2018 Mathematical Methods of Cryptography No. 42
UDC 519.7 DOI 10.17223/20710410/42/4
ELGAMAL CRYPTOSYSTEMS ON BOOLEAN FUNCTIONS¹
G. P. Agibalov
National Research Tomsk State University, Tomsk, Russia
Here is a description of ElGamal public-key encryption and digital signature schemes constructed on the base of bijective systems of Boolean functions. The description is illustrated with a simple example in which the Boolean functions used are written in logical notation. In our encryption and signature schemes on Boolean functions, every ciphertext or message signature is a pair of values, as in the basic ElGamal cryptosystem on a group. In our case, these values are Boolean vectors. Each vector in the pair depends on the value of a function on a plaintext or on a message, and this function is typically obtained from a given bijective vector Boolean function g by applying some random and secret negation and permutation operations on the sets of variables and coordinate functions of g. For the pair of vectors in the ciphertext or in the message signature, the decryption algorithm produces the plaintext, and the signature verification algorithm accepts the signature, performing some computation on this pair. The signature is accepted for a message if and only if the computation results in this message. All the computations in the processes of encryption, decryption, signing and verification are logical and performed on Boolean values, which promises a more efficient implementation than in the basic ElGamal schemes on groups.
Keywords: bijective vector Boolean functions, permutation and negation operations, ElGamal encryption, ElGamal signature.
Introduction
The ElGamal cryptosystems, including the basic encryption and signature schemes as well as their multiple generalizations and variations [1], are typically defined on the base of some groups in which the group operation is easy to apply and the discrete logarithm problem is computationally infeasible. The multiplicative groups $\mathbb{Z}_p^*$, $\mathbb{F}_{q^m}^*$ and the additive group of points on an elliptic curve over $\mathbb{F}_q$ have received the most attention [1]. It is known that the public-key cryptosystems based on similar groups are particularly susceptible to quantum attacks. The ElGamal cryptosystems are not excluded from this family.
In this paper, we try to propose an alternative mathematical background for constructing ElGamal cryptosystems, namely the algebra of bijective vector Boolean functions with the negation and permutation operations on the sets of their variables and coordinate functions. Section 2 of the paper is a collection of the basic elements of this background that we use in the description of our ElGamal encryption and signature schemes in Sections 3 and 5 respectively and of an illustrative example in Section 4. For each of the operations, encryption and signature, we consider different variations of the scheme and describe each of them in the form of the corresponding basic ElGamal scheme (encryption or signature). For the reader's convenience, Section 1 recalls the basic ElGamal encryption and signature schemes in this form from [1].
¹ The author was supported by the RFBR grant no. 17-01-00354.
1. Basic ElGamal cryptosystem
1.1. Basic ElGamal encryption scheme
Parameters: $p$ is a large random prime, $\alpha$ is a generator of the multiplicative group $\mathbb{Z}_p^*$, $a$ is a random integer, $1 \le a \le p-2$, $m$ is a plaintext, $m \in \mathbb{Z}_p$.
Public key is $(p, \alpha, \alpha^a)$, private key is $a$.
Encryption: $k \in_R \{1, 2, \ldots, p-2\}$ (here and further, the symbol $\in_R$ means "to be randomly chosen"), $\gamma = \alpha^k \bmod p$, $\delta = m(\alpha^a)^k \bmod p$, $(\gamma, \delta)$ is the ciphertext.
Decryption: $\gamma^{-a}\delta\ (= \alpha^{-ak} m \alpha^{ak}) = m \bmod p$.
1.2. Basic ElGamal signature scheme
Parameters: $p$ is a large random prime, $\alpha$ is a generator of the multiplicative group $\mathbb{Z}_p^*$, $a$ is a random integer, $1 \le a \le p-2$, $\beta = \alpha^a$, $m$ is a message (or its hash value), $m \in \mathbb{Z}_p$.
Public key is $(p, \alpha, \beta)$, private key is $a$.
Signing: $k \in_R \{1, 2, \ldots, p-2\}$, $(k, p-1) = 1$, $\gamma = \alpha^k \bmod p$, $\delta = k^{-1}(m - a\gamma) \bmod (p-1)$, signature for $m$ is the pair $(\gamma, \delta)$.
Verification: if $\gamma < 1$ or $\gamma > p-1$, then reject the signature $(\gamma, \delta)$, otherwise accept the signature $(\gamma, \delta)$ if and only if $\beta^\gamma \gamma^\delta = \alpha^m \bmod p$.
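The two basic schemes recalled above can be exercised end to end with a toy prime. The following is an added example, not code from the paper; the 12-bit prime 2357 with generator 2 and all function names are choices made here for illustration, and the parameter size gives no security.

```python
# Added illustration (not from the paper): the Section 1 schemes with a toy prime.
import secrets
from math import gcd

P, ALPHA = 2357, 2                      # toy size only; 2 generates Z_2357^*

def keygen():
    a = 1 + secrets.randbelow(P - 2)    # private key, 1 <= a <= p-2
    return a, pow(ALPHA, a, P)          # (a, beta = alpha^a mod p)

def encrypt(beta, m):
    k = 1 + secrets.randbelow(P - 2)    # fresh k for every ciphertext
    return pow(ALPHA, k, P), m * pow(beta, k, P) % P      # (gamma, delta)

def decrypt(a, gamma, delta):
    # gamma^{-a} = gamma^{p-1-a} mod p by Fermat's little theorem
    return pow(gamma, P - 1 - a, P) * delta % P

def sign(a, m):
    while True:                          # k must be invertible modulo p-1
        k = 1 + secrets.randbelow(P - 2)
        if gcd(k, P - 1) == 1:
            break
    gamma = pow(ALPHA, k, P)
    delta = pow(k, -1, P - 1) * (m - a * gamma) % (P - 1)
    return gamma, delta

def verify(beta, m, gamma, delta):
    if not 1 <= gamma <= P - 1:          # range check comes before the equation
        return False
    return pow(beta, gamma, P) * pow(gamma, delta, P) % P == pow(ALPHA, m, P)

if __name__ == "__main__":
    a, beta = keygen()
    print(decrypt(a, *encrypt(beta, 2035)))          # 2035
    print(verify(beta, 1463, *sign(a, 1463)))        # True
```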
2. Algebra of bijective vector Boolean functions
First of all, we note that some elements of this algebra were used earlier in the construction and cryptanalysis of cryptographic systems with functional keys, namely in [2] for symmetric block ciphers and in [3] for public-key encryption and signature schemes.
2.1. Permutation and negation operations
We begin with the notions of the permutation and negation operations over Boolean vectors. Let $n$ be an integer, $n \ge 2$, and $S_n$ be the set of all permutations of the row $(1\,2\,\ldots\,n)$, that is, $S_n = \{(i_1 i_2 \ldots i_n) : i_j \in \{1, 2, \ldots, n\},\ j = r \Leftrightarrow i_j = i_r;\ j, r \in \{1, \ldots, n\}\}$. A permutation $\pi = (i_1 i_2 \ldots i_n) \in S_n$ is called a permutation operation on $\mathbb{F}_2^n$ if the result of its application to any vector $w = w_1 w_2 \ldots w_n$ in $\mathbb{F}_2^n$ is the vector $\pi(w) = w_{i_1} w_{i_2} \ldots w_{i_n}$. A Boolean vector $\sigma = b_1 b_2 \ldots b_n \in \mathbb{F}_2^n$ is called a negation operation on $\mathbb{F}_2^n$ if the result of its application to a vector $a = a_1 a_2 \ldots a_n$ in $\mathbb{F}_2^n$ is the vector $a^\sigma = a_1^{b_1} a_2^{b_2} \ldots a_n^{b_n}$, where for $a$ and $b$ in $\mathbb{F}_2$, we have $a^b = a$ if $b = 1$ and $a^b = \neg a$ if $b = 0$. Both of these operations are invertible. The inversions for them are denoted in the usual manner, namely $\pi^{-1}$ and $\sigma^{-1}$. By the definition, if $\pi = (i_1 i_2 \ldots i_n)$, $s(k) = i_k$, and $\pi^{-1} = (j_1 j_2 \ldots j_n)$, then $s^{-1}(i_k) = k$, $s^{-1}(k) = j_k$, and $j_k = s^{-1}(s^{-1}(i_k))$, $k \in \{1, 2, \ldots, n\}$. The permutation and negation operations $\pi$ and $\sigma$ are called identity and denoted by 1 if $\pi = (1\,2\,\ldots\,n)$ and $\sigma = 11\ldots1$ respectively. So $1(w) = w$ and $a^1 = a$.
2.2. Combinatorial and algebraic notations
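Let $x = (x_1, x_2, \ldots, x_n)$ be a string of $n$ different Boolean variables, $g : \mathbb{F}_2^n \to \mathbb{F}_2^n$ be an $n$-dimensional vector Boolean function $g(x)$, and $g_i : \mathbb{F}_2^n \to \mathbb{F}_2$, $i \in \{1, 2, \ldots, n\}$, be the coordinate functions of $g$. That is, $g(x) = g_1(x)g_2(x)\ldots g_n(x)$. Let $\pi_1, \pi_2$ and $\sigma_1, \sigma_2$ be the symbols of variables with the values, respectively, of permutation operations in $S_n$ and of negation operations in $\mathbb{F}_2^n$, namely $\sigma_1, \pi_1$ over the variables in $x$ and $\sigma_2, \pi_2$ over the coordinates in $g(x)$. Let also $I = \{\sigma_1, \pi_1, \sigma_2, \pi_2\}$, $J \subseteq I$, $V_J$ be the set of all strings of values for the variables in $I$ in which the value of each variable from $I \setminus J$ is equal to 1, i.e. $V_J = \{(s_1 p_1 s_2 p_2) : s_i = 1 \text{ if } \sigma_i \in I \setminus J \text{ and } p_i = 1 \text{ if } \pi_i \in I \setminus J;\ s_i \in \mathbb{F}_2^n \text{ if } \sigma_i \in J \text{ and } p_i \in S_n \text{ if } \pi_i \in J;\ i \in \{1, 2\}\}$,

$$\pi_i^J = \begin{cases} 1, & \text{if } \pi_i \in I \setminus J, \\ \pi_i, & \text{if } \pi_i \in J, \end{cases} \qquad \sigma_i^J = \begin{cases} 1, & \text{if } \sigma_i \in I \setminus J, \\ \sigma_i, & \text{if } \sigma_i \in J, \end{cases} \qquad i \in \{1, 2\},$$

and $g^J(x)$ be the formula $\pi_2^J(g^{\sigma_2^J}(\pi_1^J(x^{\sigma_1^J})))$. Particularly, for any $a = (s_1 p_1 s_2 p_2) \in V_J$, a formula $g^a(x)$ is defined too as $g^a(x) = p_2(g^{s_2}(p_1(x^{s_1})))$. In fact, $g^J(x)$ is a subformula of $g^I(x) = \pi_2(g^{\sigma_2}(\pi_1(x^{\sigma_1})))$ with the negation and permutation operations from a subset $J \subseteq I$. For example, if $J = \{\sigma_1, \pi_2\}$, then $\pi_1^J = 1$, $\sigma_2^J = 1$, and $g^J(x) = \pi_2(g(x^{\sigma_1}))$. The formulas $g^J(x)$ for all possible $J$ are given in Table 1: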
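Table 1
$J$    $g^J(x)$
$\varnothing$    $g(x)$
$\{\sigma_1\}$    $g(x^{\sigma_1})$
$\{\pi_1\}$    $g(\pi_1(x))$
$\{\sigma_2\}$    $g^{\sigma_2}(x)$
$\{\pi_2\}$    $\pi_2(g(x))$
$\{\sigma_1, \pi_1\}$    $g(\pi_1(x^{\sigma_1}))$
$\{\sigma_1, \sigma_2\}$    $g^{\sigma_2}(x^{\sigma_1})$
$\{\sigma_1, \pi_2\}$    $\pi_2(g(x^{\sigma_1}))$
$\{\pi_1, \sigma_2\}$    $g^{\sigma_2}(\pi_1(x))$
$\{\pi_1, \pi_2\}$    $\pi_2(g(\pi_1(x)))$
$\{\sigma_2, \pi_2\}$    $\pi_2(g^{\sigma_2}(x))$
$\{\sigma_1, \pi_1, \sigma_2\}$    $g^{\sigma_2}(\pi_1(x^{\sigma_1}))$
$\{\sigma_1, \pi_1, \pi_2\}$    $\pi_2(g(\pi_1(x^{\sigma_1})))$
$\{\sigma_1, \sigma_2, \pi_2\}$    $\pi_2(g^{\sigma_2}(x^{\sigma_1}))$
$\{\pi_1, \sigma_2, \pi_2\}$    $\pi_2(g^{\sigma_2}(\pi_1(x)))$
$\{\sigma_1, \pi_1, \sigma_2, \pi_2\}$    $\pi_2(g^{\sigma_2}(\pi_1(x^{\sigma_1})))$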
To distinguish between signs of kinds $g^J(x)$ and $g^{\sigma_2}(x)$ as well as between signs of kinds $g^a(x)$ and $g^{s_2}(x)$, we often write $(g(x))^{\sigma_2}$ and $(g(x))^{s_2}$ instead of $g^{\sigma_2}(x)$ and $g^{s_2}(x)$ respectively. So, $g^J(x) = \pi_2^J(g(\pi_1^J(x^{\sigma_1^J})))^{\sigma_2^J}$ and $g^a(x) = p_2(g(p_1(x^{s_1})))^{s_2}$.
For any vector-columns $a, \sigma$ in $\mathbb{F}_2^n$ and a permutation $\pi = (i_1 i_2 \ldots i_n) \in S_n$, if $c = \neg\sigma$, $T = (t_{kj})$ is a permutation matrix of order $n$ over $\mathbb{F}_2$ where $t_{kj} = 1 \Leftrightarrow j = i_k$ for all $k, j \in \{1, 2, \ldots, n\}$ (we call it the matrix of $\pi$), then $a^\sigma = a \oplus c$ and $\pi(a) = Ta$. This allows us to introduce a simpler notation in which $A$ and $D$ are the matrices of permutations $\pi_1$ and $\pi_2$ respectively and $b$ and $d$ are the vector-columns $\neg\sigma_1$ and $\neg\sigma_2$ respectively, to use the symbols of variables $A, D, b, d$ instead of symbols of operations $\pi_1, \pi_2, \sigma_1, \sigma_2$ respectively in the sets $I, J$ as well as in the formulas for $f(x), f^{-1}(x)$, and to apply linear algebra methods in solving the equations $y = f(x)$ and $x = f^{-1}(y)$ with regard to unknown key parameters. Further, the fact of such replacement is denoted by the sign $\sim$. For example, $\{\pi_1, \sigma_1, \sigma_2\} \sim \{A, b, d\}$, $g^I(x) = \pi_2(g(\pi_1(x^{\sigma_1})))^{\sigma_2} \sim D(g(A(x \oplus b)) \oplus d)$. The formulas under consideration with symbols of permutation and negation operations $\sigma_1, \pi_1, \sigma_2, \pi_2$ are said to be in combinatorial notation, and the formulas where the operations are represented by symbols $b, A, d, D$ of matrices and vectors are formulas in algebraic notation.
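All the formulas $g^J(x)$ in algebraic notation are given in Table 2:
Table 2
$J$    $g^J(x)$
$\varnothing$    $g(x)$
$\{b\}$    $g(x \oplus b)$
$\{A\}$    $g(Ax)$
$\{d\}$    $g(x) \oplus d$
$\{D\}$    $Dg(x)$
$\{b, A\}$    $g(A(x \oplus b))$
$\{b, d\}$    $g(x \oplus b) \oplus d$
$\{b, D\}$    $Dg(x \oplus b)$
$\{A, d\}$    $g(Ax) \oplus d$
$\{A, D\}$    $Dg(Ax)$
$\{d, D\}$    $D(g(x) \oplus d)$
$\{b, A, d\}$    $g(A(x \oplus b)) \oplus d$
$\{b, A, D\}$    $Dg(A(x \oplus b))$
$\{b, d, D\}$    $D(g(x \oplus b) \oplus d)$
$\{A, d, D\}$    $D(g(Ax) \oplus d)$
$\{b, A, d, D\}$    $D(g(A(x \oplus b)) \oplus d)$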
2.3. Permutation-negation compositions
There are two kinds of composition for permutation-negation operations: multiplicative and serial. We begin with the first one.
Multiplicative composition
For any subsets $J, L \subseteq I$, define it as

$$g^{JL}(x) = \pi_2^L(g^J(\pi_1^L(x^{\sigma_1^L})))^{\sigma_2^L}.$$

Particularly, this means that for any $a = (s_1 p_1 s_2 p_2) \in V_J$ and $k = (r_1 q_1 r_2 q_2) \in V_L$, the value $g^{ak}(x)$ is defined as

$$g^{ak}(x) = q_2(g^a(q_1(x^{r_1})))^{r_2}, \text{ where } g^a(x) = p_2(g(p_1(x^{s_1})))^{s_2},$$

therefore

$$g^{ak}(x) = q_2(p_2(g(p_1((q_1(x^{r_1}))^{s_1})))^{s_2})^{r_2}.$$

By the definition, we should write $(g^J)^L$ and $(g^a)^k$ instead of $g^{JL}$ and $g^{ak}$ respectively, but for simplicity we remove the parentheses.
Let $b^J = \neg\sigma_1^J$, $b^L = \neg\sigma_1^L$, $d^J = \neg\sigma_2^J$, $d^L = \neg\sigma_2^L$, and $A^J, A^L, D^J, D^L$ denote the matrices of $\pi_1^J, \pi_1^L, \pi_2^J, \pi_2^L$ respectively. We have $g^{J\sigma_2^L}(x) = g^J(x) \oplus d^L = D^J(g(A^J(x \oplus b^J)) \oplus d^J) \oplus d^L$ and $\pi_1^L(x^{\sigma_1^L}) = A^L(x \oplus b^L)$. Hence, $g^{J\sigma_2^L}(\pi_1^L(x^{\sigma_1^L})) = D^J(g(A^J(A^L(x \oplus b^L) \oplus b^J)) \oplus d^J) \oplus d^L$ and

$$g^{JL}(x) = D^L(D^J(g(A^J(A^L(x \oplus b^L) \oplus b^J)) \oplus d^J) \oplus d^L).$$

Particularly,

$$g^{ak}(x) = D'(D(g(A(A'(x \oplus b') \oplus b)) \oplus d) \oplus d'),$$

where $b = \neg s_1$, $b' = \neg r_1$, $d = \neg s_2$, $d' = \neg r_2$, and $A, A', D, D'$ are the matrices of permutations $p_1, q_1, p_2, q_2$ respectively.
Serial composition
For the subsets $J, L \subseteq I$, it is defined as follows:

$$g^L(g^J(x)) = \pi_2^L(g(\pi_1^L((g^J(x))^{\sigma_1^L})))^{\sigma_2^L} = \pi_2^L(g(\pi_1^L((\pi_2^J(g(\pi_1^J(x^{\sigma_1^J})))^{\sigma_2^J})^{\sigma_1^L})))^{\sigma_2^L} = D^L(g(A^L((D^J(g(A^J(x \oplus b^J)) \oplus d^J)) \oplus b^L)) \oplus d^L),$$

and for the permutation-negation operations $a = (s_1 p_1 s_2 p_2) \in V_J$ and $k = (r_1 q_1 r_2 q_2) \in V_L$ in the following way:

$$g^k(g^a(x)) = q_2(g(q_1((g^a(x))^{r_1})))^{r_2} = q_2(g(q_1((p_2(g(p_1(x^{s_1})))^{s_2})^{r_1})))^{r_2} = D'(g(A'((D(g(A(x \oplus b)) \oplus d)) \oplus b')) \oplus d').$$
2.4. Derived functions
The order in which operations are performed in $g^J(x)$ is determined by the parentheses and the following additional agreement: in a subformula $g^\sigma(u)$, the value of $g(u)$ is calculated before performing the operation $\sigma$. So, the operations in $g^J(x)$, including the function $g$, are performed in the order $\sigma_1^J, \pi_1^J, g, \sigma_2^J, \pi_2^J$. Under particular operations $s_1, p_1, s_2, p_2$ as possible values for variables $\sigma_1^J, \pi_1^J, \sigma_2^J, \pi_2^J$ respectively, for a particular function $g$ and a value $a$ of $x$, the value of $g^J(a)$ is sequentially computed as follows: $v_1(a) = a^{s_1}$, $v_2(a) = p_1(v_1(a))$, $v_3(a) = g(v_2(a))$, $v_4(a) = (v_3(a))^{s_2}$, $g^J(a) = p_2(v_4(a))$. This defines a function $f : \mathbb{F}_2^n \to \mathbb{F}_2^n$ such that $f(x) = p_2(v_4(x))$. By the definition, $f(x)$ is uniquely determined by the function $g(x)$ and the negation and permutation transformations of its variables and coordinates. For $a = (s_1, p_1, s_2, p_2)$, we denote it $g^a(x)$ and call it a derived function (derived from $g$ by the transformation $a$). Thus, $g^a(x) = p_2(g^{s_2}(p_1(x^{s_1}))) = p_2(g(p_1(x^{s_1})))^{s_2}$. The second of these expressions for $g^a(x)$ explicitly shows the order of applying operations in the process of computing $g^a(x)$. Schematically, the computation according to it can be expressed with the following chain:

$$x \to x^{s_1} \to p_1(x^{s_1}) \to g(p_1(x^{s_1})) \to g^{s_2}(p_1(x^{s_1})) \to g^a(x).$$

In every case when $g(x)$ is a bijective vector Boolean function on $\mathbb{F}_2^n$, so is the function $g^a(x)$. Its inverse $g^{a^{-1}}(x)$ satisfies the identity relation $g^{a^{-1}}(g^a(x)) = x$ and can be computed in the following way: if $y = g^a(x)$, then $x = g^{a^{-1}}(y) = [p_1^{-1}(g^{-1}((p_2^{-1}(y))^{s_2}))]^{s_1}$. Schematically, the computation according to this formula can be expressed with the following chain:

$$y \to g^{s_2}(p_1(x^{s_1})) \to g(p_1(x^{s_1})) \to p_1(x^{s_1}) \to x^{s_1} \to x.$$

Computational complexities of the function $g(x)$ and its derived functions are of the same order. In particular, if $g(x)$ is of polynomial complexity, then $g^a(x)$ with known $g$ and $a$ is of polynomial complexity too, which we cannot say about $g^{a^{-1}}$.
3. ElGamal encryption on Boolean functions
We need to say that in reality we can construct on Boolean functions very many different variations of ElGamal encryption schemes, which can differ from each other in the definitions of public and private keys and in the encryption and decryption equations. The following variation seems to have the simplest expression and an insufficiently strong private key.
3.1. Encryption scheme E1
Parameters: $n$ is an integer, $n \ge 2$; $g(x) = g_1(x)g_2(x)\ldots g_n(x)$ is a bijective vector Boolean function with the coordinate functions $g_1(x), \ldots, g_n(x)$ specified in a constructive way and computed with a polynomial (in $n$) time complexity, $g : \mathbb{F}_2^n \to \mathbb{F}_2^n$; $\varnothing \ne J, L \subseteq I = \{\sigma_1, \pi_1, \sigma_2, \pi_2\}$, where $\pi_1, \pi_2$ and $\sigma_1, \sigma_2$ are the symbols of variables with the values, respectively, of permutation operations in $S_n$ and of negation operations in $\mathbb{F}_2^n$; $a = (s_1 p_1 s_2 p_2) \in_R V_J$ and $g^a(x) = p_2(g^{s_2}(p_1(x^{s_1})))$.
Public key is $(g(x), g^a(x))$, private key is $g^{a^{-1}}(x)$, secret parameter is $a$.
Encryption: $m$ is a plaintext, $m \in \mathbb{F}_2^n$; $k$ is a randomization parameter, $k = (r_1, q_1, r_2, q_2) \in_R V_L$; $\gamma(m) = g^k(m) = q_2(g^{r_2}(q_1(m^{r_1})))$, $\delta(m) = g^k(m) \oplus g^a(m)$; $(\gamma(m), \delta(m))$ is the ciphertext.
Decryption: $m = g^{a^{-1}}(\gamma(m) \oplus \delta(m))$.
Proof that decryption works: $g^{a^{-1}}(\gamma(m) \oplus \delta(m)) = g^{a^{-1}}(g^k(m) \oplus g^k(m) \oplus g^a(m)) = g^{a^{-1}}(g^a(m)) = m$.
3.2. Encryption scheme E2
Public key is $g^a(x)$, private key is $g^{a^{-1}}(x)$, secret parameter is $a$.
Encryption: $m$ is a plaintext, $m \in \mathbb{F}_2^n$; $k$ is a randomization parameter, $k = (r_1, q_1, r_2, q_2) \in_R V_L$; $\gamma(m) = g^{ak}(m) = q_2(g^a(q_1(m^{r_1})))^{r_2}$, $\delta(m) = g^{ak}(m) \oplus g^a(m)$; $(\gamma(m), \delta(m))$ is the ciphertext.
Decryption: $m = g^{a^{-1}}(\gamma(m) \oplus \delta(m))$.
Proof that decryption works: $g^{a^{-1}}(\gamma(m) \oplus \delta(m)) = g^{a^{-1}}(g^{ak}(m) \oplus g^{ak}(m) \oplus g^a(m)) = g^{a^{-1}}(g^a(m)) = m$.
3.3. Encryption scheme E3
This variation is proposed by V. A. Roman'kov.
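Public key is $g^a(x)$, private key is $g^{a^{-1}}(x)$, secret parameter is $a$.
Encryption: $m$ is a plaintext, $m \in \mathbb{F}_2^n$; $(k, u)$ are randomization parameters, $k = (r_1, q_1, r_2, q_2) \in_R V_L$, $u \in_R \mathbb{F}_2^n$; $\gamma = g^a(g^k(u))$, $\delta = g^k(u) \oplus m$; $(\gamma, \delta)$ is the ciphertext.
Decryption: $m = g^{a^{-1}}(\gamma) \oplus \delta$.
Proof that decryption works: $g^{a^{-1}}(\gamma) \oplus \delta = g^{a^{-1}}(g^a(g^k(u))) \oplus g^k(u) \oplus m = g^k(u) \oplus g^k(u) \oplus m = m$.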
3.4. Encryption scheme E4
This variation is proposed by I. A. Pankratova.
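Public key is $g^a(x)$, private key is $g^{a^{-1}}(x)$, secret parameter is $a$.
Encryption: $m$ is a plaintext, $m \in \mathbb{F}_2^n$; $u$ is a randomization parameter, $u \in_R \mathbb{F}_2^n$; $\gamma = g^a(u)$, $\delta = u \oplus m$; $(\gamma, \delta)$ is the ciphertext.
Decryption: $m = g^{a^{-1}}(\gamma) \oplus \delta$.
Proof that decryption works: $g^{a^{-1}}(\gamma) \oplus \delta = g^{a^{-1}}(g^a(u)) \oplus u \oplus m = u \oplus u \oplus m = m$.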
4. Example
Here, we illustrate the ElGamal encryption on Boolean functions effectively represented in an analytical form (not by tables).
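Let $n = 4$, $x = x_1x_2x_3x_4$, $g : \mathbb{F}_2^4 \to \mathbb{F}_2^4$, $g(x) = g_1(x)g_2(x)g_3(x)g_4(x)$,

$g_1(x) = x_1 \oplus x_2 \oplus x_3 \oplus x_4$, $g_2(x) = x_1x_2 \vee \bar{x}_1\bar{x}_2$, $g_3(x) = x_4$, $g_4(x) = x_2\bar{x}_3 \vee x_1x_3$,

$g^{-1} : \mathbb{F}_2^4 \to \mathbb{F}_2^4$, $g^{-1}(x) = g_1^{-1}(x)g_2^{-1}(x)g_3^{-1}(x)g_4^{-1}(x)$. We have

$g_1^{-1}(x) = x_2x_4 \vee x_1x_3x_4 \vee x_1\bar{x}_2\bar{x}_3\bar{x}_4 \vee \bar{x}_1\bar{x}_2x_3\bar{x}_4 \vee \bar{x}_1\bar{x}_3x_4$,
$g_2^{-1}(x) = x_2x_4 \vee x_1\bar{x}_3x_4 \vee \bar{x}_1x_3x_4 \vee x_1\bar{x}_2x_3\bar{x}_4 \vee \bar{x}_1\bar{x}_2\bar{x}_3\bar{x}_4$,
$g_3^{-1}(x) = \bar{x}_1\bar{x}_2\bar{x}_3 \vee \bar{x}_1x_2x_3 \vee x_1\bar{x}_2x_3 \vee x_1x_2\bar{x}_3$,
$g_4^{-1}(x) = x_3$.

Let also $J = L = I$, $V_J = V_L = \{(s_1, p_1, s_2, p_2) : p_1, p_2 \in S_4;\ s_1, s_2 \in \mathbb{F}_2^4\}$;
$a = (s_1, p_1, s_2, p_2) \in V_J$, $p_1 = 2341$, $p_2 = 4123$, $s_1 = 1001$, $s_2 = 0111$; $k = (r_1, q_1, r_2, q_2) \in V_L$, $q_1 = 4321$, $q_2 = 3412$, $r_1 = 0001$, $r_2 = 1000$.
We have that

$x^{s_1} = x_1\bar{x}_2\bar{x}_3x_4$, $p_1(x^{s_1}) = \bar{x}_2\bar{x}_3x_4x_1$, $g^{s_2}(x) = \bar{g}_1(x)g_2(x)g_3(x)g_4(x)$, $p_2(g^{s_2}(x)) = g_4(x)\bar{g}_1(x)g_2(x)g_3(x)$;

$g^a(x) = p_2(g^{s_2}(p_1(x^{s_1}))) = (g_4(\bar{x}_2\bar{x}_3x_4x_1), \bar{g}_1(\bar{x}_2\bar{x}_3x_4x_1), g_2(\bar{x}_2\bar{x}_3x_4x_1), g_3(\bar{x}_2\bar{x}_3x_4x_1))$
$= ((\bar{x}_3\bar{x}_4 \vee \bar{x}_2x_4),\ \neg(\bar{x}_2 \oplus \bar{x}_3 \oplus x_4 \oplus x_1),\ (x_2x_3 \vee \bar{x}_2\bar{x}_3),\ (x_1))$;

$p_2^{-1}(y) = y_2y_3y_4y_1$, $(p_2^{-1}(y))^{s_2} = \bar{y}_2y_3y_4y_1$,
$p_1^{-1}(x) = x_4x_1x_2x_3$, $(p_1^{-1}(x))^{s_1} = x_4\bar{x}_1\bar{x}_2x_3$;

$g^{a^{-1}}(y) = [p_1^{-1}(g^{-1}((p_2^{-1}(y))^{s_2}))]^{s_1} = [p_1^{-1}(g^{-1}(\bar{y}_2y_3y_4y_1))]^{s_1}$
$= [p_1^{-1}(g_1^{-1}(\bar{y}_2y_3y_4y_1), g_2^{-1}(\bar{y}_2y_3y_4y_1), g_3^{-1}(\bar{y}_2y_3y_4y_1), g_4^{-1}(\bar{y}_2y_3y_4y_1))]^{s_1}$
$= [g_4^{-1}(\bar{y}_2y_3y_4y_1),\ \neg g_1^{-1}(\bar{y}_2y_3y_4y_1),\ \neg g_2^{-1}(\bar{y}_2y_3y_4y_1),\ g_3^{-1}(\bar{y}_2y_3y_4y_1)]$
$= [y_4,\ \neg(y_1y_3 \vee y_1\bar{y}_2y_4 \vee \bar{y}_1\bar{y}_2\bar{y}_3\bar{y}_4 \vee \bar{y}_1y_2\bar{y}_3y_4 \vee y_1y_2\bar{y}_4),$
$\neg(y_1y_3 \vee y_1\bar{y}_2\bar{y}_4 \vee y_1y_2y_4 \vee \bar{y}_1\bar{y}_2\bar{y}_3y_4 \vee \bar{y}_1y_2\bar{y}_3\bar{y}_4),\ y_2\bar{y}_3\bar{y}_4 \vee y_2y_3y_4 \vee \bar{y}_2\bar{y}_3y_4 \vee \bar{y}_2y_3\bar{y}_4]$;

$x^{r_1} = \bar{x}_1\bar{x}_2\bar{x}_3x_4$, $q_1(x^{r_1}) = x_4\bar{x}_3\bar{x}_2\bar{x}_1$, $g^{r_2}(x) = g_1(x)\bar{g}_2(x)\bar{g}_3(x)\bar{g}_4(x)$,
$q_2(g^{r_2}(x)) = \bar{g}_3(x)\bar{g}_4(x)g_1(x)\bar{g}_2(x)$;

$g^k(x) = y = y_1y_2y_3y_4 = q_2(g^{r_2}(q_1(x^{r_1})))$
$= (\bar{g}_3(x_4\bar{x}_3\bar{x}_2\bar{x}_1), \bar{g}_4(x_4\bar{x}_3\bar{x}_2\bar{x}_1), g_1(x_4\bar{x}_3\bar{x}_2\bar{x}_1), \bar{g}_2(x_4\bar{x}_3\bar{x}_2\bar{x}_1))$
$= (x_1,\ \neg(x_2\bar{x}_3 \vee \bar{x}_2x_4),\ x_4 \oplus \bar{x}_3 \oplus \bar{x}_2 \oplus \bar{x}_1,\ \neg(\bar{x}_3x_4 \vee x_3\bar{x}_4))$;

$q_2^{-1}(y) = y_3y_4y_1y_2$, $(q_2^{-1}(y))^{r_2} = y_3\bar{y}_4\bar{y}_1\bar{y}_2$, $q_1^{-1}(x) = x_4x_3x_2x_1$, $(q_1^{-1}(x))^{r_1} = \bar{x}_4\bar{x}_3\bar{x}_2x_1$;

$g^{k^{-1}}(y) = [q_1^{-1}(g^{-1}((q_2^{-1}(y))^{r_2}))]^{r_1} = [q_1^{-1}(g^{-1}(y_3\bar{y}_4\bar{y}_1\bar{y}_2))]^{r_1}$
$= [q_1^{-1}(g_1^{-1}(y_3\bar{y}_4\bar{y}_1\bar{y}_2), g_2^{-1}(y_3\bar{y}_4\bar{y}_1\bar{y}_2), g_3^{-1}(y_3\bar{y}_4\bar{y}_1\bar{y}_2), g_4^{-1}(y_3\bar{y}_4\bar{y}_1\bar{y}_2))]^{r_1}$
$= [\neg g_4^{-1}(y_3\bar{y}_4\bar{y}_1\bar{y}_2),\ \neg g_3^{-1}(y_3\bar{y}_4\bar{y}_1\bar{y}_2),\ \neg g_2^{-1}(y_3\bar{y}_4\bar{y}_1\bar{y}_2),\ g_1^{-1}(y_3\bar{y}_4\bar{y}_1\bar{y}_2)]$
$= [y_1,\ \neg(y_1\bar{y}_3y_4 \vee \bar{y}_1\bar{y}_3\bar{y}_4 \vee \bar{y}_1y_3y_4 \vee y_1y_3\bar{y}_4),\ \neg(\bar{y}_2\bar{y}_4 \vee y_1\bar{y}_2y_3 \vee \bar{y}_1\bar{y}_2\bar{y}_3 \vee \bar{y}_1y_2y_3y_4 \vee y_1y_2\bar{y}_3y_4),$
$\bar{y}_2\bar{y}_4 \vee \bar{y}_1\bar{y}_2y_3 \vee y_1y_2y_3y_4 \vee \bar{y}_1y_2\bar{y}_3y_4 \vee y_1\bar{y}_2\bar{y}_3]$;

$g^{ak}(x) = q_2(g^a(q_1(x^{r_1})))^{r_2} = q_2(g^a(x_4\bar{x}_3\bar{x}_2\bar{x}_1))^{r_2}$
$= q_2((x_1x_2 \vee \bar{x}_1x_3),\ \neg(x_4 \oplus x_3 \oplus x_2 \oplus \bar{x}_1),\ (x_2x_3 \oplus \bar{x}_2\bar{x}_3),\ x_4)^{r_2}$
$= q_2((x_1x_2 \vee \bar{x}_1x_3),\ \neg(x_1 \oplus x_2 \oplus x_3 \oplus x_4),\ \neg(x_2x_3 \oplus \bar{x}_2\bar{x}_3),\ \bar{x}_4)$
$= (x_2\bar{x}_3 \vee \bar{x}_2x_3,\ \bar{x}_4,\ x_1x_2 \vee \bar{x}_1x_3,\ \neg(x_1 \oplus x_2 \oplus x_3 \oplus x_4))$.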
Suppose we want to encrypt the plaintext $m = x_1x_2x_3x_4 = 1010$, applying the scheme E1. We compute $\gamma(m) = \gamma(1010) = g^k(1010) = 1110$, $g^a(m) = g^a(1010) = 0101$, $\delta(m) = \delta(1010) = g^k(1010) \oplus g^a(1010) = 1110 \oplus 0101 = 1011$ and obtain the ciphertext $(\gamma(m), \delta(m)) = (1110, 1011)$. To decrypt this ciphertext, we compute $g^{a^{-1}}(\gamma(m) \oplus \delta(m)) = g^{a^{-1}}(1110 \oplus 1011) = g^{a^{-1}}(0101) = 1010 = m$.
Suppose we also want to encrypt the same plaintext $m = 1010$, applying the scheme E2. In this case, we compute $\gamma(m) = g^{ak}(1010) = 1101$, $g^a(m) = 0101$, $\delta(m) = g^{ak}(1010) \oplus g^a(1010) = 1101 \oplus 0101 = 1000$ and obtain the ciphertext $(\gamma(m), \delta(m)) = (1101, 1000)$. To decrypt this ciphertext, we compute $g^{a^{-1}}(\gamma(m) \oplus \delta(m)) = g^{a^{-1}}(1101 \oplus 1000) = g^{a^{-1}}(0101) = 1010 = m$.
Now, by applying to $m = 1010$ the encryption scheme E3 under $u = 1100$, we obtain $g^k(u) = 1011$, $\gamma = g^a(g^k(u)) = 1001$, $\delta = g^k(u) \oplus m = 0001$, $g^{a^{-1}}(\gamma) \oplus \delta = 1011 \oplus 0001 = 1010 = m$.
At last, by applying to $m = 1010$ the encryption scheme E4 under $u = 1100$, we obtain $\gamma = g^a(u) = 1101$, $\delta = u \oplus m = 0110$, $g^{a^{-1}}(\gamma) \oplus \delta = 1100 \oplus 0110 = 1010 = m$.
5. ElGamal signature scheme on Boolean functions
The ElGamal signature schemes are all randomized, as are all ElGamal encryption schemes. This means that there are many valid signatures for any given message, just as there are many ciphertexts for any given plaintext. It is known (see, for instance, [4]) that there is a method by which an adversary can sign a random message $m$ without knowing the private key by choosing $(\gamma, \delta)$ and $m$ simultaneously. Any adversary knowing a valid signature $(\gamma, \delta)$ for a message $m$ can also sign various other messages [4]. Both of these methods for producing valid forged signatures do not "enable an opponent to forge a signature on a message of his own choosing". The ElGamal signature schemes on Boolean functions described below enable an adversary, knowing a valid signature $(\gamma, \delta)$ for a message $m$, to produce valid forged signatures $(\gamma_1, \delta_1)$ for the same message $m$; this does not seem to represent a threat to the security of our ElGamal signature schemes, just as the methods above do not threaten the security of the ElGamal signature schemes on groups.
Each of the encryption schemes E1-E4 becomes a signature scheme with appendix after appointing keys and equations to play the proper roles in it. So we obtain the following ElGamal signature schemes on Boolean functions. In their description, the terms that are not explained again keep their former meanings.
5.1. Signature scheme S1
Private key (for signing) is $\{g(x), a\}$, public key (for verifying) is $g^{a^{-1}}(x)$.
Signing: $m$ is a message, $m \in \mathbb{F}_2^n$; $\gamma(m) = g^k(m)$, $\delta(m) = g^k(m) \oplus g^a(m)$, $k \in_R V_L$; $(\gamma(m), \delta(m))$ is the signature.
Verification: accept the signature iff $g^{a^{-1}}(\gamma(m) \oplus \delta(m)) = m$.
5.2. Signature scheme S2
Private key (for signing) is $g^a(x)$, public key (for verifying) is $g^{a^{-1}}(x)$, secret parameter is $a$.
Signing: $m$ is a message, $m \in \mathbb{F}_2^n$; $\gamma(m) = g^{ak}(m)$, $\delta(m) = g^{ak}(m) \oplus g^a(m)$, $k \in_R V_L$; $(\gamma(m), \delta(m))$ is the signature.
Verification: accept the signature iff $g^{a^{-1}}(\gamma(m) \oplus \delta(m)) = m$.
5.3. Signature scheme S3
Private key (for signing) is $\{g(x), a\}$, public key (for verifying) is $g^{a^{-1}}(x)$.
Signing: $m$ is a message, $m \in \mathbb{F}_2^n$; $k \in_R V_L$, $u \in_R \mathbb{F}_2^n$; $\gamma = g^a(g^k(u))$, $\delta = g^k(u) \oplus g^a(m)$; $(\gamma, \delta)$ is the signature.
Verification: accept the signature iff $g^{a^{-1}}(g^{a^{-1}}(\gamma) \oplus \delta) = m$.
5.4. Signature scheme S4
Private key (for signing) is $g^a(x)$, public key (for verifying) is $g^{a^{-1}}(x)$, secret parameter is $a$.
Signing: $m$ is a message, $m \in \mathbb{F}_2^n$; $u \in_R \mathbb{F}_2^n$; $\gamma = g^a(u)$, $\delta = u \oplus g^a(m)$; $(\gamma, \delta)$ is the signature.
Verification: accept the signature iff $g^{a^{-1}}(g^{a^{-1}}(\gamma) \oplus \delta) = m$.
5.5. Signature scheme S5
Private key (for signing) is $g^a(x)$, public key (for verifying) is $g^{a^{-1}}(x)$, secret parameter is $a$.
Signing: $m$ is a message, $m \in \mathbb{F}_2^n$; $u \in_R \mathbb{F}_2^n$; $\gamma = u$, $\delta = u \oplus g^a(m)$; $(\gamma, \delta)$ is the signature.
Verification: accept the signature iff $g^{a^{-1}}(\gamma \oplus \delta) = m$.
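The worked example of Section 4 and the signature scheme S5 above can be replayed mechanically. The following is an added example, not the author's code: it implements the permutation and negation operations, the function $g$ and the keys $a$, $k$ of Section 4, and inverts $g^a$ by a lookup table, which is only possible because $n = 4$; the function names are chosen here, and $k$, $u$ are passed in explicitly instead of being drawn at random so that the values of Section 4 can be reproduced.

```python
# Added illustration (not the author's code): the n = 4 instance of Section 4.
from itertools import product

ALL = list(product((0, 1), repeat=4))            # all vectors of F_2^4

def vec(s):                                      # "1010" -> (1, 0, 1, 0)
    return tuple(int(c) for c in s)
def perm(p, w):                                  # pi(w) = w_{i1} w_{i2} ... w_{in}
    return tuple(w[int(i) - 1] for i in p)
def neg(s, w):                                   # w^s: negate w_i where s_i = 0
    return tuple(wi ^ 1 ^ int(si) for wi, si in zip(w, s))
def xor(u, v):
    return tuple(a ^ b for a, b in zip(u, v))

def g(x):                                        # the bijective g of Section 4
    x1, x2, x3, x4 = x
    return (x1 ^ x2 ^ x3 ^ x4,
            1 ^ x1 ^ x2,                         # x1 x2 v ~x1 ~x2
            x4,
            (x2 & (1 ^ x3)) | (x1 & x3))         # x2 ~x3 v x1 x3

def derive(f, key):                              # f^key(x) = p2((f(p1(x^s1)))^s2)
    s1, p1, s2, p2 = key
    return lambda x: perm(p2, neg(s2, f(perm(p1, neg(s1, x)))))

def invert(f):                                   # lookup table; feasible only for tiny n
    table = {f(x): x for x in ALL}
    if len(table) != len(ALL):
        raise ValueError("function is not bijective")
    return table.__getitem__

A = ("1001", "2341", "0111", "4123")             # a = (s1, p1, s2, p2) from Section 4
K = ("0001", "4321", "1000", "3412")             # k = (r1, q1, r2, q2) from Section 4
ga = derive(g, A)
ga_inv = invert(ga)

def e1_encrypt(m, k):                            # E1: gamma = g^k(m), delta = gamma + g^a(m)
    gamma = derive(g, k)(m)
    return gamma, xor(gamma, ga(m))

def e2_encrypt(m, k):                            # E2: gamma = g^{ak}(m), delta = gamma + g^a(m)
    gamma = derive(ga, k)(m)
    return gamma, xor(gamma, ga(m))

def e12_decrypt(gamma, delta):                   # m = g^{a^-1}(gamma + delta)
    return ga_inv(xor(gamma, delta))

def e3_encrypt(m, k, u):                         # E3: gamma = g^a(g^k(u)), delta = g^k(u) + m
    t = derive(g, k)(u)
    return ga(t), xor(t, m)

def e4_encrypt(m, u):                            # E4: gamma = g^a(u), delta = u + m
    return ga(u), xor(u, m)

def e34_decrypt(gamma, delta):                   # m = g^{a^-1}(gamma) + delta
    return xor(ga_inv(gamma), delta)

def s5_sign(m, u):                               # S5: gamma = u, delta = u + g^a(m)
    return u, xor(u, ga(m))

def s5_verify(m, gamma, delta):                  # accept iff g^{a^-1}(gamma + delta) = m
    return ga_inv(xor(gamma, delta)) == m

if __name__ == "__main__":
    m, u = vec("1010"), vec("1100")
    print(e1_encrypt(m, K), e2_encrypt(m, K), e3_encrypt(m, K, u), e4_encrypt(m, u))
    print(s5_verify(m, *s5_sign(m, u)))
```

Since S5 verification depends only on $\gamma \oplus \delta$, every pair with the same XOR is accepted for the same message, which is the same-message forgery noted at the start of Section 5.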
Conclusion
We should say that the paper doesn't provide a solution of a research problem. We have only described a new approach to constructing ElGamal encryption and signature schemes by using the algebra of bijective vector Boolean functions with the negation and permutation operations on the sets of variables and coordinate functions in them. We are not really sure whether the given schemes are secure or not. Naturally, this approach has raised quite a large number of new problems for subsequent research. These problems are directly related to the cryptanalysis of the new ElGamal cryptographic schemes described (or not yet described) in the paper, to constructing ElGamal signature schemes on Boolean functions with message recovery, and to the development of the algebra used. Computational methods and estimates of their complexity are the most important subject in researching the last of these.
Acknowledgements
I would like to thank my colleagues Irina A. Pankratova for reading and editing the manuscript and for suggesting to me the encryption scheme E4, and Vitaliy A. Romankov for suggesting to me the encryption scheme E3.
REFERENCES
1. Menezes A., van Oorschot P., and Vanstone S. Handbook of Applied Cryptography. CRC Press Inc., 1997. 661 p.
2. Agibalov G. P. Substitution block ciphers with functional keys. Prikladnaya Diskretnaya Matematika, 2017, no. 38, pp. 57-65.
3. Agibalov G. P. and Pankratova I. A. Asymmetric cryptosystems on Boolean functions. Prikladnaya Diskretnaya Matematika, 2018, no. 40, pp. 23-33.
4. Stinson D. R. Cryptography: Theory and Practice. CRC Press Inc., 1995. 434 p.