K[x1, x2, ..., xn] which sends each variable xi, i = 1, 2, ..., n to a monomial term. Some other protocols of Noncommutative Cryptography with the platform nES(K) are given in [1].

For each positive integer d, d≥2 we present the multivariate map of degree d with the trapdoor accelerator. In fact we present the iterative process of expansion of initial map F0 which can be a bijective multivariate nonlinear map of degree at most d on Kn with the trapdoor accelerator T or an element of general affine group AGLn(K). The input parameters are positive integers m( 1 ), m( 2 ), ..., m(k), k≥2. The step i, i = 1, 2, ..., k of the algorithm produces the multivariate map Gi of degree d on the Kn+m( 1 )+m( 2 )+...+m(i) with the trapdoor accelerator Ti.

Similarly we can take polynomial surjective map F0 of Kn onto Kr of degree at most d with the trapdoor accelerator T and get the sequence of surjective polynomial multivariate maps of Kn+m( 1 )+m( 2 )+...+m(i) onto Kr+m( 1 )+m( 2 )+...+m(i) of degree d with the trapdoor accelerators.

So we can use known construction of multivariate cryptography over the general maps with trapdoor accelerators or linear maps on affine spaces for the construction of new maps together with the polynomial algorithm to compute reimage.

We define the density of the multivariate polynomial in n variables as the number of its monomial terms. The density of multivariate map F: (x1, x2, ..., xn) → (f1(x1, x2, ..., xn), f2(x1, x2, ..., xn), ..., f2(x1, x2, ..., xn), ..., fm(x1, x2, ..., xn)) is the maximal value of densities of fi for i = 1, 2, ..., m.

We also will work with the multivariate maps in n variable of unbounded degree and prescribed density O(nλ). Let K* stands for the multiplicative group of K. Assume that K* is nontrivial. We say that multivariate map F of Kn to itself has multiplicative trapdoor accelerator T if the restriction of F onto (K*)n is injective map and the knowledge of T allows to compute the reimage of the element from F((K*)n) in a polynomial time.

For each nonnegative rational number λ we present the explicit constructions of multivariate maps of density λ with unbounded degree and multiplicative trapdoor accelerator. Additionally we present the iterative process of the expansion of the selected initial map F0 which is a multivariate nonlinear map of density O( 1 ) on Kn with unbounded degree and the multiplicative trapdoor accelerator T. The input consists of positive integers m( 1 ), m( 2 ), ..., m(k), k≥2 and some internal parameters which are nonnegative rational numbers.

The step i, i = 1, 2, ..., k of the algorithm produces the multivariate map Gi of polynomial density on the Kn+m( 1 )+m( 2 )+...+m(i) with the multiplicative trapdoor accelerator Ti. Appropriate choice of internal parameters allows us to construct Gk of prescribed density O((n+m( 1 )+m( 2 )+...+m(k))λ).

We can use multivariate maps of unbounded degree and prescribed polynomial density with the multiplicative trapdoor accelerator instead of maps of bounded degree in the presented above scheme of access control. We can use the same protocol of Noncommutative Cryptography and the same platform nES(K) of Eulerian transformations. The modification of the deformation rule will be presented.

Let us consider the case of finite commutative ring K of the cardinality O( 1 ) with nontrivial multiplicative group. In the case of the map F of unbounded by constant degree of size O(n) and of density O( 1 ) with the multiplicative trapdoor accelerator we use term pseudolinear map. The complexity of computation of F(p), pϵ(K*)n is O(n2). In the case of density O(nλ), λ<1 we use the term of sub quadratic map. The complexity of computation of F(p), pϵ (K*)n is O(n2+λ).

It is better then in the case of quadratic map on the space Kn. If density is O(n) we say that we have pseudo quadratic map.

We hope that defined in the paper wide variety of the quadratic or cubic maps with the trapdoor accelerators and the varieties of pseudo-linear, sub quadratic and pseudo quadratic maps with the multiplicative trapdoor accelerators can be effectively used in the presented above scheme of the access control of Information System.

These varieties are defined via the symbolic computations in terms of algebraic graphs defined by the systems of nonlinear algebraic equations over the finite commutative ring K with unity or temporal analogue of these graphs for which generic equations are changeable with the change of time. The sequences of pseudorandom or genuinely random graphs can be used for the change of coefficients in time dependent algebraic equations.

For the design of maps we use Jordan-Gauss graphs which are bipartite graph with partition sets Kn and Km given via quadratic equations such that the neighbourhood of the vertex is the solution set of linear system of equations written in its row-echelon form.

Subsection 2.1 of Section 2 contains basic definitions of affine Cremona semigroup and group of endomorphism of multivariate ring K[x1, x2, ..., xn], endomorphisms with the trapdoor accelerators. It contains the discussion of the area of Multivariate Cryptography over the general finite commutative ring.

In the subsection 2. 2 we define linguistic graphs over the general commutative ring and their temporal analogue. Algorithm 1.2 allows us to construct the variety of elements of Cremona semigroup with the trapdoor accelerator defined in terms of selected linguistic graph or its temporal analogue. Simple conditions insure that the constructive map is bijective transformation of Kn. The method allows us to construct surjective maps of Kn onto Km, n>m≥2 with the trapdoor accelerator. For practical implementation of the algorithm we need select special classes of linguistic graphs which allow us to control the degrees and densities of the outputs. We define the special class of Jordan-Gauss graphs and consider flexible families of generalised Double Schubert graphs DSs,r(K) and truncated Double Schubert graphs QDSs,r(K) which are convenient instruments for generating of families of multivariate maps of prescribed degree on the affine space Kn.

Assume that (F, T) stands for pair multivariate function F of degree d, d≥2 on K n and its trapdoor accelerator. We suggest the method of construction of new pair (F’, T’) of degree d on Kn’, n’>n from the known (F, T). It can be used iteratively. Many constructions of pairs (F, T) over fields can be found in the recent papers on Classical Multivariate Cryptography [2–13].

In Section 3 we introduce semigroup of nES(K) of Eulerian endomorphisms of K[x1, x2, ..., xn] and consider iterative method of construction of multivariate maps of prescribed density O(nd) with the trapdoor accelerators or multiplicative trapdoor accelerators. These maps are constructed in terms of temporal truncated Schubert graphs.

In Section 4 we consider twisted Diffie-Hellman protocol implemented with the platform nES(K) of Eulerian transformations. We introduce several deformation rules convenient for the safe delivery of multivariate maps of prescribed degree or density from one correspondent to his/her partner. We discuss the use of stable subsemigroups of Cremona semigroup nCS(K) as a platform for the protocol. Stability means that the maximal degree of endomorphisms from the semigroup is a constant d.

Section 5 contains conclusive remarks. We have to note that last talk at Eurocrypt conferences was delivered in 2021. It is paper [14] dedicated to cryptanalytic studies. Some studies on Multivariate Cryptography were presented during PQCrypt workshops [15–18].

Let Assume that commutative ring K contains nontrivial multiplicative group K*. Let us consider the totality nES(K) of endomorphisms of K[z1, z2,..., zn] of kind z1 → q1z1 a( 1,1 ) z2 a( 1,2 ) … zn a(1,n), z2 → q2z1 a( 2,1 ) z2 a( 2,2 ) … zn a(2,n), … ( 3 ) zn → qnz1 a(n,1)  z2 a(n,2)  … zn a(n,n) where qi are regular elements of finite commutative ring K with the unity.

It is easy to see that the complexity of the composition of two elements of kind ( 3 ) is O(n3).

The semigroup nES(K) acts naturally on (K*)n and contains large subgroup nEG(K) of bijective transformations of the variety [1].

Recall that we define density den (f) of element f from K[z1, z2, ..., zn] written in its standard form as its number of monomial terms. The density of the tuple H(z1, z2, ..., zn) is defined as maximum of den(hi), i = 1,2, ..., m.

The following statements are proven in [22].

Proposition 1. 3. Let us consider map introduced above map F = F(a( 1 ), a( 2 ), ..., a(l), b( 1 ), b( 2 ), ..., b(l), c, D1, D2, ..., Dl) in the case of the temporal graph QDSs,r(K)t where K is a commutative ring with nontrivial multiplicative group K*. Assume that the densities of a(i), b(i) and c are of size O(sα(i)), O(sβ(i)) and O(sγ) such that 0≤α(i)+β(i)≤d and γ≤d for some d, d≥0. Then den F has size O(sd).

Remark 1.3. Parameter d can be selected as a rational number.

Corollary 1.3. Let s = r or l is even, r = O(s), m = O(sμ), 1≤μ≤2, H be an element of s+mES(K) and LϵAGLs+m (K) and F satisfies conditions of Proposition 1.3. Then the density of standard form of G = HFL is O(sd+μ) = O((s+m)d/μ+1).

Remark 2.3. We can select L of density O( 1 ) or density O(mλ), 0≤λ≤1. The simplest case is of kind zi → diiżi+dii+1żi+1+…+dis+mżi+sm, i = 1, 2, …, m+s. Then the density of the map is O((s+m)d/μ+λ).

Corollary 2.3. Assume that conditions of Corollary 1.3 holds and C = EN, where EϵsEG(K), NϵsCG(K). Then G induces an injective map of (K*)s+m into (K)s+m.

Let Ms(K) = GLs(K)∩sES(K) be the monomial group of linear transformations.

Corollary 3.3. Assume that conditions of Proposition 1.3 hold and HϵMs+m (K) and CϵsCG(K). Then G is a bijective map of Ks+m onto itself.

Formulated above statements allow us to construct element G of nCG(K) of unbounded degree and prescribed density d, d≥O(n) with the trapdoor accelerator.

We define multiplicative trapdoor accelerator (F, T) of F which is the map of density d such that its restriction F’ on (K*)n is injective map and the knowledge of T allows to compute the reimage of F’ in a polynomial time.

Remark 3.3. We can construct multiplicative accelerators (F, T) where FϵnCS(K) has unbounded degree and prescribed density O(nd ), d≥0.

Algorithm 1.3. Public key with the multivariate map G with the multiplicative trapdoor accelerator.

Alice select even parameter l of size O( 1 ) and commutative ring K with nontrivial multiplicative group K*. Natural examples are finite field Fq or modular arithmetic Zq where q = 2 s, s>1.

She selects parameters n and k = O(n) together with the subset Q = {α( 1 ), α( 2 ), ..., α(m)} of Cartesian product of {1, 2, ..., n} and {1, 2, ..., k} of cardinality m, m = O(nμ) where 1≤μ≤2. Alice will work with graph QDSn,k(R)t, k = O(n), R = K[z1, z2, ..., zn, zα( 1 ), zα( 2 ), ..., zα(m)]. She selects parameter d and tuples of polynomials a( 1 ), a( 2 ), ..., a(l), b( 1 ), b( 2 ), ..., b(l) with coordinates from K[z1, z2, ..., zn] satisfying conditions of Proposition 1.3, i.e. den(a(i)) has size O(s α(i)), den(b(i)) has size O(s β(i)) and α(i)+β(i) = d.

Alice forms the tuples ai, bi, i = 1, 2, ... l of with coordinates of kind q1z1 a( 1,1 ) z2 a( 1,2 ) … zn a(1,s)+q2z1 a( 2,1 ) z2 a( 2,2 ) … zn a(2,n)+…+qrz1 a(r,1) z2 a(r,2) … zn a(r,n) where qi ≠ 0. She selects the pair of E, E’ϵnEG(K) such that (EE’, (K*)n) and (E’E, (K*)s) are identity permutations.

The procedure 1 for this step is given below. She takes N of density O( 1 ) from AGLn(K) and L from AGLn+m(K) together with H and H’ from m+nEG(K) such that HH’ and H’H are identity transformations of (K*)s+m( 1 ). Alice computes C=EN moving (z1, z2, ..., zn) to c = (c( 1 ), c( 2 ), ..., c(n)).

She select parameters i,jα(t)ϵK*, i,jβ(t) and i,jγ(t) where t = 1, 2, ..., l, (i, j)ϵQ for construction of momentum Jordan-Gauss graphs D1, D2, ..., Dl of the temporary graph QDSs,k(K)t.

Alice will use Dj(K[z1, z2, ..., zs, zα( 1 ), zα( 2 ), ..., zα(m( 1 ))]) which are special momentum graphs of QDSs,k(R)t defined by equations with coefficients from K but with the point set Rn+m and line set Rk+m.

She uses symbolic computation in the graph QDSn,k(R)t to construct the transformation F = F(a( 1 ), a( 2 ), ..., a(l), b( 1 ), b( 2 ), ..., b(l), c, D1, D2, ..., Dl) of Kn+m to itself. Alice uses Procedure 1 to form H from n+m EG(K). She forms L from AGLn+m(K) of density O(mλ), λ≤1 and the element G = HFL of affine Cremona semigroup. She computes the standard form of G and announces this multivariate rule publicly.

The standard form of G will be used as an encryption tool in the case of the space of plaintexts (K*)n+m.

Alice generates the map via special walks on the graph. The degree of the map G is O(n+m). The density of the map is O(n+m) λ+d/μ.

Thus the complexity of encryption of computation of the image of (p1, p2, ..., pn+m)ϵ(K*)m+n is O(n+m)λ+d/μ+1.

Decryption procedure.

Public user Bob writes his plaintext p = (p1, p2, ..., pm+n) and sends the ciphertext s = G(p) to Alice. Alice decrypts via the following procedure.

She computes L-1(s) = (d1, d2, ..., dn, dα( 1 ), dα( 2 ), ..., dα(m)) = d. Alice creates intermediate tuple of variables (z1, z2, ..., zn, zα( 1 ), zα( 2 ), ..., zα(m)) consider the equations. She computes N-1(d1, d2, ..., dn) = (e1, e2, ..., en) and considers the equations

E(z1, z2,..., zn) = e1, E(z1, z2,..., zn) = e2, ..., E(z1, z2,..., zn) = en, Alice uses E’ and gets the solution z1 = t1, z2 = t2, ..., zn = tn.

She computes a(i)(t1, t2, ..., tn) = a*i, i = 1, 2, ..., l, b(i)(t1, t2, ..., tn) = b*i, i = 1, 2, ..., l and writes the system of linear equations F = F(a*( 1 ), a*( 2 ), …, a*(l), b*( 1 ), b*( 2 ), ..., b*(l), d’)(t1, t2, ..., tn, zα( 1 ), zα( 2 ), ..., zα(m)) = d where d’ = (d1, d2, ..., dn).

This system is already written in row-echelon form.

So Alice gets the solution zα( 1 ) = tα( 1 ), zα( 2 ) = tα( 2 ),...,zα(m) = tα(m).

She forms t = (t1, t2, ..., tn, tα( 1 ), tα( 2 ), ..., tα(m)) and p as H’(t).

Procedure 1.3. Let K be a finite commutative ring with unity and nontrivial multiplicative group K* of order d>1. Assume that parameter n is selected and we have the task of generating two elements E and E’ of nEG(K) such that EE’ and E’E act on (K*)n as identity transformations.

We form the transformation J1 and J2 from nEG(K) of kind y1 = μ1x1a( 1,1 ) y2 = μ2x1a( 2,1 ) x2a( 2,2 ) … yn = μnx1a(n,1) x2a(n,2) … xna(n,n) where (a( 1,1 ), d) = 1, (a( 2, 2 ), d) = 1, …, (a(n, n), d) = 1, z1 = μ’1y1b( 1,1 ) y2b( 1,2 ) … ynb(1,n) z2 = μ’1y2b( 2,2 ) y2b( 2,3 ) … ynb(2,n) … zn = μ’nynb(n,n) where (b(n,n), d) = 1, (b(n-1, 2), d) = 1, …, (b(1, n), d) = 1. The computation of inverses J’1 and J’2 of the transformations J1 and J2 of the variety (K*) n is straightforward. So Alice computes E = J1J2 and E’ = J’2J’1.

Similarly, she constructs lower triangular and upper triangular bijective transformations JG1 and JG2 from (m+nES(K), (K*)m+n).

So Alice computes H = GJ1 GJ2 and H’ = GJ’2 GJ’1.

In case d = 0 and λ = 0 when the density of a(i), b(i), and L are O( 1 ) we obtain a pseudolinear cryptosystem. Its complexity for the encryption is O(n+m)2.

In the case of d/μ+λ<1 we get sub quadratic cryptosystem. It has complexity better than O(n+m)3.

If d/μ+λ = 1 we obtain a pseudo quadratic cryptosystem.

More general methods of generation of invertible elements of nES(K) can be found in [1].

The family of pseudo quadratic transformations with the trapdoor accelerators based on the modification DSn,k(K) in terms of generalisations of projective geometries was presented in [33].

Corollary 4.3. Let K be a commutative ring with nontrivial multiplicative group K*. Then for each natural n, n>2 we can construct a multivariate map of the prescribed density with the multiplicative trapdoor accelerator.

Recall that G = EQQL induces an injective map of (K*)n+m into Kn+m.

The standard form of G has the trapdoor accelerator Q, E, L, H, N, ai, bi, i = 1, 2, ..., l, T’. We assume that equations of DS(n, K) are known publicly.

Remark 4.3. Note that the map with the trapdoor accelerator of polynomial density O(nd) where d, d ≥2 is a natural number can be obtained as the product of J1 and J2 of Procedure 1 and selected multivariate map F of degree d with the trapdoor accelerator T.

In [34] the first implementation of the scheme of the previous Remark 4.3 was presented in the case of F induced by the special walk on the Jordan-Gauss graphs D(n, K) and A(n, K) for the case when K = Fq, of characteristic 2. Recall that in [24] the special walks of odd length in the JordanGauss graphs D(n, K) of type 1, 1, n-1 were used for the generation of quadratic multivariate map F with the trapdoor accelerator.

In [35] the scheme of remark 4.3 was suggested for the graph-based encryption with D(n, K) and A(n, K) in the case of arithmetical rings Zm.

The point (p) = (p1, p2, …, pn) of the graph D(n, K) is incident with the line [l] = [l1, l2, …, ln], if the following relations between their coordinates hold: l2-p2 = l1p1, l3-p3 = l2p1, l4-p4 = l1p2, li-pi = l1pi-2, li+1-pi+1 = li-1p1, li+2-pi+2 = lip1, li+3-pi+3=l1pi+1 where i≥5.

So the encryption scheme is the following. Let us take graph D(n, K[x1, x2, …, xn]), sequence of colors d( 1 )+x1,d( 2 )+ x1, …, d(k)+x1 where d(i) ϵK), k is a length of walk.

Then we have to take sequence x = (x1, x2, …, xn) (point from D(n, K[x1, x2, …, xn])), v1 = Nd( 1 )+x1(x), Nd( 2 )+x1(v1) = v2, Nd(k)+x1(vk-1) = v1.

Let F be the map x1 → v1(x1, x2, …, xn ), x2 → v2(x1, x2, …, xn), …, xn → vn(x1, x2, …, xn). Then deg F = 3.

We consider the map of kind G = J1J2L1FL2 where L1 and L2 are elements of AGLn(K).

In the case of linguistic graph A(n, K) we simply change the incidence condition between points and lines: l2-p2 = l1p1, l3-p3 = p1l2,l4-p4 = l1p3, l5-p5 = p1l4, … ln-pn = l1pn-1 (for even n) or ln-pn = p1ln-1 (for odd n).

Recently we implement the generating process described above map G in the case when K is arithmetic ring Zq, q=232.

Let us denote G as G(n, k, K) in the case when the length of the sequence of colours d( 1 ), d( 2 ),…, d(k) has length k. We present time the total number M(G) of monomial terms in all gi (global density). We refer to parameter k as the length of the walk. We can see the “condensed matter physics” digital effect. If k is “sufficiently large”, then M(g) is independent of k constant c.

We have written a program for generating elements and for encrypting a text using the generated public key. The program is written in C++. We use an average PC with processor Pentium 3.00 GHz, 2GB memory RAM, and system Windows 7. We have implemented three cases: 1. L1 and L2 are identities. 2. L1 and L2 are maps of kind z1 → z1+a2z2+a3z3+ … +atzt, z2 → z2, z3 → z3, …, zn → zn, ai ≠ 0, i = 1, 2, …, n (linear time of computing for L1 and L2). 3. L1 = Ax+b, L2 = A1x+b1; matrices A, A1 and vectors b, b1 have mostly nonzero elements. Tables confirm that in Cases 2 and 3 we have multivariate transformations of density O(n3) and global O(n4). So, the encryption process for this map of unbounded degree takes O(n5).

Similarly to Example 1 we can use Proposition 4 iteratively.

Example 1.3. Alice selects finite commutative ring K and positive number s and prescribed degree d.

Step 1. Alice selects even parameter l = l( 1 ) of size O( 1 ) and the degree d( 1 ) of the initial map and parameter μ( 1 ), 1≤μ( 1 )≤2.

She takes parameter k = O(s) together with the subset Q = {α( 1 ), α( 2 ), ..., α(m( 1 ))} of Cartesian product of {1, 2, ..., s} and {1, 2, ..., k} of cardinality m( 1 ), m( 1 ) = O(sμ( 1 )) where 1≤μ( 1 )≤2. Alice will work with graph QDSs,k(R) t, k = O(s), R = K[z1, z2, ..., zs, zα( 1 ), zα( 2 ), ..., zα(m( 1 ))]. She selects tuples of polynomials a( 1 ) = a( 1, 1 ), a( 2 ) = a( 1, 2 ), ..., a(l) = a(1, l), b( 1, 1 ), b( 1, 2 ), ..., b(1, l), l = l( 1 ) with coordinates from K[z1, z2, ..., zs] satisfying conditions of Proposition 4, i.e.

deg (a(i)) = α(i), deg b(i) = β(i) and α(i)+β(i) = d( 1 ).

Alice forms the tuples ai, bi, i = 1, 2, .... l of with coordinates of kind q1z1 a( 1,1 ) z2 a( 1,2 ) … zs a(1,s) +q2z1 a( 2,1 ) z2 a( 2,2 ) … zs a(2,s)+…+qrz1 a(r,1) z2 a(r,2) … zs a(r,s) where qi ≠ 0.

She selects the pair of E, E’ϵsEG(K) such that (EE’, (K*)s) and (E’E, (K*)s) are identity permutations. She takes N of density O( 1 ) from AGLs(K) and L of density O( 1 ) from AGLs+m( 1 )(K) together with H = H1 and H’ = H’1 from m( 1 )+sEG(K) such that HH’ and H’H are identity transformations of (K*)s+m( 1 ). Alice computes C = EN moving (z1, z2, ..., zs) to c = (c( 1 ), c( 2 ),..., c(s)). She selects parameters i,jα1(t)ϵK*, i,jβ1(t) and i,jγ1(t) where t = 1, 2, ..., l( 1 ), (i, j)ϵQ for the construction of momentum Jordan-Gauss graphs 1D1, 1D2, ..., 1Dl of the temporary graph QDSs,k(K)t.

Alice will use 1Dj(K[z1, z2, ..., zs, zα( 1 ), zα( 2 ), ..., zα(m( 1 ))]) which are special momentum graphs of QDSs,k(R)t, R = K[z1, z2, ..., zs, zα( 1 ), zα( 2 ), ..., zα(m( 1 ))]) defined by equations of 1D1, 1D2, ..., 1Dl with coefficients from K but with the point set Rs+m( 1 ) and line set Rk+m( 1 ).

She uses symbolic computation in the graph QDSs,k(R) t to construct the transformation F = F1 = F(a( 1, 1 ), a( 1, 2 ), ..., a(1, l( 1 )), b( 1, 1 ), b( 1, 2 ), ..., b(1, l), c, 1D1, 1D2, ..., 1Dl( 1 )) of Ks+m( 1 ). She already formed L = L1 from AGLs+m( 1 )(K) of density O( 1 ). Alice computes the element G1=H1F1L1 of affine Cremona semigroup. She computes the standard form of G1. The degree of the map G1 is O(s+m( 1 )).The density of the map is O(s+m( 1 ))d( 1 )/μ( 1 ). The trapdoor accelerator T1 consist of Q, equations of QDSs,k(K), tuples a( 1 ), a( 2 ), ..., a(l), b( 1 ), b( 2 ), ..., b(l) and momentum graphs, transformations E, N and H1, L1.

Step 2 and the iteration.

Alice selects parameter k( 1 ) = O(s+m( 1 )) and positive integer s+m( 1 )≤m( 2 )≤s+m(k)k( 1 ), even parameter l( 2 ) and constants d( 2 ), d( 2 )≥d( 1 )/μ( 1 ) and μ( 2 ) where 1≤μ( 2 )≤2. She selects the subset Q( 1 ) = {α( 1, 1 ), α( 1, 2 ), ..., α(1, m( 2 ))} of Cartesian product of {1, 2, ..., s+m( 1 )} and {1, 2, ..., k( 1 )} of cardinality m( 2 ), m( 2 ) = O((s+m( 1 ))μ( 2 )). Alice will work with graph Q( 1 )DSs+m( 1 ),k( 1 )(R)t, R = K[z1, z2, ..., zs+m( 1 ), zα( 1,1 ), zα( 1, 2 ), ..., zα(1, m( 2 ))]. She selects parameters to create momentum graphs 2D1, 2D2, ..., 2Dl( 2 ) of the temporary graph Q( 1 )DSs+m( 1 ),k( 1 )(K)t.

Alice will use 2Dj(K[z1, z2, ..., zs+m( 1 ), zα( 1, 1 ), zα( 1, 2 ), ..., zα(1, m( 2 ))]),

J = 1, 2, ..., l( 2 ) which are special momentum graphs of QDSs+m( 1 ), k( 1 )(R)t, R = K[z1, z2, ..., zs, zα( 1 ), zα( 2 ), ..., zα(m( 1 ))]) defined by equations of 2D1, 2D2, ..., 2Dl( 2 ) with coefficients from K but with the point set Rs+m( 1 )+m( 2 ) and line set Rk( 1 )+m(1+)m( 2 ).

She selects tuples a( 2, 1 ), a( 2, 2 ), ..., a(2, l( 2 )), b( 2, 1 ), b( 2, 2 ), ..., b(2, l( 2 )) with coordinates from K[z1, z2, ..., zs+m( 1 )] such that den (a(2, i)b(2, i)) = O((s+m( 1 ))d( 2 )). Alice constructs the transformation F2 = F(a( 2, 1 ), a( 2, 2 ), ..., a(2, l( 2 )), b( 2, 1 ), b( 2, 2 ), ..., b(2, l( 2 )), g( 1 ), 2D1, 2D2, ..., 2Dl( 2 )) of Ks+m( 1 )+m( 2 ) where g1 is the tuple (G1(z1), G1(z2), ..., G1(zs+m( 1 )). She selects the pair of H2, H2’ϵs+m( 1 )+m( 2 )EG(K) such that (H2H2’, (K*)s+m( 1 )+m( 2 )) is identity permutations.

She selects L = L2 from AGLs+m( 1 )+m( 2 )(K) of density O( 1 ) and forms

G2=H2F2L2.

The density of the standard form of the map G2 will be determined as O((s+m( 1 ))d( 2 )) or O((s+m( 1 )+m( 2 ))d( 2 )/μ( 2 )).The map G2 has a multiplicative trapdoor accelerator T2 which is extension of T1 via adding Q( 1 ) of cardinality m( 2 ), parameters k( 1 ), l( 2 ) equations of Q( 1 )DSs+m( 1 ), k( 1 ) (K), tuples a(2.1), a( 2, 2 ), ..., a(2, l( 2 )), b( 2, 1 ), b( 2, 2 ), ..., b(2, l( 2 )), momentum graphs 2D1, 2D2, ..., 2Dl( 2 ) and transformations H2, H2’, L2.

Alice takes parameters d( 3 ), d( 3 )≥d( 2 )/μ( 2 ), μ( 3 ), 1≤μ( 3 ))≤2, k( 2 ) of size O(s+m( 1 )+m( 2 )) and m( 3 ) of size O( (s+m( 1 )+m( 2 ))μ( 3 ) such that s+m( 1 )+m( 2 )≤m( 3 )≤(s+m( 1 )+m( 2 ))k( 2 ). She takes even parameter l( 3 ) and selects subset Q( 2 ) = { α( 2, 1 ), α( 2, 2 ), ..., α(2, m( 3 ))} of Cartesian product of {1, 2, ..., s+m( 1 )+m( 2 )} and {1, 2, ..., k( 2 )}.

Alice will work with graph Q( 2 )DSs+m( 1 )+m( 2 ),k( 2 )(R)t, R = K[z1, z2, ..., zs+m( 1 )+m( 2 ), zα( 2,1 ), zα( 2, 2 ), ..., zα(2, m( 3 ))]. She selects parameters to create momentum graphs 3D1, 3D2, ..., 3Dl( 3 ) of the temporary graph Q( 2 )DSs+m( 1 )+m( 2 ), k( 2 )(K)t.

Alice forms tuples a( 3, 1 ), a( 3, 2 ), ..., a(3, l( 3 )), b( 3, 1 ), b( 3, 2 ), ..., b(3, l( 3 )) with coordinates from K[z1, z2, ..., zs+m( 1 )+m( 2 ) ] such that den (a(3, i)b(3, i)) = O((s+m( 1 )+m( 2 )+m( 3 ))d( 3 ). Alice constructs the transformation F3 = F(a( 3, 1 ), a( 3, 2 ), ..., a(3, l( 3 )), b( 3, 1 ), b( 3, 2 ), ..., b(3, l( 3 )), g( 2 ), 3D1, 3D2, ..., 3Dl( 3 )) of Ks+m( 1 )+m( 2 )+m( 3 ) where g( 2 ) is the tuple (G2(z1), G2(z2), ..., G2(zs+m( 1 )+m( 2 )).

She selects the pair of H3, H3’ϵs+m( 1 )+m( 2 )+m( 3 )EG(K) such that (H3H3’, (K*)s+m( 1 )+m( 2 )+m( 3 )) is identity permutation. She selects L = L3 from AGLs+m( 1 )+m( 2 )+m( 3 )(K) of density O( 1 ) and forms G3 = H3F3L3.

The density of the standard form of the map G3 will be determined as O((s+m( 1 )+m( 2 ) d( 3 )) or O((s+m( 1 )+m( 2 )+m( 3 )) d( 3 )/μ( 3 )). The map G3 has a multiplicative trapdoor accelerator T3 which is extension of T2 via adding Q( 2 ) of cardinality m( 3 ), parameters k( 2 ), l( 3 ), equations of Q( 2 )DSs+m( 1 )+m( 2 ) ,k( 2 ) (K), tuples a( 3, 1 ), a( 3, 2 ), ..., a(3, l( 2 )), b( 3, 1 ), b( 3, 2 ), ..., b(3, l( 3 )), momentum graphs 3D1, 3D2, ..., 3Dl( 3 ) and transformations H3, H3’, L3.

Alice continues the iterative process. She creates G4, G5, ..., Gr of the densities of kind O(n(i)) β(i), i = 4, 5, ..., r where n(i) is the dimension of the space of ciphertexts and β(i) = d(i)/μ(i) with the multiplicative trapdoor accelerators Ti, i =4, 5, ..., r respectively.

So the final map Gr of Ks+m( 1 )+m( 2 )+…+m(r) to itself with the multiplicative trapdoor accelerator Tr has a polynomial density.

Recall that d(i)≥d(i-1)/μ(i-1) for i = 2, 3, ..., r. In the case when these inequalities become equalities d(r)/μ (r) = d( 1 )/(μ( 1 )μ( 2 )μ( 3 ) ... μ(r)).

Alice can select d( 1 ) = 0 when Gr has density O( 1 ). Then the output will be a pseudolinear map. The choice of small parameter d( 1 ) will allow her to get sub quadratic map of the density O(nλ) with arbitrarily selected λ, λ<1. Obviously, Alice can create the map Gr of prescribed density O(nd) with the multiplicative trapdoor accelerator.

Note that Alice can take Gr L where L has degree 1 and density O(n) and use the standard form of transformation of density O(nd+1) with the multiplicative trapdoor accelerator.

Procedure 1.3. (reimage computation for (Gr, Tr)). Assume that Gj = HjFjLj, j = 1, 2, ..., r and Fj = F(a(1, j), a(2, j), ..., a(l(j), j), b(1, j), b(2, j), ..., b(l(j),j), g(j-1), jD1, jD2, ..., jDl(j)) acting on the affine space jW of dimension s+m( 1 )+m( 2 )+...+m(j) = n(j).

Alice obtained the ciphertext 0c = (0c1, 0c2, ..., 0cn(r)). She computes Lr-1(0c) = rc and takes its projection rc’ on the first n(r-1) coordinates.

Alice computes Lr-1-1(rc’) = r-1c and takes its projection r-1c’ on the first n(r-2) coordinates. She continue this procedure and gets the tuples 1c = (b1, b2, ..., bs, bs+1, bs+2, ..., bs+m( 1 )) and 1c’ = (b1, b2, ..., bs).

Alice forms the intermediate tuple (z1, z2, ..., zs) and investigates the system of linear equations c1(z1, z2, ..., zs) = b1,c2(z1, z2, ..., zs) = b2, ..., cs(z1, z2, ..., zs) = bs. She gets the solution z1 = α1, z2 = α2, …, zs = αs. In fact (α1, α2, …, αs) = E’(N-1(b1, b2, …, bs)).

Alice computes tuples a*(i, 1) = a( 1, 1 )(α1, α2, ..., αs), b*(i, 1) = b( 1, 1 )(α1,α2, ..., αs), i = 1, 2, ..., l( 1 ) with coordinates from K.

Alice takes graph 1Dl( 1 ) and computes d(l( 1 )) = Jb*(l( 1 ),1)(1c). She takes the neighbour d’(l( 1 ) = Na*(l( 1 )),1) (d(l( 1 )) of the point d(l( 1 ) of colour a*(l( 1 ), 1).

Alice treats the tuple d’(l( 1 )) as the line of the graph 1Dl( 1 ). She computes Jb*(l( 1 )-1),1) (d’(l( 1 )) = d(l( 1 )1) and its neighbour d’(l( 1 )-1) = N a*(l( 1 )-1),1) (d(l( 1 )-1). Alice continue this process and gets d’( 1 ) = N a*( 1,1 ) (d( 1 )) in the graph 1D1. So she gets e( 1 ) = Jγ(d’( 1 )), γ = (α1,α2,..., αs).

The tuple (H1)’(e( 1 )) = r( 1 ) is the solution of the equation H1F1(z1, z2, zs, zs+1, ..., zs+m( 1 )) = 1c = (L1)1(2c’) which is equivalent to G1(z1, z2, zs, zs+1, ..., zs+m( 1 )) = 2c’.

Alice considers the equation H2F2(z1, z2, ..., zs, zs+1, ..., zs+m( 1 ), zs+m( 1 )+1, ..., zs+m( 1 )+m( 2 )) = 2c = L2(3c’).

The first s+m( 1 ) equations of this system are equivalent to H1F1(z1, z2, ..., zs+m( 1 )) = 1c with the solution γ( 1 ) = (1α1, 1α2, …, 1αs+m( 1 )) obtained due to the knowledge of the trapdoor accelerator.

Alice computes the specializations a*( 1, 2 ), a*( 2, 2 ), ..., a*(l( 2 ), 2), b*( 1, 2 ), b*( 2, 2 ), ..., b*(l( 2 ), 2) of a( 1, 2 ), a( 2, 2 ), ..., a(l( 2 ), 2), b(1, 2), b( 2, 2 ), ..., b(l( 2 ), 2) under the substitution z1 = 1α1, z2 = 1α2, …, zs+m( 1 ) = 1αs+m( 1 ).

She computes the point d(l( 2 )) = Jb*(2, l( 2 ))(2c) and line d’(l( 2 )) = Na*(2, l( 2 ))(d(l( 2 ))) of the graph 2Dl( 2 ), computes d(l( 2 )-1) = Jb*(2, l( 2 )-1)(d’(l( 2 )) and vertex d’(l( 2 )-1) = Na*(2, l( 2 )-1)(d(l( 2 )-1)) of the graph 2Dl( 2 )-1. Alice continue this process and gets d’( 1 )= N a*( 2,1 ) (d( 1 )) in the graph 2D1. So she gets e( 2 ) = Jγ( 1 )(d’( 1 )) in this graph.

The tuple (H2)’(e( 2 )) = γ( 2 ) is the solution of the equation H2F2(z1, z2, zs, zs+1, ..., zs+m( 1 ), zs+m( 1 )+1, ..., zs+m( 1 )+m( 2 )) = 2c=L2(3c’) which is equivalent to G2(z1, z2, zs, zs+1, ..., zs+m( 1 )+m( 2 )) = 3c’. Alice continue this recurrent process and gets the solution γ(r) of the equation Gr(z1, z2, zs, zs+1, ..., zs+m( 1 )+m( 2 )+...+m(k)) = 0c.

Remark 5.3. (nonlinear disturbance). In this iterative algorithm instead of the combination EN on Ks one can take any pseudolinear map Z with the multiplicative trapdoor accelerator at most d with the trapdoor accelerator can be used.

The technique of Jordan-Gauss graphs and their temporal analog defined over arbitrary commutative ring K can be used for the construction of bijective multivariate map F of prescribed degree d on free module Kn with the trapdoor accelerator T which allows computing the reimage of the given value in a polynomial time. In the case of d = 2 and 3 such maps can be used for the construction of public keys.

If d is a constant larger than 3 we can construct sparse maps of density O(n) with the trapdoor accelerator T. So the value of the function can be computed in time O(n2). For each constant d, we can construct the map of degree d, density O(n), and trapdoor accelerator which allows the computation of the reimage in time O(n2). Recall that we define the density of F as the maximal density of polynomials F(xi) for i = 1, 2, ..., n.

It is known that there is a special way to increase the number of variables and rewrite the nonlinear system F(x)=b as equivalent to it quadratic system in many variables. One can select “sufficiently large” d such that the corresponding quadratic system is unfeasible for cryptanalytic investigation.

We define sup(t) of the monomial term t = t(x1, x2, ..., xn) as the number of variables xi in positive power in the expression of t. The support of the multivariate map F is defined as the maximal value of sup(F) supports its monomial terms. We can construct multivariate maps on Kn with the prescribed density O(nα), 0≤α≤1, and prescribed support O(nβ) with the trapdoor accelerator. We construct multivariate map F of unbounded degree with the support n and prescribed density O(nβ) and multiplicative trapdoor accelerator.

Mentioned above pairs of kind (F, T) can be investigated as potential public key constructions of multivariate Cryptography. Alternatively, Alice can use her pair (F, T) in a different way. She and her trusted partner Bob can use twisted Diffie-Hellman protocol with the platform nES(K), and deform the output E via its transformation to polynomial transformation D(E) of Kn. Alice sends F+D(E) to Bob. The security of this asymmetric algorithm described in Section 1 rests on the security of the selected protocol.

Note that the mentioned above pairs (F, T) can be used as stream ciphers when the knowledge of T is shared between Alice and Bob.