2018 Математические методы криптографии №40
МАТЕМАТИЧЕСКИЕ МЕТОДЫ КРИПТОГРАФИИ
UDC 519.7 DOI 10.17223/20710410/40/3
ASYMMETRIC CRYPTOSYSTEMS ON BOOLEAN FUNCTIONS1
G. P. Agibalov, I. A. Pankratova National Research Tomsk State University, Tomsk, Russia
Here, we define an asymmetric substitution cryptosystem combining both a public key cipher and a signature scheme with the functional keys. A public key in the cryptosystem is a vector Boolean function f(x^...,xn) of a dimension n. This function is obtained by permutation and negation operations on variables and coordinate functions of a bijective vector Boolean function g(x1,... ,xn) = = (g1(x1,... ,xn),... ,gn(x1,... ,xn)). The function g is called a generating function of the cryptosystem. For each i e {1,..., n}, its coordinate function g^(x1,..., xn) is assumed to be specified in a constructive way and to have a polynomial (in n) complexity. A private key of the cryptosystem is the function f-1, that is, the inverse of f. The existence of f-1 follows from the bijectiveness of g and preserving this property by permutation and negation operations. Function g and its coordinates g1,...,gn are public parameters of the cryptosystem. (A variant of the cryptosystem allows to include them into the private key). Of course, the permutation and negation operations by which a public key is computed from the generating function must be secret as private exponents in RSA and ElGamal cryptosystems. A block P of a plaintext is encrypted to a block C of a ciphertext by the rule C = f (P), and C is decrypted to P by the rule P = f-1(C). A signature on a message M is computed as S = f-1(P), and its validation is proved by verifying the equality M = f (S). This cryptosystem is believed to resist classical and quantum computers attacks. Its security is based on the difficulty of inverting large bijective vector Boolean functions. Cryptanalysis of the cryptosystem shows that its computational complexity can reach the value O(n!2n).
Keywords: vector Boolean functions, invertibility, asymmetric substitution cryptosystem, cryptanalysis.
Introduction
Public-key cryptosystems are usually constructed on the base of number theory or algebraic structures and are very susceptible to quantum attacks. Perhaps the only exception to this rule are finite automaton public key cryptosystems [1]. In this paper, we suggest a public-key cryptosystem based on an invertible system of n Boolean functions which is variable like a cryptographic key by the permutation and negation operations on system's arguments and coordinates. We call it ACBF — Asymmetric Cryptosystem on Boolean Functions. The cryptosystem typically consists of two parts —a public-key cipher and a signature scheme. A general cryptanalysis scheme is described for both of them. According to this scheme, some particular known playntext (and known message) attacks are proposed for the universal ACBF and for its derivatives with some permutation and negation operations being identities. Estimates for computational complexity of these
1The authors were supported by the RFBR-grant no. 17-01-00354.
attacks are given too. The most of them is O(n!2n). For each of fifteen ACBF we considered, the proposed attacks on its cipher and signature scheme happened to have the same estimate of computational complexity.
1. Definition
In [2], we have defined a symmetric block substitution cipher with the functional keys. Here, by using the same construction, we define an asymmetric substitution cryptosystem including both a public key cipher and a signature scheme with the functional keys. To give a formal definition of this cryptosystem, we first define the permutation and negation operations. Let n be an integer, n ^ 2, and be the set of all permutations of the row (12 ... n), that is, = {(¿ii( ... in) : j G {1, 2,..., n}, j = r ^ ij = ir; j, r G {1,..., n}}. A permutation n = (¿1i2... in) G is called a permutation operation if the result of its application to any word w = w1w2 ... wn is the word n(w) = wj2 ... wjn. A Boolean vector a = b1b2... bn G F^ is called a negation operation if the result of its application to a string a = a1a2 ... an of Boolean values (constants, variables or functions) a1,..., an is the string aa = a!1 a(2... a^1 where for a and b in F2, ab = a if b =1 and ab = —a if b = 0. The permutation and negation operations n and a are called identity and denoted by 1 if n =(12 ... n) and a =11... 1 respectively.
Formally, our asymmetric cryptosystem on Boolean functions is a three-tuple C = = (X, K, Y) where X is the set of plaintexts, or messages, X C F^, Y is the set of ciphertexts or signatures, Y C F^, and K = K1 x K( is the set of keys, K1 —the set of public keys, K1 C Kra(g) = {/(x) : f (x) = ^2(gCT2(n1(xCT1))); a1,a2 G F^; ^1,^2 G §„}; x = (x1,... ,xn) is a string of different Boolean variables, g : F^ ^ F^ is a bijective vector Boolean function g(x) = g1(x)g2(x).. .gn(x) (we call it generating function of C) with all its coordinate functions g1(x),..., gn(x) specified in a constructive way and computed with a polynomial (in n) time complexity; n1,n( and a1,a( are, respectively, permutation and negation operations (we call them key parameters of C); and K( = {/-1 : / G K1} — the set of private keys. In the case of X = Y = F^ and K1 = Kn(g), we call C a universal ACBF.
In C, as in any asymmetric cipher, a public key / is used to encrypt a plaintext x and the private key /-1 —to decrypt the corresponding ciphertext y, namely: y = /(x) and x = /-1(y) for x G X, y G Y, / G K1, /-1 G K(. Also, in C, as in any digital signature scheme with appendix (the signed message), a private key /-1 is used to sign a message x and the public key / — to verify signatures, namely: the signature for a message x is s = /-1(x) and a signature s on a message x is valid iff /(s) = x.
To provide the necessary property of ease (polynomial time complexity) of computing the functions / and /-1, the generating function g itself and its inverse g-1 should have this property too. In this case, the values y = /(x) = n((gCT2(n1 (xCT1))) and x = /-1(y) = [n-1(g-1((n-1(y))CT2))]CT1 would be computed with a polynomial complexity. The polynomial computational complexity of each coordinate in generating function g guarantees a polynomial complexity of computing g itself. This is true if, for example, every coordinate function gj(x) essentially depends on some Sj ^ so variables xi1,... ,xis. from the string x, that is, gj(x) = hi(xi1, ...,xj ) for a function hi : F(4 ^ F( and s0 is a small enough integer, 1 ^ s0 ^ n. As for providing a polynomial complexity of computing the function g-1, there are many ways to choose g in C preserving its polynomial complexity in g-1. One of them is the following: g(x) = g(1)(x) ...g(r)(x), 1 ^ r ^ n, g(j)(x) = gi1 (x)... gj (x) = hi1 (x(j))... hj (x(j)) = h(j)(x(j)), x(j) = xi1... xis., h(j) : F(4 ^ F(4 is a bijection, s1 + s( + ... + sr = n, i = j ^ {¿1,..., }H{j1,..., jsj} = 0, i,j G {1,2,...,r}. In this case, g(x) = h(1)(x(1))... h(r)(x(r)) and if y = g(x), then
y(i) = yt1 ...yiai = h(i) 1 (y(i)) = x(i), g-1(y) = h(1) 1 (y(1)) ...h(r) 1 (y(r)). That
is, g-1(y) is computed with a polynomial complexity.
The security of ACBF C is based on the difficulty of inverting large bijective vector Boolean functions, that is, of computing x = f-1(y) for y = f (x). For an opponent or cryptanalyst, who (this is believed) doesn't know the values of key parameters n1, n2, a1 and a2 in f, this problem is really difficult one with an exponential time complexity of decision algorithm.
2. Cryptanalysis problem
The cryptanalysis problem that we study for ACBF C in the paper is the secret key recovery, assuming some plaintexts or messages and the corresponding ciphertexts or signatures are known. If C is a cipher, the problem is set as follows: given f (x) G K1, Pl G X, and Cl = f (Pl), l = 1, 2,...,m, compute f-1 (y). Otherwise, that is, if C is a signature scheme, the problem looks like the following: given f (x) G K1, Ml G X, and Sl = f-1 (Ml), l = 1, 2,..., m, compute f-1(x). Further, the problem in the first case is called the cipher cryptanalysis, in the second case —the signature cryptanalysis. Any methods solving them are called attacks on cipher and on signature scheme respectively. Aiming to recover the secret key, they are total break attacks. Besides, when we say that the public key f (x) is given, we suppose that everybody has a possibility to compute its value at any point x for a polynomial time, but no cryptanalyst (opponent) knows the parameters n1,n2,a1,a2 of f (x) (compare, for example, with ga over Zp in ElGamal cipher).
Below we describe some attacks on ciphers and on signature schemes of a universal ACBF C and of its particular derivatives which are ACBF obtained from C by replacing some key parameters with the identity operation 1. Here is a more correct definition of this concept. Let I = {n,n/,a1,a/}, J C I, and C(J) = (X, K(J),Y) where X = Y = F£, K(J) = K1(J) xK2(J), K2(J) = {f-1(x) : f (x) G K1(J)}, K1(J) = Kra(g, J), and Kra(g, J) is the set of all functions f (x) = n2(gCT2(n1(xCT1))) such that n1,n2 e Sn, a1,a2 G F£, and each key parameter from I\ J is the identity. By the definition, Kn(g, J) C Kn(g), therefore C(J) is really an ACBF; Kn(g, I) = Kn(g), therefore C(I) = C; Kn(g, 0) = {g(x)}, therefore C(0) is a trivial cryptosystem. We call C(J) a particular derivative of the C if 0 = J = I. So, for any universal ACBF C, we have 14 particular derivatives C(J) in total.
Note that for any vector-columns a, a in F^ and a permutation n = (i1i2 ... in) G Sn, if c = —a, w(a) is the weight of a, that is the number of 1's in a, and T = (tkj) is a permutation matrix of order n over F2 where tkj = 1 ^ j = for all k, j G {1, 2,..., n}, then aa = a © c, n(a) = Ta, and w(Ta) = w(a). Further, we use these facts without additional explanations and call T the matrix of the permutation n. Moreover, we introduce the following notation: A and D are the matrices of permutations n1 and n2 respectively and b and d are the vector-columns —a1 and —a2 respectively. This allows us to apply the symbols of variables A, D, b, d instead of symbols of operations n1, n2, a1, a2 respectively in the sets I, J as well as in the formulas for f (x),f-1(x) and so on. The fact of such replacement is denoted by the sign For example, {n1,a2} ~ {A,d}.
3. General scheme of attack
Here is the general scheme of an attack on the cipher in an ACBF C(J).
1. Express the function f-1(y) by a formula in the set of variables and operations
J U{y,g, ©,-,-1 }.
2. Record the system of equations E expressing the dependence of variables from J on the values P, Cl, 1 ^ l ^ n, by means of operations ©, -,-1 and function g.
3. Solve the system E in unknowns from J using a proper method [3].
4. Substitute the variables from J in formula for /-1 (y) by their values from the solution of the system E. The resulting formula is the result of the attack.
5. Estimate the computational complexity of the attack as a time complexity of solving the system of equations E.
The description of the general scheme of an attack on the signature scheme in an ACBF C(J) is obtained from this scheme for ciphers by substitution /-1 (x), Mj, and Sl for /-1 (y), Cl, and P respectively. The attacks, described below, on universal ACBF C = C(I) and on its particular derivatives C(J) are constructed according to the general scheme. In the case of nonlinear equations in the system E, this system in them is solved by the method of linearization set [3, 4] (further we call it briefly method of LS). The vector weight invariance related to multiplying by a permutation matrix is used to decrease the computational complexity of some of these attacks in practice.
4. Attacks on universal ACBF 4.1. Attack on cipher
We have y = /(x) = n((gCT2(ff1(xCT1))) = D(g(A(x © b)) © d); D-1y © d = g(A(x © b)), A-1(g-1(D-1y © d)) © b = x, /—1 (y) = x, and C = / (P), l = 1, 2,... ,m. Hence,
/-1(y) = A-1g-1(D-1y © d) © b
where (D-1, d, b, A) is a solution of the system of equations
D-1Cl © d = g(A(P © b)), l = 1, 2,...,m,
which is solved by the method of LS, namely by assigning in turn the different values to the variables A, b and solving the resulting system of linear equations with unknowns in D-1 and d. So, the computational complexity of the attack is O(n!2n).
4.2. A t t a c k o n s i g n a t u r e s c h e m e
We have S = /-1 (M) = A-1g-1(D-1Ml © d) © b, l = 1, 2,...,m, and
/-1 (x) = A-1g-1(D-1x © d) © b
where (D-1, d, b, A) is a solution of the system of equations
D-1Mi © d = g(A(S © b)), l = 1, 2,...,m,
which is solved by the method of LS, that is, by assigning in turn the different values to the variables A, b and solving the resulting system of linear equations with unknowns D-1 and d. So, the computational complexity of the attack is O(n!2n).
5. Attacks on particular derivatives of universal ACBF
5.1. A t t a c k s o n c i p h e r s
Given J c {n,n(,a1,a(} - {A,D,b,d}, /(x) G Kra(g, J), P G F™ and Q = /(P), l = 1, 2,..., m, compute /-1(y). Consider the possible cases.
1. J = W~{b}.
We have y = f (x) = g(x01) = g(x © b) and b = —a1, therefore g-1(y) = x © b and f-1 (y) = x. Hence,
f-1(y) = g-1(y) © b
where
b = Pi © g-1(Cl), l = 1, 2,...,m.
So, b = P1 © g-1(C1). Computational complexity of this attack is a polynomial in n.
2. J = {nJ~{A}.
Here, y = f(x) = g(n1(x)) = g(Ax) and A is the matrix of n1; Ax = g-1(y), x =
= A-1 g-1(y^ f-1(y) = x. Hence,
f-1(y) = A-1g-1(y),
and the matrix A is a solution of the system of linear equations
APl = g-1(Cl), l = 1, 2,...,m,
which is solved for a polynomial time.
In case m =1, this system has r = w!(n — w)! of solutions where w = w(P1) and r is the product of permutation quantities for ones and for zeros in P1. The computational complexity of this attack coincides the time complexity of solving the system of linear equations problem and does not exceed a polynomial in n.
3. J = {^1,a1}-{A,b}.
In this case, y = f (x) = g(n1(xCT1)) = g(A(x © b)); g-1(y) = A(x © b), w(x © b) = = w(g-1(y)), A-1g-1 (y) © b = x, f-1(y) = x.
Define Bl C F^ by induction on l = 1, 2,..., m, namely let B1 = {b : w(P1 © b) = = w(g-1(C1))} and Bl = {b : b G Bl-1, w(Pl © b) = w(g-1(Cl))}, 2 ^ l ^ m. Then
f-1(y) = A-1 g-1(y) © b where (A, b) is a solution of the following system of equations
A(Pl © b) = g-1(Cl), l = 1, 2,...,m,
which is solved, using the method of LS, by assigning in turn the different values from the set to the variable b and solving the resulting system of linear equations with unknowns in A. The computational complexity of the attack is O(Cn/2).
4. J = {a/} ~ {d}.
y = f (x) = g02 (x) = g(x) © d and d = —a2; g-1(y © d) = x, f-1(y) = x. Hence,
f-1(y) = g-1(y © d)
where
d = Cl © g(Pl), l = 1, 2,..., m.
So, d = C1 © g(P1). Computational complexity of the attack is a polynomial in n.
5. J = {a1,a/} ~ {b, d}.
y = f (x) = g02(x01) = g(x © b) © d where b = —a1, d = —a2; x © b = g-1(y © d), g-1(y © d) © b = x, f-1(y) = x. Hence,
f-1(y) = g-1(y © d) © b
where (b, d) is a solution of the following system of equations
g(P © b) © d = Cl, l = 1, 2,..., m,
and can be computed by the method of LS, that is, by assigning in turn the different values to b and solving the resulting system of linear equations with unknowns in d. The complexity of this attack is O(2n).
6. J = {n1,a(} - {A, d}.
y = /(x) = gCT2(n1(x)) = g(Ax)©d; Ax = g-1(y©d), w(x) = w(g-1(y©d)), A-1g-1(y© © d) = x, /-1(y) = x.
Define Di C F^ by induction on l = 1,2, ...,m, namely let D1 = {d : w(P1) = = w(g-1(C1 © d))} and Di = {d : d G Di-1, w(P) = w(g-1(Ci © d))}, 2 ^ l ^ m. Then
/-1(y) = A-1g-1 (y © d) where (A, d) is a solution of the following system of equations
APi = g-1(Ci © d), l = 1, 2,..., m.
This system is solved, using the method of LS, by assigning in turn the different values from the set Dm to the variable d and solving the resulting system of linear equations in unknowns in A. The computational complexity of the attack is O(Cn/().
7. J = {n1,a1,a(} - {a, b, d}.
y = /(x) = gCT2(ff1(xCT1)) = g(A(x©b))©d; A(x©b) = g-1(y©d), w(x©b) = w(g-1(y©d)), A-1g-1(y © d) = x © b, /-1(y) = x.
For each d G F^, define Bi(d) C F^ by induction on l = 1, 2,..., m, namely let B1(d) = = {b : w(P1 ©b) = w(g-1(C1 ©d))} anc( Bi(d) = {b : b G Bi-1(d), w(Pi©b) = w(g-1(Ci©d))}, 2 ^ l ^ m. Then
/-1(y) = A-1g-1(y © d) © b where (A, b, d) is a solution of the following system of equations
A(Pi © b) = g-1(Ci © d), l = 1, 2,..., m.
This system is solved, using the method of LS, by assigning in turn the different values (b, d) with d from Fn and b from Bm(d) to the pair of variables (b, d) and solving the resulting system of linear equations in unknowns in A. The computational complexity of the attack is O(2nCn/().
8. J = {n}-{D}.
y = /(x) = n2(g(x)) = Dg(x) where D is the matrix of the permutation n(; D-1 y = = g(x), g-1(D-1y) = x, /-1(y) = x. Hence,
/-1(y) = g-1(D-1y)
where D-1 is a solution of the system of linear equations
D-1Ci = g(Pi), l = 1, 2,...,m.
Computational complexity of this attack is a polynomial in n.
9. J = {n(,a1} - {D,b}.
y = /(x) = ff((g(xCT1)) = Dg(x © b); D-1y = g(x © b), w(y) = w(g(x © b)), g-1(D-1y) © © b = x, /-1(y) = x.
Define Bl C F^ by induction on l = 1, 2,..., m, namely let B1 = {b : w(C1) = w(g(P1 © © b))} and Bl = {b : b G Bl-1, w(Cl) = w(g(Pl © b))}, 2 ^ l ^ m. Then
f-1(y) = g-1(D-1y) © b
where (D-1, b) is a solution of the system of equations
D-1Cl = g(Pl © b), l = 1, 2,..., m,
which is solved, using the method of LS, by assigning in turn the different values from to the variable b and solving the resulting system of linear equations with unknowns in D-1. So, the computational complexity of the attack is O(Cn/2).
10. J = {n1,n/} ~ {A,D}.
y = f(x) = n/(g(n1(x))) = Dg(Ax); D-1y = g(Ax), A-1 g-1(D-1y) = x, f-1(y) = x. Hence,
f-1(y) = A-1g-1(D-1y) where (A, D-1) is a solution of the system of equations
D-1Cl = g(APl), l = 1, 2,... , m,
which is solved by the method of LS, that is, by assigning in turn the different values to the variable A and solving the resulting system of linear equations with unknowns in D-1. So, the computational complexity of the attack is O(n!).
11. J = {n1,n/,aj ~ {A, D, b}.
y = f (x) = n2(g(n1(x01))) = Dg(A(x©b)); D-1y = g(A(x©b)), A-1 g-1(D-1y) = x©b, f-1 (y) = x. Hence,
f-1(y) = A-1g-1(D-1y) © b where (A, D-1, b) is a solution of the system of equations
A-1g-1(D-1Cl) © b = Pi, l = 1, 2,..., m,
which is solved by the method of LS, that is, by assigning in turn the different values to the variable D-1 and solving the resulting system of linear equations with unknowns in A, b. The computational complexity of the attack is O(n!).
12. J = {n/,a/} ~ {D, d}.
y = f (x) = n2(g02(x)) = D(g(x) ©d); D-1y = g(x) ©d, g-1(D-1y ©d) = x, f-1(y) = x. Hence,
f-1(y) = g-1(D-1y © d) where (D-1, d) is a solution of the system of linear equations
D-1 Cl © d = g(Pl), l = 1, 2,...,m,
which is solved with a polynomial complexity.
13. J = {n/,a1,a/} ~ {D, b, d}.
y = f (x) = n/(g02(x01)) = D(g(x©b) © d); D-1 y = g(x©b) ©d, g-1(D-1y ©d) = x ©b, f-1 (y) = x. Hence,
f-1(y) = g-1(D-1y © d) © b
where (D 1, b, d) is a solution of the system of equations
D-1Ci © d = g(P © b), l = 1, 2,..., m,
which is solved by the method of LS, that is, by assigning in turn the different values to the variable b and solving the resulting system of linear equations with unknowns in D-1 and d. So, the computational complexity of the attack is O(2n). 14. J = {n1,n(,a(} - {A, D, d}.
y = /(x) = n((gCT2(n1(x))) = D(g(Ax) © d); D-1y = g(Ax) © d, A-1g-1(D-1y © d) = x, /-1 (y) = x. Hence,
/-1(y) = A-1g-1(D-1y © d) where (D-1, d, A) is a solution of the system of equations
D-1Ci © d = g(APi), l = 1, 2,..., m,
which is solved by the method of LS, that is, by assigning in turn the different values to the variable A and solving the resulting system of linear equations with unknowns in D-1 and d. So, the computational complexity of the attack is O(n!).
5.2. A t t a c k s o n s i g n a t u r e s c h e m e s
Given J c {n,n(,a1,a(} - {A,D,b,d}, /(x) G K„(g, j), M G Fi?, and Si = /-1 (M),
1 = 1, 2,..., m, compute /-1(x). Consider the possible cases. As mentioned above, in every case the attack on a signature scheme differs from the attack on a cipher just given by only using variables x, Mi, and Si instead of y, Ci, and Pi respectively. Taking into account that the attacks on the signature schemes have the great and distinctive significance for cryptography, we describe them without abbreviations.
1. J = w-{b}.
In this case, Si = g-1(Mi) © b, l = 1, 2,..., m, and
/-1(x) = g-1(x) © b
where
b = Si © g-1(Mi), l = 1, 2,..., m.
The computational complexity of the attack is a polynomial in n.
2. J = {n1}-{A}.
Si = A-1g-1(Mi), l = 1, 2,...,m, and
/-1(x) = A-1g-1(x) where A is a solution of the system of linear equations
ASi = g-1(Mi), l = 1, 2,..., m,
which is solved for a polynomial time.
3. J = {n1,a1}-{A,b}.
Si = A-1g-1(Mi) © b, A(Si © b) = g-1(Mi), w(Si © b) = w(g-1(Mi)), l = 1, 2,...,m, B1 = {b : w(S1 © b) = w(g-1(M1))}, and Bl = {b : b G Bi-1, w(Si © b) = w(g-1(Mi))},
2 ^ l ^ m. So,
/-1 (x) = A-1 g-1 (x) © b
where (A, b) is a solution of the system of equations
A(Sl © b) = g-1(Ml), l = 1, 2,..., m,
which is solved by the method of LS, that is, by assigning in turn the different values from to the variable b and solving the resulting system of linear equations with unknowns in A. The computational complexity of the attack is O(Cn/2).
4. J = {a/} ~ {d}.
Si = g-1(Ml © d), l = 1, 2,...,m, and
f-1(x) = g-1(x © d)
where
d = Ml © g(Sl), l = 1, 2,... ,m.
Computational complexity of the attack is a polynomial in n.
5. J = {a1,a/} ~ {b, d}.
Si = g-1(Ml © d) © b, l = 1, 2,... ,m, and
f-1(x) = g-1(x © d) © b
where (b, d) is a solution of the following system of equations
g(Sl © b) = Ml © d, l = 1, 2,..., m,
which is solved, using the method of LS, that is, by assigning in turn the different values to the variable b and solving the resulting system of linear equations with unknowns in d. The computational complexity of the attack is O(2n).
6. J = {n1,a/} ~ {A, d}.
Si = A-1g-1(Ml © d), A(Sl © d) = g-1(Ml), w(Sl © d) = w(g-1(Ml)), l = 1, 2,... ,m, D1 = {d : w(S1 © d) = w(g-1(M1))}, and Dl = {d : d G Dl-1, w(Sl © d) = w(g-1(Ml))}, 2 ^ l ^ m. So,
f-1(x) = A-1g-1 (x © d) where (A, d) is a solution of the system of equations
ASl = g-1(Ml © d), l = 1, 2,..., m,
which is solved, using the method of LS, that is, by assigning in turn the different values from Dm to the variable d and solving the resulting system of linear equations with unknowns in A. The computational complexity of the attack is O(Cn/2).
7. J = {n1,a1,a/} ~ {a, b, d}.
Si = A-1g-1(Ml © d) © b, A(Sl © b) = g-1(Ml © d), w(Sl © b) = w(g-1(Ml © d)), l = = 1, 2,... , m, B^d) = {b : w(S1 © b) = w(g-1(M1 © d))}, and Bl(d) = {b : b G Bl-1(d), w(Sl © b) = w(g-1(Ml © d))}, d G F^, 2 ^ l ^ m. So,
f-1 (x) = A-1g-1(x © d) © b,
where (A, b, d) is a solution of the system of equations
A(Sl © b) = g-1(Ml © d), l = 1,2,..., m,
which is solved, using the method of LS, that is, by assigning in turn the different values (b,d) with d from F? and b from Bm(d) to the pair of variables (b, d) and solving the resulting system of linear equations with unknowns in A. The computational complexity of the attack is O(2nCn/().
8. J = {n(} - {D}.
Si = g-1(D-1Mi), l = 1, 2,... ,m, and
/-1(x) = g-1(D-1x) where D-1 is a solution of the system of linear equations
D-1Mi = g(Si), l = 1, 2,..., m.
Computational complexity of this attack is a polynomial in n.
9. J = {n(,a1} - {D, b}.
Si = g-1 (D-1 Mi) © b, g(Si © b) = D-1Mi, w(Mi) = w(g(Si © b)), l = 1, 2,...,m, B1 = {b : w(M1) = w(g(S1 © b))}, and Bi = {b : b G Bi-1, w(M) = w(g(Si © b))}, 2 ^ l ^ m. So,
/-1 (x) = g-1(D-1x) © b where (D-1, b) is a solution of the system of equations
D-1Mi = g(Si © b), l = 1, 2,..., m,
which is solved, using the method of LS, that is, by assigning in turn the different values from Bm to the variable b and solving the resulting system of linear equations with unknowns in D-1. The computational complexity of the attack is O(Cn/().
10. J = {n1,n(} - {A,D}.
Si = A-1g-1(D-1Mi), l = 1, 2,...,m, and
/-1(x) = A-1g-1(D-1x)
where (A, D-1) is a solution of the system of equations
D-1Mi = g(ASi), l = 1, 2,..., m,
which is solved, using the method of LS, that is, by assigning in turn the different values to the variable A and solving the resulting system of linear equations with unknowns in D-1. So, the computational complexity of the attack is O(n!).
11. J = {n1,n(,a1} - {A, D, b}.
Si = A-1g-1(D-1Mi) © b, l = 1, 2,... ,m, and
/-1(x) = A-1g-1(D-1x) © b
where (A, D-1, b) is a solution of the system of equations
A-1g-1(D-1Mi) © b = Si, l = 1,2,..., m,
which is solved, using the method of LS, that is, by assigning in turn the different values to the variables D-1 and solving the resulting system of linear equations with unknowns in A, b. The computational complexity of the attack is O(n!).
12. J = {n/,a/} ~ {D, d}.
Sl = g-1(D-1Ml © d), l = 1, 2,...,m, and
f-1 (x) = g-1(D-1x © d) where (D-1, d) is a solution of the system of equations
D-1Ml © d = g(Sl), l = 1, 2,..., m,
which is solved with a polynomial complexity.
13. J = {n/,a1,a/} ~ {D, b, d}.
Si = g-1(D-1Ml © d) © b, l = 1, 2,... ,m, and
f-1 (x) = g-1(D-1x © d) © b
where (D-1, d, b) is a solution of the system of equations
D-1Ml © d = g(Sl © b), l = 1, 2,... , m,
which is solved, using the method of LS, by assigning in turn the different values to the variable b and solving the resulting system of linear equations with unknowns in D-1 and d. So, the computational complexity of the attack is O(2n).
14. J = {ff1,ff2,a/} ~ {A, D, d}. Si = A-1g-1(D-1Ml © d), l = 1, 2,... ,m, and
f-1 (x) = A-1g-1(D-1x © d)
where (D-1, d, A) is a solution of the system of equations
D-1Ml © d = g(ASl), l = 1, 2,..., m,
which is solved, using the method of LS, by assigning in turn the different values to the variable A and solving the resulting system of linear equations with unknowns in D-1 and d. So, the computational complexity of the attack is O(n!).
Conclusion
What we have discussed above in the paper should be considered as a step in the process of developing the theory of public key cryptosystems based on the bijective systems of Boolean functions. There are many problems we need solve on this way. Some of them are the following: 1) generating pseudorandom invertible systems of Boolean functions depending on a covered parameter such that the system is computed and inverted with a polynomial time complexity iff the value of the parameter is known; 2) necessary and sufficient conditions for uniqueness of a private key, with which the given blocks of a ciphertext are decrypted to the given blocks of a plaintext; 3) lower and upper bounds for the number of blocks with this property of the private key.
REFERENCES
1. Tao R. Finite Automata and Application to Cryptography. Berlin; Heidelberg, Springer, 2009. 411 p.
2. Agibalov G. P. Substitution block ciphers with functional keys. Prikladnaya Diskretnaya Matematika, 2017, no. 38, pp. 57-65.
3. Agibalov G. P. Metody resheniya sistem polinomial'nykh uravneniy nad konechnym polem [Methods for solving systems of polynomial equations over a finite field]. Vestnik TSU. Prilozhenie, 2006, no. 17, pp. 4-9. (in Russian)
4. Agibalov G. P. Logicheskie uravneniya v kriptoanalize generatorov klyuchevogo potoka [Logical equations in cryptanalysis of key stream generators]. Vestnik TSU. Prilozhenie, 2003, no. 6, pp. 31-41. (in Russian)