3 Construction of Boolean quasigroups of various degrees and orders

The established form (2) of the T-functions that are quasigroups from the previous section, is quite easy for manipulation. But, for creation of special types of quasigroups we will rewrite it in an equivalent matrix form, very suitable for implementation.

Theorem 3. Let x = (xw, . . . , x1)and y = (yw, . . . , y1) be variables over Z^w2. Then every T-function that is a quasigroup can be written as a vector valued Boolean function in a unique form

q(xw, . . . , x1, yw, . . . , y1) =A1·(xw, . . . , x1)^T+A2·(yw, . . . , y1)^T +b^T, (3) where A1 = [fij]w×w and A2 = [gij]w×w are upper triangular matrices of Boolean expressions, such that:

Proof. We show that (3) and (2) are equivalent forms of a T-function that is a quasigroup. From (3),qis of the formq= (q^(w), q^(w⁻¹⁾, . . . , q⁽¹⁾) where for every

7 Using (3) (or (2)) one can create a quasigroup that is a T-function of arbi-trary degree, by restricting the degrees offijandgij. It also allows construction of a quasigroup of arbitrary order 2^w. This characteristic, together with the var-ious types of isotopic transformations given, is especially suitable for creation of MQQs.

As the authors of [2] noted in the paper, the randomized algorithm for gener-ating MQQs given there was able to produce only quasigroups of low orders (at most 2⁵). That is why the authors proposed the creation of MQQs of higher or-der as an open problem. Another important issue mentioned, was distinguishing the different types of MQQs, and finding a way of producing only quasigroups of the desired type. Finally, finding their number, or lower bound was also posed as open research question regarding the security of the algorithm.

Here, we propose an effective general algorithm, that gives answers to these questions, but also goes deeper into the structure of the MQQs and enables a different classification, with great security implications.

Definition 2. A quasigroup(Q,∗)of order2^w is called Multivariate Quadratic Quasigroup (MQQ) of type Quadw−kLink if exactly w−k of the polynomials q⁽ⁱ⁾ are of degree 2 (i.e., are quadratic) andk of them are of degree 1 (i.e., are linear), where0≤k < w.

The general form of a MQQ of order 2^w that is a T-function, follows directly from the general case.

Corollary 1. The vector valued Boolean functionq(xw, . . . , x1, yw, . . . , y1)over Z^w2 defines a quasigroup that is a multivariate quadratic quasigroup and a T-function if and only if it can be written in the form (3) where fij and gij are linear Boolean expressions.

We will call these quasigroups Triangular Multivariate Quadratic Quasi-groups (T-MQQ).

Proposition 4. With suitably chosen matrices A1 and A2 of linear Boolean expressions, using the form (3), one can produce a T-MQQ of arbitrary type Quadw−kLink, fork= 1, . . . , w, but never of typeQuadwLin0.

Proof. In (3),q^(s)is of the form

q^(s)(x, y) = (0, . . . ,0,1, fw−s+1,w−s+2, . . . , fw−s+1,w)·(xw, . . . , x1)^T+ + (0, . . . ,0,1, gw−s+1,w−s+2, . . . , gw−s+1,w)·(yw, . . . , y1)^T+bs. So, if we choosefw−s+1,jandgw−s+1,j,j=w−s+ 1, . . . , w, to be constants (0s and 1s), thanq^(s)will be a linear polynomial. In this manner we can produce as many linear coordinates ofq as we want. Note that the structure of a T-function implies thatq⁽¹⁾ is always linear, hence a T-MQQ of typeQuadwLin0can not be constructed.

The type of linear Boolean expressions that are present as elements in the matricesA1andA2, in (3), determines the complexity of the produced T-MQQ

q = (q^(w), q^(w⁻¹⁾, . . . , q⁽¹⁾) in the sense of the diﬀerent quadratic monomials that will occur in the functionsq^(s), 1≤s≤w. Using similar strategy as in the previous proposition, we have the following one.

Proposition 5. With suitably chosen matricesA1andA2of linear Boolean ex-pressions, using the form(3), one can produce T-MQQq= (q^(w), q^(w⁻¹⁾, . . . , q⁽¹⁾) with the following structure ofq^(s):

– the only quadratic monomials that appear are of typexixj (yiyj), – q^(s) contains quadratic monomials only of typexixj andyiyj,

– q^(s)contains quadratic monomials only of typexixjandxiyj(yiyjandxiyj), – q^(s) contains quadratic monomials of type xixj, xiyj and yiyj (i.e., of all

types).

The implication of this proposition is that there is a way to mix all the variables xw, . . . , x1, yw, . . . , y1and increase the complexity of the MQQ. We should note that some of the MQ-based cryptsystems that have been broken ([2], [5]) use multivariate quadratic polynomials that don’t mix all the variables, which can impair the security of the system.

Nevertheless, sometimes one needs to trade-off between security and effi-ciency. Quasigroup based cryptsystems use bijective transformations that include the quasigroup operation in one direction (encryption), and some parastrophic operation in the opposite direction (decryption). Generally, finding the paras-trophic operation is a time consuming procedure, especially for quasigroups of higher order. The next proposition gives a special form of a MQQ of arbitrary order that does not mix all the variables, but whose left parastrophe can be easily found. (The case for the right parastrophe is analogous.)

Proposition 6. Let A1 = [fij]w×w and A2 = [gij]w×w be upper triangular matrices of linear Boolean expressions, such that:

– for every i= 1, . . . , w,fii= 1andgii= 1,

– for every i= 1, . . . , w−1,fiw andgiw are constants,

– for alli < j < w,fij andgij can depend only on xw−j, . . . , x1, – the vectorb= (bw, . . . , b1)is a Boolean constant vector.

Then,

q(xw, . . . , x1, yw, . . . , y1) =A1·(xw, . . . , x1)^T +A2·(yw, . . . , y1)^T +b^T, is a quasigroup with left parastropheq_\

q_\(xw, . . . , x1, yw, . . . , y1) =A⁻₂¹·((yw, . . . , y1)^T −A1·(xw, . . . , x1)^T −b^T).

Proof. Clearly, q is a T-MQQ. Since A2 is upper triangular A⁻₂¹ exists, and sinceA1andA2depend only on thexj variables, one can verify that

q(xw, . . . , x1, q_\(xw, . . . , x1, yw, . . . , y1)) = (yw, . . . , y1)^T, and, q_\(xw, . . . , x1, q(xw, . . . , x1, yw, . . . , y1)) = (yw, . . . , y1)^T, i.e.,q_\ is the left parastrophe ofq.

9 Now, using Proposition 2 and Proposition 3 we can perform isotopic trans-formations to a T-MQQ and obtain a general MQQ.

Proposition 7. Let q be a T-MQQ of order 2^w as defined in Corollary 1. Let D,D1,D2 be w×w nonsingular Boolean matrices, and let c, c1, c2 be Boolean vectors of dimensionw. Then

q_∗(xw, . . . , x1, yw, . . . , y1) =q((xw, . . . , x1)·D1+c1,(yw, . . . , y1)·D2+c2)·D+c defines a MQQ.

Proposition 7 provides a way for construction of MQQs that are suitable for use in an MQ-based cryptsystems. Their strength for application in a variant of the scheme [2] is being studied by the authors at the moment.

Example 1. We give an example of a T-MQQ of order 2⁵ obtained using (3).

Then using Proposition 7 we construct a general MQQ of order 2⁵. LetA1,A2be 5×5 matrices given by

At the end we give an estimate of the lower bound of diﬀerent MQQs of order 2^w, that comes as a consequence of the discussion above.

Proposition 8. There are exactly2^w+^w−1^j=1 ^j(4w⁻^4j⁻¹⁾ T-MQQs of order 2^w. Proof. For eachfijthere are exactly 2^2(w⁻^j+1) choices, and for eachgij exactly 2^2(w−j)+1 choices. This means that there are 2^w^j=22(w−j+1)(j−1) different ma-tricesA1 and 2^w^j=2^[2(w⁻^j)+1](j⁻¹⁾ different matrices A2. The vectorb can be chosen in 2^w ways. Altogether, the number of different T-MQQs of order 2^w is exactly 2^w+^w^j=1⁻¹^{j(4w−4j−1)}.

The number of T-MQQs for the ﬁrst few values ofw is given in Table 1.

w 2 3 4 5 6 8 9 10 12 14 15 16

T-MQQs 2⁵ 2¹⁶ 2³⁸ 2⁷⁵ 2¹³¹ 2³¹⁶ 2⁴⁵³ 2⁶²⁵ 2¹⁰⁹⁰ 2¹⁷⁴³ 2²¹⁵⁰ 2²⁶¹⁶ Table 1.T-MQQs of order 2^w

This number can be regarded as a lower bound for general MQQs of order 2^w. Even though it is clear that the number of MQQs that can be created using Proposition 7 is much bigger, the claim itself does not specify it. Still, it provides an estimate of the number of diﬀerent constructions of MQQs. Since there are around 0.28·2^w²diﬀerent nonsingular matrices, the total number of constructions is around 0.28³·2^3w²^+4w+^w−1^j=1 ^j(4w⁻^4j⁻¹⁾.

References

1. C. Adams and S. Tavares,The Structured Design of Cryptographically Good S-Boxes, Journal of Cryptology (1990) 3, pp.27–41

2. D. Gligoroski, S. Markovski, and S.J. Knapskog, Multivariate quadratic trapdoor functions based on multivariate quadratic quasigroups, American Conference on Ap-plied Mathematics; Harvard, March 2008, USA.

3. A. Klimov and A. Shamir, A New Class of Invertible Mappings, In B.S. Kaliski Jr. and C .K. Koc and C. Paar, editor, 4th Workshop on Cryptographic Hardware and Embedded Systems (CHES), volume , pages 471–484. Springer-Verlag, Lecture Notes in Computer Science, August 2002.

4. M. S. E. Mohamed, J. Ding, J. Buchmann and F. Werner Algebraic Attack on the MQQ Public Key Cryptsystem, Lecture Notes in Computer Science, Volume 5888/2009, pp. 392-401

5. A. Kipnis, J. Patarin, and L. Goubin, Unbalanced Oil and Vinegar signature schemes, Advances in Cryptology, EUROCRYPT 1999, LNCS Vol. 1592, pp. 206–

222, 1999.

6. S. Samardziska,Polynomialn-ary quasigroups of orderp^w, Masters’ thesis, PMF -Skopje, 2009,http://sites.google.com/site/samardziska/publications/pubs/

mastersSamardziska.pdf

7. C. K. Wu and V. Varadharajan,Public key cryptsystems based on Boolean permu-tations and their applications, International journal of computer mathematics 2000, vol. 74, no2, pp. 167-184

Dans le document Proceedings of the Second International Conference on Symbolic Computation and Cryptography (Page 121-129)