Keywords

1 Introduction

Recent advances in quantum computing for solving complex problems formulate new trends for building secure public-key cryptosystems. The main directions in this area are the solution of the problem of finding the conjugate element in the theory of non-commutative groups and the word problem in groups and semigroups. The word complexity problem was proposed by Wagner and Magyarik [1] and implemented in several cryptosystems. One of the best known and most studied is a cryptosystem based on factorization in finite groups of permutations, called the logarithmic signature [2]. In 2009, Lempken et al. described an MST3 public-key cryptosystem based on a logarithmic signature and a Suzuki 2-group [2]. In 2008 Magliveras et al. [4] presented a comprehensive analysis of the MST3 cryptosystem identifying limitations for the logarithmic signature and stated that the transitive logarithmic signature is not suitable for the MST3 cryptosystem. In 2010, Swaba et al. [5] analyzed all known attacks on MST cryptography and built a more secure eMST3 cryptosystem by adding a secret homomorphic coverage. In 2018, T. van Trung [7] proposed a general method for constructing strong aperiodic logarithmic signatures for Abelian p-groups, which is a further contribution to the practical application of MST cryptosystems.

The construction of MST cryptosystems based on multiparameter non-commutative groups was proposed in [7,8,9]. MST cryptosystems based on multi-parameter groups allow optimizing the costs of cryptosystem parameters and secrecy.

Generalized Suzuki 2-groups are multivariable and have the highest group order compared to other multivariable groups. The first implementation of the cryptosystem on the generalized Suzuki 2-group is presented in [8] and does not provide protection against brute force attacks with sequential brute force key recovery. Analysis of MST cryptosystems by group shows their vulnerability to highlighted text attacks. The design feature of all known MST implementations is the presence of known texts and, as a consequence, the possibility of such cryptanalysis. A secure encryption scheme is proposed based on the generic Suzuki 2-group with homomorphic encryption.

2 Proposal

The generalizations of Suzuki 2-groups is defined over a finite field, \(F_{q}\), \(q = 2^{n}\), \(n > 0\) for a positive integer \(l\) and \(a_{1} ,a_{2} ,...,a_{l} \in F\) for some automorphism \(\theta\) of F as [10]:

$$ A_{l} (n,\theta ) = \left\{ {S(a_{1} ,a_{2} ,...,a_{l} )|a_{i} \in F_{q} } \right\} $$

Each element of \(A_{l} (n,\theta )\) can be expressed uniquely and it follows that \(\left| {A_{l} (n,\theta )} \right| = 2^{nl}\) and \(A_{l} (n,\theta )\) define a group of order \(2^{nl}\). If \(l = 2\), this group is isomorphic to a Suzuki 2-group \(A(n,\theta )\).

Group operation is defined as a product:

$$ \begin{array}{*{20}l} \begin{gathered} S(a_{1} ,a_{2} ,...,a_{l} )S(b_{1} ,b_{2} ,...,b_{l} ) = S(a_{1} + b_{1} ,a_{2} + (a_{1} \theta )b_{1} \hfill \\ + b_{2} ,a_{3} + (a_{2} \theta )b_{1} + (a_{1} \theta^{2} )b_{2} + b_{3} , \hfill \\ \end{gathered} \hfill \\ {...,a_{l} + (a_{l - 1} \theta )b_{1} + ... + (a_{1} \theta^{l - 1} )b_{l - 1} + b_{l} ).} \hfill \\ \end{array} $$

with the Identity element being \(S(0_{1} ,0,...,0)\).

The inverse element is given by:

$$ \begin{gathered} S(a_{1} ,a_{2} ,a_{3} ,...,a_{l} )^{ - 1} = S(a_{1} ,a_{2} + a_{1} \theta a_{1} ,a_{3} + a_{2} \theta a_{1} \hfill \\ \,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\, + a_{1} \theta^{2} (a_{2} + a_{1} \theta a_{1} ),...,a_{l} + a_{l - 1} \theta a_{1} + ...). \hfill \\ \end{gathered} $$

The group \(G\) is nonabelian group and has nontrivial center:

$$ Z\left( G \right) = \left\{ {S(0,0,...,c)\left| {c \in F_{q} } \right.} \right\}. $$

Assume that \(\theta\) is the Frobenius automorphism of \(F,\theta :x \to x^{2}\). For the fixed finite field, the group \(A_{l} (n,\theta )\) order is greater than the classical Suzuki 2 - group.

In the new implementation of the cryptosystem, we have changed the encryption algorithm and suggest using homomorphic encryption for random covers. In this case, the complexity of the key recovery attack will be determined by exhaustive search over the entire group.

2.1 Description of the Scheme

Our proposal is to create a logarithmic signature for the whole generalized Suzuki 2-group and homomorphic encryption of random covers in the logarithmic signature.

Let’s take a look at the basic steps of encryption.

Key Generation.

We fix a large group \(A_{l} (n,\theta ) = \left\{ {S(a_{1} ,a_{2} ,...,a_{l} )|a_{i} \in F_{q} } \right\}\), \(q = 2^{n}\).

Let’s build a tame logarithmic signatures \(\beta_{k} = \left[ {B_{1(k)} ,...,B_{s(k)} } \right] = \left( {b_{ij} } \right)_{k} = S\left( {0,..,0,b_{ij(k)} ,0,...,0} \right)\) of type: \(\left( {r_{1(k)} ,...,r_{s(k)} } \right)\), \(i = \overline{0,s(k)}\), \(j = \overline{{1,r_{i(k)} }}\), \(b_{ij(k)} \in F_{q}\), \(k = \overline{1,l}\).

Let’s set a random cover:

$$ \alpha_{k} = \left[ {A_{1(k)} , \ldots ,A_{s(k)} } \right] = \left( {a_{ij} } \right)_{k} = S\left( {a_{ij(k)}^{(1)} ,a_{ij(k)}^{(2)} , \ldots ,a_{ij(k)}^{(l)} } \right) $$

of the same type as \(\beta_{k}\), where \(a_{ij} \in A_{l} (n,\theta )\), \(a_{ij(k)}^{(v)} \in F_{q} \backslash \left\{ 0 \right\}\), \(i = \overline{1,s}\), \(j = \overline{{1,r_{i(k)} }}\), \(k = \overline{1,l}\).

Select the random covers:

\(w_{(k)} = \left[ {W_{1(k)} , \ldots ,W_{s(k)} } \right] = \left( {w_{ij} } \right)_{(k)} = S\left( {w_{ij(k)}^{(1)} ,w_{ij(k)}^{(2)} , \ldots ,w_{ij(k)}^{(l)} } \right)\) of the same types as \(\beta_{(k)}\), where \(w_{ij} \in A_{l} (n,\theta )\), \(w_{ij(k)} \in F_{q} \backslash \left\{ 0 \right\}\), \(i = \overline{0,s(k)}\), \(j = \overline{{1,r_{i(k)} }}\), \(k = \overline{1,l}\).

Let’s generate random \(t_{0(k)} ,...,t_{s(k)} \in A_{l} (n,\theta )\backslash Z\), \(t_{i(k)} = S(t_{i1(k)} ,...,t_{il(k)} )\), \(t_{ij(k)} \in F^{ \times }\), \(i = \overline{0,s(k)}\), \(k = \overline{1,l}\). Choose

$$ \begin{gathered} \tau_{0(k)} , \ldots ,\tau_{s(k)} \in A_{l} (n,\theta )\backslash Z,\,\tau_{i(k)} \hfill \\ = S(\tau_{i1(k)} , \ldots ,\tau_{il(k)} ),\,\tau_{ij(k)} \in F^{ \times } ,\,i = \overline{0,s(k)} ,\,k = \overline{1,l} . \hfill \\ \end{gathered} $$

Let’s take \(t_{s(k - 1)}^{{}} = t_{0(k)}\), \(\tau_{s(k - 1)}^{{}} = \tau_{0(k)}\), \(k = \overline{1,l}\).

Let’s define an additional group operation:

$$ \begin{array}{*{20}l} {S(a_{1} ,a_{2} ,...,a_{l} ) \circ^{\left( k \right)} S(b_{1} ,b_{2} ,...,b_{l} ) = } \hfill \\ \begin{gathered} S(a_{1} + b_{1} ,a_{2} + b_{2} ,...,a_{k} + b_{k} ,a_{k + 1} + a_{k}^{2} b_{1} + ... + a_{1}^{{2^{k} }} b_{k} \hfill \\ + b_{k + 1} ,...,a_{l} + a_{l - 1}^{2} b_{1} + ... + a_{1}^{{2^{l - 1} }} b_{l - 1} + b_{l} ). \hfill \\ \end{gathered} \hfill \\ \end{array} $$

The inverse element \(S^{ - (k)}\) for the group operation \(\circ^{\left( k \right)}\) is

$$ S^{ - (k)} (a_{1} ,a_{2} ,...,a_{l} ) = S(a_{1} ,a_{2} ,...,a_{k} ,\alpha_{k + 1} ,...,\alpha_{l} ) $$

where

$$ \begin{array}{*{20}l} {\alpha_{k + 1} = a_{k + 1} + a_{k}^{2} a_{1} + \ldots + a_{2}^{{2^{k - 1} }} a_{k - 1} + a_{1}^{{2^{k} }} a_{k} ,} \hfill \\ {\alpha_{k + 2} = a_{k + 2} + a_{k + 1}^{2} a_{1} + \ldots + a_{3}^{{2^{k - 1} }} a_{k - 1} + a_{2}^{{2^{k} }} a_{k} + a_{1}^{{2^{k + 1} }} \alpha_{k + 1} ,} \hfill \\ \ldots \hfill \\ {\alpha_{l} = a_{l} + a_{l - 1}^{2} a_{1} + \ldots + a_{l - k}^{{2^{k} }} a_{k} + a_{l - k - 1}^{{2^{k + 1} }} \alpha_{k + 1} + , \ldots , + a_{l}^{{2^{l - 1} }} \alpha_{l - 1} } \hfill \\ \end{array} $$

The application of additional group operation \(\circ^{\left( k \right)}\) leads to homomorphic representation of group elements \(S(a_{1} ,a_{2} ,...,a_{l} )\,\mathop{\longrightarrow}\limits^{{ \circ^{\left( k \right)} }}\,S(a_{1} ,a_{2} ,...,a_{k} ,\alpha_{k + 1} ,...,\alpha_{l} ) = S^{(k)}\).

We apply inverse homomorphic transformation for the inverse and direct elements \(S_{1}^{ - (k)}\), \(S_{2}^{(k)}\) of the group for the calculation in group with left inverse element \(S_{1}^{ - (n) \circ }\).

\(S_{3} = S_{1}^{ - (k) \circ } \cdot S_{2}^{(k) \circ }\) For \(S_{1}^{ - (k)}\) we have:

\(S^{ - (k) \circ } = S^{ \circ } (a_{1} ,a_{2} ,...,a_{k} ,\alpha_{k + 1} ,...,\alpha_{l} ) = S(\alpha_{1} ,...,\alpha_{k} ,\alpha_{k + 1} ,...,\alpha_{l} )\), where

$$ \alpha_{1} = a_{1} ,\alpha_{2} = a_{2} + a_{1}^{2} a_{1} ,...\alpha_{k} = a_{k} + a_{k - 1}^{2} a_{1} + ...,a_{l}^{{2^{k - 1} }} a_{k - 1} . $$

and for \(S_{2}^{(k)}\) respectively to \(S_{3} = S_{1}^{ - (k) \circ } \cdot S_{2}^{(k) \circ }\) we get

$$ S^{(k) \circ } = S^{ \circ } (b_{1} ,b_{2} ,...,b_{k} ,\beta_{k + 1} ,...,\beta_{l} ) = S(\beta_{1} ,...,\beta_{k} ,\beta_{k + 1} ,...,\beta_{l} ) $$
$$ \begin{gathered} \beta_{1} = b_{1} ,\beta_{2} = b_{2} + a_{1}^{2} \left( {b_{1} + a_{1} } \right),... \hfill \\ \beta_{k} = b_{k} + a_{k - 1}^{2} \left( {b_{1} + a_{1} } \right) + ...,a_{l}^{{2^{k - 1} }} \left( {b_{k - 1} + a_{k - 1} } \right). \hfill \\ \end{gathered} $$

Homomorphic transformations for \(S^{ - (k) \circ }\), \(S^{(k) \circ }\) are needed to for not breaking the group operation when calculating the elements of the group \(A_{l} (n,\theta )\).

Let \(f(e)\) be a homomorphic cryptographic transformation with respect to addition \(f(a + b) = f(a) + f(b)\), \(e,a,b \in F_{q}\) and the corresponding inverse transformation \(\hat{f}(e) = e\). We calculate the covering of the logarithmic signatures:

$$ h_{(k)} = \left[ {h_{1(k)} ,...,h_{s(k)} } \right] = t_{(i - 1)(k)}^{ - (k)} \circ^{(k)} \left( {w_{ij} } \right)_{(k)} \circ^{(k)} \left( {b_{ij} } \right)_{(k)} \circ^{(k)} t_{i(k)} $$

and coverings of the homomorphic cryptographic transformation:

\(g_{(k)} = \left[ {g_{1(k)} ,...,g_{s(k)} } \right] = \tau_{(i - 1)(k)}^{ - (k)} \circ^{(k)} f\left( {w_{ij} } \right)_{(k)} \circ^{(k)} \tau_{i(k)}\), where

$$ f(w_{(k)} ) = f\left( {w_{ij} } \right)_{(k)} = S\left( {f(w_{{ij(k)_{1} }} ),f(w_{{ij(k)_{2} }} ),...,f(w_{{ij(k)_{l} }} )} \right), $$
$$ i = \overline{1,s(k)} ,\,j = \overline{{1,r_{i(k)} }} ,\,k = \overline{1,l} . $$

An output public key is \((a_{k} ,h_{k} ,g_{k} )\), and a private key \(\left[ {f,\beta_{(k)} ,\left( {t_{0(k)} , \ldots ,t_{s(k)} } \right),\left( {\tau_{0(k)} , \ldots ,\tau_{s(k)} } \right)} \right]\), \(k = \overline{1,l}\) respectively.

Encryption

Let the message to be \(x = S\left( {x_{1} ,...,x_{l} } \right)\) and the public key \((a_{k} ,h_{k} ,g_{k} )\), \(k = \overline{1,l}\) respectively. Choose a random \(R = (R_{1} ,...,R_{l} )\), \(R_{1} ,...,R_{l} \in {\mathbb{Z}}_{{\left| {F_{q} } \right|}}\).

Compute the ciphertext \(y_{1}\), \(y_{2}\), \(y_{3}\) as:

$$ \begin{gathered} y_{1} = \alpha \left( R \right) \cdot x = \alpha_{1} \left( {R_{1} } \right) \cdot \alpha_{2} \left( {R_{2} } \right) \ldots \alpha_{l} \left( {R_{l} } \right) \cdot x \hfill \\ = S(\sum\limits_{k = 1}^{l} {\sum\limits_{{i = 1,j = R_{i(k)} }}^{s(k)} {a_{ij(k)}^{(1)} } } + x_{1} ,\sum\limits_{k = 1}^{l} {\sum\limits_{{i = 1,j = R_{i(k)} }}^{s(k)} {a_{ij(k)}^{(2)} } } + x_{2} + * , \hfill \\ \,\,\,\,\,\,\,\,\, \ldots ,\sum\limits_{k = 1}^{l} {\sum\limits_{{i = 1,j = R_{i(k)} }}^{s(k)} {a_{ij(k)}^{(l)} } } + x_{l} + * ,\left. {} \right), \hfill \\ \end{gathered} $$
$$ \begin{gathered} y_{2} = h\left( R \right) = h_{1} \left( {R_{1} } \right) \circ^{(1)} \hfill \\ \left( {h_{2} \left( {R_{2} } \right) \circ^{(2)} \ldots } \right.\left. {\left( {h_{l - 1} \left( {R_{l - 1} } \right) \circ^{(l - 2)} \left( {h_{l - 1} \left( {R_{l - 1} } \right) \circ^{(l - 1)} h_{l} \left( {R_{l} } \right)} \right)} \right)} \right) \hfill \\ = S\left( {\sum\limits_{k = 1}^{l} {\sum\limits_{{i = 1,j = R_{i(k)} }}^{s(k)} {w_{ij(k)}^{(1)} } } + \sum\limits_{{i = 1,j = R_{i(1)} }}^{s(1)} {\beta_{ij(1)} } ,\sum\limits_{k = 1}^{l} {\sum\limits_{{i = 1,j = R_{i(k)} }}^{s(k)} {w_{ij(k)}^{(2)} } } } \right. \hfill \\ \left. { + \sum\limits_{{i = 1,j = R_{i(2)} }}^{s(2)} {\beta_{ij(2)} } + * , \ldots ,\sum\limits_{k = 1}^{l} {\sum\limits_{{i = 1,j = R_{i(k)} }}^{s(k)} {w_{ij(k)}^{(l)} } } + \sum\limits_{{i = 1,j = R_{i(l)} }}^{s(l)} {\beta_{ij(l)} } + * } \right) \hfill \\ \end{gathered} $$

Here, the \(\left( * \right)\) components are determined by cross-calculations in the group operation of the product of \(t_{0(k)} ,...,t_{s(k)}\) and the product of \(w_{(k)} \left( {R_{k} } \right) + \beta_{(k)} \left( {R_{k} } \right)\).

$$ \begin{gathered} y_{3} = g\left( R \right) = g_{1} \left( {R_{1} } \right) \circ^{(1)} \hfill \\ \left( {g_{2} \left( {R_{2} } \right) \circ^{(2)} \ldots } \right.\left. {\left( {g_{l - 1} \left( {R_{l - 1} } \right) \circ^{(l - 2)} \left( {g_{l - 1} \left( {R_{l - 1} } \right) \circ^{(l - 1)} g_{l} \left( {R_{l} } \right)} \right)} \right)} \right) \hfill \\ = S\left( {\sum\limits_{k = 1}^{l} {\sum\limits_{{i = 1,j = R_{i(k)} }}^{s(k)} {f\left( {w_{ij(k)}^{(1)} } \right)} } + ,\sum\limits_{k = 1}^{l} {\sum\limits_{{i = 1,j = R_{i(k)} }}^{s(k)} {f\left( {w_{ij(k)}^{(2)} } \right)} } + } \right. * ,\, \ldots \,, \hfill \\ \left. {\sum\limits_{k = 1}^{l} {\sum\limits_{{i = 1,j = R_{i(k)} }}^{s(k)} {f\left( {w_{ij(k)}^{(l)} } \right)} } + * } \right) \hfill \\ \end{gathered} $$

Here, the \(\left( * \right)\) components are determined by cross-calculations in the group operation of the product of \(\tau_{0(k)} , \ldots ,\tau_{s(k)}\) and the product of \(f\left( {w_{(k)} \left( {R_{k} } \right)} \right)\).

Output: a ciphertext (y1, y2, y3) of the message \(x\).

Decryption Input: a ciphertext \(\left( {y_{1} ,y_{2} ,y_{3} } \right)\) and a private key \(\left[ {f,\beta_{(k)} ,t_{i(k)} ,\tau_{i(k)} } \right]\), \(i = \overline{0,s(k)}\), \(k = \overline{1,l}\).

To decrypt a message \(x\), we need to restore random numbers \(R = (R_{1} ,R_{2} ,...,R_{l} )\).

Compute

$$ \begin{gathered} D^{(1)} (R) = D^{(1)} (R_{1} ,R_{2} , \ldots ,R_{l} ) = t_{0(1)} \circ^{(1)} y_{2} \circ^{(l)} t_{s(l)}^{ - (l)} \hfill \\ \,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\,\, = S\left( {} \right.\sum\limits_{{i = 1,j = R_{i(1)} }}^{s(1)} {w_{ij(1)}^{(1)} } + \beta_{1} \left( {R_{1} } \right), * , \ldots , * \left. {} \right), \hfill \\ \end{gathered} $$
$$ \begin{gathered} G^{(1)} (R) = G^{(1)} (R_{1} ,R_{2} , \ldots ,R_{l} ) = \tau_{0(1)} \circ^{(1)} y_{3} \circ^{(l)} \tau_{s(l)}^{ - (l)} \hfill \\ \,\,\,\,\,\,\,\,\,\,\,\,\,\, = S\left( {} \right.\sum\limits_{{i = 1,j = R_{i(1)} }}^{s(1)} {f\left( {w_{ij(1)}^{(1)} } \right)} , * , \ldots , * \left. {} \right), \hfill \\ \end{gathered} $$

\(D^{(1)} (R)^{\prime} = D^{(1)} (R) \circ^{(1)} \hat{f}(G^{(1)} (R))^{ - (1)} = S(\sum\limits_{{i = 1,j = R_{i(1)} }}^{s(1)} {\beta_{ij(1)} } , * , * )\) Restore \(R_{1}\) with \(\beta_{(1)} \left( {R_{1} } \right) = \sum\limits_{{i = 1,j = R_{i(1)} }}^{s(1)} {\beta_{ij(1)} }\) using \(\beta_{(1)} \left( {R_{1} } \right)^{ - 1}\), because \(\beta_{1}\) is simple.

For the further calculation, it is necessary to remove the component \(h_{1} \left( {R_{1} } \right)\) from \(y_{2}\) and \(g_{1} \left( {R_{1} } \right)\) from \(y_{3}\). Compute

$$ y_{2}^{(1)} = h_{1} \left( {R_{1} } \right)^{ - (1) \circ } \cdot y_{2}^{ \circ } ,\,y_{3}^{(1)} = g_{1} \left( {R_{1} } \right)^{ - (1) \circ } \cdot y_{3}^{ \circ } ,\,D(R)^{(2)} = t_{0(2)} \circ^{(2)} y_{2}^{(1)} \circ^{(l)} t_{s(l)}^{ - (l)} , $$
$$ G(R)^{(2)} = \tau_{0(2)} \circ^{(2)} y_{3}^{(1)} \circ^{(l)} \tau_{s(l)}^{ - (l)} , $$
$$ D^{(2)} (R)^{\prime} = D^{(2)} (R) \circ^{(2)} \hat{f}(G^{(2)} (R))^{ - (2)} = S(0,\sum\limits_{{i = 1,j = R_{i(2)} }}^{s(2)} {\beta_{{ij(2)_{c} }} } , * ). $$

and restore \(R_{2}\) with \(\beta_{(2)} \left( {R_{2} } \right) = \sum\limits_{{i = 1,j = R_{i(2)} }}^{s(2)} {\beta_{ij(2)} }\) using \(\beta_{(2)} \left( {R_{2} } \right)^{ - 1}\), because \(\beta_{2}\) is simple. We continue the calculations iteratively until the last value \(R_{l}\) is restored. We have the following recurrent relations for \(n = \overline{1,l - 1}\):

\(y_{2}^{(n)} = h_{n} \left( {R_{n} } \right)^{ - (n) \circ } \cdot y_{2}^{(n - 1) \circ }\), \(y_{3}^{(n)} = g_{n} \left( {R_{n} } \right)^{ - (n) \circ } \cdot y_{3}^{(n - 1) \circ }\),

\(D^{(n + 1)} (R) = t_{0(n + 1)} \circ^{(n + 1)} y_{2}^{(n)} \circ^{(l)} t_{s(l)}^{ - (l)}\), \(G^{(n + 1)} (R) = \tau_{0(n + 1)} \circ^{(n + 1)} y_{3}^{(n)} \circ^{(l)} \tau_{s(l)}^{ - (l)}\),

\(D^{(n + 1)} (R)^{\prime} = D^{(n + 1)} (R) \circ^{(n + 1)} \hat{f}(G^{(n + 1)} (R))^{ - (n + 1)} = S(0,0,...,0,\sum\limits_{{i = 1,j = R_{i(n + 1)} }}^{s(n + 1)} {\beta_{ij(n + 1)} } , * )\)

Restore \(R_{n + 1}\) with \(\beta_{(n + 1)} \left( {R_{n + 1} } \right) = \sum\limits_{{i = 1,j = R_{i(n + 1)} }}^{s(n + 1)} {\beta_{ij(n + 1)} }\) using \(\beta_{(n + 1)} \left( {R_{n + 1} } \right)^{ - 1}\).

Recovery of the message \(x = a\left( {R_{1} ,R_{2} ,...,R_{l} } \right)^{ - 1} \cdot y_{1}\).

Example

We will show the correctness of the obtained expressions in the following simple example.

Let’s fix the four-parameter generalized Suzuki group \(G = A_{4} (n,\theta )\) over the finite field \(F_{q}\), \(q = 2^{5}\), \(g(x) = x^{5} + x^{3} + 1 \, \). Assume that \(\theta\) is the Frobenius automorphism of \(F_{q} ,\theta :\alpha \to \alpha^{2}\). Group operation is defined as:

$$ \begin{gathered} S(a_{1} ,a_{2} ,a_{3} ,a_{4} )S(b_{1} ,b_{2} ,b_{3} ,b_{4} ) = S(a_{1} + b_{1} ,a_{2} + a_{1}^{2} b_{1} + b_{2} , \hfill \\ a_{3} + a_{2}^{2} b_{1} + a_{1}^{4} b_{2} + b_{3} ,a_{4} + a_{3}^{2} b_{1} + a_{2}^{4} b_{2} + a_{1}^{8} b_{3} + b_{4} ). \hfill \\ \end{gathered} $$

The inverse element is determined as:

$$ S(a_{1} ,a_{2} ,a_{3} ,a_{4} )^{ - 1} = S(a_{1} ,a_{2} + a_{1}^{3} ,a_{3} + a_{2}^{2} a_{1} + a_{1}^{4} a^{\prime}_{2} ,a_{4} + a_{3}^{2} a_{1} + a_{2}^{4} a^{\prime}_{2} + a_{1}^{8} a^{\prime}_{3} ) $$

where \(a^{\prime}_{2} = a_{2} + a_{1}^{3}\), \(a^{\prime}_{3} = a_{3} + a_{2}^{2} a_{1} + a_{1}^{4} a^{\prime}_{2}\).

Let’s consider the basic steps of our calculations.

Generation of public and private keys

First stage is to generate a tame logarithmic signature with the dimension of corresponding selected type \(\left( {r_{1(k)} ,...,r_{s(k)} } \right)\) and finite field \(F_{q}\). The construction of arrays of logarithmic signatures is presented in [11]. For our example, we use the construction of simple logarithmic signatures without analyzing the details of their secrecy. Let’s \(\beta_{(k)}\) for \(k = \overline{1,3}\) have the types of \(\left( {2^{2} ,2^{3} } \right)\), \(\left( {2,2^{2} ,2^{2} } \right)\), \(\left( {2^{2} ,2,2^{2} } \right)\), \(\left( {2^{2} ,2^{2} ,2} \right)\). They are represented as a strings and elements of the group over the field \(F_{q}\) in the table provided below (Table 1).

Table 1. Logarithmic signature generation
Full size table

Construct random covers \(\alpha_{k}\), for the same type as \(\beta_{(k)}\)

$$ \alpha_{k} = \left[ {A_{1(k)} , \ldots ,A_{s(k)} } \right] = \left( {a_{ij} } \right)_{k} = S\left( {a_{ij(k)}^{(1)} ,a_{ij(k)}^{(2)} ,a_{ij(k)}^{(3)} ,a_{ij(k)}^{(4)} } \right) $$

where \(a_{ij} \in A_{l = 4} (n,\theta )\), \(a_{ij(k)}^{(v)} \in F_{q} \backslash \left\{ 0 \right\}\), \(i = \overline{1,s}\), \(j = \overline{{1,r_{i(k)} }}\), \(k = \overline{1,4}\).

In the field representation \(\alpha_{k}\) has the following form (Table 2)

Table 2. Random covers construction
Full size table

Choose random \(A_{l} (n,\theta )\) \(t_{0(k)} ,t_{1(k)} ,...,t_{s(k)} \in A_{l} (n,\theta )\), \(s_{(k)}\), \(k = \overline{1,4}\) and \(t_{2(1)}^{{}} = t_{0(2)}\), \(t_{3(2)}^{{}} = t_{0(3)}\), \(t_{3(3)}^{{}} = t_{0(4)}\) (Table 3)

Table 3. Random \(t\) vectors
Full size table

The inverse elements \(t_{0(k)}^{ - (k)} ,t_{1(k)}^{ - (k)} ,...,t_{s(k)}^{ - (k)}\) of the group \(A_{4} (n,\theta )\) were computed with reference below (Table 4):

Table 4. Computing of inverse elements \(t_{0(k)}^{ - (k)} ,t_{1(k)}^{ - (k)} , \ldots ,t_{s(k)}^{ - (k)}\)
Full size table

Similarly, we choose random \(\tau_{0(k)} ,\tau_{1(k)} ,...,\tau_{s(k)} \in A_{l} (n,\theta )\), \(s_{(k)}\), \(k = \overline{1,4}\) and \(t_{2(1)}^{{}} = t_{0(2)}\), \(t_{3(2)}^{{}} = t_{0(3)}\), \(t_{3(3)}^{{}} = t_{0(4)}\):

and the inverse elements \(\tau_{0(k)}^{ - (k)} ,\tau_{1(k)}^{ - (k)} ,...,\tau_{s(k)}^{ - (k)}\) (Table 5):

Table 5. Computing of random \(\tau\) vectors \(\tau_{0(k)} ,\tau_{1(k)} ,...,\tau_{s(k)} \in A(P_{\infty } )\backslash Z\)
Full size table
Table 6. Computing of inverse elements \(\tau_{0(k)}^{ - (k)} ,\tau_{1(k)}^{ - (k)} , \ldots ,\tau_{s(k)}^{ - (k)}\)
Full size table

Construct random covers \(w_{k}\), for the same type as \(\beta_{(k)}\)

\(w_{(k)} = \left[ {W_{1(k)} , \ldots ,W_{s(k)} } \right] = \left( {w_{ij} } \right)_{(k)} = S\left( {w_{ij(k)}^{(1)} ,w_{ij(k)}^{(2)} , \ldots ,w_{ij(k)}^{(l)} } \right)\), where \(w_{ij} \in A_{l = 4} (n,\theta )\), \(w_{ij(k)}^{(v)} \in F_{q}\), \(i = \overline{0,s(k)}\), \(j = \overline{{1,r_{i(k)} }}\), \(k = \overline{1,4}\) (Table 6 and 7).

Table 7. Construct random covers \(w_{k}\)
Full size table

The next step is to calculate the arrays \(h_{k}\). Within the condition of the example, we obtain:

\(h_{(k)} = \left[ {h_{1(k)} ,...,h_{s(k)} } \right] = t_{(i - 1)(k)}^{ - (k)} \circ^{(k)} \left( {w_{ij} } \right)_{(k)} \circ^{(k)} \left( {b_{ij} } \right)_{(k)} \circ^{(k)} t_{i(k)}\)

\(i = \overline{1,s(k)}\), \(j = \overline{{1,r_{i(k)} }}\), \(k = \overline{1,4}\).

Let’s a homomorphic cryptographic transformation for a field element \(e \Rightarrow \rho_{i} e\) where \(\rho_{i}\) is a secret parameter. The transformation is chosen to be the simplest. You can also use more complex homomorphic transformations with respect to the addition operation. We define homomorphic cryptographic transformation for a group element \(S\) as

$$ f\left( {S(e_{1} ,e_{2} ,e_{3} ,e_{4} )} \right) = S\left( {\rho_{1} e_{1} ,\rho_{2} e_{2} ,\rho_{3} e_{3} ,\rho_{4} e_{4} } \right), $$

and let’s \(\rho = \left( {\rho_{1} ,\rho_{2} ,\rho_{3} ,\rho_{4} } \right) = \left( {\alpha^{4} ,\alpha^{5} ,\alpha^{6} ,\alpha^{7} } \right)\).

Let’s a homomorphic cryptographic transformation for a field element \(e \Rightarrow \rho_{i} e\) where \(\rho_{i}\) is a secret parameter. The transformation is chosen to be the simplest (Table 8).

Table 8. Construct arrays \(h_{k}\)
Full size table
Table 9. Construct arrays \(g_{k}\)
Full size table

You can also use more complex homomorphic transformations with respect to the addition operation. We define homomorphic cryptographic transformation for a group element \(S\) as

$$ f\left( {S(e_{1} ,e_{2} ,e_{3} ,e_{4} )} \right) = S\left( {\rho_{1} e_{1} ,\rho_{2} e_{2} ,\rho_{3} e_{3} ,\rho_{4} e_{4} } \right), $$

and let’s \(\rho = \left( {\rho_{1} ,\rho_{2} ,\rho_{3} ,\rho_{4} } \right) = \left( {\alpha^{4} ,\alpha^{5} ,\alpha^{6} ,\alpha^{7} } \right)\).

Next, we compute the arrays \(g_{k}\) via the homomorphic transformation

$$ g_{(k)} = \left[ {g_{1(k)} ,...,g_{s(k)} } \right] = \tau_{(i - 1)(k)}^{ - (k)} \circ^{(k)} f\left( {w_{ij} } \right)_{(k)} \circ^{(k)} \tau_{i(k)} $$

\(i = \overline{1,s(k)}\), \(j = \overline{{1,r_{i(k)} }}\), \(k = \overline{1,4}\). See the Table 9 for the results.

An output public key \((a_{k} ,h_{k} ,g_{k} )\), and a private key \(\left[ {f,\beta_{(k)} ,\left( {t_{0(k)} , \ldots ,t_{s(k)} } \right),\,\left( {\tau_{0(k)} , \ldots ,\tau_{s(k)} } \right)} \right]\), \(k = \overline{1,4}\).

Encryption

Input: a message \(m \in A_{l} (n,\theta )\), \(m = S\left( {m_{1} ,m_{2} ,m_{3} ,m_{4} } \right)\), \(m_{i} \in F_{q}\) and the public key \(\left[ {f_{k} ,(a_{k} ,h_{k} ,g_{k} )} \right]\), \(k = \overline{1,4}\).

Let \(m = \left( {\alpha^{1} ,\alpha^{2} ,\alpha^{3} ,\alpha^{4} } \right) = S\left( {\alpha^{1} ,\alpha^{2} ,\alpha^{3} ,\alpha^{4} } \right)\).

Choose a random \(R = (R_{1} ,R_{2} ,R_{3} ,R_{4} ) = (10,20,30,14)\).

We obtain the following \(R_{i}\) expansions for given types of \(\left( {r_{1(k)} ,...,r_{s(k)} } \right)\), \(k = \overline{1,4}\)

$$ R_{1} = \left( {R_{1(1)} ,R_{2(1)} } \right) = \left( {2,2} \right) = 10, $$
$$ R_{2} = \left( {R_{1(2)} ,R_{2(2)} ,R_{3(2)} } \right) = \left( {0,1,1} \right) = 20, $$
$$ R_{3} = \left( {R_{1(3)} ,R_{2(3)} ,R_{3(3)} } \right) = \left( {0,3,3} \right) = 30. $$
$$ R_{4} = \left( {R_{1(4)} ,R_{2(4)} ,R_{3(4)} } \right) = \left( {2,1,1} \right) = 14 $$

Compute the cipher text:

$$ \begin{gathered} y_{1} = a^{\prime}\left( R \right) \cdot m = a^{\prime}_{1} \left( {R_{1} } \right) \cdot a^{\prime}_{2} \left( {R_{2} } \right) \cdot a^{\prime}_{3} \left( {R_{3} } \right) \cdot a^{\prime}_{4} \left( {R_{4} } \right) \cdot m = \hfill \\ S\left( {\alpha^{7} ,\alpha^{6} ,\alpha^{22} ,\alpha^{11} } \right) \hfill \\ \end{gathered} $$

where:

$$ a^{\prime}_{1} \left( {R_{1} } \right) = a_{1} \left( {10} \right) = a_{1(1)} \left( 2 \right)a_{2(1)} \left( 2 \right) = S\left( {\alpha^{23} ,\alpha^{13} ,\alpha^{20} ,\alpha^{20} } \right), $$
$$ a^{\prime}_{2} \left( {R_{2} } \right) = a_{2} \left( {20} \right) = a_{1(2)} \left( 0 \right)a_{2(2)} \left( 1 \right)a_{3(2)} \left( 1 \right) = S\left( {\alpha^{26} ,\alpha^{3} ,\alpha^{5} ,\alpha^{29} } \right), $$
$$ a^{\prime}_{3} \left( {R_{3} } \right) = a_{3} \left( {30} \right) = a_{1(3)} \left( 0 \right)a_{2(3)} \left( 3 \right)a_{3(3)} \left( 3 \right) = S\left( {0,\alpha^{27} ,\alpha^{8} ,\alpha^{4} } \right), $$
$$ a^{\prime}_{4} \left( {R_{4} } \right) = a_{4} \left( {14} \right) = a_{1(4)} \left( 2 \right)a_{2(4)} \left( 1 \right)a_{3(4)} \left( 1 \right) = S\left( {\alpha^{5} ,\alpha^{12} ,\alpha^{21} ,\alpha^{16} } \right). $$

Calculate

$$ y_{2} = h_{1} \left( {R_{1} } \right) \circ^{(1)} \left( {h_{2} \left( {R_{2} } \right) \circ^{(2)} \left( {h_{3} \left( {R_{3} } \right) \circ^{(3)} h_{4} \left( {R_{4} } \right)} \right)} \right) = S\left( {0,\alpha^{8} ,\alpha^{16} ,\alpha^{17} } \right) $$

The components \(h^{\prime}_{k} \left( {R_{k} } \right)\) are calculated similarly to \(a^{\prime}_{k} \left( {R_{k} } \right)\) components, but using the appropriate multiplication operation. Compute the component \(y_{3}\):

$$ y_{3} = g_{1} \left( {R_{1} } \right) \circ^{(1)} \left( {g_{2} \left( {R_{2} } \right) \circ^{(2)} \left( {g_{3} \left( {R_{3} } \right) \circ^{(3)} g_{4} \left( {R_{4} } \right)} \right)} \right) = S\left( {\alpha^{16} ,\alpha^{14} ,\alpha^{1} ,\alpha^{4} } \right). $$

We obtained output \(y_{1} = \left( {\alpha^{7} ,\alpha^{6} ,\alpha^{22} ,\alpha^{11} } \right),\) \(y_{2} = \left( {0,\alpha^{8} ,\alpha^{16} ,\alpha^{17} } \right)\), \(y_{3} = \left( {\alpha^{16} ,\alpha^{14} ,\alpha^{1} ,\alpha^{4} } \right)\).

Decryption

Input: a ciphertext \(\left( {y_{1} ,y_{2} ,y_{3} } \right)\) and private key \(\left[ {f,\beta_{(k)} ,t_{i(k)} ,\tau_{i(k)} } \right]\), \(i = \overline{0,s(k)}\), \(k = \overline{1,4}\).

Output: the message \(m \in A\left( {P_{\infty } } \right)\) corresponding to ciphertext \(\left( {y_{1} ,y_{2} ,y_{3} } \right)\).

To decrypt a message \(m\), we need to restore random numbers \(R = (R_{1} ,R_{2} ,R_{3} )\).

Compute

$$ D^{(1)} (R) = t_{0(1)} \circ^{(1)} y_{2} \circ^{(4)} t_{s(4)}^{ - (4)} = S(\alpha^{29} ,\alpha^{8} ,\alpha^{24} ,\alpha^{28} ), $$
$$ G^{(1)} (R) = \tau_{0(1)} \circ^{(1)} y_{3} \circ^{(4)} \tau_{s(4)}^{ - (4)} = S(\alpha^{18} ,\alpha^{5} ,\alpha^{7} ,\alpha^{30} ), $$
$$ D^{(1)} (R)^{\prime} = D^{(1)} (R) \circ^{(1)} \hat{f}(G^{(1)} (R))^{ - (1)} = S(\alpha^{5} ,\alpha^{22} ,\alpha^{21} ,\alpha^{0} ). $$

Restore \(R_{1}\) with \(\beta_{(1)} \left( {R_{1} } \right) = \sum\limits_{{i = 1,j = R_{i(1)} }}^{s(1)} {\beta_{ij(1)} }\) using \(\beta_{(1)} \left( {R_{1} } \right)^{ - 1}\), because \(\beta_{1}\) is simple.

We get \(\beta_{1} \left( {R_{1} } \right) = \alpha^{5} = ({10010})\). Perform inverse calculations \(\beta_{(1)} \left( {R_{1} } \right)^{ - 1}\).

10|010 R1 = (*, 2)

11|010 row 1 from B4(1)

10|010−11|010 = 01|000 R1 = (2, 2)

We get \(\beta_{1} \left( {R_{1} } \right)^{ - 1} = \left( {2,2} \right) = 10\)

For further calculation, it is necessary to remove the component \(h^{\prime}_{1} \left( {R_{1} } \right)\) from \(y_{2}\) and \(g^{\prime}_{1} \left( {R_{1} } \right)\) from \(y_{3}\).

Compute

$$ y_{2}^{(1)} = h_{1} \left( {R_{1} } \right)^{ - (1) \circ } \cdot y_{2}^{ \circ } = S(\alpha^{26} ,\alpha^{16} ,\alpha^{17} ,\alpha^{19} ), $$
$$ y_{3}^{(1)} = g_{1} \left( {R_{1} } \right)^{ - (1) \circ } \cdot y_{3}^{ \circ } = S(\alpha^{19} ,\alpha^{18} ,\alpha^{12} ,\alpha^{19} ), $$
$$ D^{(2)} (R) = t_{0(2)} \circ^{(2)} y_{2}^{(1)} \circ^{(4)} t_{s(4)}^{ - (4)} = S(\alpha^{26} ,\alpha^{18} ,\alpha^{16} ,\alpha^{2} ), $$
$$ G^{(2)} (R) = \tau_{0(2)} \circ^{(2)} y_{3}^{(1)} \circ^{(4)} \tau_{s(4)}^{ - (4)} = S(\alpha^{30} ,\alpha^{27} ,\alpha^{0} ,\alpha^{11} ), $$
$$ D^{(2)} (R)^{\prime} = D^{(2)} (R) \circ^{(2)} \hat{f}(G^{(2)} (R))^{ - (2)} = S(0,\alpha^{12} ,\alpha^{4} ,\alpha^{30} ) $$

and restore \(R_{2}\) with \(\beta_{(2)} \left( {R_{2} } \right) = \sum\limits_{{i = 1,j = R_{i(2)} }}^{s(2)} {\beta_{ij(2)} }\) using \(\beta_{(2)} \left( {R_{2} } \right)^{ - 1}\), because \(\beta_{2}\) is simple. We get \(\beta_{2} \left( {R_{2} } \right) = \alpha^{12} = (01111)\). Restore \(R_{2}\) with \(\beta_{2} \left( {R_{2} } \right)\). We use the same calculations as in the example for \(\beta_{2} \left( {R_{2} } \right)^{ - 1}\), and we get:

01|11|1 R2 = (*, *, 1)

10|01|1 row 1 from B3(2)

01|11|1−10|01|1 = 11|10|0 R2 = (*, 1, 1)

11|10|0 row 0 from B3(2)

11|10|0−11|10|0 = 00|00|0 R2 = (0, 1, 1)

We get \(\beta_{2} \left( {R_{2} } \right)^{ - 1} = \left( {0,1,1} \right) = 20\).

Remove the component \(h_{2} ^{\prime}\left( {R_{2} } \right)\) from \(y_{2}^{(1)}\) and \(g_{2} ^{\prime}\left( {R_{2} } \right)\) from \(y_{3}^{(1)}\). We get

$$ y_{2}^{(2)} = h_{3} \left( {R_{3} } \right)^{ - (2) \circ } \cdot y_{2}^{(1) \circ } = S(\alpha^{19} ,\alpha^{18} ,\alpha^{22} ,\alpha^{15} ), $$
$$ y_{3}^{(2)} = g_{3} \left( {R_{3} } \right)^{ - (2) \circ } \cdot y_{3}^{(1) \circ } = S(\alpha^{21} ,\alpha^{10} ,\alpha^{0} ,\alpha^{19} ), $$
$$ D^{(3)} (R) = t_{0(3)} \circ^{(3)} y_{2}^{(2)} \circ^{(4)} t_{s(4)}^{ - (4)} = S(\alpha^{23} ,\alpha^{5} ,\alpha^{18} ,\alpha^{21} ), $$
$$ G^{(3)} (R) = \tau_{0(3)} \circ^{(3)} y_{3}^{(2)} \circ^{(4)} \tau_{s(4)}^{ - (4)} = S(\alpha^{21} ,\alpha^{10} ,\alpha^{7} ,\alpha^{13} ), $$
$$ D^{(3)} (R)^{\prime} = D^{(3)} (R) \circ^{(3)} \hat{f}(G^{(3)} (R))^{ - (3)} = S(0,0,\alpha^{19} ,\alpha^{6} ) $$

We get \(\beta_{3} \left( {R_{3} } \right) = \alpha^{19} = (11011)\).

Perform inverse calculations \(\beta_{3} \left( {R_{3} } \right)^{ - 1}\).

1|10|11 R3 = (*, *, 3)

1|01|11 row 3 from B3(3)

1|10|11−1|01|11 = 0|11|00 R3= *, 3, 3)

0|11|00 row 3 from B2(3)

0|11|00−0|11|00 = 0|00|00 R3 = (0, 3, 3)

We get \(\beta_{3} \left( {R_{3} } \right)^{ - 1} = \left( {0,3,3} \right) = 30\).

Remove the component \(h_{3} ^{\prime}\left( {R_{3} } \right)\) from \(y_{2}^{(2)}\) and \(g_{3} ^{\prime}\left( {R_{3} } \right)\) from \(y_{3}^{(2)}\).

As a result, we get:

$$ y_{2}^{(3)} = h_{3} \left( {R_{3} } \right)^{ - (3) \circ } \cdot y_{2}^{(2) \circ } = S(\alpha^{19} ,\alpha^{1} ,\alpha^{29} ,\alpha^{17} ), $$
$$ y_{3}^{(3)} = g_{3} \left( {R_{3} } \right)^{ - (3) \circ } \cdot y_{3}^{(2) \circ } = S(\alpha^{13} ,\alpha^{13} ,\alpha^{0} ,\alpha^{16} ), $$
$$ D^{(4)} (R) = t_{0(4)} \circ^{(4)} y_{2}^{(3)} \circ^{(4)} t_{s(4)}^{ - (4)} = S(\alpha^{7} ,\alpha^{2} ,\alpha^{25} ,\alpha^{21} ), $$
$$ G^{(4)} (R) = \tau_{0(4)} \circ^{(3)} y_{3}^{(3)} \circ^{(4)} \tau_{s(4)}^{ - (4)} = S(\alpha^{11} ,\alpha^{7} ,\alpha^{0} ,\alpha^{16} ), $$
$$ D^{(3)} (R)^{\prime} = D^{(4)} (R) \circ^{(4)} \hat{f}(G^{(4)} (R))^{ - (4)} = S(0,0,0,\alpha^{29} ) $$

\(01010\)

We get \(\beta_{4} \left( {R_{4} } \right) = \alpha^{29} = (01010)\). Perform inverse calculations \(\beta_{4} \left( {R_{4} } \right)^{ - 1}\).

01|0|10 R3 = (*, *, 1)

00|1|10 row 1 from B3(4)

01|0|10−00|1|10 = 01|1|00 R3 = (*, 1, 1)

00|1|00 row 1 from B2(4)

01|1|00−00|1|00 = 01|0|00 R3 = (2, 1, 1)

We get \(\beta_{4} \left( {R_{4} } \right)^{ - 1} = \left( {2,1,1} \right) = 14\).

Receive a message \(m = a^{\prime}\left( R \right)^{ - 1} y_{1} = S\left( {\alpha^{1} ,\alpha^{2} ,\alpha^{3} ,\alpha^{4} } \right)\).

3 Security Parameters Analysis and Cost Estimation

Consider a brute force attack of key recovery. There are three possible schemes for such an attack.

Brute force attack on cipher text. By selecting \(R = (R_{1} ,R_{2} ,...,R_{l} )\) try to decipher the text \(y^{\prime}_{1} = \alpha^{\prime}\left( {R^{\prime}} \right) \cdot m = \alpha^{\prime}_{1} \left( {R^{\prime}_{1} } \right) \cdot \alpha^{\prime}_{2} \left( {R^{\prime}_{2} } \right) \ldots \alpha^{\prime}_{l} \left( {R^{\prime}_{l} } \right) \cdot m\). The covers \(\alpha_{k} = \left( {a_{ij} } \right)_{k} = S\left( {a_{ij(k)}^{(1)} ,a_{ij(k)}^{(2)} ,...,a_{ij(k)}^{(l)} } \right)\) are selected randomly and the value is determined by multiplication in a group with no coordinate constraints. The resulting vector \(\alpha ^{\prime}\left( {R^{\prime}} \right)\) depends on all components \(\alpha_{i} ^{\prime}\left( {R_{i} ^{\prime}} \right)\). Enumeration of key values \(R = (R_{1} ,R_{2} ,...,R_{l} )\) has an estimation of complexity. For a practical attack, the message\(m\) is also unknown and has uncertainty to choose from \(q^{l}\). This makes a brute-force attack on a key infeasible. If we take an attack model with a known text, then the attack complexity still remains the same and equal to \(q^{l}\).

Brute force attack on the cyphertext y2. Select \(R = (R_{1} ,R_{2} ,...,R_{l} )\) to match y2. The vector y2 has a following definition over the components \(\alpha^{\prime}_{i} (R_{i} )\)

$$ \begin{gathered} y_{2} = S\left( {\sum\limits_{k = 1}^{l} {\sum\limits_{{i = 1,j = R_{i(k)} }}^{s(k)} {w_{ij(k)}^{(1)} } } + \sum\limits_{{i = 1,j = R_{i(1)} }}^{s(1)} {\beta_{ij(1)} } ,\sum\limits_{k = 1}^{l} {\sum\limits_{{i = 1,j = R_{i(k)} }}^{s(k)} {w_{ij(k)}^{(2)} } } + } \right. \hfill \\ \left. {\sum\limits_{{i = 1,j = R_{i(2)} }}^{s(2)} {\beta_{ij(2)} } + * , \ldots ,\sum\limits_{k = 1}^{l} {\sum\limits_{{i = 1,j = R_{i(k)} }}^{s(k)} {w_{ij(k)}^{(l)} } } + \sum\limits_{{i = 1,j = R_{i(l)} }}^{s(l)} {\beta_{ij(l)} } + * } \right) \hfill \\ \end{gathered} $$

The values of the coordinates y2 are defined by calculations over the vectors \(w^{\prime}_{1} \left( {R_{1} } \right),w^{\prime}_{2} \left( {R_{2} } \right),...,w^{\prime}_{l} \left( {R_{l} } \right)\). The keys \(R = (R_{1} ,R_{2} ,...,R_{l} )\) are bound and changes in any of them leads to change y2. The brute force attack on key \(R\) has a complexity equal to \(q^{l}\).

Brute force attack on the ciphertext \(y_{3}\). Select \(R = (R_{1} ,R_{2} ,...,R_{l} )\) to match \(y_{3}\). The vector \(y_{3}\) has a following definition over the components \(\rho_{i} w_{i} ^{\prime}\left( {R_{i} } \right)\)

$$ \begin{gathered} y_{3} = S\left( {\sum\limits_{k = 1}^{l} {\sum\limits_{{i = 1,j = R_{i(k)} }}^{s(k)} {f\left( {w_{ij(k)}^{(1)} } \right)} } + ,\sum\limits_{k = 1}^{l} {\sum\limits_{{i = 1,j = R_{i(k)} }}^{s(k)} {f\left( {w_{ij(k)}^{(2)} } \right)} } + } \right. * , \hfill \\ \,\,\,\,\,\,\,\,\,\,\, \ldots ,\left. {\sum\limits_{k = 1}^{l} {\sum\limits_{{i = 1,j = R_{i(k)} }}^{s(k)} {f\left( {w_{ij(k)}^{(l)} } \right)} } + * } \right). \hfill \\ \end{gathered} $$

The values of the coordinates \(y_{3}\) are defined by calculations over the vectors \(w_{1} ^{\prime}\left( {R_{1} } \right),w_{2} ^{\prime}\left( {R_{2} } \right),...,w_{l} ^{\prime}\left( {R_{l} } \right)\). The keys \(R_{1} ,R_{2} ,...,R_{l}\) are bound and changes in any of them leads to change \(y_{3}\). The brute force attack on key \(R\) has a complexity equal to \(q^{l}\).

Brute force attack on the vectors \(\left( {t_{0(k)} , \ldots ,t_{s(k)} } \right)\) and \(\left( {\tau_{0(k)} ,\tau_{1(k)} , \ldots ,\tau_{s(k)} } \right)\). The brute force attack on \(\left( {t_{0(k)} , \ldots ,t_{s(k)} } \right)\) is a general for the MST cryptosystems and for the calculation in the field \(F_{q}\) over the group center \(Z\left( G \right)\) has an optimistic complexity estimation equal to \(q\). For the proposed algorithm all calculations are executed on whole group \(\left| {A_{l} (n,\theta )} \right| = q^{l}\) and is a such case the complexity of the brute force attack on \(\left( {t_{0(k)} , \ldots ,t_{s(k)} } \right)\) and \(\left( {\tau_{0(k)} ,\tau_{1(k)} , \ldots ,\tau_{s(k)} } \right)\) will be equal to \(q^{l}\).

Attack on the Algorithm. The attack on the implementation algorithm of the MST cryptosystem based on the generalized Suzuki 2-group is multifaceted. Practical attacks look at the features of logarithmic signatures and random coverings known to a cryptanalyst. One solution is to use aperiodic logarithmic signatures. In the new cryptosystem with homomorphic encryption, random covers are a secret for the cryptanalyst. In this case, the known attacks based on the weakness of logarithmic signatures are impossible.

Let’s estimate security and keys parameters for generalized Suzuki-2 group cryptosystem. We fix a generalized Suzuki 2-group \(A_{l} (n,\theta ) = \left\{ {S(a_{1} ,a_{2} , \ldots ,a_{l} )|a_{i} \in F_{q} } \right\}\), which is defined over the field \(F_{q}\), \(q = 2^{n}\). Then for \(l\)-parametric group we achieve \(K = nl\) bit cryptography. Logarithmic signature array and random covers are known parameters that are used in encryption as follows

$$ \alpha_{k} = \left[ {A_{1(k)} , \ldots ,A_{s(k)} } \right] = \left( {a_{ij} } \right)_{k} = S\left( {a_{ij(k)}^{(1)} ,a_{ij(k)}^{(2)} , \ldots ,a_{ij(k)}^{(l)} } \right), $$
$$ h_{(k)} = \left[ {h_{1(k)} , \ldots ,h_{s(k)} } \right] = S\left( {h_{ij(k)}^{(1)} ,h_{ij(k)}^{(2)} , \ldots ,h_{ij(k)}^{(l)} } \right) $$

Also, we know random cover with homomorphic encryption

$$ g_{(k)} = \left[ {g_{1(k)} , \ldots ,g_{s(k)} } \right] = S\left( {g_{ij(k)}^{(1)} ,g_{ij(k)}^{(2)} , \ldots ,g_{ij(k)}^{(l)} } \right) $$

for \(k = \overline{1,l}\).

The number of vectors in arrays \(\alpha_{k}\), \(h_{(k)}\), \(g_{(k)}\) is defined by the type of logarithmic signature. \(\left( {r_{1(k)} , \ldots ,r_{s(k)} } \right)\) and equals to \(N = \sum\limits_{k = 1}^{l} {\left( {r_{1(k)} + r_{2(k)} + \ldots + r_{s(k)} } \right)}\)

Since arrays \(\alpha_{k}\), \(g_{(k)}\) are random and can be constructed by random bits deterministic generator from some initial vector \(V\), then we can define \(\alpha_{k}\), \(g_{(k)}\) over the vector \(V\). Let’s fix the vector length \(V\)to be equal to \(nl\) bits.

The array size \(g_{(k)}\) equals to: \(N_{g} = l\sum\limits_{k = 1}^{l} {\left( {r_{1(k)} + r_{2(k)} + \ldots + r_{s(k)} } \right)}\) n-bits words.

The secret parameters of the cryptosystem include vectors \(t\), \(\tau\), \(\rho\):

$$ t_{0(k)} , \ldots ,t_{s(k)} \in A_{l} (n,\theta )\backslash Z,\,t_{i(k)} = S(t_{i1(k)} , \ldots ,t_{il(k)} ), $$
$$ \tau_{0(k)} , \ldots ,\tau_{s(k)} \in A_{l} (n,\theta )\backslash Z,\,\tau_{i(k)} = S(\tau_{i1(k)} , \ldots ,\tau_{il(k)} ),\,\rho = \left( {\rho_{1} ,\rho_{2} , \ldots ,\rho_{l} } \right),\,k = \overline{1,l} . $$

The number of vectors \(t_{i(k)}\), \(\tau_{i(k)}\) equals to:\(N_{t} = N_{\tau } = l\sum\limits_{k = 1}^{l} {s(k)}\) n-bits words.

The length of the vector \(\rho\) equal to \(nl\) bits.

Obviously, that \(N_{g}\), \(N_{t}\), \(N_{\tau }\) depends on type of \(\left( {r_{1(k)} , \ldots ,r_{s(k)} } \right)\).

Let the secrecy of cryptographic transformations be determined by\(K\) bits.

Let’s define a type of \(\left( {r_{1(k)} , \ldots ,r_{s(k)} } \right) = \left( {2, \ldots ,2} \right)\), then \(s(k) = n\) over the field \(F(2^{n} )\). We get the following values

\(N_{g} = nl\sum\limits_{k = 1}^{l} {\left( {r_{1(k)} + r_{2(k)} + \ldots + r_{s(k)} } \right)} = 2n^{2} l^{2} = 2K^{2}\) bit

\(N_{t} = N_{\tau } = nl\sum\limits_{k = 1}^{l} {s(k)} = n^{2} l^{2} = K^{2}\) bit

The length of vectors \(V\), \(\rho\) equals to \(N_{V} = N_{\rho } = nl = K\) bit. Let’s define a type of \(\left( {r_{1(k)} , \ldots ,r_{s(k)} } \right) = \left( {2^{8} , \ldots ,2^{8} } \right)\), \(s(k) = n/8\) over field \(F(2^{n} )\). We achieve

\(N_{g} = nl\sum\limits_{k = 1}^{l} {\left( {r_{1(k)} + r_{2(k)} + \ldots + r_{s(k)} } \right)} = 2^{5} n^{2} l^{2} = 2^{5} K^{2}\) bit

\(N_{t} = N_{\tau } = nl\sum\limits_{k = 1}^{l} {s(k)} = n^{2} l^{2} /8 = 2^{ - 3} K^{2}\) bit

Estimated implementation costs are presented in the table below.

Memory costs for arrays of shared and secret parameters do not depend on the field \(F(2^{n} )\) and the number of parameters of the generalized Suzuki group. Selection of field \(F_{q}\) and parameters of the Suzuki group will define the speed of calculations on the group and depends on the software implementation (Table 10).

Table 10. Estimated implementation costs
Full size table

4 Conclusions

Generalized Suzuki 2-groups are multiparameter groups and may have an arbitrarily large order. MST cryptosystems based on generalized Suzuki 2-group have an advantage over other schemes implementations in secrecy and realization. We can build a highly secure cryptosystem with group computation in a small finite field. Applying homomorphic encryption to random coverings in a logarithmic signature provides protection against known attacks on logarithmic signature implementations. To build a cryptosystem, you can use secure logarithmic signatures of a simple design, which leads to low costs for the general parameters of the cryptosystem. The proposed cryptosystem with homomorphic encryption is a good candidate for post-quantum cryptography.