Cryptographic schemes, key exchange, public key

General cryptographic schemes are presented where keys can be one-time or ephemeral. Processes for key exchange are derived. Public key cryptographic schemes based on the new systems are established. Authentication and signature schemes are easy to implement. The schemes may be integrated with error-correcting coding schemes so that encryption/coding and decryption/decoding may be done simultaneously.


Introduction
This paper introduces cryptographic systems based on operations with randomly chosen vectors, matrices and group ring elements. Keys used may be one-time session keys or ephemeral; as they are easily constructed they may be changed if necessary for each transaction or series of transactions. Key exchange methods are derived. Public key cryptographic schemes based on the new systems are introduced. It is straightforward to include authentication, signature and 'person-in-middle' interference prevention methods based on the schemes. Encryption may be incorporated with error-correcting codes so that encryption/coding and decryption/decoding can be done simultaneously. A public-key scheme can be altered and made private to an individual.
Large pools from which to randomly draw the keys are available; using for example systems of size 101 over $\mathbb{Z}_p$ there are of the order of $p^{100}$ different elements from which to choose in the construction of a key.

Features
• Encryption and decryption keys are easy to construct and can be chosen for a one-time session or series of transactions.
• Key exchange schemes are derived.
• Public key cryptographic schemes are developed. These can be altered for private communication and messages then authenticated.
• Authentication, signature and 'person-in-middle' interference prevention methods are provided.
• Encryption and error-correction coding may be integrated into one system. Coding and encryption can complement one another.
When a system is used for a one-time session then three transmissions are necessary. A key exchange also requires three transmissions but once a key has been exchanged each transaction naturally then requires just the one transmission.

Layout
The layout of the paper is as follows:
1. Details on various theory required for the constructions are given in section 8 and may be consulted as required. Here also various systems and schemes within which the constructions may be realised are outlined.
2. General encryption methods are introduced in section 2.
3. Key exchange methods are laid out in section 3.
4. Public key encryption methods are given in section 4.
5. Methods to include error-correcting with the cryptography are presented in section 5.
6. Multiple design methods are presented in section 6.
Basic references for cryptography include [3], [4], [9]. The first two in particular contain much of the algebra required and further basic algebraic material may be obtained in [10].
2 Encrypt message

General Schemes
Here $R^{n\times n}$ denotes the ring of n × n matrices, and $R^n$ is the ring of vectors of length n, over a ring R. RG denotes the group ring of the group G over the ring R; for details on general properties of group rings see [10]. The ring R is usually a field and is often then denoted by F. For details on group ring matrices see for example [5]; the set-up and main properties of these are given in section 8.3. They may also be referred to as RG-matrices when the group ring in question is specified and are obtained from the embedding of a group ring into a ring of matrices; they include such matrices as circulant matrices, circulant of circulant matrices and similar.
An RG-matrix, which is of size |G| × |G|, is determined by its first row and is a matrix corresponding to a group ring element, relative to a listing of the elements of G. Two RG-matrices obtained from the same group ring RG (relative to the same listing) are said to be of the same type. The RG-matrices commute if and only if G is commutative. Methods to randomly choose singular and non-singular matrices with certain properties from a huge pool of such matrices are given in section 8.5.
Let x be a row vector with entries from R. Then the completion of x in RG (relevant to a particular listing) is the RG-matrix with first row x. The rank of a vector, relative to its completion in a specified group ring, is defined as the rank of its completion; this gives meaning to the kernel of a vector relative to its group ring completion.
The completion of the vector x is denoted by the corresponding capital letter X (without underlining). For a ∈ RG its image in $R^{n\times n}$ under the embedding of RG into $R^{n\times n}$ is denoted by the corresponding capital letter A. When x is a vector to be considered as an element of RG then X (without underlining) is also used to denote its image under this embedding.
The following Lemma is immediate.
Lemma 2.1 Suppose P, Q are RG-matrices with the same first row. Then P = Q.
Thus if x is a vector in $R^n$ and A is an RG-matrix of size n × n then from Lemma 2.1 the completion of xA in RG is XA where X is the completion of x in RG.
Let x be the data to be transmitted secretly from A(lice) to B(ob). The data x is arranged so that X is singular with large kernel where X is the completion of x in the same type of RG-matrix as A (the matrix chosen by A below in 1.); details on how this can be arranged are given below in section 8.5. When X is singular with large kernel then also CX, XC are singular with large kernel for any matrix C. Even when the matrices commute, the general scheme of 2.1.1 may still be used. Schemes with commuting matrices may be achieved using group ring matrices derived from an abelian group ring as for example circulant matrices or circulant of circulant matrices. Section 8.4 discusses types of such matrices which may be used. When such group ring matrices are used the data is arranged so that the group ring matrix formed using x as first row is singular with large kernel; how to arrange the data in such a way is discussed later. The non-singular matrices are chosen so that the inverses are immediate or straightforward to calculate.

A chooses the matrix
When some matrices commute the data x may also be 'protected' at each end as follows:
1. A chooses $A_1, A_2$ non-singular and transmits $A_1XA_2$.
2. B chooses $B_1, B_2$ non-singular and transmits , 2 but otherwise there are no commuting conditions.

B works out X.
If all matrices commute, including X, then the system is the same as above, with A replaced by $A_1A_2$ and B replaced by $B_1B_2$.

Key exchange
A modification of the general scheme is now set up so that a process may be initiated whereby two intended correspondents can exchange a secret encoder/decoder. Let {x, y} be vectors so that {X, Y} are singular with large kernel and some combination of {X, Y} or some combination of {X, Y} with a known element or elements is non-singular. Methods to randomly choose such vectors {x, y} are developed in section 8 below.
1. A chooses A non-singular and x with large kernel and transmits xA.
2. B chooses B non-singular and transmits BXA.
When x, y are known, an RG-matrix may be formed from these using a different RG from that used for the key exchange. Convolutional methods where appropriate as with group ring matrices may be used for matrix and matrix-vector multiplications. It is sometimes the case that it is sufficient to simply add on a known element or known elements to x + y to obtain an element whose completion is non-singular. For example X + Y + 1 may be known to be non-singular in some systems, see section 8. Knowing the added element(s) gives no information as x, y are known only to A, B. In section 8.6 it is shown how to randomly choose {X, Y} each with large kernel so that a (linear) combination of {X, Y} is non-singular and its inverse is easily constructed.
In cases X, Y may be chosen so that small powers of X, Y are zero. This ensures that ker X, ker Y are large, see Corollary 8.1 below, and then ker XC, ker CY, ker CX, ker YC are also large for any matrix C.
When a key has been exchanged between A and B, messages between them may then be encrypted directly. When a key has been exchanged it is not necessary to arrange data to be transferred to have large kernel. Messages may also then be encrypted and encoded together as shown later.
The data x, y may be protected on both sides when some matrices commute; in 1. above, A chooses $A_1, A_2$ non-singular and x with large kernel and transmits $A_1XA_2$ to which B chooses $B_1, B_2$ where $A_iB_i = B_iA_i$ and transmits $B_1A_1XA_2B_2$ and the process continues as above.

Key exchange with commuting matrices
When the matrices commute the schemes may be simplified as follows.
1. A chooses x, with large kernel, and A, non-singular, and transmits xA.
4. At this stage both A and B know x, y from which the combination is formed whose completion is non-singular; this is used as key for transmission(s) between A and B.

Variations
Still using the main ideas, it is clear that many variations on the above schemes can be developed. For example the x as X can be 'protected' on both sides by transmitting $A_1XA_2$ at 1. above and $B_1A_1XA_2B_2$ at 2. where $A_iB_i = B_iA_i$ for i = 1, 2; similarly the y can be 'protected' on both sides. Methods using series of vectors $\{x_1, x_2, \dots, x_r\}$ and $\{y_1, y_2, \dots, y_r\}$ are presented in section 6.2.

Public key
Public key cryptographic methods may be designed by choosing vectors with large kernels from a large pool such that a linear combination of these is non-singular. The participant A constructs a public key as follows. The x, y may be 'protected' on both sides as follows: Step 2. is replaced by: A chooses $\{A_1, A_2, A_3, A_4\}$ and works out $(A_1XA_2, A_3YA_4)$; A then has public key $(A_1XA_2, A_3YA_4)$ and private key $(X, Y, A_1, A_2, A_3, A_4)$. Choosing $A_1$ from a set of commuting RG-matrices and completing the data z to Z relative to RG enables ZX to be recovered by A from $ZA_1XA_2$ and similarly ZY may be recovered by choosing $A_3$ from a set of commuting $RG_1$-matrices where it is not necessary that $G = G_1$.
Details on orthogonal sets of idempotents are given in section 8.6. Here we outline a method of public key construction using full complete orthogonal sets of idempotents. Let $\{E_0, E_1, \dots, E_{n-1}\}$ be a complete orthogonal set of idempotents in $F^{n\times n}$. Thus here each $E_i$ has rank 1 (but this is not necessary in general, see section 8.6).

A chooses
When B wishes to communicate z to A, the process is as follows.
2. A works out (zX, zY) and then z(X + Y). Now X + Y is invertible and its inverse is easy to calculate, by Lemma 8.5, and A works out z.
For each n there are many different complete orthogonal sets of idempotents in $F^{n\times n}$. It is not necessary that the particular complete orthogonal set used by A in constructing her public key be known to the world so in fact an additional step before step 1. could be: Convolutional methods where appropriate may be used for matrix and vector-by-matrix multiplications. The public keys may be changed from time to time. Errors $(zXA_1 + \alpha, zYA_2 + \beta)$ with $\alpha \neq 0$ or $\beta \neq 0$ in transmitting $(zXA_1, zYA_2)$ are easily detected unless $\alpha = \gamma XA_1$ and $\beta = \gamma YA_2$ which is extremely unlikely. This does not prevent an intruder from trying to falsify a message but a method to prevent this is given in section 4.1 below.

From public to private
Suppose now A has public key $(xA_1, yA_2)$. This can be made into a private key for B with which messages from B only to A may be received:
• B has key $(XA_{B1}, YA_{B2})$ with which to send messages to A.
Some simplification is possible when matrices commute.
• B has (private) key $(xA_{B1}, yA_{B2})$ with which to send messages to A.
Suppose now B has key $(xA_{B1}, yA_{B2})$ with which to send a message to A. Using this key, B sends message z to A. Then A can work out $zXA_{B1}$ and check that the message has not been interfered with; an intruder would need to know $XA_{B1}$ in order to change the message in a way that would not be discovered in a check.

Partial public key
It is useful at times, in particular for authentication and signature schemes, for a participant to make public a 'key' of the form yB where y has large kernel and B is invertible. Now yB cannot be inverted and so may not be used as a key itself. It could be used for a message authentication scheme or signature scheme.
This can be made private to another particular user by methods similar to those used in section 4.1. Suppose B has published yB where y has large kernel and B is invertible where {y, B} are kept private.
• A chooses A and transmits AYB.
• B chooses $B_A$ and transmits $AYB_A$.
• A uses $yB_A$ with B.
A simplification using commuting matrices may be initiated similar to section 4.1.

Multiple design for public key
In the above scheme, vectors {x, y} such that their completions {X, Y} have large kernels and such that a linear combination of {X, Y} is non-singular are chosen. More generally vectors $\{x_1, x_2, \dots, x_r\}$ such that their completions $\{X_1, X_2, \dots, X_r\}$ have large kernels and such that a linear combination of $\{X_1, X_2, \dots, X_r\}$ is non-singular may be chosen. However this increases the amount of data to be transmitted as each $zX_iA_i$ needs to be transmitted. However again one of these could be laid aside for authentication; for example a triple of form $(xA_1, yA_2, pA_3)$ each with large kernel such that a linear combination of {X, Y, P} is non-singular is used but $xA_1 = xA_B$ is private for B only to be used as a check; when the message z is worked out, $zXA_B$ is used as a message authentication check. An original $xA_1$ may be altered to $xA_B$ by methods similar to those in section 4.1.

Cryptography + error-correction
The cryptographic systems may be used simultaneously with error-correcting systems. A basic general reference for coding theory is [2].
Let $x_1$ be 1 × r data to be transmitted securely (with encryption) and safely (with error coding) from A to B. Let G be a generator r × n matrix of an error-correcting code and $x = x_1G$. When matrices don't necessarily commute proceed as follows:
1. A works out $x = x_1G$, chooses A non-singular and transmits xA.
If using RG-matrices of the same type only the first row of matrices need be worked out.
In general it is shown in Proposition 8.2 that if G is the generator matrix of an (n, r) code which has rank r and G is a zero-divisor code (as are cyclic and similar codes, see [8]) then the completion of $x = x_1G$ has rank at most r and so dim ker of the completion of x is ≥ (n − r).
When encryption/decryption matrices to be chosen commute the following simplified method may be used:
1. A works out $x = x_1G$, chooses A non-singular and transmits xA.
The code determined by G is an (n, r) code with rank r. When for example G is cyclic then G can be taken as the first r rows of a circulant matrix which has rank r. Then the completion of $x = x_1G$ is a circulant matrix of rank at most r. The kernel then of this completion is of dimension at least (n − r). See section 8.8 for details on these aspects.

Key exchange with coding
Modify the methods of section 3 as follows to include error-correcting codes.
Let $\{x_1, y_1\}$ be 1 × r vectors so that $\{X_1, Y_1\}$ are singular with large kernel and some combination of $\{X_1, Y_1\}$ with a known element or elements is non-singular. Methods for randomly choosing such vectors $\{x_1, y_1\}$ are discussed in section 8 below.
Let G, L be generator r × n matrices of (n, r) error-correcting codes.
1. A chooses A non-singular and $x_1$ and transmits $x_1GA$.
2. B chooses B and transmits BXA where X is the completion of $x = x_1G$.

B now knows x which may contain errors but is decoded to $x_1$.
(a) B chooses $B_1$ non-singular and $y_1$ so that the completion of a combination of $\{x_1, y_1\}$ with a known element or known elements is non-singular and transmits $B_1Y$ where $y = y_1L$.
(b) A chooses A and transmits $B_1YA$.
(c) B transmits YA. A knows y with possible errors and decodes to $y_1$.
5. Both A and B now have $x_1, y_1$ from which to form the encoding matrix as in section 3.

Multiple vector design
The data to be transmitted is broken as $(x_1, x_2, \dots, x_r)$. The $x_i$ need not be of the same length and are arranged so that the $X_i$ are singular except for possibly a relatively very small number of these.

General schemes
$B_i$ and $A_i$ are group ring matrices and $X_i$ and $A_i$ are of the same type.
The matrices do not need to commute and $B_i$ need not be of the same type as $A_i, X_i$. If $B_i$ is of the same type as $X_i, A_i$ then only the first rows of the matrices need be transmitted in 2., 3. above. In these cases convolution methods for multiplication may be used.

Key exchange with multiple vectors and matrices
Key exchange with multiple vector choices may be achieved as follows: Let $\{x_1, x_2, \dots, x_r\}$ and $\{y_1, y_2, \dots, y_r\}$ be sets of vectors where for each i, $x_i$ has the same length as $y_i$; these are chosen randomly so that $X_i, Y_i$ are singular (except possibly for a relatively small number of them) and some combination of $X_i, Y_i$ is non-singular or some combination of $X_i, Y_i$ with a known element or known elements is non-singular.
Or else:
(a) B chooses $(y_1, y_2, \dots, y_r)$ so that a combination of $X_i, Y_i$ or a combination of $X_i, Y_i$ with a known element or known elements is non-singular.
(c) A chooses $\{A_1, A_2, \dots, A_r\}$ non-singular and transmits (B
5. Both A and B now have the $X_i, Y_i$ for each i from which to form the secret encryption matrices.

Key exchange with multiple vectors and coding
Key exchange with multiple vector choices and coding may be achieved as follows: Let $\{x_1, x_2, \dots, x_r\}$ and $\{y_1, y_2, \dots, y_r\}$ be sets of vectors where for each i, $x_i$ has the same length as $y_i$; these are chosen randomly so that their completions $X_i, Y_i$ are singular except possibly for a small number of them and some combination of their completions is non-singular or some combination of the completions with known elements is non-singular. Define $x_i = x_iG_i$, $y_i = y_iK_i$ for appropriately sized generator matrices $G_i, K_i$ of error-correcting codes.
5. Both A and B now have the $x_i, y_i$ for each i from which to form the secret encryption matrices.
7 Who is there?
Authentication and/or signature methods may be set up in the usual way when key exchange and/or public key schemes have been established. Section 4.1 shows how a public key may in a unique way be used to establish that a message is actually emanating from a correspondent A; the constituents of the public key for B are changed so the new key may be used only by a particular A. Without using public key or key exchange one or both of the following may be requirements.
• In a message exchange from A to B it may be the case that a response from B is required. In certain situations then A requires to know that no one else is responding pretending to be B. ('Person-in-middle' problem.)
• B requires to know that a message purporting to come from A is actually from A.
To prevent these 'person-in-middle' problems proceed as follows. Each person X must have a 'key' which is of the form $y_XX$ where $y_X$ has large kernel. This must be known to and trusted by the person with whom the contact is to be made but may be public. This is a 'partial' public key as discussed in section 4.2. A wants to communicate x secretly to B. As stated the key for B is constructed from a vector y and a non-singular matrix B and only the product yB is known to A but it may be public. y should be chosen so that its completion Y is singular and has large kernel. However yB is not a public key for B in general as it does not have an inverse.

Prevent
Use the convention that matrices $A$ and $A_*$ for suffixes $*$ are matrices chosen and applied by A(lice) and $B$ and $B_*$ are matrices chosen and applied by B(ob).

With Commuting matrices
Suppose the matrices commute.
1. B chooses signature key yB which is revealed.and adds the two to get x.

A chooses
In fact for 5. $yB_2B^{-1}$ can be worked out when $B_1, B_2$ are chosen at 3. Now A never knows y in this set-up so B may use the same yB in communicating with another.
At point 4. A knows $yB_2$ and may use it in further transactions from A to B avoiding some transmissions at points 2., 3. above. In a sense then when A knows $yB_2$ it may be used as a 'key' for transmissions from A to B and may be used as a non-public signature of B for A only. Some simplification can be initiated when B is not worried that A may find y.

With matrices which may not commute
Similar schemes using non-commuting matrices are developed as follows.
A is required to transmit x to B and make sure that an eavesdropper may not pretend to be B. The matrices $A_*$ and $B_*$ need not be of the same type, that is, need not be formed from the same group ring.
1. B chooses y and B and circulates yB (keeping y and B secret).

To be sure
Suppose now A communicates with B and B wishes to be sure that the message is from A.

Where from, commuting
Each participant X has $y_XX$, where X is invertible. When RG-matrices are used the completion of $y_X$ should be singular with large kernel. $y_X$ and X are kept secret.

A transmits y
A AB 1 and B checks this.
(At stage 2. B can work out $y_AAB_1$ for checking at 3.)

Where from, non-commuting
Suppose A wishes to communicate with B and B wishes to be sure that the message is from A. Each participant X publishes $XY_X$, where X is invertible and $Y_X$ is singular with large kernel. $Y_X$ and X are kept secret.

Combined
The methods of 7.1, 7.2 may be combined as required or necessary. A wishes to communicate with B; A requires that an eavesdropper may not pretend to be B and B requires a signature so that (s)he knows the message is from A. The methods are fairly straightforward and details are omitted.

Multiple vector design: Prevention
The authentication, signature methods devised above may also be extended to multiple vector design. We outline just one of the methods.

Prevent E pretending
It is required when A communicates with B that E may not reply to A succeeding in pretending to be B.
1. B has a key $(y_1B_1, y_2B_2, \dots, y_sB_r)$ which is revealed at a particular time and known and trusted by A.

A sends out ((x
. ., $y_sB_rA_r$)) where $(x_1, x_2, \dots, x_r)$ is the data to be transmitted and the size of $x_i$ is the same as that of $y_i$.

Authentication, signature, + coding
Authentication and signature with coding may similarly be implemented. The details are omitted. Basically first of all the data is encoded as $x = x_1G$. Then when x is received with possible errors it is decoded to $x_1$.

Vector by matrix multiplication
Much is contained in the literature on vector-matrix/matrix-vector multiplication. The multiplication can be very fast when the matrix has a structure as for example if the matrix is an RG-matrix; a circulant matrix is such an example. Group ring matrices of the groups $C_n$, $C_2^n$, $C_p^n$ and in general abelian groups are particularly suitable. Vector-matrix multiplication in these cases using fast Fourier transform or Walsh-Hadamard fast transform (for $FC_p^n$) can be done in O(n log n) time.
Theorem 8.1 Given a listing of the elements of a group G of order n there is a bijective ring homomorphism between RG and the n × n RG-matrices. This bijective ring homomorphism is given by $\sigma : w \mapsto M(RG, w)$.
An RG-matrix for a cyclic group G is a circulant matrix; an RG-matrix when G is a dihedral group is one of the form $\begin{pmatrix} A & B \\ B & A \end{pmatrix}$ (in a natural listing of the elements of G), where A is circulant and B is reverse circulant.
For w ∈ RG the corresponding capital letter W denotes the image of w in the ring of $R^{n\times n}$ matrices, relative of course to a particular listing of the elements of G. For a vector x ∈ $R^n$ and a fixed listing of a group G by convention the capital letter X, without underlining, denotes the completion of x. Say w ∈ RG is singular if and only if W ∈ $R^{n\times n}$ is a singular matrix and w is non-singular if and only if W is a non-singular matrix. Thus when R is a field w is singular if and only if w is a zero-divisor in RG, and w is non-singular if and only if w is a unit in RG, [5].

Commuting matrices
Matrices that commute with one another include group ring matrices corresponding to group rings of abelian groups. Convenient such group ring matrices include:
1. Circulant matrices over any field; in particular circulant matrices over finite fields such as $\mathbb{Z}_p$ for p a prime.

RG-matrices from
that is, if and only if there are an odd number of non-zero coefficients in w. For say n = 1024 there are $2^{1023}$ such invertible elements and $2^{1023}$ elements whose square is zero.

Matrices from
follows that w is invertible if and only if For say n = 102 there are $p^{101}(p − 1)$ such invertible elements and $p^{101} − 1$ such non-zero elements which are zero-divisors satisfying $w^p = 0$. It is easy to choose randomly an invertible element whose inverse is easy to construct or a zero-divisor element with relatively small power equal to zero.
The types of matrices used for the designs and for the transmissions of vectors need not be the same.

Construction methods
For our constructions it is required to randomly choose, from a large available pool, matrices and vectors of the following types:
• Singular matrices A with large kernel.
• Non-singular matrices A such that the inverse of A is easy to compute;
• Vectors x, y such that X, Y have large kernels and a combination of X, Y with a known element or known elements is non-singular, the inverse of which is easy to obtain.
Further:
• Given data x it is required to construct x from which x may directly be obtained and for which the completion of x is singular with large kernel.
Here we show how such constructions may be obtained in various group ring matrices.
i=0 α i and so $w^2 = 0$ or $w^2 = 1$ according to whether the sum of the coefficients of w is even or odd. When the sum is even then $w^2 = 0$ and so indeed w is singular with large kernel by Corollary 8.1. In $\mathbb{Z}_2C_2^n$ it is easy to arrange for any data x that if $x^2 \neq 0$ then adding one known element to x ensures the square of the data is zero. When $x^2 = 0$ then rank X, where X is the completion of x, is at most $n/2$ and thus dim ker X ≥ $n/2$; for large n this ensures dim ker X is large. Thus there are at least $2^{n/2}$ solutions in z to $Xz = b^T$ or XZ = P for unknown matrix Z.
Thus in $\mathbb{Z}_2C_2^n$:
• Random matrices X may be chosen such that $X^2 = 0$ and so X has large kernel;
• Random matrices A may be chosen such that $A^2 = 1$ and so the inverse is easy to obtain.
• Random x, y may be chosen so that $X^2 = 0$, $Y^2 = 0$ and then both X, Y are singular with large kernel. Combinations such as X + Y + 1, X + Y + H where h ∈ $C_2^n$ and X + Y + w where w has an odd number of non-zero terms have their squares equal to 1.
• If x is any vector considered in $ZC_2^n$ then either $X^2 = 0$ and X has large kernel or else adding an element h of $C_2^n$ (h could be the identity) ensures $(X + H)^2 = 0$, or more generally adding an element w with an odd number of non-zero terms ensures $(X + W)^2 = 1$.
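The parity rule above and the commuting-matrix key exchange can be checked directly on first rows, since multiplication of $\mathbb{Z}_2C_2^n$-matrices is XOR convolution of their first rows. The following is an added example, not code from the paper; the parameter `N_BITS` and all function names are assumptions made for illustration.

```python
import secrets

N_BITS = 6                      # assumed toy parameter: the group is C_2^6
SIZE = 1 << N_BITS              # first rows have 2^6 = 64 coefficients over Z_2
ZERO = [0] * SIZE
ONE = [1] + [0] * (SIZE - 1)    # identity element of the group ring


def add(u, v):
    """Sum in Z_2[C_2^n]: coefficient-wise XOR."""
    return [a ^ b for a, b in zip(u, v)]


def mul(u, v):
    """Product in Z_2[C_2^n]. Listing group elements by bit pattern gives
    g_i * g_j = g_(i XOR j), so the product is the XOR convolution of u and v;
    it is also the first row of the matrix product U V of the completions."""
    out = [0] * SIZE
    for i, ui in enumerate(u):
        if ui:
            for j, vj in enumerate(v):
                out[i ^ j] ^= vj
    return out


def random_element(parity):
    """Random element with an even (0) or odd (1) number of non-zero coefficients."""
    w = [secrets.randbelow(2) for _ in range(SIZE)]
    if sum(w) % 2 != parity:
        w[secrets.randbelow(SIZE)] ^= 1     # flipping one coefficient flips the parity
    return w


def completion_rank(x):
    """Rank over Z_2 of the completion X, whose (i, j) entry is x[i XOR j]."""
    basis = []
    for i in range(SIZE):
        row = sum(x[i ^ j] << j for j in range(SIZE))
        for b in basis:
            row = min(row, row ^ b)         # clears the leading bit of b when set
        if row:
            basis.append(row)
    return len(basis)


def three_pass(x, a, b):
    """Sender holds x (square zero) and a; receiver holds b; a*a = b*b = 1.
    Returns the three transmitted vectors and the value the receiver recovers."""
    t1 = mul(x, a)                  # sender -> receiver: xA
    t2 = mul(t1, b)                 # receiver -> sender: xAB
    t3 = mul(t2, a)                 # sender -> receiver: xABA^-1 = xB, as A^-1 = A
    return (t1, t2, t3), mul(t3, b)  # receiver applies B^-1 = B and obtains x


def exchange_key():
    """x travels from A to B, y from B to A; both sides then form X + Y + 1."""
    x = random_element(0)
    _, x_at_b = three_pass(x, random_element(1), random_element(1))
    y = random_element(0)
    _, y_at_a = three_pass(y, random_element(1), random_element(1))
    key_a = add(add(x, y_at_a), ONE)
    key_b = add(add(x_at_b, y), ONE)
    return x, y, key_a, key_b


if __name__ == "__main__":
    x, y, key_a, key_b = exchange_key()
    print("x^2 = 0:", mul(x, x) == ZERO, " rank X =", completion_rank(x), "of", SIZE)
    print("keys agree:", key_a == key_b, " key^2 = 1:", mul(key_a, key_a) == ONE)
    msg = [secrets.randbelow(2) for _ in range(SIZE)]       # constructed sample message
    print("round trip:", mul(mul(msg, key_a), key_b) == msg)
```

Because the exchanged key squares to 1, the same vector serves for both encryption and decryption.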
For any ring R, an $RC_2$ matrix is one of the form $\begin{pmatrix} \alpha & \beta \\ \beta & \alpha \end{pmatrix}$ with α, β ∈ R. An $RC_2^n$ matrix for n ≥ 2 is one of the form

2
-matrices. An $RC_2^n$-matrix is completely determined by its first row as is any RG-matrix.
Any $RC_2^n$-matrix is diagonalised by the Walsh-Hadamard $2^n \times 2^n$ matrix which is defined as follows. The Walsh-Hadamard 2 × 2 matrix is $W_2 = \begin{pmatrix} 1 & 1 \\ 1 & -1 \end{pmatrix}$ and for n ≥ 2 the Walsh-Hadamard $2^n \times 2^n$ matrix is
Thus it is easily arranged for the data x to satisfy $x^p = 0$ by adding a known element or known elements as necessary. If now $x^p = 0$ then the completion X of x has dim ker X ≥ $n/p$. Hence any system of equations Xz = b for unknown z has $p^{n/p}$ solutions. In $C_p^n$ every element has order p so w = When $w^p$ = 0 then $w^p$ = (w) = 0 and the inverse of w is easy to obtain.
Thus in $\mathbb{Z}_pC_p^n$:
• Random matrices X may be chosen such that $X^p = 0$ and so X has large kernel.
Let G be an r × n generator matrix of a zero-divisor (n, r) code over FH. Then by Proposition 8.2 the completion X of $x = x_1G$ has rank at most r. Thus dim ker X ≥ (n − r). Provided r is not very large then given large n it is impossible to deduce X from AX or XA for an unknown (reasonable) matrix A. For example the code could have large rate say $3/4$ and then dim ker X ≥ $n/4$; for n large then also dim ker X is large. This is one way to ensure the data to be transmitted has large kernel and at the same time enabling error-correcting.
Thus if x is data to be transmitted considered as an element of the group ring RG then x − (x) is always a singular element. However this element may have large rank. If this way of ensuring the data to be transmitted is singular is used then multiple vector design should be used. The data is broken as $(x_1, x_2, \dots, x_r)$. Then its augmentation is added to each $x_i$ to get a vector $y_i$ = ($x_i$, ($x_i$)) which is then used. So for example $(y_1A_1, y_2A_2, \dots, y_rA_r)$ would be transmitted. Each piece is singular and r is large.

Complete orthogonal sets of idempotents
Here we consider properties of complete sets of idempotent matrices and ranks of the idempotents.These are used to construct X, Y such that these have large kernels and linear combinations of which are non-singular.
Let R be a ring with identity $1_R = 1$. A complete family of orthogonal idempotents is a set $\{e_1, e_2, \dots, e_k\}$ in R such that (i) $e_i \neq 0$ and e The idempotent $e_i$ is said to be primitive if it cannot be written as $e_i = e_i' + e_i''$ where $e_i', e_i''$ are idempotents such that $e_i' \neq 0$, $e_i'' \neq 0$ and $e_i'e_i'' = 0$. A set of idempotents is said to be primitive if each idempotent in the set is primitive.
For example such sets always exist in FG, the group ring over a field F, when char F ∤ |G|; these idempotent sets are related to the representation theory of FG, see [10]. General methods for constructing such sets are derived in [6] and the reader is referred therein for details. The constructions in [6] were derived in connection with applications to multi-dimensional paraunitary matrices which are used in the communications areas. Specific examples of large sets and using modular arithmetic (working over GF(p)) and where convolution methods may be applied are given in [7].
For completeness some of the basics are given below.
Let $\{e_1, e_2, \dots, e_k\}$ be a complete orthogonal set of idempotents in a vector space over F. Suppose on the other hand w is invertible and that some $\alpha_i = 0$. Then $we_i = 0$ and so w is a (non-zero) zero-divisor and is not invertible. Now specialise the $e_i$ to be n × n matrices and in this case use capital letters and let $e_i = E_i$.
Lemma 8.5 Let $\{E_1, E_2, \dots, E_k\}$ be a complete orthogonal set of idempotents in $F^{n\times n}$ and define $A = a_1E_1 + a_2E_2 + \dots + a_kE_k$. Then A is invertible if and only if each $a_i \neq 0$ and in this case The reader may consult [6] for a proof of the following. For each n there are many different complete orthogonal sets of idempotents in $F^{n\times n}$. It is not necessary that the particular set used by A in constructing her public key be known to the world so in fact an additional step (before 1.) in constructing public key could be:
0. A chooses a complete orthogonal set of idempotents $\{E_0, E_1, \dots, E_k\}$ in $F^{n\times n}$.
Schemes where X, Y obtained from orthogonal sets of idempotents as above are 'protected' on both sides, as explained in section 4, may also be implemented; details are omitted.

Convolution
Let z * w denote the (circulant) convolution of z and w. Let A be a circulant matrix with first row a.
Proof: Let X be the completion of x. Then XA is a circulant matrix whose first row is xA and is also x * a.
Proof: Let X be the completion of x in RG. Then XA is an RG-matrix whose first row is both xA and $x *_G a$.
When G is the cyclic group generated by g, with listing $\{1, g, g^2, \dots, g^{n-1}\}$, then $z *_G w$ is the normal (circulant) convolution. Calculations in the cyclic group ring and with circulant matrices may be performed in O(n log n) time using a fast Fourier transform (FFT) and FTs allow an effective parallel implementation.
The encryption methods of the previous sections which involve multiplying vectors and matrices can be done in O(n log n) time when the matrices have a structure such as the structure of certain group ring matrices.
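The following Python code is an added example, not code from the paper. It builds the standard primitive idempotents of $\mathbb{Z}_p C_n$ (assuming $n$ divides $p - 1$; the values $p = 101$, $n = 5$ and all function names are choices made here), checks Lemma 8.5 using the inverse $\sum a_i^{-1} e_i$ that follows from orthogonality, and confirms that $xA = x * a$ when $A$ is the circulant matrix with first row $a$.

```python
"""Idempotents of Z_p C_n, Lemma 8.5, and xA = x * a for circulant A."""
P, N = 101, 5  # constructed parameters; N must divide P - 1

def conv(z, w):
    """Circulant convolution z * w of two length-N vectors over Z_P."""
    out = [0] * N
    for i, zi in enumerate(z):
        for j, wj in enumerate(w):
            k = (i + j) % N
            out[k] = (out[k] + zi * wj) % P
    return out

def circulant(a):
    """Circulant matrix with first row a (row i is a shifted right i places)."""
    return [[a[(j - i) % N] for j in range(N)] for i in range(N)]

def vec_mat(x, A):
    """Row vector x times matrix A over Z_P."""
    return [sum(x[i] * A[i][j] for i in range(N)) % P for j in range(N)]

def root_of_unity():
    """An element of multiplicative order exactly N in Z_P."""
    for c in range(2, P):
        w = pow(c, (P - 1) // N, P)
        if all(pow(w, k, P) != 1 for k in range(1, N)):
            return w
    raise ValueError("N must divide P - 1")

def idempotents():
    """e_i = N^{-1} * sum_j w^{-ij} g^j: a complete orthogonal set in Z_P C_N."""
    w, n_inv = root_of_unity(), pow(N, -1, P)
    return [[n_inv * pow(w, (-i * j) % N, P) % P for j in range(N)]
            for i in range(N)]

def combine(coeffs, E):
    """The element sum_i a_i e_i written as a length-N coefficient vector."""
    return [sum(c * e[j] for c, e in zip(coeffs, E)) % P for j in range(N)]

def inverse(coeffs, E):
    """Inverse of sum_i a_i e_i, or None when some a_i = 0 (a zero-divisor)."""
    if any(c % P == 0 for c in coeffs):
        return None
    return combine([pow(c, -1, P) for c in coeffs], E)

if __name__ == "__main__":
    E = idempotents()
    a = combine([3, 7, 20, 45, 99], E)
    print("a * a^-1 =", conv(a, inverse([3, 7, 20, 45, 99], E)))
    print("zero-divisor case:", inverse([3, 0, 20, 0, 99], E))
```

Setting some coefficients $a_i$ to zero, as in the last line, gives a non-zero element that is annihilated by the corresponding $e_i$, which is the zero-divisor case of the argument preceding Lemma 8.5.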

Coding aspects theory
Suppose data $x_1$ of size $1 \times r$ is to be transmitted. Encode $x_1$ by $x_1 G = x$ where $G$ is an $r \times n$ generator matrix of an $(n, r)$ code with $G$ of rank $r$. If $G$ is an $n \times n$ circulant matrix of rank $r$ then the first $r$ rows of $G$ are linearly independent; this follows from the following:
Lemma 8.10 Let $G_1$ be a circulant $n \times n$ matrix of rank $r$ and suppose $G$ consists of the first $r$ rows of $G_1$. Let $x = x_1 G$ where $x_1$ is a vector of size $1 \times r$ and let $X$ be the completion of $x$. Then $\operatorname{rank} X \leq r$.
Proof: Let the rows of $G$ be denoted by $\{\hat{v}_1, \hat{v}_2, \ldots, \hat{v}_r\}$. Then $x_1 G = \sum_{i=1}^{r} \alpha_i \hat{v}_i$. Let $\hat{G}$ be the circulant matrix from which $G$ is derived and let the rows of this be denoted by $v_1, v_2, \ldots, v_n$. The first $r$ rows of $\hat{G}$ are linearly independent, see [8], and thus $\hat{v}_i = \sum_{i=1}^{r} \beta_i v_i$ for some $\beta_i$. Hence $x = x_1 G = \gamma_i v_i$ for
$A$ non-singular and $xA$ is transmitted.
2. B chooses the matrix $B$ non-singular and transmits $xAB$.

3. A transmits $BX$. B now knows $X$. A can now repeat the process to get $Y$ secretly to B. Or else:
(a) B chooses $Y$ with large kernel and $B_1$ non-singular so that a combination of $\{X, Y\}$ with a known element or known elements is non-singular and transmits $B_1 Y$.
(b) A transmits $B_1 Y A$.
(c) B transmits $YA$.
4. Both A and B now have $X, Y$ from which to form the encoding matrix for use between A and B.

2. B chooses $B_1$ non-singular and transmits $xAB_1$.
3. A transmits $xB_1$. At this stage B, and A, know $x$. A could proceed to transmit $y$ secretly or else:
(a) B chooses $y$ with large kernel and $B_2$ non-singular and transmits $yB_2$.
(b) A chooses $A_1$ non-singular and transmits $yB_2A_1$.
(c) B transmits $yA_1B$.
2. B chooses $B$ non-singular and transmits $BXA$.
3. A transmits $BX$.
4. B calculates $B^{-1}BX = X$ to get $x$, which may have errors in transmission. B decodes the obtained $x$ to get $x_1$.
2. B chooses $B$ non-singular and transmits $xAB$.
4. B works out $x$, which may have errors in the transmissions, and decodes to $x_1$.

2
and adds it to $B_1^{-1} Y B_2$, which may be worked out previously, to get $X$. At point 4. A knows $YB_2$, which can be used for further transactions from A to B. Variations on the above are easily constructed and designed.

where $\otimes$ denotes tensor product. It is known that the Walsh-Hadamard transformation can be performed in time $O(m \log m)$ ($m = 2^n$) and thus vector and matrix operations with $RC_2^n$-matrices can be done in $O(m \log m)$ time. Thus using $\mathbb{Z}_2 C_2^n$ the constructions may be done in $O(m \log m)$ time using Walsh-Hadamard transformations.
8.5.2 In $\mathbb{Z}_p C_p^n$
Consider now the data $x = (\alpha_0, \alpha_1, \ldots, \alpha_{p^n-1})$ to be in $\mathbb{Z}_p C_p^n$, that is $x = \sum_{i=0}^{p^n-1} \alpha_i g_i$ where $\{g_0, g_1, \ldots, g_{p^n-1}\}$ are the elements of $\mathbb{Z}_p^n$ and $\alpha_i \in \mathbb{Z}_p$. Each $g_i$ satisfies $g_i^p = 1$. Then $x^p = \sum_{i=0}^{p^n-1} \alpha_i^p = \sum_{i=0}^{p^n-1} \alpha_i = \varepsilon(x)$ where $\varepsilon(x)$ denotes the augmentation of $x$. If $\varepsilon(x) = 0$ then $x^p = 0$. If $\varepsilon(x) \neq 0$ then $(x - \varepsilon(x)g)^p = 0$ for any $g \in C_p^n$. More generally $(x + \sum_{j \in J} b_j g_j)^p = 0$ when $\sum_{j \in J} b_j = -\varepsilon(x)$ for $J \subset \{0, 1, \ldots, p^n - 1\}$.
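The identity $x^p = \varepsilon(x)$ and the resulting nilpotent elements can be checked directly; the Python code below is an added example, not code from the paper. The parameters $p = 3$, $n = 2$, the representation of each $g_i$ as an exponent vector, and all function names are choices made here.

```python
"""x^p = eps(x) in Z_p C_p^n, and building elements with x^p = 0."""
from itertools import product

P, N = 3, 2                                 # constructed: Z_3 C_3^2, 9 group elements
ELEMS = list(product(range(P), repeat=N))   # each g_i as an exponent vector
INDEX = {g: i for i, g in enumerate(ELEMS)}

def mul(x, y):
    """Product in Z_P C_P^N: convolution over the group C_P^N."""
    out = [0] * len(ELEMS)
    for i, g in enumerate(ELEMS):
        for j, h in enumerate(ELEMS):
            k = INDEX[tuple((a + b) % P for a, b in zip(g, h))]
            out[k] = (out[k] + x[i] * y[j]) % P
    return out

def power(x, e):
    """x raised to the e-th power by repeated multiplication."""
    result = [1] + [0] * (len(ELEMS) - 1)   # identity: ELEMS[0] is (0, ..., 0)
    for _ in range(e):
        result = mul(result, x)
    return result

def augmentation(x):
    """eps(x): the sum of the coefficients of x, reduced mod P."""
    return sum(x) % P

def make_nilpotent(x, g_index=0):
    """Return x - eps(x) * g for the group element g = ELEMS[g_index]."""
    y = list(x)
    y[g_index] = (y[g_index] - augmentation(x)) % P
    return y

if __name__ == "__main__":
    x = [1, 2, 0, 1, 1, 0, 2, 2, 1]         # constructed sample data
    print("eps(x) =", augmentation(x), " x^p =", power(x, P))
    y = make_nilpotent(x, g_index=4)
    print("y =", y, " y^p =", power(y, P))
```

Because $y^p = 0$ with $y \neq 0$, $y$ is a zero-divisor, so a matrix formed from it is singular.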
1. A chooses vectors $\{x, y\}$ such that their completions $\{X, Y\}$ have large kernels and such that a linear combination of $\{X, Y\}$ is non-singular.
2. A chooses non-singular matrices $\{A_1, A_2\}$ and works out $\{XA_1, YA_2\}$.
3. A has public key $(XA_1, YA_2)$ and private key $(X, Y, A_1, A_2)$.
Methods to randomly choose such $\{x, y\}$ are shown in section 8.6 and methods to randomly choose such $\{A_1, A_2\}$ appear in various parts of section 8.

Eve pretending to be B
E(ve), an eavesdropper, looking in at the communications in section 2.1.1 or 2.1.2, can see $xA$ and pretends to be B. (S)he then applies $E$ to get $EXA$ in 2.1.1 or $xAE$ in 2.1.2, which is then transmitted to A, who applies $A^{-1}$ and gives back $EX$ or $xE$ to E, who can then read off $x$.
1. A chooses $A_1$ and transmits $A_1 Y A$.
2. B chooses $B_1$ and transmits $A_1 Y A B_1$. (At this stage B can work out $A Y A B_1$.)
3. A transmits $A Y A B_1$ and B checks this.