can
find in [1], [22]
For each pair (K, n), n>1 we present quadratic automorphism σ of K[x1, x2,…, xn] with the
trapdoor accelerator T defined via totality of special bipartite Jordan-Gauss graphs with the
partition sets isomorphic to Kn. We discuss the possible use of these transformation in the case
of finite fields and arithmetical rings Zq where q is a prime power.
In this paper we suggest new quadratic multivariate public rules defined in terms of
Projective Geometry. Recall that multivariate public rule G has to be given in its standard form
xi →gi(x1, x2, … , xn), where polynomials gi are given via the lists of monomial terms in the
lexicographical order.
We consider the bipartite induced subgraphs J(F) of projective geometry over the field F
which partition sets are the largest Schubert cells. The incidence of points and lines of these
�graphs is given by the system of quadratic equations such that the neighbourhood of each
vertex is a solution set of the system of linear equation written in its row-echelon form.
Straightforward change of the finite field F for the general commutative ring with unity gives
the definition of cellular Schubert graph J(K) (see [23]). We use graphs J(K[x1, x2,…., xn])) for the
construction of trapdoor accelerators, which are surjective multivariate maps F of Kn onto Kn’
written in their standard form together with the piece of information T such that the knowledge
of this information allows to compute the reimage for the given value of F.
The first cryptosystem based on such trapdoor accelerator where proposed in 2015 (see [31]),
cryptanalysis for the system is still unknown. The obfuscations of these cryptosystems was
suggested in [32]. They were seriously generalized in [23] where walks on general cellular
Schubert graphs were used.
In this article we suggest a wide class of generalization of previously proposed trapdoor
accelerators based on Jordan-Gauss graphs. The main idea is to use algebraic temporal graphs.
Such graphs are given via the system of algebraic equations which depends on the time of the
computation.
In the Section 2 we define cellular Schubert graphs. These Jordan-Gauss graphs will be used
in the constructions of quadratic multivariate transformations of the affine spaces together with
the corresponding trapdoor accelerators for the computation of reimages of these maps (se
Section 4).
Section 3 is dedicated to constructions of trapdoor accelerators for the polynomial maps
defined in terms of temporal linguistic graphs, i. e. special sequences of linguistic graphs. In
general case the degree of constructed maps can be essentially higher than 2.
Section 5 presents some methods of constructions of new trapdoor accelerators in terms of
known ones. In Section 6 we discuss the possible impact of proposed algorithms.
2. Schubert cellular graphs over the fields
commutative ring
The missing definitions of graph-theoretical concepts which appear in this paper can be found
in [17], [18] or [19]. All graphs we consider are simple graphs, i.e. undirected without loops and
multiple edges. Let V(G) and E(G) denote the set of vertexes and the set of edges of G
respectively. When it is convenient, we shall identify G with the corresponding anti-reflexive
binary relation on V(G), i.e. E(G) is a subset of V(G)∙V(G) and write v G u for the adjacent
vertexes u and v (or neighbours). We refer to |{ x ϵ V(G)| xGv }| as degree of the vertex v. The
incidence structure is the set V with partition sets P (points) and L (lines) and symmetric binary
relation I such that the incidence of two elements implies that one of them is a point and another
one is a line. We shall identify I with the simple graph of this incidence relation or bipartite
graph. The pair x,y, xϵP, yϵL such that x I y is called a flag of incidence structure I. Projective
geometry n-1PG(Fq) of dimension n-1 over the finite field Fq, where q is a prime power, is a totality
of proper subspaces of the vector space V=(Fq) n of nonzero dimension.
This is the incidence system with type function t(W)=dim(W), W ϵ n-1 PG(Fq) and incidence
relation I defined by the condition W1IW2 if and only if one of these subspaces is embedded in
another one. We can select standard base e1, e2,…, en of V and identify n-1PG(Fq) with the totality of
linear codes in (Fq)n.The geometry n-1ℾ(q)= n-1PG(Fq) is a partition of subsets n-1ℾ(q) i consisting of
�elements of selected type i, i=1,2, …, n-1. We assume that each element of V is presented in the
chosen base as column vector (x1, x1, … , xn). Let U stands for the unipotent subgroup of
automorphism group PGLn(Fq) consisting of lower unitriangular matrices. 5
Let us consider orbits of the natural action of U on the projective geometry n-1PG(Fq). They
are known as large Schubert cells. Each of orbits on the set ℾm(Fq) contains exactly one
symplectic element spanned by elements ei(1), ei(2), ..., ei(m). So the number of orbits of (U, ℾm(Fq))
equals to binomial coefficient Cmn (n,m). Noteworthy that the cardinality of n-1 ℾm(Fq) is
expressed by Gaussian binomial coefficient. Unipotent subgroup U is generated by elementary
transvections xi,j(t), in and surjective map L’2 of affine space Km onto Km’, m≥m’ and get surjective map
L’1 F L’2 of affine space Kn’ onto Km’.
1) Algorithm 2.
Let us assume that s>r. We select the linguistic graph Im(K) of type (s, r, m) with symbolic
scheme S and graphs 1Im(K) of type (r, s, m), 2Im(K) of type (s, r, m),..., graph 2tIm of type r, s, m
with the symbolic schemes iS, i=1, 2,..., 2t. Similarly to algorithm 1 we consider the graphs
Im(K[z1, z2, ..., zs+m]) together with
j
Im(K[z1, z2,..., zm+s]) , j ≥ 1 and select the polynomial tuples
0
H=(0h1(z1, z2,..., zs), 0h2(z1, z2, ..., zs), ..., 0hs(z1, z2, ..., zs)),
0
G=( 0g1(z1, z2, ..., zs), 0g2(z1, z2, ..., zs),..., 0gr(z1, z2, ..., zs)),
1
H=(1h1(z1, z2,..., zs), 1h2(z1, z2, ..., zs), ..., 1hr(z1, z2, ..., zs)),
1
G= ( 1g1(z1, z2, ..., zs), 1g2(z1, z2, ..., zs),..., 1gs(z1, z2, ..., zs)),
2
H=(2h1(z1, z2,..., zs),2h2(z1, z2, ..., zs), ..., 2hs(z1, z2, ..., zs)),
2
G= ( 2g1(z1, z2, ..., zs), 2g2(z1, z2, ..., zs),..., 2gr(z1, z2, ..., zs)),
...,
2t
H=(2h1(z1, z2,..., zs),2h2(z1, z2, ..., zs), ..., 2hs(z1, z2, ..., zs)),
2t
G= ( 2tg1(z1, z2, ..., zs), 2tg2(z1, z2, ..., zs),..., 2tgr(z1, z2, ..., zs)),
H=H2t+1=(h1(z1, z2,..., zs), h2(z1, z2, ..., zs), ..., hr(z1, z2, ..., zs)).
As in the algorithm 1 we take a special point (z1, z2 , ..., zs, zs+1, zs+2,..., zm+s)=(z) and compute
1
Jb(0) ((z)) = 0(z) in the graph Im(K[z1, z2, ..., zs+m]) with b(0)= 0H,
Nc(0) (0(z))= 0([u]) in Im(K[z1, z2, ..., zs+m]) with c(0)= 0G,
1
Jb(1) (0([u]))=1([z]) in the graph 1Im(K[z1, z2,..., zm+s]) with b(1)= 1H,
1
Nc(1) (1([z]))= 1(u) in the graph 1Im(K[z1, z2,..., zm+s]) with c(1)= 1G,
1
Jb(2) ( 1(u))=2(z) in the graph 2Im(K[z1, z2,..., zm+s]) with b(2)= 2H,
2
Nc(2) ( (z))= (u)
2 2
in the graph 2Im(K[z1, z2,..., zm+s]) with c(2)2= 2G,
…..
1
Jb(2t) (2t-1([u]))=2t([z]) in the graph 2tIm(K[z1, z2,..., zm+s]) with b(2t)= 2tH,
� 1
Nc(2t) (2t([z]))= 2t(u) in the graph 2tIm(K[z1, z2,..., zm+s]) with c(2t)= 2tG.
Finally we compute u as 2Jb (2t(u)) with b=H.
Assume that u=(h1(z1, z2,..., zs), h2(z1, z2,...,zs),..., hr(z1, z2,...., zs), gs+1(z1, z2,..., zs, zs+1, zs+2,..., zs+m),
gs+2(z1, z2,..., zs, zs+1, zs+2,..., zs+m), ..., gs+m(z1, z2,..., zs, zs+1, zs+2,..., zs+m)).
We consider the polynomial map F of Ks+m to Kr+m itself given by the following rule
(z1, z2,..., zs, zs+1, zs+2,..., zs+m)→(h1(z1, z2,..., zs), h2(z1, z2,..., zs),..., hs(z1, z2,...., zr), gs+1(z1, z2,..., zs,
zs+1, zs+2,..., zs+m),
gs+2(z1, z2,..., zs, zs+1, zs+2,..., zs+m), ..., gs+m(x1, x2,..., xs, xs+1, xs+2,..., x s+m).
The transformation F is defined via the sequence of linguistic graphs
of consecutively adjacent types Im(K)=0Im(K), 1Im(K), 2Im(K), ...,2tIm(K) and listed above
sequences of tuples iH, i=0, 1, ..., 2t+1 and iG, i=0, 1, 2, ..., 2t with coordinates from K[z1, z2, ..., zs]
of length s or r.
Proposition 3 [22]. Let ( z1 , z2, …, zs)→( h1(z1, z2,..., zs), h2(z1, z2,..., zs),..., hr(z1, z2,...., zs) be a
surjective map B from Ks onto Kr. Then transformation F=F(jIm(K), jG, iH), j=0, 1, …, 2m+1, i=0, 1,
…, 2m+2 is a surjective map of Ks+m to Kr+m .
Proposition 4 [22]. Let the conditions of the Proposition 1.1 holds and the polynomial map
B has a trapdoor accelerator.
Assume that L’1 and L’2 are surjective affine maps of affine space Kn’ onto Kn, n’>n and
affine space Km onto Km’, m≥m’ respectively . Then polynomial surjective map L’1 F L’2 of affine
space Kn’ onto Km’ also has a trapdoor accelerator.
Below we present a modification of Algorithm 1.
Let Im(K) be a linguistic graph of type (s, r, m). We
define its digraph cover D(Im(K)) as the following directed graph.
The set of vertexes of D(Im(K)) is subdivided into two blocks.
3The first one PLm(K) is the totality of ordered flags of kind ((p) , [l]) of the incidence
structure Im(K) where (p)=(p1, p2,..., ps, ps+1,..., ps+2,..., ps+m), [l]=[l1, l2,..., lr, lr+1, lr+2,..., lr+m] such that
(p)I[l] and the totality
LPm (K) of ordered flags of kind [[l], p] and binary relation ψ which is defined via the
conditions
((p), [l])ψ[[l’], (p’)] if [l]=[l’] and (p)≠(p’), [[l],(p)]ψ((p’), [l])) if
(p)=(p’), [l] ≠[l’].
We refer to pair of tuples <(p1, p2,..., ps), [l1, l2, ..., lr]> of ((p), [l]) from PLm(K) as the colour of
the flag. We say that (p1,p2,…,ps) and [l1,l2,…,ls] are internal and external colours of the flag ((p),
[l]). The information on the flag can be given by the tuple (p1, p2, ..., ps, ps+1 , ps+2,..., ps+m, l1, l2, ..., lr).
Dual presentation of ((p), [l]) is (p1, p2,…, ps, l1, lr+2,…, lr+m, l1, l2,…, lr)* given via the coordinates of
line.
Similarly we say that [l1, l2,...,lr] and (p1,p2,…,ps) are internal and external colours of [[l],(p)].
The information on this flag can be given by the tuple [l1,l2,..., lr, lr+1, lr+2,..., lr+m, p1, p2,..., ps] or dual
presentation [l1,l2,..., lr, ps+1, ps+2,..., ps+m, p1, p2,..., ps]*.
� We introduce operator of change the colour 1JCa, a=(p’1, p’2,..., p’s, l’1, l’2,..., l’r) [(p), [l])]= (p1’,
p’2, ..., p’s, ps+1, ps+2,..., ps+m, l’1, l’2,..., l’r) acting on PLm(K) and operator 2JCa , a=(l1’, l’2,...., l’r, p’1,
p’2,..., p’s), 2JCa([[l],(p)]) [l’1, l’2,..., l’r, lr+1 ,lr+2, ..., lr+m, p’1, p’2 ,...p’s] acting on the set LPm(K).
Algorithm 3.
Alice takes the sequence of graphs D(Im(K)), D( lIm(K)), l=1,2,…,t. She will work with the
multivariate ring K’=K[z1, z2,…, zs, zs+1, zs+2,…, zs+m, z1s+m+1, zs+m+2, …, zs+m+r ] and graphs
D(Im(K’)),D( lIm (K’)).
Alice selects the tuple 0H=(h1, h2,…, hs, g1, g2,…, gr) , H’=(h’1, h’2,…, h’s, g’1, g’2,…, g’r) and
i
H=(ih1, ih2,…, ihs, ig1, ig2,…, igr) from (K’)s+r . She takes the flag (z)=( z1, z2,…, zs, zs+1, zs+2,…, zs+m,
zs+m+1, zs+m+2, …, zs+m+r ) of Im(K’).
Assume that for ((p),[ l]) from j PL(Im(K’)), j=1.2,…,t-1 symbol ((p),[ l])*
means ([l], (p)) from j+1PL(Im(K’)). If ((p),[ l]) is a flag from tPL(Im(K’)) then ((p),[ l])* is ([l], (p))
from t-1PL(Im(K’)).
Alice uses operator 1Ja, a= 0H and computes 1z =1Ja(z)=( h1, h2,…, hs, z s+1, zs+2,…, zs+m, g1, g2,…
gr) in the graph D(Im(K)). She computes (1u)=(1z)*= [ g1, g2,… gr, z’ s+1, z’s+2,…, zs’+m, h1, h2,…, hs] of
the graph 1Im (K’) where [ g1, g2,… gr, z’ s+1, z’s+2,…, zs’+m] is the neighbour of ( h1, h2,…, hs, z s+1,)
zs+2,…, zs+m) in Im(K’).
2Next Alice uses 1Ja(1), a(1)= 1H and computes 1Ja(1)(1u)= 2z in the graph 1Im (K’) and
( u)=( 2z)* from 2Im (K’).
2
She continue this procedure and constructs (iu), i=3.4,…, t. Alice takes (tu) from tIm (K’)
and uses 2Jb, b= H’ for the computation of u=1J(tu) of kind ( h’1, h’2,…, h’s, v1, v2, …, vm, g’1,
g’2,…, g’r) or (g’1, g’2,…, g’r, v1, v2, …, vm, h’1, h’2, …, h’s) dependently on t mod 2.
She uses the following map G= G=G(jIm(K), iH, H’), i=0,1,…,t as the output of the algorithm.
z1→h’1(z1, z2,…, zs, zs+m+1, zs+m+2, …, zs+m+r),
z2→h’2(z1, z2,…, zs, zs+m+1, zs+m+2, …, zs+m+r),
…
zs→h’s(z1, z2,…, zs, zs+m+1, zs+m+2, …, zs+m+r),
zs+1→v1(z1, z2,…, zs, zs+1, zs+2,…, zs+m, zs+m+1, zs+m+2, …, zs+m+r),
zs+2→ v2(z1, z2,…, zs, zs+1, zs+2,…, zs+m, zs+m+1, zs+m+2, …, zs+m+r),
…,
zs+m→vm(z1, z2,…, zs, zs+1, zs+2,…, zs+m, zs+m+1, zs+m+2, …, zs+m+r),
z1+s+m→g’1(z1, z2,…, zs zs+m+1, zs+m+2, …, zs+m+r),
z2+s+m→g’2(z1, z2,…, zs, zs+m+1, zs+m+2, …, zs+m+r),
…
zr+s+m→g’r(z1, z2,…, zs,, zs+m+1, zs+m+2, …, zs+m+r).
Proposition 5 [22]. Let z1 →h’1(z1, z2,..., zs zs+m+1, zs+m+2, …, zs+m+r), z2 → h’2(z1, z2,..., zs , zs+m+1,
zs+m+2, …, zs+m+r),..., zs→ h’s,(z1, z2mzs, zs+m+1, zs+m+2, …, zs+m+r), z1+s+m→g’1(z1, z2,…, zs zs+m+1, zs+m+2, …,
zs+m+r), z2+s+m→g’2(z1, z2,…, zs zs+m+1, zs+m+2, …, zs+m+r), …, ), zr+s+m→g’r(z1, z2,…, zs , zs+m+1, zs+m+2, …,
zs+m+r)
be a bijective map B from Ks+r onto Ks+r. Then transformation G=G(jIm(K), iH, H’), j=0, 1, …, t is
a bijective map of Ks+r+m to itself.
� Proposition 6 [22]. Let the conditions of the Proposition 3 holds and the polynomial map B
has a trapdoor accelerator. Then the standard form F of L1GL2 where L1 and L2 are affine
transformations from AGLn(K), n=s+r+m has a trapdoor accelerator.
The justification of this statement can be obtained via the modification of the procedure in
the proof of Proposition 2.
4. On the examples of Schubert cellular graphs, their
symplectic quotients and cryptographic algorithms
Let us consider graphs m,m-1CS m+k-1(F) over the field F which are induced subgraphs of projective
geometry PGm+k-1(F) with vertices from the largest Schubert cells on the totalities of
m=dimensional and m-1 dimensional subspaces of the vector space Fm+k. They can be defined as
totalities of points (x)=(x1, x2,…,xk, x1,1, x1,2,….,x k,m-1 ) and lines [y]=[y1, y2,…,ym-1, x1,1, x1,2,….,x k,m-1]
from F k(m-1)+kand F k(m-1)+m-1 where indexes of coordinates of kind i,j for` i=1,2,…,k and j=1,2,…,
m-1 are 1ordered lexicographically and the point (x) is incident to the line [y] if and only if the
conditions for each pair i,j.
Thesymbolic type S of this graph is the triple (k, m-1, k(m-1)) and the list of Li,j={xi yj} ordered
lexicographically. Let K be commutative ring with the unity then graph m,m-1CS m+k-1(K) is defined
via the change of F for K.
Let Ik(m-1)(K) be the Jordan-Gauss graph over K symbolically equivalent to m,m-1CS m+k-1(K) then
corresponding equations are ai,jxi,j- bijyi,j= ci,jxiyj where ai,j and bij are elements of multiplicative
group K* and ci,j are elements from K-{0}.
We can see that arbitrary nonempty subset M of {(11),(1,2),…, (m-1, m-1)} is define the
symplectic quotient IM of Ik(m-1)(K).
Other special case of cellular Schubert graph is m,1CSm(F) of type (m-1, m-1, 1) when we have
points and lines of kind (x1, x2,…, xm) and [y1, y2, …., ym] and equation xm-ym=x1y1 +x2y2+…
+xm-1ym-1. Symbolically equivalent to m,1CSm(F) will be Jordan-Gauss graph of type (m-1, m-1, 1)
with the incidence given by an equation of kind axm-bym=c1x1y1 +c2x2y2+…+cm-1xm-1ym-1 with a and
b from the multiplicative group K* and ci from K-{0}.
Let us consider special homomorphisms of linguistic graphs and corresponding semigroups.
Let I(K) be linguistic graph over commutative ring K defined in section and M = {m(1), m(2),…,
m(d)} be a subset of {1, 2, …, m} (set of indexes for equations). Assume that equations indexed by
elements from M of the following kind
am(1)+s xm(1) -bm(1)ym(1)+r=fm(1)(x1, x2 , …, xs ,y1, y2, … , yr)
am(2)xm(2)+s -bm(2)ym(2)+r= fm(2)(x1, x2, … ,xs,xm(1)+s,y1, y2, … , yr,, ym(1)+r)
)…
am(d)xm(d)+s -bm(d)ym(d)+r =fm(d) (x1, x2, … , xs,, ,xm(1)+s, xm(2)+s,… , xm (d-1)+s, y1, y2, … , yr,, ym(1)+r, ym(2)+r,,… , ym (d-1)+r)
define other linguistic incidence structure IM..
Then the natural projections δ1,: (x)→(x1, x2, … , xs,, xm(1)+s, xm(2)+s,… , xm(d)+s) and δ2: [y]→[y1, y2, … ,
yr, ym(1)+r,ym(2)+r,… , y m(d)+r] of free modules define the natural homomorphism δ of incidence
structure I onto I’=IM.. We will use the same symbol ρ for the colouring of linguistic graph IM..
It is clear, that δ is colour preserving homomorphism of incidence structures (bipartite
graphs). We refer to δ as symplectic homomorphism and graph IM as symplectic quotient of
�linguistic graph I. In the case of linguistic graphs defined by infinite number of equations we
may consider symplectic quotients defined by infinite subset M (see [22] where symplectic
homomorphism was used for the cryptosystem construction).
As it follows from the definition the symplectic quotient of Jordan-Gauss graph is also
Jordan-Gauss graph.
For each linguistic graph I and M={1, 2,…,d}, d1 as maximal degree of its
coordinates as multivariate polynomials.
Proposition 7 [22]. Let the condition of Proposition 1 holds, graph jIm(K), j=0,1, …, 2t +1 are
symbolically equivalent to l,kCSn(K) or its dual graph and deg(jH)+deg(jG)≤2, j=1,2,…, 2t+1,
deg(H)=2. Then transformation G=F(jIm(K)j, jG, iH), j=0, 1, …, 2t+1, i=0, 1, …, 2m+2 is a bijective
quadratic map of Ks+m to itself.
So under the conditions of Proposition 7 the construction of Proposition 2 is a bijective
quadratic transformations with the trapdoor accelerator.
Proposition 8 [22]. Let the condition of Proposition 3 holds, graph jIm(K), j=0,1, …, 2t are
symbolically equivalent to l,kCSn(K) or its dual graph and deg(jH)+deg(jG)≤2, j=1,2,…, 2t,
deg(H’)=2. Then transformation G=F(jIm(K), jG, iH), j=0, 1, …, 2t, i=0, 1, …, 2m+1 is a surjective
quadratic map of Ks+m to Kr+m itself.
So under the conditions of Proposition 8 the construction of Proposition 4 is a surjective
quadratic transformations with the trapdoor accelerator.
Proposition 9 [22]. Let the condition of Proposition 7 holds, graph jIm(K), j=0,1, …, t are
symbolically equivalent to l,kCSn(K) or its dual graph and deg(jh1, jh2, ,,,, jhs)+deg( jg1, jg2, ,,,, jgr)≤2,
j=0,1,2,…, t, and deg (H’)=2. Then the transformation G=G(jIm(K)j, iH, H’), j=0, 1, …, t is a bijective
quadratic map of Ks+r+m to itself.
So under the conditions of Proposition 9 the construction of Proposition 6 is a bijective
quadratic transformations with the trapdoor accelerator.
Remark. We can substitute graphs jIm(K) of the propositions 7, 8 and 9 for the nontrivial
symplectic quotients of these Jordan-Gauss graphs.
�5. On the extensions of known trapdoor accelerators
Let us discuss Algorithm 1 in the case when the conditions of Proposition 2 and Proposition 7
hold. So graph jIm(K), j=0,1, …, 2t +1 are symbolically equivalent to l,kCSn(K) or its dual graph and
deg(jH)+deg(jG)≤2, j=1,2,…, 2t+1, and deg(H)=2 and the transformation B has a trapdoor
accelerator T. We suggest the following two options for the construction of the pair (B, T).
1.We take the triangular transformation Q:x1→a1x1+b1, x2→a2x2+f2(x1), x3→a3x3+f3(x1, x2),…,
xs→ asxs+fs(x1, x2,…,xs-1) where ai, i=1, 2,…, s are elements from K* and deg fi=2, i=2,3,…,s together
with two elements D1wn and D2 from AGLs(K) and define B as D1QD2.
So the standard form of B and the decomposition of B into D1QD2 will be used as a trapdoor
accelerator.
2. In [1] authors constructed multivariate quadratic cryptosystem based on Jordan-Gauss
graphs D(s, K), s>4 of type (1, 1, s). Corresponding trapdoor accelerator is a standard form of
automorphism of K[z1, z2,…, zs] and trapdoor accelerator which provides1 the knowledge on the
graph D(s,K) and the tuple of ring elements of length O(n2). We may assume that the knowledge
on the graph is publicly known.
3. We can use the procedure of Algorithm 1 under the conditions of Proposition 2 and
Proposition 7 in the case of graph s,kCSs, kn=k+m and the affine space Km+r-1 onto Km’, m+r-1≥m’ respectively. Then
she computes the standard form G of polynomial surjective map L’1 F L’2 of affine space Kn’ onto
Km’ and sends it to Bob.
Assume that Alice and Bob gets the hash value (c1, c2, …., cm’).
Alice creates the intermediate tuple of variables u=(u1, u2,…ur-1, ur, ur+1, …, ur+m-1) and writes
the system of linear equations L’2 (u)=c. So she gets the solution *u=(*u1, *u2,…, *ur-1 , *ur, *ur+1,
…, *ur+m-1) and considers the quadratic equations B(z1, z2,..., zk)=*u =(*u1, *u2,…, *ur-1). The
knowledge on the trapdoor accelerator of B allows Alice to get a solution z*=(*z1, *z2,…, *zk).
So Alice computes 2tG= ( 2tg1(*z1, *z2, ..., *zk), 2tg2(*z1, *z2, ...,* zk),..., 2t
gr-1(*z1, *z2, ...,
*zk))=b(2t),
2t
H=(2h1(*z1, *z2,..., *zk),2h2(*z1, *z2, ..., *zk), ..., 2hk(*z1, *z2, ..., *zk))=a(2t),…,
2
G= ( 2g1(*z1,* z2, ..., *zk), 2g2(*z1, *z2, ..., *zk),..., 2gr-1(*z1,*z2, ..., *zk))=b(2),
2
H=(2h1(*z1, *z2,..., *zk),2h2(*z1,* z2, ..., *zk), ..., 2hk(*z1,* z2, ...,* zk))=a(2),
� 1
G= ( 1g1(*z1, *z2, ..., *zk), 1g2(*z1,*z2, ..., *zk),..., 1gk(*z1,* z2, ..., *zk))=b(1),
1
H=(1h1(*z1, *z2,..., *zk), 1h2(*z1, *z2, ..., *zk), ..., 1hr-1(*z1, *z2, ..., *zk))=a(1),
-
0
G=( 0g1(*z1, *z2, ..., *zk), 0g2(*z1, *z2, ..., *zk),..., 0gr-1(*z1, *z2, ..., *zk))=b(0),
0
H=(0h1(*z1, *z2,..., *zk), 0h2(*z1, *z2, ..., *zk), ..., 0hk(*z1, *z2, ..., *zk)))=a(0).
Alice considers the graph 2tIm(K) with the line *u and computes 2Jb(2t)(*u)=u2t. She
takes the point Na(2t)(u2t)=v2t.
Alice treats v2t as the line of the graph 2t-1Im(K) and computes 2Jb(2t-1)=u2t-1. Alice forms the
vertex
Na(2t-1)=v2t-1 of graph 2t-1Im(K).
She treats v2t-1 as vertex of 2t-2Im(K) and computes 2Jb(2t-2)=u2t-2.
Alice takes the neighbour Na(2t-2)(u2t-2)=v2t-2.
She continues this process.
Alice takes the vertex v1 of the graph 1Im (K). She treat it as the line of the graph 0Im(K).
Alice computes 2Jb(0)((v1)=u0.
She computes Na(0)(u0)=v0 .
Finally Alice computes v=1Jz*(v0).
So she gets v=(v1, v2,…., vk, vk+1, vk+2,…,vk+m).
Alice writes the system of linear equations
L’1(y1, y2, …., yn’)=v and gets the solution *y= (*y1, *y2, …., *yn’).
She sends *y to Bob. He checks that G(*y)=c.
6. Conclusion
6.1. Some remarks
Below we present some heuristic arguments supporting the conjecture that the complexity to
find the reimage of quadratic map of algorithms 1 and 2 without the knowledge of described
trapdoor accelerator is nonpolynomial.
Let us consider the case when Alice does not use endomorphisms L1 and L2 of degree 1.
Assume that she use only one cellular Schubert graphs s,kCSm(K) with the operator of
changing colour and the operator to compute the neighbour of chosen vertex. We can consider
the graph ψ of the binary relation “ colours of vertexes x and y of different type can be changed
to make recoloured vertexes adjacent in s,kCSm(K). Then input x and output y vertexes of
�algorithm 1 or 2 will be connected by the walk in ∙ψ. Dijkstra algorithm will allow us to find the
walk between x and y and recover the reimage of y in time vln (v) where v is the order of graph.
Let d , d>3 be the order of finite commutative ring K and n be the maximal dimension of the
space of the partition sets of ψ. Then v>dn and the complexity of Dijkstra algorithm of finding
the path between the input and the output of the algorithm is exponential one. We can expect
that with the temporal graph defined via the sequence of Jordan-Gauss graphs j Im(K), j=0, 1, 2,…
the complexity of finding the path will be higher.
Temporal Jordan-Gauss graphs can be used for the constructions of new platforms of
Noncommutative Cryptography (see [36], [37], [38], [39], [40], [41], [42] and new cryptanalytic
results [43],[ 44], [45], [46], [47], [48], [49]). These platforms are special semigroups or groups of
degree bounded by constant (2 or 3) of the Cremona semigroup of all endomorphisms of K[x1,
x2,…, xn] over the selected K. Examples of such platforms can be found in [33], [22].
6.2. The summary
Multivariate Cryptography (MC) is one of the five core directions of Postquantum
cryptography. It is specially important for creation of fast digital signatures procedures. Despite
the fact currently announced by National Standards of Information Technology (NIST, USA)
standards of postquantum cryptography are constructed in the terms of alternative to MC
approaches the intensive research on new multivariate cryptosystem is continue. When it
comes to digital signatures, NIST has developed two standards. The first is called Module-
Lattice-Based Digital Signature Algorithm (ML-DSA for short) and defines a general digital
signature algorithm.
The second one is called Stateless Hash-Based Digital Signature Algorithm (SLH-DSA for
short). It is a digital signature algorithm based on the hash technique. Essentially shorter
signatures can be obtained with the multivariate cryptosystem ’’TUOV: Triangular Unbalanced
Oil and Vinegar’’ algorithm were presented to NIST (see
https://csrc.nist.gov/csrc/media/Projects/pqc-dig-sig/documents/round-1/spec-files/TUOV-
spec-web.pdf) by principal submitter Jintaj Ding.
Our paper presents several new multivariate digital signatures. Some of them are the
generalisations of schemes [31] known since 2015 for which the cryptanalysis is still unknown.
Proposed methods allow us to construct obfuscations of arbitrary selected multivariate
cryptosystem such as mentioned above TUOV, old Matsumoto-Imai system, various variants of
Oil and Vinegar system and others. Additionally new method gives an option to create algebraic
cryptosystems over the finite commutative rings K different from finite fields such as
arithmetical or Boolean rings. We believe that Multivariate K-theory for which the main
instrument is an element of Cremona semigroup of endomorphisms of K[x1, x2,…, xn] (see [25],
[26]) has a capacity to provide efficient digital signatures. Suggested algorithms in case of finite
fields and arithmetical rings can be already used for the protection of Information systems.
Acknowledgements
This research is supported by British Academy Fellowship for Researchers under Risk 2022 and
by British Academy and partially supported by the British Academy award LTRSF\100333.
�References
[1] Vasyl Ustimenko, Aneta Wróblewska, On extremal algebraic graphs, quadratic
multivariate public keys and temporal rules, FedCSIS 2023: 1173-1178 (see also IACR,e-print
archive 2023/738).
[2] Ward Beullens, Improved Cryptanalysis of UOV and Rainbow, In Eurocrypt 2021, Part 1, pp.
348-373.
[3] Anne Canteaut, François-Xavier Standaert (Eds.), Eurocrypt 2021, LNCS 12696, 40th
Annual In-ternational Conference on the Theory and Applications of Cryptographic
Techniques, Zagreb, Croatia, October 17–21, 2021, Proceedings, Part I, Springer.
[4] Ding and A. Petzoldt, "Current State of Multivariate Cryptography," in IEEE Security &
Privacy, vol. 15, no. 4, pp. 28-36, 2017, doi: 10.1109/MSP.2017.3151328.
[5] Smith-Tone, D. (2022), 2F - A New Method for Constructing Efficient Multivariate
Encryption Schemes, Proceedings of PQCrypto 2022: The Thirteenth International
Conference on Post-Quantum Cryptography, virtual, DC, US.
[6] Daniel Smith Tone, New Practical Multivariate Signatures from a Nonlinear Modifier, IACR
e-print archive, 2021/419.
[7] Daniel Smith-Tone and Cristina Tone, A Nonlinear Multivariate Cryptosystem Based on a
Random Linear Code, https://eprint.iacr.org/2019/1355.pdf
[8] Jayashree, Dey, Ratna Dutta, Progress in Multivariate Cryptography: Systematic Review,
Challenges, and Research Directions, ACM Computing Survey, volume 55, issue 12,No.246,
pp 1-34, https://doi.org/10.1145/3571071.
[9] Cabarcas Felipe, Cabarcas Daniel, and Baena John. 2019. Efficient public-key operation in
multivariate schemes. Advances in Mathematics of Communications 13, 2 (2019), 343.
[10] Cartor Ryann and Smith-Tone Daniel. 2018. EFLASH: A new multivariate encryption
scheme. In Proceedings of the International Conference on Selected Areas in
Cryptography. Springer, 281–299.
[11] Casanova Antoine, Faugère Jean-Charles, Macario-Rat Gilles, Patarin Jacques, Perret
Ludovic, and Ryckeghem Jocelyn. 2017. Gemss: A great multivariate short signature.
Submission to NIST (2017).y. Springer, Singapore, 209–229.
[12] Chen Jiahui, Ning Jianting, Ling Jie, Lau Terry Shue Chien, and Wang Yacheng. 2020. A
new encryption scheme for multivariate quadratic systems. Theoretical Computer Science
809 (2020), 372–383.
[13] Chen Ming-Shing, Hülsing Andreas, Rijneveld Joost, Samardjiska Simona, and Schwabe
Peter. 2018. SOFIA: MQ-based signatures in the QROM. In Proceedings of the IACR Inter-
national Workshop on Public Key Cryptography. Springer, 3–33.
[14] Ding Jintai, Petzoldt Albrecht, and Schmidt Dieter S.. 2020. Multivariate Public Key Cryp-
tosystems, Second Edition. Advances in Information Security. Springer.
[15] Dung H. Duong, Ha T. N. Tran, Willy Susilo, and Le Van Luyen. 2021. An efficient
multivariate threshold ring signature scheme. Computer Standards & Interfaces 74.
[16] Jean-Charles Faugère, Gilles Macario-Rat, Jacques Patarin, and Ludovic Perret. 2022. A new
perturbation for multivariate public key schemes such as HFE and UOV. Cryptology ePrint
Archive (2022).
[17] N. Biggs, Algebraic graphs theory, Second Edition, Cambridge University Press, 1993.
[18] A. Brower, A. Cohen, A. Nuemaier, Distance regular graphs, Springer, Berlin, 1989.
�[19] B. Bollob´as, Extremal Graph Theory, Academic Press, London, 1978
[20] V. Ustimenko, Maximality of affine group, hidden graph cryptosystem and graph's stream
ciphers, Journal of Algebra and Discrete Mathematics, 2005, v.1, pp 51-65
[21] V. Ustimenko, On small world non Sunada twins and cellular Voronoi diagams, Algebra
and Discrete Mathematics, vol. 30, N1 (2020), pp. 118-142.
[22] V. Ustimenko. 2022. Graphs in terms of Algebraic Geometry, symbolic computations and
secure communications in Post-Quantum world, UMCS Editorial House, Lublin, 2022, 198.
[23] V. Ustimenko, 2023, Schubert cells and quadratic public keys of Multivariate Cryptography.
CEUR Workshop Proceedings ITTAP , https://ceur-ws.org/Vol-3628/.
[24] N. Bourbaki, Lie Groups and Lie Algebras, Chapters 1 - 9, Springer, 1998-2008.
[25] M. Noether,{\em Luigi Cremona}, Mathematische Annalen, 59 (1904), pp. 1-19.
[26] V. L. Popov, Roots of the affine Cremona group, in: Affine Algebraic Geometry, Seville,
Spain, June 1821, 2003, Contemporary Mathematics, Vol. 369, American Mathematical
Society, Providence, RI, 2005, pp. 12-13.
[27] Markku Juhani Saarinen, Daniel Tony Smith (editors), Post Quantum Cryptography, 15th
International Workshop, PQCrypto 2024,Oxford, UK, June 12-14, 2024, Proceedings, Part 1.
[28] Markku Juhani Saarinen, Daniel Tony Smith (editors), Post Quantum Cryptography, 15th
International Workshop, PQCrypto 2024,Oxford, UK, June 12-14, 2024, Proceedings, Part 2.
[29] Tsuyoshi Takagi, Masato Wakayama, Keisuke Tanaka, Noboru Kunihiro, Kazufumi
Kimoto, Yasuhiko Ikematsu (editors), International Symposium on Mathematics, Quantum
Theory, and Cryptography, Proceedings of MQC 2019, Open Access, 2021
[30] Kohei Arai (editor), Advances in Information and Communication,Proceedings of the 2024
Future of Information and Communication Conference (FICC), Volume 1-3, Lecture Notes
in Networks and Systems, (LNNS, volume 919 -921) , Springer, 2024.
[31] V. Ustimenko, On Schubert cells in Grassmanians and new algorithms of multivariate
cryptography, Proceedings of the Institite of Mathematics, Minsk, 2015, Volume 23, N 2, pp.
137-148 (Proceedings of international conference “Discrete Mathematics, algebra and their
applications”, Minsk, Belarus, September 14-18, 2015, dedicated to the 100th anniversary of
Dmitrii Alexeevich Suprunenko).
[32] V. Ustimenko, Linear codes of Schubert type and quadratic public keys of Multivariate
Cryptography,
IACR e-print archive, 2023/175.
[33] v. ustimenko, On computations with double Schubert automaton and stable maps of
multivariate cryptography, Interdisciplinary Studies of Complex SystemsNo. 19 (2021) 18–
32.
[34] I. Gelfand, R. MacPherson,Geometry in Grassmanians and generalisation of the
dilogarithm, Adv. in Math., 44 (1982), 279-312.
[35] I. Gelfand, V. Serganova, Combinatorial geometries and torus strata on homogeneous
compact manifolds, Soviet Math. Surv. 42 (1987), 133-168.
[36] D. N. Moldovyan and N.A. Moldovyan, A New Hard Problem over Non-commutative Finite
Groups for Cryptographic Protocols, International Conference on Mathematical Methods,
Models, and Architectures for Computer Network Security, MMM-ACNS 2010: Computer
Network Security pp 183-194.
�[37] L. Sakalauskas, P. Tvarijonas and A. Raulynaitis, Key Agreement Protocol (KAP) Using
Conjugacy and Discrete Logarithm Problem in Group Representation Level,
INFORMATICA, 2007, vol. 18, No 1, 115-124.
[38] V. Shpilrain, A. Ushakov, The conjugacy search problem in public key cryptography:
unnecessary and insufficient, Applicable Algebra in Engineering, Communication and
Computing, August 2006, Volume 17, Issue 3–4, pp 285–289.
[39] Delaram Kahrobaei and Bilal Khan, A non-commutative generalization of ElGamal key
exchange using polycyclic groups, In IEEE GLOBECOM 2006 - 2006 Global
Telecommunications Conference [4150920] DOI: 10.1109/GLOCOM.2006.
[40] Alexei Myasnikov; Vladimir Shpilrain and Alexander Ushakov (2008), Group-based
Cryptography, Berlin: Birkhäuser Verlag.
[41] Zhenfu Cao (2012), New Directions of Modern Cryptography. Boca Raton: CRC Press,
Taylor & Francis Group. ISBN 978-1-4665-0140-9.
[42] Benjamin Fine, et. al. "Aspects of Non abelian Group Based Cryptography: A Survey and
Open Problems", arXiv:1103.4093.
[43] V. A. Roman'kov, A nonlinear decomposition attack, Groups Complex. Cryptol. 8, No. 2
(2016), 197-207.27.
[44] V. Roman'kov, An improved version of the AAG cryptographic protocol, Groups, Complex.,
Cryptol, 11, No. 1 (2019), 35-42.
[45] A. Ben-Zvi, A. Kalka and B. Tsaban, Cryptanalysis via algebraic span, In: Shacham H. and
Boldyreva A. (eds.) Advances in Cryptology - CRYPTO 2018 - 38th Annual International
Cryptology Conference, Santa Barbara, CA, USA, August 19-23, 2018, Proceedings, Part I,
Vol. 10991, 255{274, Springer, Cham (2018).
[46] B. Tsaban, Polynomial-time solutions of computational problems in noncommutative-
algebraic cryptography, J. Cryptol. 28, No. 3 (2015), 601-622.
[47] V. Roman’kov, Cryptanalysis of a new version of the MOR scheme, arXiv:1911.00895
[cs.CR].
[48] V. Roman’kov, Cryptanalysis of two schemes of Baba et al. by linear algebra methods. CoRR
abs/1910.09480 (2019).
[49] Adi Ben-Zvi, Arkadius G. Kalka, Boaz Tsaban, Cryptanalysis via Algebraic Spans. CRYPTO
(1) 2018: 255-274
�