On the implementation of cryptoalgorithms based on algebraic graphs over some commutative rings

The paper is devoted to the computer implementation of some graph based stream ciphers. We compare the time performance of these new algorithms with the fast but not very secure RC4, and with DES. It turns out that some of the new algorithms are faster than RC4. They satisfy the Madryga requirements, which is unusual for stream ciphers (like RC4). The software package with the new encryption algorithms is ready for demonstration.


Introduction
We will study the properties of stream ciphers defined via finite automata corresponding to the family of algebraic graphs of high girth defined in [34]. The sequence of the graphs gives a well defined projective limit (infinite graphs) which is useful for theoretical studies of the Turing machine corresponding to the graph based stream cipher. The algebraic nature of the graphs implies the polynomiality of the encryption scheme, but combinatorial properties make it possible to prove the absence of fixed points, and to establish that different keys produce distinct ciphertexts. The transition functions of the automaton related to the graph form an arithmetical dynamic system in the sense of [33]. We consider the results of desynchronization of such an infinite dynamical system, via applications of graph automorphisms and graph deformation, and its effect on the security level and chaotical structure of cipher strings. The time evaluation of these algorithms defined via directed asymmetrical graphs compares well with the performance of the fast but not very secure RC4, DES, and algorithms based on simple graphs (symmetric anti-reflexive binary relations) developed during the recent ten years.
In section 2 we present the ideology of cryptography based on Extremal Graph Theory created by P. Erdős and his school and some new results on extremal directed graphs, and observe the results on cryptographical properties of graphs of high girth and implementations of algorithms based on automata related to such graphs.
In section 3, the reader can find basic cryptographical terminology.
The next section contains definitions of girth indicator and girth for directed graphs, the concept of a family of directed graphs of high girth, and encryption automata related to members of such a family defined via special colouring of edges.
Section 5 is devoted to explicit constructions of algebraic families of graphs of large girth. For each commutative ring K we define two related families of algebraic directed graphs RDE(K) and RDF(K) of large girth.
In sections 5 and 6 we discuss the implementation of a general stream cipher based on the family of directed graphs of large girth $RDE_n(K)$, $n = 2, 3, \ldots$ in the case of rings $K = \mathbb{Z}_{2^k}$, $k \in \{8, 16, 32\}$. The graph $RDF_t(K)$, which is just a union of some connected components of $RDE_n(K)$, is useful in evaluating the girth indicator and the size of connected components of $RDE_n(K)$. We evaluate time performance and mixing properties of such algorithms and their modifications obtained via the desynchronization process.

On graphs of high girth and cryptoalgorithms
Studies of graphs with high girth had been motivated by problems of Networking ([1,7]). Since the well known work by R. Tanner [24], families of graphs of large girth have been instruments in Error Correction Theory (see [9,10,24] on the use of graphs of large girth for the creation of the so-called turbocodes). Recall that the girth is the length of the smallest cycle in the graph. The idea to use families of simple graphs of increasing girth in Cryptography had been explored in [11,25,27-33] and [34,37]. The encryption scheme for the "potentially infinite" text is based on a family of graphs with a special colouring of the vertex set: the neighbours of each vertex are of different colours, there is a representative of each colour in the neighbourhood, and the operator of taking the neighbour of a chosen colour is a bijection. It is clear that the graphs have to be regular, i.e. the size of the neighbourhood does not depend on the choice of vertex.
For this purpose, we identify the vertex of the graph with the plaintext. The encryption procedure corresponds to the chain of adjacent vertices (walk without consecutive edges) starting from the plaintext, the information on such a chain being given by the sequence of corresponding colours (the password). We assume that the end of the chain is the ciphertext. It is easy to see that in the case when the length of the password is less than half of the girth, different passwords produce distinct ciphertexts corresponding to the same plaintext, and the ciphertext will always be different from the plaintext.
Notice that without loss of generality we can identify the set of colours with elements of the commutative ring $\mathbb{Z}_n$. We can attach the difference of colours for $v_2$ and $v_1$ to each directed edge $(v_1, v_2)$ and convert the symmetric relation corresponding to the graph into a finite automaton with an arbitrary initial state (plaintext). All states (vertices) of such an automaton are accepting states. The above encryption procedure corresponds to some computation of this finite automaton. We will identify the graph and the corresponding binary relation.
For each k 3 there is an infinite family of finite k-regular graphs $G_i$, $i = 1, 2, \ldots$ of increasing order $|V_i|$ and increasing girth $g_i$ (see, for instance [27,29]). In case of such a family with the appropriate colouring of its members as above we have a potentially infinite plainspace $V_i$, $i = 1, 2, \ldots$ and a potentially infinite keyspace.
The ciphertext will always be different from the plaintext. If the minimal size of the connected component of each $G_i$ is growing with i, then the encryption scheme is not a block cipher but a stream cipher. We can consider a more general encryption scheme defined by the sequence of $k_i$-regular graphs $G_i$, $i = 1, \ldots$ of nondecreasing degree and increasing girth and order (see [27,37]).
The choice of simple graphs at the first stage (finite automata corresponding to symmetric binary relation) was motivated by classical Extremal Graph Theory, which deals with simple graphs only.
Let e(G), v = v(G) be the size (number of edges) and the order (number of vertices) of the graph G, respectively. Let $ex(v, C_3, \ldots, C_{2k})$ be the maximal size of the graph of order v without cycles $C_3, \ldots, C_{2k}$. The following modification of Erdős' Even Circuit Theorem the reader can find in [6]: where c is a positive constant independent of v. This bound is known to be sharp for k = 2, 3 and 5.
If the size of members G i of the family of graphs of increasing girth g i is close to the above bound (g i Clog ki (v i ) for some positive constant C, which is the case of the so-called family of graphs of large girth) then the size of the plainspace and the maximal keyspace for the above encryption scheme are close to each other (see [28,29]).
In our encryption scheme we can "hide graphs up to isomorphism", i.e. take binary relation where $\pi_i$ is some bijection on $V_i$. The sequence $\pi_i$ is an invariant part of the key (password). Hiding graphs up to isomorphism is useful in the case of graphs with a large automorphism group. It prevents the usage of automorphisms of graphs during attacks on the key.
An important feature of such encryption is the resistance to attacks when the adversary intercepts a plaintext-ciphertext pair (see [28]), because the best algorithm for finding the pass between given vertices (by Dijkstra, see [6] and latest modifications) has complexity $v \ln v$, where v is the order of the graph, i.e. the size of the plainspace. The situation is similar to checking the primality of Fermat's numbers $2^{2^m} + 1$: if the input is given by the string of binary digits, then the problem is polynomial, but if the input is given by just the parameter m, then the task is NP-complete.
We have an encryption scheme with a flexible length of the password (length of the chain). If the graphs are connected and the length of the password is not restricted, then we can convert each potentially infinite plaintext into the chosen string. In the case of the so-called small world graphs we can do such a conversion "as fast as it is possible".
Finally, in the case of algebraic graphs in the sense of N. Biggs (see [2]), when the vertex set and neighbourhoods of each vertex are algebraic varieties over the same field (or ring), we have, in fact, a polynomial cryptography, because the operator of taking the neighbour of a chosen colour is a polynomial map. So, such an encryption is easy to implement since a software package with small memory is used (an example of the implementation of such public key encryption is in [30]). The first infinite family of algebraic graphs of large unbounded girth and arbitrary degree was constructed in [15] (see [16] for the description of connected components). It was used in different software packages (different finite fields) developed via university projects at the University of South Pacific (Fiji Islands) [11,29,31], which serves 11 remote island states within the Pacific Ocean, Sultan Qaboos University (Oman) [25,32], University College of Cariboo (Canada, BC) [8], Okanagan College, affiliated with the UBC (Canada), University of Kiev-Mohyla Academy (Ukraine), and University of Maria Curie Sklodowska (Poland). The comparison of the first implementation of the algorithm (case of the field $F_{127}$) with another stream cipher private key algorithm (RC4) the reader can find in [8].
As we have already mentioned, the classical extremal graph theory deals with simple graphs. So, our first step was restricted to regular graphs of symmetric binary relations without loops. Let us assume that the graph is regular if for each vertex the numbers of inputs and outputs are equal to the same constant. The next step is reflected in [34], where the analog of P. Erdős' bound has been formulated for regular graphs of binary relations without loops and certain commutative diagrams. The analog of girth for a directed graph is the so-called girth indicator (see section 4). The size of the graph is the total number of edges. Let $E_d(v)$ be the greatest size of a regular directed graph of order v with girth indicator > d. The following analog of Erdős' Even Circuit Theorem has been formulated: This bound turns out to be sharp not only for d = 2, 3 and 5 but for all d 2 as well (see [36] for the more general case of balanced directed graphs).
The paper [32] contains definitions of graphs of large girth (graphs with girth indicator d and size which is close to the above bound), small world graphs for this class of graphs, example of directed graphs based encryption.The bound and the related definition, the reader can find in section 4 below.
In the current paper we will discuss the implementation of algorithms which are based on families of nonsymmetric binary relation graphs.Instead of colouring the vertices we use special "rainbow-like colouring" of edges in the spirit of automata theory.In terms of such colouring we define graph based algorithms (subsection 4.2).
The practical advantage of directed graph based cryptography in comparison with the previously used case of simple graphs is a much wider option to construct explicitly algebraic graphs over an arbitrarily chosen commutative ring K (section 5). Such K-theory has led to very fast cryptoalgorithms (operations in $K = \mathbb{Z}_{p^n}$ are much faster than in the case of $F_{p^n}$ for large n). In section 6 we compare the speed of some new algorithms with the classical stream cipher RC4, used for the encryption of large data. In the last section we discuss some specific features of the new encryption schemes.

Basic cryptographical terminology
Assume that an unencrypted message, plaintext, which can be image data, is a string of bytes. It is to be transformed into an encrypted string or ciphertext, by means of a cryptographic algorithm and a key: for the recipient to be able to read the message, encryption must be invertible.
Conventional wisdom holds that in order to defy easy decryption, a cryptographic algorithm should produce seeming chaos: that is, ciphertext should look and test random. In theory an eavesdropper should not be able to determine any significant information from an intercepted ciphertext. Broadly speaking, attacks on a cryptosystem fall into 2 categories: passive attacks, in which an adversary monitors the communication channel, and active attacks, in which the adversary may transmit messages to obtain information (e.g. ciphertext of chosen plaintext).
Passive attacks are easier to mount, but yield less. Attackers hope to determine the plaintext from the ciphertext they capture; even more successful attacks will determine the key and thus compromise the whole set of messages.
An assumption first codified by Kerckhoffs in the nineteenth century is that the algorithm is known and the security of the algorithm rests entirely on the security of the key.
Cryptographers have been improving their algorithms to resist the following two major types of attacks:
i) ciphertext only - the adversary has access to the encrypted communications.
ii) known plaintext - the adversary has some plaintext and its corresponding ciphertext.
Nowadays the security of the plaintext rests on encryption algorithm (or private key algorithm), depending on the chosen key (password), which has good resistance to attacks of type (i), and algorithm for the key exchange with good resistance to attacks of type (ii) (public key algorithm).
The revolutionary classical result on private key algorithms was obtained by C. Shannon in the late 1940s (see [12,13] or [23]). He constructed the so-called absolutely secure algorithms, whose keys are strings of random bits, at least as long as the message itself, and which achieve the seeming impossibility: an eavesdropper is not able to determine any significant information from the obtained ciphertext. The simplest classical example is the following one-time pad: if $p_i$ is the i-th bit of the plaintext, $k_i$ is the i-th bit of the key, and $c_i$ is the i-th bit of the ciphertext, then $c_i = p_i + k_i$, where + is exclusive or, often written XOR, and is simply addition modulo 2. One-time pads must be used exactly once: if a key is ever reused, the system becomes highly vulnerable.
It is clear that the encryption scheme as above, like most private key algorithms, is not resistant to attacks of type (ii): you just need to subtract $p_i$ from $c_i$ to get the key.

Binary relations and related rainbow-like graphs, general symmetric algorithms
The missing theoretical definitions on directed graphs the reader can find in [22]. Let Φ be an irreflexive binary relation over the set V, i.e. Φ ∈ V × V and for each v the pair (v, v) is not an element of Φ.
We say that u is the neighbour of v if (v, u) ∈ Φ. We use the term binary relation graph for the graph Γ of an irreflexive binary relation φ over a finite set V such that for each v ∈ V the sets {x | (x, v) ∈ φ} and {x | (v, x) ∈ φ} have the same cardinality. It is a directed graph without loops and multiple edges (see [22] for more general definitions).
Let Γ be the graph of a binary relation. The pass between vertices a and b is the sequence $a = x_0 \to x_1 \to \ldots \to x_s = b$ of length s, where $x_i$, $i = 0, 1, \ldots, s$ are distinct vertices.
We say that the pair of passes $a = x_0 \to x_1 \to \ldots \to x_s = b$, s 1 and $a = y_0 \to y_1 \to \ldots \to y_t = b$, t 1 form an (s, t)-commutative diagram $O_{s,t}$ if $x_i = y_j$ for 0 < i < s, 0 < j < t. Without loss of generality we assume that s t.
We refer to the number max(s, t) as the rank of O s,t .It is 2, because the graph does not contain multiple edges.

Notice, that the graph of antireflexive binary relation may have a directed cycle O
We will count directed cycles as commutative diagrams.
In order to investigate the commutative diagrams we introduce girth indicator gi, which is the minimal value for max(s, t) for parameters s, t of commutative diagram O s,t , s + t 3. Notice that two vertices v and u at distance < gi are connected by unique pass from u to v of length < gi.
In the case of a symmetric binary relation gi = d implies that the girth of the graph is 2d or 2d − 1. It does not contain an even cycle 2d − 2. In the general case gi = d implies that g d + 1. So, in the case of a family of graphs with unbounded girth indicator, the girth is also unbounded. We also have gi g/2.
We assume that the girth g(Γ) of the directed graph Γ with the girth indicator d + 1 is 2d + 1 if it contains a commutative diagram $O_{d+1,d}$. If there are no such diagrams we assume that g(Γ) is 2d + 2.
In the case of symmetric irreflexive relations the above general definition of the girth agrees with the standard definition of the girth of a simple graph, i.e. the length of its minimal cycle.
We will use the term the family of graphs of large girth for the family of regular graphs Γ i of degree k i and the order v i such that gi(Γ i ) is clog ki v i , where c is the constant independent of i.So the size of such graphs is quite close to the bound (2).
As it follows from the definition g(Γ i ) c log ki (v i ) for appropriate constant c .So, it agrees with the well known definition for simple graphs.

Graphs with special colouring of vertices and edges, case of large girth
We shall use the term the family of algebraic graphs for the family of graphs Γ(K), where K belongs to some infinite class F of commutative rings, such that the neighbourhood of each vertex of Γ(K) and the vertex set itself are quasiprojective varieties over K of dimension 1 (see [2,3] for the case of simple graphs).
Such a family can be treated as special Turing machine with the internal and external alphabet K.
We say that the graph Γ of binary relation Φ has a rainbow-like colouring over the set of colours C if for each v ∈ V we have a colouring function $\rho_v$, which is a bijection from the neighbourhood St(v) of v onto C, such that the operator $N_c(v)$ of taking the neighbour of v with colour c is a bijection of V onto V.
We say that the rainbow-like colouring ρ is invertible if there is a rainbow-like colouring of Φ −1 over C such that N c −1 = N c for some colour c ∈ C .

Example 1: Cayley graphs
Let G be the group and S be a subset of distinct generators, then the binary relation φ This rainbow-like colouring is invertible because the inverse graph Examples of Cayley graphs of large girth the reader can find in [18-20].

Example 2: Parallelotopic graphs and Latin squares
Let G be the graph with the colouring µ : V(G) → C of the set of vertices V(G) into colours from C such that the neighbourhood of each vertex looks like a rainbow, i.e. consists of |C| vertices of different colours. In case of the pair (G, µ) we shall refer to G as a parallelotopic graph with the local projection µ (see [27,28] and further references).
It is obvious that parallelotopic graphs are k-regular with k = |C|. If C is a subset of C, then an induced subgraph G C of G which consists of all vertices with colours from C is also a parallelotopic graph. It is clear that the connected component of the parallelotopic graph is also a parallelotopic graph.
The arc of the graph G is a sequence of vertices $v_1, \ldots, v_k$ such that $v_i I v_{i+1}$ for $i = 1, \ldots, k − 1$ and Let + be the Latin square defined on the set of colours C. Let us assume ρ(u, v) = µ(u) − µ(v). The operator $N_c(u)$ of taking the neighbour of the colour is invertible, $N_c^{-1} = N_{-c}$, where −c is the opposite element for c in the Latin square. It means that ρ is an invertible rainbow-like colouring.
We shall consider some examples of graphs with parallelotopic colouring in the section 8 and 9.

General symmetric algorithm
Let us consider the encryption algorithm corresponding to the graph Γ with the chosen invertible rainbow-like colouring of edges.
Let ρ(u, v) be the colour of arrow u → v. The set C is the totality of colours and $N_c(u)$ is the operator of taking the neighbour of u with the colour c.
The password is the string of colours $(c_1, c_2, \ldots, c_s)$ and the encryption procedure is the composition given, then the encryption procedure corresponds to the following chain in the graph: The decryption procedure corresponds to the composition of maps $N_{c_s}, N_{c_{s-1}}, \ldots, N_{c_1}$. The above scheme gives a symmetric encryption algorithm with flexible length of the password (key). Let A(Γ, ρ, s) be the above encryption scheme. The following statement is an immediate corollary of the definitions.
Lemma 1 Let Γ be the invertible rainbow-like graph of girth g and A(Γ, ρ, s) be the above encryption scheme for s < (gi).Then different passwords produce distinct ciphertexts, plaintext and the corresponding ciphertext are different.

The incidence structures defined over commutative rings
E. Moore [21] used the term tactical configuration of the order (s, t) for biregular bipartite simple graphs with bidegrees s + 1 and r + 1.It corresponds to the incidence structure with the point set P , line set L and symmetric incidence relation I. Its size can be computed as |P |(s + 1) or |L|(t + 1).
Let F = {(p, l) | p ∈ P, l ∈ L, pIl} be the totality of flags for the tactical configuration with partition sets P (point set) and L (line set) and incidence relation I. We define the following irreflexive binary relation φ on the set F: ((l 1 , p 1 ), (l 2 , p 2 )) ∈ φ if and only if p 1 Il 2 , p 1 = p 2 and l 1 = l 2 .
Let F(I) be the binary relation graph corresponding to φ. The order of F(I) is |P|(s + 1) (or |L|(t + 1)). We refer to it as the directed flag graph of I.
Let (P, L, I) be the incidence structure corresponding to regular tactical configuration of the order t.
Let $F_1$ = {(l, p) | l ∈ L, p ∈ P, lIp} and $F_2$ = {[l, p] | l ∈ L, p ∈ P, lIp} be two copies of the totality of flags for (P, L, I). Brackets and parentheses allow us to distinguish elements from $F_1$ and $F_2$. Let DF(I) be the directed graph (double directed flag graph) on the disjoint union of $F_1$ with $F_2$ defined by the following rules: We will define hereinafter the family of graphs D(k, K), where k > 2 is a positive integer and K is a commutative ring. Such graphs have been considered in [15] for the case $K = F_q$ (some examples are in [14]).
Let P and L be two copies of the Cartesian power $K^N$, where K is the commutative ring and N is the set of positive integer numbers. Elements of P will be called points and those of L lines.
We now define an incidence structure (P, L, I) as follows. We say that the point (p) is incident with the line [l], and we write (p)I[l], if the following relations between their co-ordinates hold: (these four relations are defined for i 1, p 1,1 = p 1,1 , l 1,1 = l 1,1 ). We denote this incidence structure (P, L, I) as D(K). We identify it with the bipartite incidence graph of (P, L, I), which has the vertex set P ∪ L and the edge set consisting of all pairs {(p), [l]} for which (p)I[l].
For each positive integer k 2 we obtain an incidence structure $(P_k, L_k, I_k)$ as follows. First, $P_k$ and $L_k$ are obtained from P and L, respectively, by simply projecting each vector onto its k initial coordinates with respect to the above order. The incidence $I_k$ is then defined by imposing the first k−1 incidence equations and ignoring all the others. The incidence graph corresponding to the structure $(P_k, L_k, I_k)$ is denoted by D(k, K).
Notice that for i = 0, the four conditions (3) are satisfied by every point and line, and, for i = 1, the first two equations coincide and give $l_{1,1} − p_{1,1} = l_{1,0} p_{0,1}$.
Remark. Let K be the general commutative ring and C be the equivalence class on τ on the vertex set D(K) (D(n, K)). Then the induced subgraph, with the vertex set C is the union of several connected components of D(K) (D(n, K), respectively).
Without loss of generality we may assume that for the vertex v of C(n, K) satisfying $a_2(v) = 0, \ldots, a_t(v) = 0$. We can find the values of components $v_{i,i}$ from this system of equations and eliminate them. Thus we can identify P and L with elements of $K^t$, where t = [3/4n] + 1 for n = 0, 2, 3 mod 4, and t = [3/4n] + 2 for n = 1 mod 4.
We shall use notation C(t, K) (C(K)) for the induced subgraph of D(n, K) with the vertex set C.

Remark.
If $K = F_q$, q is odd, then the graph C(t, k) coincides with the connected component CD(n, q) of the graph D(n, q) (see [17]), graph $C(F_q)$ is a q-regular tree. In other cases the question on the connectivity of ) defined L k by simply projecting each vector from $P_k$ and $L_k$ onto its k − 1 initial coordinates with respect to the above order.
Proposition 3 Projective limit of graphs D(n, K) (graphs C(t, K), CD(n, K)) with respect to standard morphisms of D(n + 1, K) onto D(n, K) (their restrictions on induced subgraphs) is equal to D(K) (C(K), respectively).
If K is an integral domain, then D(K) and CD(K) are forests. Let C be the connected component, i.e. a tree.
Let us consider the directed flag graph F(t, K) of the tactical configuration C(t, K). Let E(n, K) be the directed flag graph of the bipartite graph D(n, K). We can consider the symbolic invertible rainbow-like colouring $\rho(f_1, f_2)$ of F(t, K) (or E(n, K)) defined on the colour set $K^* \times K^*$ by the following rule: If K is finite, then the cardinality of the colour set is $(|K| − 1)^2$. Let RegK be the totality of regular elements, i.e. not zero divisors. Let us delete all arrows with colour (x, y), where one of the elements x and y is a zero divisor in the graph F(t, K) (E(n, K), respectively). The new graph RF(t, K) (RE(n, K), respectively) is a symbolic rainbow-like graph over the set of colours $(RegK)^2$.
The following statement is proven in [37].

Theorem 4
The girth indicator gi of the algebraic rainbow-like graph RF (t, K) is 1/3t.
Corollary 5 Let K be a finite commutative ring such that k = |RegK| 2. Then graphs RF(t, K), $t = 2, 3, \ldots$ form the family of algebraic rainbow-like graphs of large girth of bounded degree.
The graph RF(t, K) is an induced subgraph in RE(n, K). So we get the following statement. Let us consider the double directed flag graph DF(t, K) of the tactical configuration C(t, K). Let DE(n, K) be the double directed graph of the bipartite graph D(n, K). Remember that we have the arc e of type $(l^1, p^1) \to [l^2, p^2]$ if and only if $p^1 = p^2$ and $l^1 = l^2$. Let us assume that the colour ρ(e) of arc e is $l^1_{1,0} − l^2_{1,0}$. Recall that we have the arc e of type $[l^2, p^2] \to (l^1, p^1)$ if and only if $l^1 = l^2$ and $p^1 = p^2$. Let us assume that the colour ρ(e ) of arc e is $p^1_{1,0} − p^2_{1,0}$.
If K is finite, then the cardinality of the colour set is (|K| − 1). Let RegK be the totality of regular elements, i.e. not zero divisors. Let us delete all arrows with colour which is a zero divisor. The new graph RDF(t, K) is an algebraic rainbow-like graph over the set of colours (RegK) Similarly to the previous theorem we formulate the following proposition.
Projective limit of graphs RDE(n, K) (graphs RDF (n, K) ) with respect to standard homomorphisms is well defined.

Time evaluation
We have implemented a computer application which uses the family of graphs RDE(n, K) for private key cryptography. To achieve high speed, we use the commutative ring $K = \mathbb{Z}_{2^k}$, $k \in \{8, 16, 32\}$, with operations +, × modulo $2^k$. Parameter n stands for the length of the plaintext (input data) and the length of the ciphertext. We mark by G1 the algorithm with k = 8, by G2 the algorithm with k = 16, and by G4 the algorithm with k = 32. So Gi, i ∈ {1, 2, 4} denotes the number of bytes used in the alphabet (and the size of 1 character in the string).
The alphabet for the password is the same K as for the plaintext. For encryption we use the scheme presented in section (4.1). The colour of a vertex is its first coordinate.
If u is the vertex, p(u) is the colour of this vertex, and α is the character of the password, then the next vertex in the encryption path v has the colour p(v) = p(u) + α. All the next coordinates of v are computed from the set of equations (3).
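The step just described, worked on the smallest graph of the family as an added example (it is not code from the paper or from its Java package). It assumes the two-coordinate graph D(2, K) with K = Z_{2^k}, whose only incidence relation is l_{1,1} − p_{1,1} = l_{1,0} p_{0,1}; the flag layout (p1, p2, l1) and all function names are assumptions made here. It goes beyond the text by counting ciphertexts exhaustively: with regular (odd) colours every password of length 3 gives a different ciphertext, while length 4, or colours that are zero divisors, produce collisions.

```python
"""Walk cipher on the double directed flag graph of D(2, K), K = Z_{2^k}.

Added illustration: the flag layout and all names are assumptions of this
example.  A flag is (p1, p2, l1): the point (p1, p2) together with the first
coordinate l1 of a line through it.  The second line coordinate follows from
the incidence relation l2 - p2 = l1 * p1.
"""
from itertools import product


def regular_colours(k):
    """Regular elements of Z_{2^k} (not zero divisors): the odd residues."""
    return [c for c in range(1 << k) if c % 2 == 1]


def step_line(flag, colour, m):
    """Keep the point, move to the line with first coordinate l1 + colour."""
    p1, p2, l1 = flag
    return (p1, p2, (l1 + colour) % m)


def step_point(flag, colour, m):
    """Keep the line, move to its point with first coordinate p1 + colour."""
    p1, p2, l1 = flag
    l2 = (p2 + l1 * p1) % m      # second coordinate of the current line
    q1 = (p1 + colour) % m
    q2 = (l2 - l1 * q1) % m      # new point must satisfy l2 - q2 = l1 * q1
    return (q1, q2, l1)


# Arcs alternate between the two copies of the flag set.
STEPS = (step_line, step_point)


def encrypt(flag, password, m):
    """Follow the chain of arcs whose colours are the password characters."""
    for i, colour in enumerate(password):
        flag = STEPS[i % 2](flag, colour, m)
    return flag


def decrypt(flag, password, m):
    """Undo the walk: same step types in reverse order, opposite colours."""
    for i in reversed(range(len(password))):
        flag = STEPS[i % 2](flag, -password[i] % m, m)
    return flag


def distinct_ciphertexts(flag, colours, length, m):
    """Number of different ciphertexts over all passwords of this length."""
    return len({encrypt(flag, pw, m) for pw in product(colours, repeat=length)})


if __name__ == "__main__":
    k, start = 3, (0, 0, 0)      # constructed toy parameters: K = Z_8
    m, reg = 1 << k, regular_colours(k)
    for length in (1, 2, 3, 4):
        total = len(reg) ** length
        seen = distinct_ciphertexts(start, reg, length, m)
        print(f"length {length}: {seen} ciphertexts for {total} passwords")
    # Allowing zero divisors as colours already breaks length 3.
    print(distinct_ciphertexts(start, range(1, m), 3, m), "of", (m - 1) ** 3)
```

On D(2, K) the collision-free password length stops at 3; the larger graphs of the family are what allow longer passwords.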
All the tests were run on a computer with the following parameters:
• AMD Athlon 1.46 GHz processor
• 1 GB RAM memory
• Windows XP operating system.
The program was written in the Java language. The well known algorithms RC4 and DES which were used for comparison have been taken from the Java standard library for cryptography purposes, javax.crypto.

Our algorithm compared with RC4
RC4 is a well known and widely used stream cipher algorithm. The protocols SSL (to protect Internet traffic) and WEP (to secure wireless networks) use it as an option. Nowadays RC4 is not secure enough and not recommended for use in a new system. Anyway we chose it for the sake of comparison, because of its popularity and high speed.
RC4 is not dependent on password length in terms of complexity, while our algorithm is dependent on it. A longer password makes us do more steps between vertices of a graph. So, for a fair comparison we have used a fixed password length equal to the suggested upper bound for RC4 (16 Bytes).

Comparison with DES
In the next test we have compared our algorithm with the popular block cipher DES (Data Encryption Standard). DES is more complicated and has better cryptographical properties than RC4, but it is much slower.
The version of DES implemented in the Java library uses a 64 bit password and makes a 56 bit key from it (according to the documentation). In our comparison (see figure (2)) we used a password of the same length.

Linearity from password length
It is easy to understand that with the fixed size of the plaintext, our algorithm depends linearly on the password length. Each step of the algorithm (taking the neighbour of the chosen colour) has a fixed complexity, and the number of such steps depends on the number of characters in the password.
Figure (3) illustrates this property, and shows the advantage of using a bigger alphabet with fewer operations. Algorithm "G4", using up-to-date 32 bit arithmetic (with automatic modulo operations), is over 8 times faster than "G1" (8 bit arithmetic).

Statistics related to mixing properties
In our cryptographical scheme, different passwords produce different ciphertexts with fixed plaintext. On the other hand, when we fix the password, different plaintexts produce different ciphertexts. Good cryptographical systems should ensure this difference to be big in terms of the number of characters changed, looking as "random" as possible. These demands are known in the literature as Madryga requirements. There are more postulates for a good cryptosystem formulated by Madryga, but here we will concentrate on the two mentioned ones. The RC4 algorithm, like most older stream ciphers, possesses the property that, in case of a fixed password, the change of one element of the plaintext leads to the change of one corresponding element in the ciphertext. Such algorithms are not secure against plaintext-ciphertext attacks.
Our basic algorithm, based on the paths in graphs from the family RDE(n, K), behaves similarly to RC4: the change of one element in the plaintext leads to the change of only a few elements in the ciphertext.
In order to correct this property, we can combine the algorithm with some fast, sparse matrix operations:
1. Desynchronization of the graph by the automorphism.
Let $\bar{a} = (a_1, a_2, \ldots, a_m)$, $a_i \in \mathbb{Z}_{2^k}$, be the password and $N_{a_i}$ be one step of the algorithm (passing from one vertex to another using the element $a_i$ of the password). We can denote our encryption algorithm as $E_{\bar{a}} = N_{a_1} N_{a_2} \ldots N_{a_m}$.
Desynchronization can be described as: where A is some bijection. All the properties of $E_{\bar{a}}$ that are of interest to us are preserved.

2. Deformation of the graph.
With the above notation, for the deformation we use two bijections A and B, changing $E_{\bar{a}}$ into $A E_{\bar{a}} B$. The property that different passwords lead to different ciphertexts is preserved, but it can happen that for the plaintext vector x the corresponding ciphertext $A E_{\bar{a}} B(x)$ coincides with x. Anyway the probability of such an event is 1/|V|, where V is the plainspace. It is very close to zero.
We chose the bijection A as a sparse affine transformation. Its complexity is O(n). Our test shows that a properly chosen upper-triangular matrix $A_n$ used for desynchronization gives about 98.5% difference between the ciphertexts when changing only 1 element of the plaintext (we use index n, because the size of A depends on the size of the plaintext). Table (1) shows the extra time spent by all 3 versions of our algorithm on the operation $A_n$.
If instead of desynchronization as above we apply the deformation with B = I (identity map) and the same A, the speed of computation will be twice better and the mixing properties remain the same. The second Madryga requirement mentioned above (the effect of the change of one character of the key) can be stated as follows: for short passwords (1B) the percentage of the change within the cipherstring is about 92%, and for longer passwords it is up to 96%.

Table 1. Time growth from mixing property $A_n E_{\bar{a}} A_n^{-1}$ for chosen operator $A_n$.