LINEture Cryptosystem

• LINEture is a post-quantum digital signature scheme based on binary matrix algebra and secret-shared factorable permutations for compact key and signature generation.
• It utilizes a layered construction with message hashing, randomized session keys, and zero-knowledge protocols to ensure secure and efficient identity verification.
• The scheme achieves practical efficiency with significantly smaller keys and signatures compared to conventional NIST candidates, although its non-standard design calls for further cryptanalysis.

The LINEture cryptosystem is a digital signature scheme characterized by compact keys and signatures, utilizing matrix algebra over the field $\mathbb{F}_2$ and novel security mechanisms based on brute-force intractability. Unlike conventional cryptography predicated on computationally hard problems, LINEture achieves post-quantum security through algebraic indeterminacy, secret-shared factorable permutations, randomized session keys, and zero-knowledge authentication protocols (Khalimov et al., 11 Jan 2026, Kotukh et al., 6 Jan 2026).

1. Algebraic Foundation and Core Construction

LINEture operates on vectors and matrices over the binary field $\mathbb{F}_2$, with the principal objects being $m$-bit words and permutation matrices of size $2^m \times m$. Message signatures are constructed by associating each $m$-bit word $x \in \mathbb{F}_2^m$ to an element of an elementary abelian $2$-group. A public factorable permutation $g: \mathbb{F}_2^m \to \mathbb{F}_2^m$ is given as:

$$g(x) = x_1 G_1 \oplus x_2 G_2 \oplus \cdots \oplus x_m G_m,$$

where $G_j$ are blocks encoding basis-vectors. The internal factorization of $g$ is concealed via a sequence of six secret homomorphic matrix transformations: basis permutation, block shuffle, add-vector, polynomial multiplication, non-singular matrix multiplication, and matrix addition. The resulting $G_{\text{final}}$ matrix’s factorization remains infeasible to recover except by brute-force, creating the cryptosystem’s fundamental hardness (Khalimov et al., 11 Jan 2026).

The shared secret for signature generation and verification is encoded as a stack of $l$ permutation matrices $S \in \mathbb{F}_2^{2^m l \times m}$, synthesized homomorphically by combining a public key matrix $B \in \mathbb{F}_2^{2^m l \times m q}$ with a session-key matrix $E \in \mathbb{F}_2^{m q \times m}$:

$S = B \cdot E$

(Eq. 1).

The indeterminacy of recovering $E$ from $S$ (except for known secret parameters) reduces adversarial attacks to brute-force search over secret matrix blocks.

2. Key Generation Process

Key generation proceeds as follows:

1. Master Key Construction:
   • Select a random non-singular matrix $$\mathcal{@}_1 \in \mathbb{F}_2^{m(q-1) \times m(q-1)}$$ and form the private block matrix $\mathcal{@} \in \mathbb{F}_2^{mq \times mq}$:

   $$\mathcal{@} = \begin{bmatrix} \mathcal{@}_1 & 0 \ 0 & I_m \end{bmatrix}$$

2. Public Substitution Blocks:

   • For each $i = 1, \dots, l$, generate matrices $R_{i,1}$, $A_j$, $R_{i,j}$, and $R_{i,q}$ of prescribed dimensions.
   • Assemble block matrices $[B_{i,1} \| B_{i,2} \| \dots \| B_{i,q}]$ to form $B_i \in \mathbb{F}_2^{2^m \times m q}$.
3. Key Publishing:
   • The public key is $B = [B_1; \dots; B_l]$, while master key components $@$, $R_{ij}$, $A_j$, $a_j$ are retained privately (Khalimov et al., 11 Jan 2026).

3. Signature Generation Algorithm

Signature generation leverages message-dependent randomization and session keys as follows:

1. Message Hashing:
   • Hash the message to obtain $y[ml] = H(\text{msg}) \in \mathbb{F}_2^{ml}$, viewed as $l$ words of $m$ bits.
2. Session Key Construction and Nonces:
   • Generate $t$ random nonces $r_1, \dots, r_t$ and an identity-proof nonce $r_{\text{id}}$, then compute $h_i = H(r_i \| \text{msg})$ and $h_{\text{id}} = H(r_{\text{id}} \| \text{msg})$.
   • Derive each $E_i$ from $h_i, h_{\text{id}}$ as per prespecified rules with scalar transformations $\alpha_j, \beta_j$.
3. Shared-Secret Computation:
   • Calculate $S_i = B \cdot E_i$ for two choices of $i$ to enable a zero-knowledge proof of secret knowledge.
   • Verify $S_1 = S_2$ for identity proof.
4. Inverse Substitution:
   • Compute $x = S_1^{-1}(y)$, achieved by block-diagonal inversion into $l$ independent $m \times m$ inverses.
5. Signature Formation:
   • Output $$\sigma = \left(x, \{r_i\}_{i=1}^t, r_{\text{id}}\right)$$ (Khalimov et al., 11 Jan 2026).

4. Signature Verification Algorithm

Verification uses only public data and the received signature:

1. Hash Re-Evaluation:
   • Recompute $h_i, h_{\text{id}}$ from nonces and message.
2. Session Key Reconstruction:
   • Derive $E_i$ for $i = 1, \dots, t$ exactly as performed by the signer.
3. Identity Proof Validation:
   • For any $i \neq j$, confirm $B \cdot E_i = B \cdot E_j$; this demonstrates knowledge of the private decomposition.
4. Message Hash Reconstruction:
   • Compute $y' = S_1(x)$ for the reconstructed shared-secret $S_1$.
5. Acceptance Condition:
   • Accept the signature if and only if $y' = H(\text{msg})$ (Khalimov et al., 11 Jan 2026).

5. Security Properties and Parameter Influence

Security relies on algebraic indeterminacy created by the incomplete definition of the matrix inversion underlying session keys. The adversarial effort to recover the secret matrix $@$ is bounded by brute-force complexity $\sim 2^{m^2(q-1)}$, with $m$ denoting word size and $q$ the number of matrix subblocks. Collision resistance in substitution and hash-forgery is bounded by $2^{t m^2}$ and $2^{ml(t-1)}$ respectively. The effective security is the minimum of these quantities; parameter recommendations for 128/192/256-bit classical security levels are prescribed explicitly:

• 128-bit security: $m=8$, $q=3$, $t=3$, $l \geq 16$
• 192-bit security: $m=8$, $q=3$, $t=4$, $l \geq 8$
• 256-bit security: $m=8$, $q=3$, $t=5$ (Khalimov et al., 11 Jan 2026)

A deeper parameter analysis reveals a dualistic role for the vector dimension $l$. While originally considered to affect only signature length, $l$ also establishes a "verification barrier" of $l \cdot m$ bits in the context of zero-knowledge identity proof. For $l < (q-1)m$, the security contribution from this barrier dominates, enforcing a parameter selection rule $l_{\text{opt}} = (q-1)m$ for maximal cryptographic efficiency (Kotukh et al., 6 Jan 2026).

6. Performance, Practicality, and Comparative Evaluation

Key and signature sizes are notably compact. For typical NIST Level 1 parameters ($m=8$, $l=16$, $q=3$):

• Public key: $\sim$1536 bytes
• Signature (with $t=3$): $\sim$144 bytes
• All signature and verification operations reduce to binary-matrix multiplication and inversion ($O(lqm^3)$ bit operations), compatible with a few thousand machine cycles for practical $m, l, q$ values (Khalimov et al., 11 Jan 2026).

A comparative summary versus other NIST-PQC candidates is shown below:

Scheme	Security (bits)	PubKey size	Sig size
LINEture (8,16,3)	128	~50 B	~100 B
CRYSTALS-Dilithium-II	128	~1300 B	~2420 B
Falcon-512	128	~897 B	~666 B
SPHINCS+	128	~32 B	~8000 B

This suggests LINEture offers key and signature sizes substantially smaller than lattice-based or hash-based alternatives, but its algebraic structure is distinct from NIST standards and lacks a tight reduction proof. The trade-off is between unconventional algebraic design and practical compactness (Kotukh et al., 6 Jan 2026).

7. Context, Implications, and Limitations

LINEture advances a non-standard approach to post-quantum digital signatures, with security based on secret-shared permutations and brute-force resistance rather than assumed computational hardness. The scheme's security and efficiency directly reflect choice of $(m, l, q, t)$, with parameter tuning ensuring classical security thresholds. The absence of a tight reduction and limited public cryptanalysis to date mark open directions for further investigation and scrutiny. A plausible implication is that ongoing community cryptanalysis and standardized benchmark comparisons will be essential for establishing long-term confidence in the scheme's resilience and practicality (Khalimov et al., 11 Jan 2026, Kotukh et al., 6 Jan 2026).