Symmetric and asymmetric cryptographic key exchange protocols in the octonion algebra

We propose three cryptographic key exchange protocols in the octonion algebra. Using the totient function, defined for integral octonions, we generalize the RSA public-key cryptosystem to the octonion arithmetics. The two proposed symmetric cryptographic key exchange protocols are based on the automorphism and the derivation of the octonion algebra.


Introduction
The development on non-commutative cryptography has its origin in the solutions of the three famous problems in combinatorial group theory proposed by Dehn [1] and Miller [2] . In 1954 Novikov constructed a finitely presented group for which the conjugacy problem is unsolvable, [3]. In 1955, Novikov and Boone independently showed that there are finite group presentations whose word problem is undecidable, [4][5][6][7][8]. In [9] Wagner and Magyarik devised the first public-key protocol based on the unsolvability of the word problem for finitely presented groups. A non-deterministic public-key cryptosystem based on the conjugacy problem on braid group, similar to the Diffie-Hellman key exchange system, was proposed in [10]. The most interesting non-commutative key agreement cryptographic systems were proposed by Anshel, Anshel and Goldfeld (AAG) in [11,12]. To construct a key agreement cryptographic system the authors used the braid groups for which the best known algorithm to solve the conjugacy problem requires at least exponential running time. A natural extension B Z. Lipiński zlipinski@uni.opole.pl 1 University of Opole, Opole, Poland of the non-commutative cryptography is the cryptography on the non-associative algebraic structures. The earliest quasigroup-based public-key cryptosystem was proposed by Koscielny and Mullen, [13]. In [14] the AAG PKC was generalized to the nonassociative algebraic structures, called the left self-distributive (LD) systems, [15,16]. In [14] Kalka used the LD-systems to define the non-associative public-key cryptographic protocol.
In this article we propose three cryptographic key exchange protocols based on the octonion algebra, [17]. The first protocol is the generalization of the RSA algorithm to the octonion arithmetic, [18]. The another two, symmetric cryptographic key exchange protocols, are based on the automorphism and the derivation of the octonion algebra.
We denote by {e i } 7 i=0 the basis of the octonion algebra O. The multiplication of the octonions can be described using the set of directed lines L = {013, 045, 352, 346, 260, 241, 156} in the Fano plane, [19]. Each line i jk ∈ L contains three points i, j, k which represents three octonions with the multiplication e i e j = e k . For the octonion unit e 7 = 1 the multiplication in O can be defined by the following relations e i e j = −δ i, j e 7 + i jk e k , i, j ∈ [0, 6], where i jk is an antisymmetric tensor such, that i jk = 1 if i jk ∈ L and δ i, j is the Kronecker delta. The octonions O form the non-associative, normed division algebra, [17]. The non-associativity of three elements x, y, z from O can be expressed by an associator (x, y, z) = (x y)z − x(yz). It is linear in each of its three variables and vanishes whenever two of its variables are equal, i.e., it is an alternating function, [20]. By linearizing the alternative laws one can show that the associator is skew symmetric, i.e., it changes the sign whenever two of its variables are interchanged.
Any element x ∈ O satisfies the minimal polynomial where N(x) = 7 i=0 x 2 i is the norm of the octonion x and Re(x) = x 7 . The octonion is integer when the trace tr(x) = 2Re(x) ∈ Z and N(x) ∈ Z. We denote by e i jkl the octonion 1 2 (e i + e j + e k + e l ). On can easily check that the product of the two integral octonions e 0235 and e 7235 is non-integral, i.e., tr(e 0235 e 7235 ) = − 3 2 . From this follows, that the set of octonion integers does not form a ring, and it is necessary to consider subrings of integers, called the orders, [21,22]. There are sixteen orders of integral octonions containing O(Z), [17]. Among them there are seven isomorphic maximal orders (called the octonion arithmetics). By a maximal order we mean an order which is not contained in any other order. To construct a maximal closed under multiplication set of integral octonions (the octionion arithmetic) we use two sets L 0 and Q 0457, 3527, 3467, 2607, 2417, 1567},  Q = {2456, 6123, 4601, 5012, 1345, 3560, 0234}, where Q is the complements of the lines L on the Fano plane. If we interchange in L 0 and Q the elements 0 and 7 we obtain the Coxeter-Dickson 0-sets (0-integers). The 0-integers are spanned by the following halving-sets of octonions, [17]. where Ω is the set of Kleinian octonions generated by the element 1 2 7 i=0 e i , and the empty set ∅ generated by 7 i=0 e i , called the Graves integers, i.e., the octonions of the form x = 7 i=0 x i e i , x i ∈ Z. The underlined octonions are the generators of the 0-sets over the Gravesian integers. The octonion arithmetic generated by the 0-sets we denote by O and call the integral octonions. Two octonions are congruent mod m provided that their difference is m times an octonion integer [22,23]. In the following lemma we prove, an important for further applications, property of λ(x, m).
In the next section, based on the property (2) of the totient function we define the public-key agrement cryptographic protocol in the octonion arithmetic O.

The octonionic public-key cryptosystem
By k we denote an integral octonion O I m with the known totient function λ(k, m). A plain text for encryption we will represent by an integral octonion u = (u 0 , . . . , u 7 ) ∈ O I m . From Lemma 1 it follows, that any integral octonion of the form uku −1 , where u ∈ O I m , has the same totient function λ(uku −1 , m) = λ(k, m). We use k to enocde the plain text u into the octonion u k = uku −1 . Let e be a number from the interval [1, λ(k, m)) that is coprime to λ(k, m), i.e., gcd(e, λ(k, m)) = 1 mod m. By d we denote the number inverse to e mod λ(k, m), i.e., e · d = 1 mod λ(k, m). To encrypt the encoded text in the octonion u k we calculate the expression C(u k ) = u e k mod m. The decryption is the operation of taking the cipher text octonion C(u k ) to the power d mod m, i.e., u k = C(u k ) d = u e·d k mod m. To encode the plain text u from u k , the recipient has to solve the linear equation uk = u k u mod m in O m . In general, a solution of this equation is not unique. To allow the recipient of the cipher C(u k ) uniquely recover the encrypted text one can attached to the cipher a hash value of the encoded octonion or provide to the recipient three parameters which allow to solve the equation uniquely. The general equation xa = bx mod m for the x variable, where x, a, b ∈ O m and m ∈ N is equivalent to Solution of the homogeneous equation over the real octonion algebra O exists when N(a) = N(b) and tr(a) = tr(b) (a 7 = b 7 ). From the vanishing of the associator (xax −1 , x, a) = 0 follows, that any solution x 0 of (4) satisfies (b, x 0 , a) = 0 and that x 0 a is also a solution of (4). Let us take as the solutions of (4) x 1 =b +ā − 2a 7 and x 1 a, then the general solution of (4) we can write as where To solve the Eq. (4) we need to fix two parameters. To obtain a unique solution of the congruence equation (3) we need to know three parameters. The recipient should obtain these three parameters from the sender. For example, the first can be the parameter in u which is prescribed to ensure that gcd(N (u), m) = 1 and it is not a part of the encryption text. The next two parameters, can be obtained by the recipient from the decrypted block of data from the previous encryption.
Below we give the exact definition of the octonion public-key cryptosystem (O-PKC).

The user B decodes the plain text u by solving the linear congruence equation
The security of the octonionic public-key cryptosystem is based on the computational difficulty of factorization of the modulus m and difficulty of finding the values of the totient function λ(k, p) for a large prime numbers. Let us assume that, the modulus m is a product of two prime numbers p, q and the norm N(k) of the octonion k is coprime to m = pq, then the following formula is satisfied If the product λ(k, p)λ(k, q) has the lowest value, among all numbers satisfying (6), then it is equal to the totient λ(k, pq). In general, the function λ(k, pq) satisfies the inequalities where lcm means the least common multiple. The above formula allows in a relatively easy way to calculate λ(k, pq) having λ(k, p) and λ(k, q). Unfortunately, an effective algorithm for determining the octonion totient function for a large prime modulus is currently unknown. Partly, the problem can be solved by adopting to the octonion algebra the quantum algorithm for finding the orders of a finite cyclic subgroups of noncommutative group proposed by Mosca and Ekert in [24].
As an example of application of the O-PKC algorithm we encrypt and decrypt a plain text represented by the Gravesian octonion u = (26, 27, 28, 29, 30, 31, 32, 3) ∈ O I 35 with the norm N(u) = 9 mod 35. The octonion k = 1 2 (e 0 +e 1 +e 3 +e 7 )+(e 2 +2e 4 + 3e 5 +4e 6 ) we will use to encode the text u before encryption. The minimal polynomial of k is k 2 = k−31 which means, that k is an integer octonion with the norm N (k) = 31. 2 ). 20,6,22,26,17,19,33). After the decryption C(u k ) 29 mod 35 the recipient obtains u k . For a given three fixed parameters in u the recipient is able uniquely to recover the rest of them.
To determine the totient for the integral octonion we can use the 'matrix representation' of the octonion algebra. The multiplication defines the 'matrix representation' of the octonion algebra. The octonion algebra is power associative which means, that to determine the totient for a given element From the minimal polynomial equation (1) follows that arbitrary power of an octonion x ∈ O is proportional to x, i.e., x 7 = Re(x) and U −n = 1 N(x) n−1 U n , V −n = 1 N(x) n V n . The coefficients U n and U n we obtained by solving the following recurrence equation One of the possible attacks on the totient function λ(k, m) there is an attempt to solve the congruence equations k λ = U λ k + V λ = 1 mod m or equivalently where U λ and V λ are given in (7). To solve the equation (8) it is necessary to expand the functions U λ and V λ in x 7 and N (x) variables which makes such attack impractical.

The symmetric key exchange algorithm on quaternion algebra
The positive definite bilinear form (x, y) = 1 2 tr(xȳ) allows to define the orthogonality in the octonion algebra O. Two octonions x, y are said to be orthogonal if (x, y) = 0. The natural orthogonal decomposition of octonion algebra can be defined using the which is an automorphism of the octonion algebra, [20]. The transformation T c, p = cxc −1 + ( pcyc −1 )α, where N ( p) = 1, satisfies the equation and has the multiplication property T c 1 , . We use the splitting D Dα of the octonion algebra to construct a symmetric cryptographic key on the quaternion subalgebra D and then we extend the key to the completion D ⊥ .
The construction of the symmetric cryptographic key on the quaternion algebra D is motivated by the AAG symmetric key exchange protocol, [25], in which instead of the formula K = aba −1 b −1 for the cryptographic key, where a, b are elements of a given non-abelian group G, we use the formula To explain the main idea of the construction we begin with a trivial example. Let the user A selects two sets of quaternions S a = {a 0 , a 1 , a 2 }, S v = {v 1 , v 2 } such, that a 2 = v 1 v 2 . Similarly, the user B selects S b = {b 0 , b 1 , b 2 } and S u = {u 1 , u 2 } such, that b 2 = u 1 u 2 . The users exchange the sets S v and S u . The user A calculates the set S aua −1 = {a 0 u 1 a −1 1 , a 1 u 2 a −1 2 } and sends it to B. Similarly, the user B calculates } and sends the set S bvb −1 to A. Both users are able to calculate the common key K = a 0 b 2 a −1 2 b −1 0 . In this example, the man-in-the-middle attack can easily recover the cryptographic key K because for a given quaternions w 1 = a 0 u 1 a −1 1 , w 2 = a 1 u 2 a −1 2 from S aua −1 to recover the unknown variable a 0 it's enough to solve the equation For a known expression a 2 = v 1 v 2 this equation can be trivially solved. In the proposed algorithm, we hide the variable a 2 in order to make it difficult to find the element a 0 and the key K . To do this, we introduce a graph G in the quaternion algebra and for encryption we use paths between two fixed nodes (quaternions) that allow uniquely define the shared cryptographic key.
By G = {E, V x,y } we denote the graph with the set of directed edges E and the set of nodes We define a directed path p a,v with the set of nodes such, that the product of subsequent nodes on the path satisfies the equation which means, that a N = v i 1 · · · v i N . The paths p a,v ⊂ G with the property (10) we will use for definition of the cryptographic key exchange algorithm in the quaternion subalgebra D.
The quaternion symmetric key exchange algorithm A selects a path p A (a, v) in the graph G from the root node, represented by the quaternion a 0 v 1 a −1 i , to the leaf node a k v N a −1 N . The path is selected such, that the formula (10) is satisfied. In a similar way, the user B generates the two sets S b and S u of quaternions. The set S b is kept secret by B. The set S u is sent to the user A. The user B selects a path p B (b, u) in the graph G from the root node b 0 u 1 b −1 i to the leaf node b k u N b −1 N . such, that the formula (10) is satisfied, i.e., b N = u i 1 · · · u i N . 2. The user A, based on the received set S u , calculates

set S a is kept secret. The set S v is sent to the user B. The user
and sends the set S aua −1 to B. The user B calculates and sends the set S bvb −1 to A. 3. The user A uses the set S bvb −1 to calculate the product of sequential vertices of the path p A (b, v). In this way A obtains b 0 a N b −1 N . The user B, based on the set S aua −1 , calculates the product of sequential vertices of the path p B (a, u). In this way B obtains a 0 b N a −1 N . A and B calculate k A = ((b 0 a N

The users
The shared cryptographic key of A and B is To recover the cryptographic key k a,b the man in the middle can try to find the quaternions a 0 , a N by solving the system of linear equations obtained from the set S aua −1 , i.e., {a i u j = w j a k } N j=1 , or recover the quaternion a N from the formula (10) by searching the correct encryption path in the graph G. After the reduction, the man in the middle can obtain the set of two equations The unique solution of these equations can be obtained from the formula (5) after fixing two parameters in a i . Also, the attack on the cryptographic key by searching the correct cryptographic path in a sufficiently complex graph G is not very effective. It means that the quaternions a N , b N can be regarded as unknown variables.
For the two keys 0 generated by the quaternion symmetric key exchange algorithm we define the symmetric octonion cryptographic key as the automorphism The key K k a,b , p c,d can be applied to encrypt a product of octonions by means of the formula (9). The multiplication property of K k a,b , p c,d allows to compose the keys from several others keys.
Below, we apply defined the quaternion key exchange algorithm to generate the cryptographic key using the graph G given on Fig. 1. In the graph there are four paths between the root node x 0 y 1 x −1 1 and the leaf node x 4 y 7 x −1 5 which means that there are four possible ways to choose the cryptographic key k a,b . A generates two sets of quaternions S a = {a 0 , a 1 , a 2 , a 3 , a 4 , 5 , v 6 , v 7 } and selects the path Fig. 1 The graph G for generation of the cryptographic keys From the relation (10) it follows that

The user
The user B generates two sets of quaternions From the relation (10) it follows that b 5 = u 1 u 3 u 4 u 6 u 7 .

The user A calculates
and sends the set S aua −1 to B. The user B calculates and sends S bvb −1 to A. 3. The user A calculates the product of sequential vertices in the path p A (b, v) and calculates the key

The user B calculates the product of sequential vertices in the path p B (a, u)
and calculates the key k B = (a 0 b 5 a −1 The security of the cryptographic key k a,b depends on the difficulty of finding the path p A (b, v) or p B (b, u) in G. In the example there are four ways to choose the path. In general, for increasing number of nodes in the graph the number of paths grows exponentially.

The derivation octonionic symmetric key exchange algorithm
A derivation is transformation with the property In an associative algebra any element x defines an inner derivation ad x (y) = x y − yx.
In a non-associative algebra this formula usually does not satisfy (11). We define two operations in octonion algebra L x (a) = ax and R x (a) = xa, a, x ∈ O. We note, that these operations for a non-associative algebra have the following composition rules L x L y (a) = x(ya) and similarly for R x R y (a) = (ay)x. The transformation is a derivation in the octonion algebra, [26]. The derivation D x,y we write in the standard form where (x, y, z) denotes the associator (x y)z−x(yz) and [x, y] = x y−yx. To construct the symmetric key exchange algorithm on the octonion algebra we use the following property of the derivation (12) The basic idea that lies behind the construction of the algorithm is that for a given monomial p(u) = u 1 · · · u N in octonion algebra its derivative D x,y ( p(u)) can be expressed by the elements u i and D x,y (u i ). Let us assume that, the user A generates two polynomials  D p B,1 ,D a 1 ,a 2 ( p B,2 ) .
In a similar way, the user A using the derivatives 2 (v 0 )) and the key Because both expressions differ by the sign the common cryptographic key is a 2 ),( p B,1 , p B,2 ) .
Below, we give the exact definition of the symmetric key exchange cryptographic algorithm based on the octonion derivation. The set S u = {Im(u 1 ), Im(u 2 )} is sent to A. 2. The user A calculates D a 1 ,a 2 (S u ) = {D a 1 ,a 2 (Im(u 1 )), D a 1 ,a 2 (Im(u 2 ))} and sends the set D a 1 ,a 2 (S u ) to B. The user B calculates The user B calculates the derivation D a 1 ,a 2 ( p B,i (u 1 , u 2 )), i = 1, 2 D a 1 ,a 2 (b i ) = p B,i (u 1 , u 2 , D a 1 ,a 2 (u 1 ), D a 1 ,a 2 (u 2 ))).

4.
For the agreed octonion w ∈ Im(O), the user A calculates the key and B calculates The octonion defines the common secret key.
Next, the user A calculates two secret octonions  To recover the secret octonions a 1 and a 2 (b 1 , b 2 ) based on the knowledge of u 1 , u 2 and w 1 , w 2 it is necessary to solve the set of equations D a 1 ,a 2 (u i ) = w i , i = 1, 2. For imaginary octonions this set of equations can be written in the form It consists of 12 equations with 14 unknown variables. Because, the key K (w) depends also on the real parts of the octonions v i and u i , which are kept secret, to recover the octonions a 1 and a 2 the man in middle should determine 16 parameters having only the system of twelve equations (16).

Conclusion
We discussed three key exchange cryptographic protocols in the octonion algebra. The proposed octonionic public-key cryptosystem is the generalization of the RSA algorithm to the octonion arithmetics. We defined a totient function for an invertible, integral octonion k as the order of a multiplicative cyclic group mod m generated by the element k. We proved, that any octonion u k which lies in the orbit of the element k under the adjoint action of the octonion algebra has the same totient function. This property of the totient function allows to encrypted and decrypted the elements from the orbit by the same pair of the cryptographic keys {k, e, m} and {k, d, m}. The disadvantage of proposed algorithm is that the recipient, to recover the cipher text, must solve the congruence equation xu = wx mod m, which unique solution requires knowledge of a three parameter of x. We also proposed two symmetric cryptographic key exchange protocols based on the automorphism and the derivation of the octonion algebra. We apply the quaternion symmetric key exchange algorithm to generate two quaternionic cryptographic keys and used them to define the shared octonionic key as an automorphism of the octonion algebra which leaves the quaternion subalgebra invariant. To generate a cryptographic key by mens of the quaternion key exchange algorithm it is necessary to select a path in a graph defined over the quaternion algebra. Security of the proposed quaternion key exchange algorithm is based on the complexity of the graph. The second symmetric key exchange protocol we defined using the derivation mapping in the octonion algebra. By calculating the commutator of two derivatives both sides of the data exchange can generate a common cryptographic key.
The future work will include detailed analysis of security aspects of the proposed algorithms and creating models of attacks on the cryptographic keys defined in the octonion algebra and in any non-associative algebraic structures.
Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.