Design of Ciphers based on the Geometric Structure of the Möbius Plane
aa r X i v : . [ c s . CR ] F e b Design of Ciphers based on the GeometricStructure of the M¨obius Plane
Christoph Capellaro ∗ Abstract
Till now geometric structures don’t play a major role in cryptog-raphy. Gilbert, MacWilliams and Sloane [GMS74] introduced an au-thentication scheme in the projective plane and showed its perfectnessin the sense of Shannon [Sha49]. In this paper we will show that thisauthentication scheme also fulfills the requirement of completeness ac-cording to Kam and Davida [KD79] and we will extend the applicationof geometric structures in cryptography by introducing an encryptionscheme in the M¨obius plane. We will further examine its properties,showing that it also fulfills the requirement of completeness and Shan-non’s requirement of perfectness in first approximation. The resultsof this paper can be used to define similar encryption schemes in thecircle geometries of Laguerre and Minkowski.
Keywords: circle geometry, M¨obius, cryptography, complete, perfect, optimal keylength
A cryptographic transformation can be understood as an incidence relation,whereby messages m and ciphertexts c are represented as points. The cryp-tographic transformation f that maps m to c is then described by a geometricobject that incises with these two points. In this paper we will design newencryption transformations with the circle geometry of the M¨obius planeand analyze their properties.Quite often the security of cryptographic algorithms is dependent oneither the fact that no efficient algorithm is known to solve a certain math-ematical problem or they use mappings that show very little structure. Ex-amples for the former are asymmetric algorithms like RSA or the discretelogarithm. The latter includes e.g. symmetric algorithms like Feistel ciphers.Little research has been done on the applicability of geometric structures in ∗ EY EMEIA Financial Services - Cyber Security i -th bit results in a change of the j -th bit of the output vectorfor arbitrary i and j . Encryption transformations based on M¨obius are infirst approximation perfect. Strategies for key selection are introduced thatprovide optimal key length for a perfect encryption method, meaning thatthe size of the key does not exceed the size of the message, as long as paddingis ignored. Acknowledgment.
The author would like to express great gratitude toHelmut Karzel. Without the insights in circle geometries that he shared,this paper would not have been possible. Furthermore thank goes to MariiaDenysenko, who with her inspiring attitude and due care of technical detailssupported the completion of this paper.
Definition 2.1.
Let M and C be sets, where M is called a set of messagesand C a set of ciphertexts. If there is a nonempty set of functions F of theform F : M → C with the property that every f ∈ F is reversible, then theelements f ∈ F are called cryptographic transformations and ( M, C, F ) iscalled a cryptographic scheme . Theorem and Definition 2.2.
A cryptographic scheme ( M, C, F ) is calleda countable infinite cryptographic scheme , if the sets M , C and F arecountable infinite. If the set of ciphertexts C ′ of a cryptographic scheme ( M ′ , C ′ , F ′ ) is finite then ( M ′ , C ′ , F ′ ) is called a finite cryptographic scheme .Proof. The finiteness of the sets M ′ and F ′ follow immediately from the2niteness of C ′ and from the fact that all cryptographic transformations f ′ ∈ F ′ are injective. Definition 3.1. If ( M, C, F ) is a cryptographic scheme, then the probabilityof the occurrence of a message m ∈ M is denoted with µ ( m ) = P ( m ) and iscalled a-priori probability of the message m . Similarly the probability of theoccurrence of the message m under the condition that m is mapped to c byany f ∈ F is denoted with ν ( m, c ) = P c = f ( m ) ( m ) and is called a-posterioriprobability of the message m for a given ciphertext c .Remark . In the case that a cryptographic system (
M, C, F ) is finite,relative frequencies can be used to calculate the a-priori and a-posterioriprobabilities. Then µ ( m ) = H ( m ) | M | and ν ( m, c ) = (cid:12)(cid:12) { f ∈ F : c = f ( m ) } (cid:12)(cid:12) P m ∈ M (cid:12)(cid:12) f ∈ F : c = f ( m ) (cid:12)(cid:12) . Here H ( m ) means the frequency of the occurrence of the message m . Definition 3.3.
Let ( M, C, F ) be a cryptographic scheme for which every c ∈ C is a possible ciphertext and let µ and ν be its a-priori and a-posterioriprobabilities. Then ( M, C, F, µ, ν ) is called perfect according to Shannon[Sha49] as long as µ ( m ) = ν ( m, c ) for any m ∈ M and for any c ∈ C .Remark . If (
M, C, F ) is finite and if µ ( m ) = µ ( m ) for any m ∈ M then ( M, C, F, µ, ν ) is perfect as long as | M | = (cid:12)(cid:12) { f ∈ F : c = f ( m ) } (cid:12)(cid:12) P m ∈ M (cid:12)(cid:12) { f ∈ F : c = f ( m ) } (cid:12)(cid:12) for any m ∈ M and for any c ∈ C .Another well-known property for cryptographic schemes is the com-pleteness according to Kam and Davida which is defined for cryptographicschemes based on binary strings. Definition 3.5.
Let ( M, C, F ) be a cryptographic scheme with M = Z r and C = Z s . Then the cryptographic transformation f ∈ F is called completeaccording to Kam and Davida [KD79] , if there is at least one message m = m , m , ..., m r ∈ M for every pair of indices i ≤ r and j ≤ s , wherea change in the i -th bit of m ∈ M results in a change of the j -th bitof c = c , c , ..., c s = f ( m ) ∈ C . A cryptographic scheme ( M, C, F ) that consists exclusively of complete cryptographic transformations is calleda complete cryptographic scheme . Definition 4.1.
Let ( M, C, A ) be a cryptographic scheme. Let µ further bea measure on C that fulfills the condition that µ ( a ( C )) ≪ µ ( C ) for every ∈ A . Then ( M, C, A ) is called authentication scheme , the ciphertexts c ∈ C are called authenticated messages and the transformations a ∈ A arecalled authentications .Remark . The authentications a ∈ A do not necessarily need to beinjective. An authenticated message c ∈ C is verified with a function ν : C → { true, f alse } with ν ( c ) = true , if c ∈ a ( M ) and ν ( c ) = f alse ,if c / ∈ a ( M ).So an authenticated message c ∈ C is accepted as authentic as soon as c ∈ a ( M ). This is the motivation for the condition on the authentications a ∈ A introduced in Definition 4.1, which ensures that only a small subsetof authenticated messages is accepted as authentic. Definition 4.3.
An authentication scheme ( M, C, A ) is called Cartesian ,if any a ∈ A is injective and a ( M ) ∩ a ( M ) = ∅ for any a , a ∈ A and S a ∈ A a ( M ) = C . For a Cartesian authentication scheme based on countable sets C and A counting can be defined as the measure µ on C and A . Then the theoremof Gilbert, MacWilliams and Sloane [GMS74] can be written as follows. Theorem 4.4.
Let n = ν ( A ) be the number of authentications in a Carte-sian authentication scheme ( M, C, A ) and let c ∈ C be a randomly chosenauthenticated message, then the following holds: ν ( { a ∈ A : ∃ m ∈ M and c = a ( m ) } ) ≥ √ n A proof of theorem 4.4 for an authentication scheme based on projectiveplanes which has been introduced in [GMS74] is given below, a general proofcan be found e.g. in [BR92].
Definition 4.5.
A Cartesian authentication scheme ( M, C, A ) with n = ν ( A ) for which theorem 4.4 is fulfilled sharply, is called perfect . In this section we use some well-known facts about projective planes. Thecorresponding proofs can be found in the literature, e.g. in [KK88] or [BR92].
Definition 5.1.
An incidence space ( P , L ) of points P and lines L and atleast 3 different points in P is called a projective plane , if each line consistsof at least 3 points and any two lines of L intersect in exactly one point. Definition 5.2.
A projective plane is finite , if its set of points is finite.Remark . All lines in a finite projective plane have the same number ofpoints. A projective plane with lines that consist of q + 1 points is called aprojective plane of order q . 4 efinition and Theorem 5.4. Let ( P , L ) be a finite projective plane and L ∈ L be a line in ( P , L ) . An authentication scheme ( M, C, A ) can bedefined in ( P , L ) as follows: M is the set of all points on L and C the setof all lines of L \ L . In order to describe the set of authentications A wedefine K as the set of points in P \ L . The authentications a ∈ A are thendefined as follows: A : M × K → C and a (m , k) = m , k for given m ∈ M and k ∈ K , where m and k are considered as points of the projective plane.An authenticated message C ∈ C which has been authenticated using a given k ∈ K is verified as true, if k ∈ C and false otherwise. Here again k isconsidered a point of the projective plane and C a line in the projective plane.This authentication scheme ( M, C, A ) is perfect according to definition 4.5.Proof. Let q be the order of ( P , L ). Then ( P , L ) consists of q + q + 1 pointsand as many lines. There are q + 1 points on each line and q + 1 lines runthrough each point in ( P, L ). Thus | K | = q , | M | = q + 1 and the numberof possible authentications for a given message m ∈ M is q .We distinguish between the two cases that no authenticated message isknown and that one such authenticated message C ∈ C is known.To analyze the first case we select a message m in the set of messages M and create the authenticated message C ∈ C = L \ L . Again we considerthe representations of m, C and L as point and lines in the projectiveplane. There are q possible authentications, since q lines different from L run through the point m ∈ L . Each of these q lines has q different pointsoutside L . So there are q possibilities for the point k ∈ K which representsthe key k used for the authentication. Thus the chance that C is verifiedas a true authenticated message equals to qq = q .In the second case a message m and its corresponding authenticatedmessage C = m , k are known. Again we are looking at the representationsof m , k and C as points and line in the projective plane. Another m ∈ L with m = m and C ∈ L \ L with C = C can be selected. The lines m , kand m , k intersect in the point k ∈ m , k . The probability that k = k is q . Figure 1 visualizes the authentication scheme of definition 5.4. Remark . The points k ∈ K which have been used in definition 5.4 toconstruct the authenticated messages are also referred to as keys. Remark . It’s obvious that in a practical application of this perfect au-thentication scheme each key can be used only once.
Remark . Beutelspacher and Rosenbaum introduced a generalization ofthis perfect authentication scheme in the projective space [BR92].In this paper we continue the examination of the cryptographic proper-ties of the authentication scheme introduced by Gilbert and MacWilliamswith following theorem. 5 C := m , k kmFigure 1: Authentication in the projective plane. Theorem 5.8.
An authentication scheme in a finite projective plane overa filed F with char F = 2 as introduced in definition 5.4 is complete in thesense of definition 3.5.Proof. We consider an authentication scheme (
M, C, A ) in the projectiveplane ( P , L ) over the field Z n and we introduce homogeneous coordinatesx = ( Z n ) ∗ x x x for the points in ( P , L ). Here and in the following thefield F ∗ shall denote the field F without its zero element. We assume thatthe set of messages M and the key k are in the finite and that m = k .Otherwise the projective plane shall be transformed accordingly.Since M is in the finite, its points can be represented as follows: M = (cid:8) x ∈ P : s x − x + t = 0 , s, t ∈ Z n , x = 1 (cid:9) (1)There are q = 2 n points of M in the finite, which are uniquely determinedby the coordinate x in (1).Every line of C passes the point k, the key. Since k is in the finite, itcan be represented with k = (k , k , C are representedby following condition: u x − x + k − u k = 0 ⇔ u (x − k ) − x + k = 0 , u ∈ Z n , x = 1 (2)The q = 2 n lines of C are in the finite. They can be uniquely identifiedwith the parameter u in (2).The authenticated message C ∈ C is determined as that line in C thatpasses the point m which represents the message. Thus we obtain followingcondition for C: u (x − k ) − s x − t + k = 0 (3)6ence, we can refer to the authentication a : ( M, K ) → C as a function a k : Z n → Z n that maps the coordinate x ∈ Z n to the parameter u ∈ Z n : u = a k (x ) := s x + t − k x − k We want to look at the coordinates and parameters of ( P , L ) as binaryvectors in Z n . Furthermore i, j shall be indices with i, j ∈ { , , ..., n } and e i , e j the corresponding unit vectors in Z n .In order to show the completeness of the authentication a , we need tofind a point m ′ in a way that a (m ′ , k) = C ′ when a (m , k) = C. Here m ′ isobtained when x is replaced by x + e i and C ′ is obtained when u is replacedby u + e j in (3):( u + e j )(x + e i − k ) − s (x + e i ) − t + k = 0 (4)Parameters s, t ∈ Z n can be found to fulfill equations (3) and (4). Definition 6.1.
An incidence structure ( S , X ) with a set of points S anda set of circles X is called M¨obius plane , if it satisfies following properties: (M1) ∀ a , b , c ∈ S with a = b = c = a ∃ A ∈ X . Following writing conven-tion will be used in this context: (a , b , c) χ := A . (M2) Touch axiom: ∀ A ∈ X , ∀ a , b ∈ S with a ∈ A and b ∈ S \ A ∃ B ∈ X :a , b ∈ B and A ∩ B = { a } . (M3) | S | ≥ and there are four points in S which are different from eachother and which do not coincide with a common circle. By a stereographic projection of the spherical surface on the Euclideanplane, the M¨obius geometry of the spherical surface is mapped on the ge-ometry of the circles and lines of the Euclidean plane. If one extends theEuclidean plane with a distant point, then the straight lines can be regardedas circles through this point. Figure 2 illustrates this procedure.In the context of this paper we will only consider M¨obius planes thatare defined over separable quadratic field extensions ( G , F ) of finite fields F = GF ( q ). In a quadratic field extension of this kind there is exactlyone involutorial automorphism . : G → G that has the elements of F asfixpoints. We obtain the M¨obius plane over a separable quadratic fieldextension ( G , F ), if we close it with the point ∞ , S := G := G ∪ {∞} .M¨obius planes of this form do always have an analytical representation.7p ′ Figure 2: M¨obius plane.
Definition 6.2.
The derivation of a M¨obius plane ( S , X ) in a point a ∈ S is characterized with the pair ( S a , X a ) with ( S a := S \ { a } and X a := { C \ { a } : C ∈ X , a ∈ C } . Every derivation of a M¨obius plane is an affine plane, as has been showne.g. in [KK88]. In the following we will show three different ways for ananalytical representation of a M¨obius plane.
The Euclidean plane R can be represented by the plane of complex numbers C , i.e. the analytical geometry of the pair ( C , R ). A circle with center c ∈ C that runs through the point c + a , a ∈ C ∗ is defined in C with followingequation. (z − c)(z − c) = a · a (5)The circle has the radius r = | a | .This model of the Euclidean geometry can be generalized by using aseparable quadratic field extension ( L , K ) instead of the pair ( C , R ). Anysuch field extension has exactly one automorphism . : L → L that keeps theelements of K unchanged. The automorphism . is involutory. The circlesof this generalized model are presented with equation (5). To obtain the8¨obius plane of the field pair ( L , K ), L needs to be closed with a distantpoint ∞ , L := L ∪ {∞} and K := K ∪ {∞} . It is known from the elementary function theory that circles in the Gaussiannumber plane can be described using double ratios. This can be generalizedusing a separable quadratic field extension ( L , K ). The circle through thepoints a , b , c ∈ L consists of the points z for which the double ratioDr(a , b , c , z) := a − ca − z / b − cb − z (6)is a value in K . The coresponding M¨obius plane is defined by addingthe point ∞ , i.e. S := L := L ∪ {∞} . In the M¨obius plane ( S , X ) over a separable quadratic field extension ( G , F )fractional linear functions of the following form can be chosen to describecircles: γ : F → X z az + bcz + d , ad − bc ∈ G ∗ , z = ∞ , z = − dc , if dc ∈ F ∞ 7→ ac − dc
7→ ∞ , if dc ∈ F (7)
10 Combinatorial Aspects of the M¨obius Plane
In the following we will focus on M¨obius planes based on finite fields. Let( S , X ) be a M¨obius plane over the field F with | F | =: q . Since any derivationof the M¨obius plane in a point results in an affine plane, where every line has q points, all circles in the M¨obius plane have the same number of k := q + 1points. By calling ν the number of points in S and b the number of circles in X , we find the following relationships by counting coincidences. From (M1)we know: (cid:18) ν (cid:19) = b · (cid:18) k (cid:19) (8)Let x be the number of circles that run through two different points of( S , X ), because of (M1) there is: 9 bCDFigure 3: Circles through two points of the M¨obius plane. x ( q −
1) = ν − S , X ), as there are points on one circle. Therefore letC , D ∈ X and a , b ∈ C , C ∩ D = { a } .Figure 3 shows that any circle through a and b, except the circle C itself,intersects the circle D in a point different from a. In connection with (M1)and (M2) this proves our assertion. Furthermore we can conclude fromequation (9) that the number of points in the M¨obius plane is ν = q + 1.By substituting the relations for ν and k we get from equation (8) that thenumber of circles in the M¨obius plane b = q ( q + 1). Since the derivation ofa M¨obius plane in any point a ∈ S results in an affine plane over the field F and since the affine plane has q + q lines, as much circles of the M¨obiusplane coincide with the point a. Furthermore there are q circles differentfrom the circle C that touch C in the point b ∈ C. Figure 4 shows that anycircle touching C in the point b intersects with the circle D in exactly onepoint. Since circle D has q + 1 points, the assertion is correct.
11 Encryption in the M¨obius Plane
In the following we define a cypher system in a M¨obius plane ( S , X ) over afinite field F with | F | =: q . For this purpose we define (cid:18) S (cid:19) := (cid:8) (s , s , s ) ∈ S : (cid:12)(cid:12) { s , s , s } (cid:12)(cid:12) = 3 (cid:9) (10)as the set of triples in S that consist of three different elements.10 CFigure 4: Touching circles through a point of the M¨obius plane. Definition 11.1.
A cipher system ( M, C, F ) is defined in the M¨obius plane ( S , X ) as follows: Messages M := (cid:18) S (cid:19) Cipher texts C := (cid:18) S (cid:19) Encryption functions F : M → C such that, if M := (m , m , m ) χ is the circle induced bythe message (m , m , m ) , then encryption functions f ∈ F are definedas f : M → M in the following way: (MC1) f is associated with the triple (K , K , K ) ∈ (cid:18) X (cid:19) , which iscalled the key . (MC2) m i ∈ K i and (m , m , m ) χ ∩ K i ∩ K j = ∅ for i, j ∈ { , , } and i = j . Encryption
For a given message (m , m , m ) , an encryption function f ∈ F andan associated key (K , K , K ) ∈ (cid:18) X (cid:19) the ciphertext (c , c , ) := f (m , m , m ) is determined by (MC3) c i := ( K i ∩ (m , m , m ) χ − { m i } if (cid:12)(cid:12) K i ∩ (m , m , m ) χ (cid:12)(cid:12) = 2m i if (cid:12)(cid:12) K i ∩ (m , m , m ) χ (cid:12)(cid:12) = 1Decryption Applying the encryption function f to the cipher text (c , c , c ) ∈ C yields the message. c c m c m K K K Figure 5: Visualization of the M¨obius cipher.
The cipher system ( M, C, F ) is called M¨obius Cipher . Figure 5 illustrates the encryption process of the M¨obius Cipher.
Remark . Due to the prerequisite that the points m , m , m of themessage are different from each other in pairs, it is ensured that the circlethrough these three points is well defined. This allows the chosen construc-tion of the encryption function. Remark . The way, how the circles of the key have been chosen, ensuresthat the three points of the cipher text c , c , c are also different from eachother in pairs and that (c , c , c ) χ = (m , m , m ) χ . Remark . Definition 11.1 doesn’t describe a constructive way to findsuitable circles to determine the key. Some exemplary strategies to get suchkey circles are explained in [Cap94].
Remark . In case the message is shorter than three points in the M¨obiusplane, one or two points have to be added to make the M¨obius cipher ap-plicable. This mechanism is called ”padding”. Both sender and receiver ofencrypted messages need to be aware about the chosen padding mechanism.
Remark . If the message consists of more than three points in the M¨obiusplane, the encryption with the M¨obius cipher is repeated with the next threeconsecutive points until the end of the message is reached. Again somepadding might be required, if there are less than three points remaining at12he end of the message. In order to achieve cryptographic security, for everynew triple of points from the message three new circles have to be chosenas key.
12 Cryptoanalysis of the M¨obius Cipher
Quite often the security of cryptographic algorithms is dependent on eitherthe fact that no efficient algorithm is known to solve a certain mathematicalproblem or they use mappings that show very little structure. Examples forthe former are asymmetric algorithms like RSA or the discrete logarithm.The latter includes e.g. symmetric algorithms like Feistel ciphers. In bothcases the security of these ciphers is based on assumptions and experience,but cannot be concluded strictly. The advantage of the M¨obius cipher thathas been introduced in this paper is that it is based on well defined geometricstructures and hence its cryptographic strength can be derived from knownproperties.Before coming to the perfectness and completeness as introduced in def-initions 3.3 and 3.5, we would like to discuss some other requirements fora cipher system. An important one is that the number of potential keysneeds to be large enough to avoid successful brute force attacks. Typically2 is nowadays considered to be a sufficient size for the number of possiblekeys. The number field F over which the M¨obius plane ( S , X ) has beendefined needs to be large enough, to fulfill this requirement. Another usefulproperty of a cipher system is the ratio between input and output length.If ciphertexts are longer than the original messages, the cipher system iscalled expanding . Again a suitable choice of the underlying number field F can reduce expansion. In the case that ASCII characters, which have alength of 8 bit, shall be encrypted, expansion can be kept low, if the numberfield q := | F | is chosen in a way that q is only slightly bigger than 2 k · and k ≥
16. This choice would also fulfill the requirement mentioned above ofproviding a sufficient large key space.To examine the properties of perfectness and completeness we use asimple strategy to select the necessary keys for the M¨obius cipher (
M, C, F )by choosing lines. In the M¨obius plane ( S , X ) lines are represented by circlesC ∈ C that run through the point ∞ . This gives us following quantities forour M¨obius cipher ( M, C, F ) in the M¨obius plane ( S , X ) over the field F with | F | =: q . The messages m , m , m are three points in ( S \ {∞} ) =: ◦ S ,different in pairs. The key circles K , K , K are determined by the threepoints k i ∈ S \ { (m , m , m ) χ , ∞} , i ∈ { , , } . The following figure 6illustrates the encryption function.The encryption of three points of the message requires three points askeys. Hence the length of the key equals the length of the message. Sinceaccording to Shannon the key length in a perfect encryption scheme is at13 c c m c m K K K Figure 6: M¨obius cipher using lines as keys.least as big as the length of the ciphertext, the key length of our M¨obiuscipher is minimal.To examine the property of perfectness according to definition 3.3 wewant to assume that all messages in (
M, C, F ) are equally distributed. Letm = m = m = m be three points of the message lying on the circleM of the M¨obius plane and let c , c , c be the corresponding points of thecipher text, which also incide with the circle M. Furthermore the probabilitymeasures µ and ν shall be defined on M as explained in definition 3.3. In thefollowing we want to determine the a-priori and a-posteriori probabilities ofthe three points m , m , m of the message independently.Lets have a look at the encryption of m . M := (m , m , m ) χ is thecircle determined by the message points. Since there are q + 1 points on M,the probability of the occurrence of the message point m is µ (m ) = q +1 .The number of possible keys that can be used to encrypt m is given by K := ◦ S \ M, hence | K | = q − q − , c defines a line in ( ◦ S , X ). If m = c , we choosethe tangent to the circle M through the point m . Two different cases areexamined to determine the a-posteriori probabilities:m = c : Every point of the tangent to the circle M through the point c exceptthe points c and ∞ are possible key points. Hence in this case (cid:12)(cid:12) { f ∈ F : (m , c ) ⊂ f } (cid:12)(cid:12) = q − = c : For a given pair of message and cyphertext points m , c the key can14e any point on the line defined by m , c , with the exception of thepoints m , c , ∞ . Hence (cid:12)(cid:12) { f ∈ F : (m , c ) ⊂ f } (cid:12)(cid:12) = q − = c the a-posteriori probability is ν (m , c ) = q − q − q − and in the case of m = c it is ν (m , c ) = q − q − q − . Oura-priori probability was µ (m ) = q +1 . So with large q we can state that infirst approximation µ (m ) ≈ ν (m , c ).Lets proceed with examining the encryption of the message point m .Due to the prerequisite that the tree message points m , m , m determinea unique circle M in the M¨obius plane, we know that m = m . Hencethe a-priori probability equals µ (m ) = q . According to condition (MC2)for the encryption functions of the M¨obius cipher in definition 11.1 theset K of possible keys for the encryption of m is reduced by those keypoints that would map m to m or c . Thus in case of m = c we get K := K \ { (m , m , ∞ ) χ } and | K | = q − q + 1. In case of m = c weget K := K \ { (m , m , ∞ ) χ , (m , c , ∞ ) χ } and | K | = q − q + 3.To calculate the a-posteriori probabilities of the encryption of m , wehave to distinguish the cases m = c and m = c again:m = c ,m = c Every point of the tangent through the point c at the circle M , ex-cept the points c and ∞ are possible key points. Hence (cid:12)(cid:12) { f ∈ F :(m , c ) ⊂ f } (cid:12)(cid:12) = q − = c ,m = c For a given pair of message and ciphertext points m , c all points ofthe line through the points m , c with the exception of m , c , ∞ canbe keys. Thus (cid:12)(cid:12) { f ∈ F : (m , c ) ⊂ f } (cid:12)(cid:12) = q − = c ,m = c Every point of the tangent through the point c at the circle M , ex-cept the points c and ∞ are possible key points. Hence (cid:12)(cid:12) { f ∈ F :(m , c ) ⊂ f } (cid:12)(cid:12) = q − = c ,m = c For a given pair of message and ciphertext points m , c all points ofthe line through the points m , c with the exception of m , c , ∞ canbe keys. Thus (cid:12)(cid:12) { f ∈ F : (m , c ) ⊂ f } (cid:12)(cid:12) = q − = c ,m = c µ (m ) = q ν (m , c ) = q − m = c ,m = c µ (m ) = q ν (m , c ) = q − q − q +1 m = c ,m = c µ (m ) = q ν (m , c ) = q − q − q +3 m = c ,m = c µ (m ) = q ν (m , c ) = q − q − q +3 q .Similar considerations lead to the following results for the encryption ofthe third message point m :Case A-priori probability A-posteriori probabilitym = c ,m = c ,m = c µ (m ) = q − ν (m , c ) = q − q − q +3 m = c ,m = c ,m = c µ (m ) = q − ν (m , c ) = q − q − q +3 m = c ,m = c ,m = c µ (m ) = q − ν (m , c ) = q − q − q +5 m = c ,m = c ,m = c µ (m ) = q − ν (m , c ) = q − q − q +5 m = c ,m = c ,m = c µ (m ) = q − ν (m , c ) = q − q − q +5 m = c ,m = c ,m = c µ (m ) = q − ν (m , c ) = q − q − q +5 m = c ,m = c ,m = c µ (m ) = q − ν (m , c ) = q − q − q +7 m = c ,m = c ,m = c µ (m ) = q − ν (m , c ) = q − q − q +7 So, also the third encryption step of the M¨obius cipher is in first approx-imation perfect for large values for q .To show the completeness of the M¨obius cipher in the sense of defini-tion 3.5, we will look at the special case of a number field F with char F = 2.The points p ∈ ◦ S can then be described in the form p( x, y ) and x ∈ Z n , y ∈ Z n . A message of 2 n bits length can be understood as the point p( x, y )with coordinates x and y . The i -th bit of the message shall be the i -thposition in the representation of the point p( x, y ), which would be the i -thcomponent of the vector x for i = 1 , ..., n and the ( i − n )-th component ofthe vector y for i = n + 1 , ..., n .Let m be a message point and c be the corresponding ciphertext pointwhen using the key point k. The encryption is complete in the sense ofdefinition 3.5, if there is a representation of m where a change in position j of c is caused by a change in position i of m, i, j ∈ { , , ..., n } .Two cases have to be considered. The indices i and j may affect the samecoordinate of both m and c. Without restricting generality we assume the x -coordinate. Alternatively, the first index i may affect one coordinate, saythe x -coordinate of m, the second index j may then affect the y -coordinateof c.We have a look at the second case first. Let m( x, y ) and c( u, v ) bethe message and ciphertext points and their coordinates. Furthermore, let e i , i ∈ { , ..., n } be the unit vectors in Z n . We transform the index j to j → j − n . Then m ′ ( x + e i , y ) and c ′ ( u, v + e j ) are the message andciphertext points with changes in positions i and j . It has to be shown thatthere are two lines G and H in the M¨obius plane ( S , X ) over the field Z n with m , c , k ∈ G and m ′ , c ′ , k ∈ H. Without restricting generality we assume16hat k = (0 , , c) = 0det(m ′ , c ′ ) = 0 (11)Substituting the coordinates for m , m ′ , c , c ′ results in: xv − uy = 0 xv + xe j + ve i + e i e j − uv = 0 (12)Or: xv − uy = 0 xe j + ve i + e i e j = 0 (13)It is easy to provide coordinates for m( x, y ) and c( u, v ) that satisfy theseequations.To show the first case we again assume that the two points m( x, y )and c( u, v ) and their coordinates as given. Let now be m ′ ( x + e i , y ) andc ′ ( u + e j , v ) be the altered points. Once again it has to be shown thatcondition (11) is fulfilled. In analogy to the procedure shown above wereach following conditions: xv − uy = 0 xv + e i v − yu − ye i = 0 (14)Which can be simplified to: xv − uy = 0 e j y + ve i = 0 (15)Again it is easy to find suitable points m and c for all possible i, j .
13 R´esum´e and Outlook
We showed that geometric structures cannot only be used to define au-thentication schemes but that they can also be used to design encryptionfunctions. A cryptographic transformation has been introduced in a M¨obiusplane over a finite field that is approximately perfect in the sense of Shan-non [Sha49] and complete according to [KD79]. We think that the M¨obius17ipher can be of good practical use in the area of quantum cryptography,where a constant stream of qbits is shared as key between two parties tosupport encryption. In comparison to the well known Vernam cipher [Ve26],the M¨obius cipher has the advantage of not only being approximately per-fect according to Shannon, but also complete according to Kam and Davida.The results of this paper can easily generalized for geometric structures ofthe Laguerre and Minkowski plane.