A Zero-Knowledge Proof Based on a Multivariate Polynomial Reduction of the Graph Isomorphism Problem

Edgar González Fernández 1,3,†,*, Guillermo Morales-Luna 1,† and Feliú Sagols Troncoso 2,†
1 Department of Computer Science, CINVESTAV-IPN, Av. IPN 2508, Gustavo A. Madero, San Pedro Zacatenco, 07360 Mexico City, Mexico; egonzalez@computacion.cs.cinvestav.mx (E.G.F.), gmorales@cs.cinvestav.mx (G.M.L.)
2 Department of Mathematics, CINVESTAV-IPN, Av. IPN 2508, Gustavo A. Madero, San Pedro Zacatenco, 07360 Mexico City, Mexico; fsagols@math.cinvestav.edu.mx
3 Group of Analysis, Security and Systems (GASS), Department of Software Engineering and Artificial Intelligence (DISIA), Faculty of Computer Science and Engineering, Universidad Complutense de Madrid (UCM), Calle Profesor José García Santesmases, 9, Ciudad Universitaria, Madrid 28040, Spain; edggonza@ucm.es
* Correspondence: edggonza@ucm.es; Tel.: +34 913 947 649
† The authors contributed equally to this work.


Introduction
First presented in [1] by Goldwasser, Micali and Rackoff, interactive proof systems are a method that allows an entity (the prover) to prove the truth of a proposition to a second party (the verifier) without releasing additional information. The parties involved interact in a challenge-response process until the verifier is convinced that the prover's claim is correct, or concludes that the claim is false. This kind of proof is commonly used in authentication and identification systems, allowing an entity to prove ownership of a valid credential (i.e., a credit card number or a password) without transmitting or storing this information.
At present, many of the authentication schemes used in industry rely on PKI-based protocols with digital certificates. The vast majority of these schemes are based on either the factorization problem (RSA) or the DLP, both susceptible to quantum computer attacks. To address this issue, we propose a ZKP whose security relies on MQ, known to be NP-hard, and on GI, both resistant against quantum computer attacks up to now.
Recently, suitable instances of MQ have been used to propose novel PKC schemes, since they are considered resistant to quantum computer attacks [2], a feature that popular cryptographic algorithms, such as RSA, DSA and ECDSA, do not share. One of the first attempts to exploit multivariate polynomials in cryptography can be found in [4,5], where a cipher system, known as the Matsumoto-Imai cryptosystem, is proposed but unfortunately broken shortly after being published [6]. However, this effort set the basis for a number of other families of cryptographic schemes, such as the Unbalanced Oil-Vinegar (UOV) [7], Faugère's Hidden Field Equations (HFE) [8] and the Rainbow signature schemes [9]. A list of the most promising post-quantum cryptographic algorithms can be found in [10].
Frequently, algorithms for key generation in MPKC involve two major phases:
• Private key generation. The private key consists of a set of polynomials F = { f_1, ..., f_m } such that the problem of finding a common root is easy.
We may distinguish cryptanalytic attacks on multivariate schemes (and on public-key cryptosystems in general) according to two main purposes:
• Attacks on ciphertext, where the primary goal is to get the plaintext from the ciphertext. These attacks make use of polynomial system solvers such as the Buchberger Algorithm [11] to compute Gröbner bases. The algorithm must be executed each time a ciphertext is gathered.
• Attacks to recover the private key, consisting of the private set F and the affine transformations. Examples of these algorithms are: High Rank, MinRank and Separation of Oil and Vinegar [12] (see Section [VI.5.4]).
The method we define in this work produces key pairs from an isomorphism between a pair of graphs. The public key consists of a system of polynomial equations. The private key consists of a solution to this system. We will show that finding this solution is at least as difficult as finding an isomorphism between the associated graphs. At present, the fastest algorithm for solving the GI problem runs in quasi-polynomial time [13], but an authentic prover will be able to provide a solution efficiently.
The general layout of this paper is as follows. In Section 2 some basic concepts, as well as the notation necessary for the development of the zero-knowledge proof, are introduced. Next, Section 3 is devoted to the construction of the polynomial sets arising from the GI problem as a reduction exercise. The construction of the ZKP is explained in Section 4. Finally, in Section 5 we exhibit evidence supporting the viability of the algorithm by estimating the theoretical complexity of the polynomial set construction.

Mathematical Background
We recall the basic concepts needed to develop the translation from instances of the GI problem into instances of the MQ problem.

Graphs
A graph G consists of a set V = {v_1, ..., v_n}, the vertices, and a subset E of V^(2) = {e ⊂ V | #e = 2}, the edges. The numbers of elements of V and E are known as the order and the size of G respectively.
We say that two vertices u_1, u_2 with u_1 ≠ u_2 are adjacent if they are joined by an edge. Similarly, two different edges e_1, e_2 ∈ E are said to be adjacent if they share a vertex. The complementary graph Ḡ of G has the same vertex set V and edge set V^(2) \ E, that is, two vertices are adjacent in Ḡ exactly when they are not adjacent in G. If V can be partitioned into two sets V_1 and V_2 such that every edge has one vertex in V_1 and the other in V_2, the graph is called bipartite. Additionally, we say G is complete bipartite provided that every vertex in V_1 is connected to every vertex in V_2 and vice versa. Given two graphs G = (U, D) and H = (V, E), a bijection φ : U → V that preserves edges is an isomorphism between G and H; if such a bijection exists, G and H are said to be isomorphic, and we denote it G ≈ H. Thus, we can define the GI problem as the task of finding one of the possibly many isomorphisms between G and H, or deciding that no such bijection exists.
Finally, we define a matching as a subset M ⊆ E where no two edges e_1, e_2 ∈ M share a common vertex. If every vertex of G is an endpoint of some edge in M, then the matching is perfect.

Polynomial Ideals and Algebraic Sets
Let F_q be the finite field of q elements and R the ring of polynomials in n variables over F_q. An ideal is a subset I ⊂ R such that for every f, g ∈ I the sum f + g ∈ I, and for every f ∈ I, h ∈ R the product h f ∈ I. Then, by considering a finite set F = { f_1, ..., f_m } ⊂ R, we can define the ideal generated by F as I = ⟨F⟩ = { h_1 f_1 + ... + h_m f_m | h_1, ..., h_m ∈ R }. It can be seen without too much effort that a common root of the polynomials f_i, i = 1, ..., m, is also a root of any f ∈ I. The zero-set of the ideal I consists of all the points (x_1, ..., x_n) ∈ F_q^n such that f(x_1, ..., x_n) = 0 for all f ∈ I, and is denoted V_I(F_q). If we consider any algebraic extension of F_q, then the zero-set is known as the algebraic set of I.
We can now formalize MQ as a decision problem. Additionally, we state the related search problem.

DECISION PROBLEM
Instance: A finite set of polynomials F = { f_1, ..., f_m } ⊂ R, generating the ideal I.
Solution: 1 if V_I(F_q) ≠ ∅, and 0 otherwise.
SEARCH PROBLEM
Instance: A finite set of polynomials F = { f_1, ..., f_m } ⊂ R, generating the ideal I.
Solution: Either a proof that V_I(F_q) = ∅ or a point x ∈ F_q^n such that x ∈ V_I(F_q).
A solution of the search problem gives an immediate solution for the decision problem. If we are able to find a solution for the polynomial system f_1 = 0, ..., f_m = 0, we conclude that V_I(F_q) ≠ ∅ and the value 1 is returned. On the other hand, if we can show that no solution exists, then we return 0.
This implies that the search problem is at least as difficult as the decision problem, which is known to be NP-complete.
We have seen that a solution of a polynomial system is also a solution for any element of the ideal it generates. The idea behind the most common system solvers is to provide a new set of representatives (generators) of the same ideal, but with nicer properties, making it easier to find such a solution. This is the case for solvers based on the computation of Gröbner bases. We can mention improved versions of the Buchberger Algorithm, such as F4 and F5. They have been used successfully to attack cryptographic schemes such as HFE and Matsumoto-Imai [14] and some variants of UOV [15]. Despite these efforts, the complexity of these algorithms on random instances of MQ is fully exponential [16].

Zero-Knowledge Proof Systems
A very useful cryptographic tool for providing identification services is the zero-knowledge proof.
In the most basic scenario, it consists of two parties: the verifier poses a series of questions to the prover, who has to answer correctly in each step to convince the verifier. The prover will be capable of answering correctly on each trial only if he holds legitimate information.
For this process to be implemented successfully, some characteristics are desirable. The whole verification process should be computationally efficient for an authentic prover and the verifier, whereas it must be infeasible for a malicious entity to impersonate the authentic prover. Furthermore, no information beyond the truth of the claim should be revealed to the verifier; in practice this requirement is relaxed to "no statistically significant information". Additionally, we require the following characteristics:
• Completeness. An authentic prover will always be accepted by an honest verifier.
• Soundness. If the prover is not authentic, the verifier rejects with high probability. That is, a verifier always accepts an authentic prover, but a malicious prover can impersonate an authentic one only with a very small probability.

Construction of the Polynomial System
We exhibit the construction of the polynomial ideal from a pair of graphs and an isomorphism between them.
Let G and H be two isomorphic graphs of order n and size e, with vertex sets U = {u_1, ..., u_n} and V = {v_1, ..., v_n} and edge sets D and E respectively. Let K_{U,V} denote the complete bipartite graph with bipartition U, V. We get a perfect matching M in K_{U,V} by selecting u_i v_k, u_j v_l into M if and only if u_i u_j ∈ D and v_k v_l ∈ E. In other words: (i) if u_i u_j is an edge in G but v_k v_l is not an edge in H, then the edges u_i v_k and u_j v_l do not lie simultaneously in M; (ii) if v_k v_l is an edge in H but u_i u_j is not an edge in G, then the edges u_i v_k and u_j v_l do not lie simultaneously in M.
We can identify any perfect matching M built in this way with a bijection φ that defines the isomorphism of graphs. From a set-theoretic point of view, φ is treated as a collection of pairs whose first coordinates are elements of the domain of the function, while the second ones belong to the co-domain [17]. Conditions (i) and (ii) above constitute an alternative way to assert that u_i u_j ∈ D if and only if φ(u_i) φ(u_j) ∈ E, that is, that φ is an isomorphism. We illustrate this in Figure 1.
(a) An isomorphism between G and H can be seen as a perfect matching in the graph K_{U,V}, preserving adjacencies between G and H.
Now, we perform a suitable reduction from an instance of GI to an instance of MQ, following the same ideas used in reductions of several other graph problems to Boolean quadratic polynomials [18,19].
First we consider the set of n^2 variables {X_{i,k}} for i, k = 1, ..., n. We restrict any possible solution to the binary set {0, 1} by introducing the polynomials
X_{i,k}^2 - X_{i,k}, for i, k = 1, ..., n. (1)
Next, the following polynomials are introduced to require that one and only one vertex u_i from U is connected to one vertex of V and vice versa:
X_{i,1} + ... + X_{i,n} - 1, for i = 1, ..., n, and X_{1,k} + ... + X_{n,k} - 1, for k = 1, ..., n. (2)
This links solutions to the fact that we have a perfect matching. Finally, to guarantee that the set of polynomials has a solution related to the chosen isomorphism, we introduce a third set of polynomials:
X_{i,k} X_{j,l}, for any i, j, k, l satisfying (u_i u_j ∈ D and v_k v_l ∉ E) or (u_i u_j ∉ D and v_k v_l ∈ E). (3)
This completes the construction of the polynomial set related to the given GI instance.

Zero-Knowledge Protocol
We are ready to explain how we use the theory developed in Section 3 to perform the zero-knowledge proof.
Let us start by generating a graph G and a random bijection φ of its vertices. We create a second graph H which is isomorphic to G with isomorphism φ. Now let F_1 be the polynomial system resulting from the construction shown in Section 3. A solution x_1 for the system F_1 is found by setting X_{i,k} = 1 whenever φ(u_i) = v_k, and X_{i,k} = 0 otherwise. The polynomial set F_1 is public and is used as the public key. The private key is the solution x_1.
Next, we create a second random bijection ψ and the graph K isomorphic to G defined by this isomorphism, so that G, H and K are linked by a chain of isomorphisms. We apply the same process to generate a second set F_2 of polynomials and find a solution in exactly the same way as we did for the first set. We can avoid the process of graph generation by applying the permutation directly to the public system. We note that from the bijection ψ : U → V we can derive a permutation σ_ψ of the set {1, ..., n} defined by σ_ψ(i) = k if ψ(u_i) = v_k. This creates a mapping of variables by sending X_{i,k} to X_{i,σ_ψ(k)}. We write the polynomials of F_2 satisfying condition (3) as X_{i,σ_ψ(k)} X_{j,σ_ψ(l)}. A solution for the system F_2 is provided by applying the permutation σ_ψ to reorder x_1. A third set of polynomials F_3 can be obtained if we consider γ = ψ ∘ φ.
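As an added worked example (not code from the paper), the following Python builds the polynomial set (1)-(3) of Section 3 for a small constructed pair of graphs, checks that the 0/1 assignment derived from φ is a common root, and derives the second system F_2 and its solution by the variable permutation σ_ψ described above. The graphs, φ and σ_ψ are constructed values; vertices are numbered from 0.

```python
from itertools import combinations, product
from math import prod

# Constructed instance (not from the paper): G is the path u0-u1-u2-u3 and
# H = phi(G) for the bijection PHI[i] = k, meaning phi(u_i) = v_k.
N = 4
D = {(0, 1), (1, 2), (2, 3)}
PHI = [2, 0, 1, 3]
E = {tuple(sorted((PHI[i], PHI[j]))) for i, j in D}

def build_system(n, d_edges, e_edges):
    """Polynomial set F for the GI instance (G, H). A polynomial is a list of
    (coeff, monomial) terms; a monomial is a tuple of variables (i, k)."""
    d_set = {tuple(sorted(e)) for e in d_edges}
    e_set = {tuple(sorted(e)) for e in e_edges}
    polys = []
    for v in product(range(n), repeat=2):            # (1): X_ik^2 - X_ik, so X_ik in {0,1}
        polys.append([(1, (v, v)), (-1, (v,))])
    for i in range(n):                               # (2): sum_k X_ik - 1, one v_k per u_i
        polys.append([(1, ((i, k),)) for k in range(n)] + [(-1, ())])
    for k in range(n):                               #      sum_i X_ik - 1, one u_i per v_k
        polys.append([(1, ((i, k),)) for i in range(n)] + [(-1, ())])
    for (i, j), (k, l) in product(combinations(range(n), 2), repeat=2):
        if ((i, j) in d_set) != ((k, l) in e_set):   # (3): adjacency differs, so forbid
            polys.append([(1, ((i, k), (j, l)))])    #      matching u_i->v_k, u_j->v_l
            polys.append([(1, ((i, l), (j, k)))])    #      and u_i->v_l, u_j->v_k
    return polys

def evaluate(polys, x):
    """Evaluate over the integers; a 0/1 root over Z is a root over any F_q."""
    return [sum(c * prod(x[v] for v in mono) for c, mono in p) for p in polys]

def is_solution(polys, x):
    return all(val == 0 for val in evaluate(polys, x))

def solution_from_bijection(n, phi):
    """x with X_ik = 1 if phi(u_i) = v_k and 0 otherwise (the private key)."""
    return {(i, k): int(phi[i] == k) for i in range(n) for k in range(n)}

def permute_system(polys, sigma):
    """Second system F_2: send X_ik to X_{i,sigma(k)} instead of regenerating graphs."""
    return [[(c, tuple((i, sigma[k]) for i, k in mono)) for c, mono in p] for p in polys]

def permute_solution(x, sigma):
    """Reorder x_1 by sigma to obtain the solution x_2 of F_2."""
    return {(i, sigma[k]): val for (i, k), val in x.items()}

if __name__ == "__main__":
    F1 = build_system(N, D, E)
    x1 = solution_from_bijection(N, PHI)
    print(len(F1), is_solution(F1, x1), is_solution(F1, solution_from_bijection(N, [0, 1, 2, 3])))
    SIGMA = [1, 2, 3, 0]
    print(is_solution(permute_system(F1, SIGMA), permute_solution(x1, SIGMA)))
```

The identity bijection is rejected because the edge u_1 u_2 of G is not mapped to an edge of H, which triggers one of the polynomials of type (3).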

Computational complexity
We analyse the cost of creating the sets of polynomials, which is the main step in the key generation process. For the first and second sets of polynomials given in (1) and (2) we have to consider the pairs (i, k) for i, k ∈ {1, ..., n}. The asymptotic time complexity for these is O(n^2).
We now include the polynomials of the form (3). Since we also need the solution of this system, we complete the construction with these steps:
• For every edge u_i u_j ∈ D, we look for every edge v_k v_l in the complementary graph H̄. We add the corresponding polynomials X_{i,k} X_{j,l} to the system.
• For every edge v_k v_l ∈ E, we walk over every edge u_i u_j in the complement Ḡ. We add the corresponding polynomials X_{i,k} X_{j,l} to the system.
• With the chosen isomorphism φ : G → H we create the complete bipartite graph K_{U,V} and the perfect matching M determined by φ, from which the solution is read off.
These equations comprise a total number bounded by n^2 e, where e is the size of G. Then we can build the complete system in time O(n^2 e), which is polynomial in the order of G.

Conclusions
We have built an alternative zero-knowledge authentication protocol whose security relies on the difficulty of solving MQ. A solution for this set of polynomials represents an isomorphism between graphs. Thus we guarantee that the protocol is at least as secure as the classical ZKP based solely on the GI problem. We have also shown that the construction is feasible in terms of time complexity, and since only a permutation of length n or a binary vector of size n^2 is sent in response at every step, most of the information exchanged in every interaction consists of the set of polynomials, which is a bit string of size O(n^4). We leave as future work the study of reducing the number of polynomials in the system without weakening the proof system, as well as a complete implementation of the authentication protocol.
Given a pair of graphs G = (U, D) and H = (V, E), a bijection φ : U → V that preserves edges is an isomorphism between G and H. If such a bijection exists between G and H, they are said to be isomorphic.
Preprints (www.preprints.org) | NOT PEER-REVIEWED | Posted: 8 May 2018 doi:10.20944/preprints201805.0126.v1
(b) The edges u_2 v_2 and u_3 v_4 cannot belong simultaneously to M because u_2 u_3 ∈ D, but v_2 v_4 ∉ E. We add the equation X_{2,2} X_{3,4} = 0 to I.

Figure 1. Process to generate the polynomial set associated to the graph isomorphism.

• Public key derivation. Starting with the private key F, we create another set of polynomials F' = { f'_1, ..., f'_n }. Finding a common root of the set F' must be a computationally difficult task, since this set is publicly exhibited and must not weaken the cryptosystem. The public key is usually derived from the private key by composition with affine bijective transformations, say S_1, S_2, as F' = S_2 ∘ F ∘ S_1. Consequently, S_1 and S_2 are also kept secret, since they can be easily inverted, and are considered part of the private key. Many other methods for public key generation are explained in detail in [3, 1.2].