INFORMATICAInformatica1822-88440868-49520868-4952Vilnius UniversityINFOR49910.15388/22-INFOR499Research ArticleCBC Mode of MPF Based Shannon Cipher Defined Over a Non-Commuting Platform Grouphttps://orcid.org/0000-0002-8661-3021MihalkovichAleksejusaleksejus.michalkovic@ktu.lt∗
A. Mihalkovich obtained his PhD in 2015 and is currently an assistant professor at Kaunas University of Technology. He is a member of Identification and Cryptography Research Group and performs various investigations in symmetric and asymmetric cryptography.
LevinskasMatasmatas.levinskas@ktu.edu
M. Levinskas is currently pursuing a master’s degree at Kaunas University of Technology. He is a member of Identification and Cryptography Research Group and performs investigations in symmetric cryptography.
DindieneLinalina.dindiene@ktu.lt
L. Dindiene obtained her PhD in 2016 and is currently a lecturer at Kaunas University of Technology. She is a member of Identification and Cryptography Research Group and investigates statistical and probabilistic properties of cryptographic primitives.
E. Sakalauskas is currently a professor at Kaunas University of Technology. He is the head of Identification and Cryptography Research Group and performs various investigations in symmetric and asymmetric cryptography.
Commonly modern symmetric encryption schemes (e.g. AES) use rather simple actions repeated many times by defining several rounds to calculate the ciphertext. An idea we previously offered was to trade these multiple repeats for one non-linear operation. Recently we proposed a perfectly secure symmetric encryption scheme based on the matrix power function (MPF). However, the platform group we used was commuting. In this paper, we use a non-commuting group whose cardinality is a power of 2 as a platform for MPF. Due to the convenient cardinality value, our scheme is more suitable for practical implementation. Moreover, due to the non-commuting nature of the platform group, some “natural” constraints on the power matrices arise. We think that this fact complicates the cryptanalysis of our proposal. We demonstrate that the newly defined symmetric cipher possesses are perfectly secure as they were previously done for the commuting platform group. Furthermore, we show that the same secret key can be used multiple times to encrypt several plaintexts without loss of security. Relying on the proven properties we construct the cipher block chaining mode of the initial cipher and show that it can withstand an adaptive chosen plaintext attack.
symmetric cryptographyperfect secrecynon-commuting cryptographymatrix power functionIntroductionMotivation
Symmetric cryptography came a long way from ancient times. One of the fundamental works in this area was presented in Shannon (1949). There the author introduced a concept nowadays known as the Shannon cipher given by a triplet (Gen(),Enc(),Dec()), where Gen() is a key generation function, Enc() and Dec() are encryption and decryption functions, respectively, as defined in Katz and Lindell (2007). Assuming μ is the plaintext to be encrypted, the major requirement of a symmetric encryption scheme is the following:
Dec(k,Enc(k,μ))=μ,
i.e. decryption function correctly restores the message μ using the same key k. Any properly working symmetric cipher must satisfy this requirement. Proving the correctness of any symmetric cipher relies on verifying identity (1).
In the realm of modern symmetric ciphers, the most secure ones possess an essential property of perfect secrecy – a concept initially defined by Shannon himself. One of the most intuitive definitions can be found in various textbooks like Katz and Lindell (2007) or Boneh and Shoup (2020) and states that a symmetric cipher is perfectly secure if the ciphertext c is statistically independent of the encrypted plaintext μ, i.e.
Pr(c=c0∣μ=μ0)=Pr(c=c0),
where Pr() denotes the probability of a random event and c0 and μ0 are fixed ciphertext and plaintext respectively. We use this definition in Section 4 to show that our cipher satisfies condition (2).
The perfect secrecy property of the one-time pad (OTP) technique was proven by Shannon. To our knowledge, up to our previous works, OTP together with its various modifications remained the only technique with this property. This comes from the fact that perfectly secure ciphers require keys of the same size as the plaintext to be encrypted. Hence, despite achieving this highly desirable property, OTP is mainly viewed as a theoretical concept and is rarely used in practice. Moreover, the OTP falls flat due to its inability to reuse the secret key and becomes an easy prey for active attackers. Interestingly enough, the latter flaw is also the main issue for constructing various encryption modes based on this technique.
Therefore, widely popular symmetric ciphers (e.g. AES) are usually constructed by repeating several rather simple operations multiple times. The more rounds are used, the higher security is achieved. These ciphers can also be adapted for practical implementation via various encryption modes.
Our goal is to show that the perfectly secure cipher can be adaptable for practical implementation. In other words, by using a highly non-linear matrix mapping as opposed to multiple rounds of encryption we can achieve a high-security level while also avoiding the main issue of the OTP.
Related Work
Recently our research group published a paper (Sakalauskas et al., 2020b), where we introduced a symmetric encryption scheme based on a special case of the so-called MPF mapping. In Sakalauskas and Luksys (2012), authors formally defined MPF as a mapping Matn(R)×Matn(S)×Matn(R)↦Matn(S), where Matn(·) denotes a set of square n×n matrices with entries taken from the specified algebraic structure: a platform semigroup S or a finite ring of integers R with cardinality determined by the properties of S. Let us assume, that matrices X,Y∈Matn(R) and W,E∈Matn(S). Then we denote
XWY=E,
where each entry of the result matrix E is computed as follows:
eij=∏k=1n∏l=1nwklxikylj.
In the paper (Sakalauskas et al., 2020b) we focused on a Sylow group G3 found in a multiplicative group Z7. Let us recall that the semigroup S contains a Sylow group of cardinality pk if k is the largest power of p dividing the multiplicative order of S, i.e. a number denoted as ord(S) such that for every element s∈S we have s1+ord(S)=s (Sylow, 1872). We proved in Sakalauskas et al. (2020b) that the proposed scheme is perfectly secure.
Our recent research continues the study of MPF applications for symmetric cipher construction but uses a non-commuting platform group. Previously, we published several papers where we proposed new protocols based on MPF defined over non-commuting platform groups (Sakalauskas et al., 2020a; Mihalkovich et al., 2020). In those papers, we proved that the proposed asymmetric cryptographic primitives rely on NP-complete problems (Sakalauskas and Mihalkovich, 2018; Mihalkovich et al., 2020). We used singular matrices to our advantage and showed that non-commuting platform groups and singular matrices contribute to the overall security of the proposed protocols.
In our previous paper (Mihalkovich et al., 2022), we considered the performance of the cipher block chaining (CBC) mode based on MPF mapping. Moreover, we evaluated the computational costs of AES and TDES protocols operating in the CBC mode based on the notion of clock cycles. To achieve a balance between the memory requirements, performance, and statistical properties of our scheme, discussed previously in Levinskas and Mihalkovich (2021), we fixed the main parameters of our cipher at m=4, p=4079 and q=2039. Our results have shown that MPF-based CBC mode outperforms AES-128 by 1.5 times and TDES by roughly 47 times.
Notably, our cipher has another interesting property that was not considered previously in Mihalkovich et al. (2022). Since our cipher is based on matrix operations we can achieve a significant boost of performance speed by implementing parallelization of calculations up to m2 processors during an encryption process of each block. We think that this fact benefits our proposal since other algorithms considered in our previous paper do not have this property.
In this paper, we introduce the CBC mode for our MPF-based cipher and prove its security. We leave the performance evaluation and comparison to other ciphers for our future work. Based on the findings presented in Mihalkovich et al. (2022), we expect to achieve similar results for the to-be-presented CBC mode built on the non-commuting group.
Our Contributions
Obviously, singular matrices cannot be used as symmetric keys since the initial message must be restored by applying the same key which is impossible if the inverse matrix does not exist. Hence, to implement the non-commuting platform groups in symmetric encryption we have to define different templates in such a way that power matrices in (3) would be invertible. Furthermore, as opposed to asymmetric encryption presented in Mihalkovich et al. (2020), we also have to make the base matrix W as flexible as possible. In other words, we cannot simply fix a template for the base matrix W since we want to be able to work with any kind of message without having to adapt them to fit a certain requirement. Therefore, we limit ourselves to defining a template for the power matrix Y, thus keeping the restrictions to a minimum.
As mentioned above, we also consider our cipher from the point of view of practical implementation. One obvious drawback of any perfectly secure block cipher is the fact that the encryption key has to be at least as long as the encrypted plaintext. To overcome this obstacle we define the cipher block chaining mode on the basis of our proposal. To prove its resistance against adaptive chosen plaintext attack we define a security game and show that the probability of a win is negligible.
In this paper, we consider a general form of one of the previously explored non-commuting groups, namely the group M16 (Mihalkovich, 2018; Mihalkovich et al., 2020). We define this general form in the next section and present some important facts useful for our goals. These involve the explicit formulas of basic operations and the properties of MPF. In Section 3, we present our main idea – a Shannon cipher based on MPF defined over a non-commuting group. Later in Section 4 we prove the perfect secrecy of our proposal. Moreover, in Section 6 we define the CBC mode of our cipher and consider the security of this scheme in Section 7. As usual, in Section 8 we present our conclusions.
Mathematical Background
Let us define two generators a and b which do not commute, i.e. ab≠ba. Furthermore, we define the following relations:
R1:a2t−1=e;R2:b2=e;R3:bab−1=a2t−2+1,
where e is the identity element. Using these relations we can form words of the types aαbβ or bβaα, where α∈{0,1,…,2t−1−1} and β∈{0,1}. Moreover, the set of these words defines the following group:
M2t=a,b∣R1,R2,R3.
We use the notation M2t to better distinguish this group from the plaintext matrix M and the plaintext space M. Furthermore, we denote the plaintext bit string by μ and entries of the matrix M by mij.
Evidently, the identity element can be written as e=a0b0=b0a0. Furthermore, based on the defined relations R1 and R2, we can see that all the powers of the generators can be reduced modulo 2t−1 for generator a and modulo 2 for generator b. Using relations R1, R2, R3, it is possible to derive that each element of the group M2t can be represented in the form bβaα. Onwards we call this representation a normal form of the element and use it throughout this paper. Obviously, if β=0, we have:
aαb0=b0aα.
The general representation if β=1 is as follows:
aαb=baα,ifαis even;baα+2t−2,ifα=0is odd.
The proof of this fact in the special case of M16 was presented in Mihalkovich (2018). Since the idea of the proof remains the same, we omit it to shorten the paper. For this reason, the cardinality of the group M2t is 2t, i.e. the parameter t defines the size of the considered group.
Here we defined the group M2t in its most general form. However, special cases of such groups were previously explored by researchers in group theory. For example, M16 is mentioned in Grundman and Smith (1996), where the authors were discussing the groups of cardinality 16, which are not isomorphic to any other group. A total of seven such groups of size 16 were found. In 2010, authors presented a continuation of their research in Grundman and Smith (2010b). There they considered non-abelian groups of size 32 and one of the mentioned groups was M32. Similar non-abelian groups were also explored in Michailov (2007) and Grundman and Smith (2010a).
Expanding the idea to greater sizes grants us opportunities to construct symmetric encryption using M2t as a platform group more flexibly. Conveniently, we can now manipulate two parameters, i.e. square matrix size M and platform group size determined by t. Special cases discussed above are obtained when t=4 or t=5. As mentioned previously, none of these groups are isomorphic to any other groups of the appropriate cardinality.
Let us now present formulas for the basic operations in M2t. All of the formulas given below are verified using relations R1, R2, R3:
Multiplication of two elements w1,w2∈M2tw1·w2=bβ1+β2aα1+α2,ifα1is even;bβ1aα1+α2,ifα1is odd andβ2=0;bβ1+1aα1+α2+2t−2,ifα1is odd andβ2=1;
Raising of an element w∈M2t to a power n∈Z2t−1:
wn=aαn,ifβ=0;bnaαn,ifβ=1andαis even;bnaαn+2t−2[n2],ifβ=1andαis odd,
where notation [n2] stands for the integer part of n2.
Calculating the inverse of the element w∈M2t:
w−1=a−α,ifβ=0;ba−α,ifβ=1andαis even;ba2t−2−α,ifβ=1andαis odd.
Explicit proofs of these formulas for a special case of M16 can be found in Mihalkovich (2018). Since the idea of these proofs stays the same, we omit them.
We also introduce an extra notation:
W=bBaA.
This means that each entry wij of the matrix W is represented in the normal form
wij=bβijaαij,
where βij and αij are entries of matrices B and A, respectively.
Interestingly enough, by using the group M2t as a platform for MPF we also inflict some “natural” restrictions on the set of symmetric keys. This means that any tuple of matrices, which is outside of the specified domain, cannot be used, since the decryption of the ciphertext results in a scrambled mess. Specifically, if M2t is used as a platform group, then in general we have:
(WY)Y−1≠W;Y−1(YW)≠W;(YW)Y≠Y(WY).
Despite these additional complexities, it is possible to construct a working symmetric encryption protocol. However, we think that these extra complexities may be beneficial for the overall security of our proposal. Similar to the previously published key exchange in Mihalkovich et al. (2020), we define a template for power matrix Y, which can be used to achieve correct decryption. Then, due to inequalities (13), anything which disobeys the chosen template makes the decryption incorrect.
Keeping in mind the essence of symmetric encryption, we have chosen to pick power matrices from a subset of permutation matrices modulo 2, i.e. every square power matrix of size n contains exactly n odd entries whereas the rest of the entries are even. In this special case inequalities, (13) turn to equalities regardless of the choice of W. In the next section, we propose Shannon symmetric encryption protocol with this restriction on the power matrices.
Considering security of our protocol we often refer to the following two mappings ϕ:M2t↦Z2 and ψ:M2t↦Z2t−1 defined below: ϕ(bβaα)=β;ψ(bβaα)=α.
Moreover, we define the matrix analogs of these mappings by applying them to each entry of the matrix W of the form (11) entry-wise, i.e. we have: Φ(W)=B;Ψ(W)=A.
These mappings will prove helpful to us when showing the validity of the proposed protocol and establishing perfect secrecy property since they allow us to work with the powers of the specific generator.
The Proposed Shannon Symmetric Encryption Protocol
Before executing the proposed scheme the size of the group M2t, defined by t, the size of square matrices n and the shifting parameter κ, defined below in (18), are published online.
Key Generation Procedure
The key generation procedure consists of the following steps:
Generate a binary matrix Δ;
Generate matrix X with random uniformly selected entries from Z2t−1;
Generate a temporary matrix Y′ with random uniformly selected entries from Z2t−2;
Choose a permutation matrix P uniformly from the set of permutation matrices Pn⊂Matn(Z2) of size n!;
Define Y=2Y′+P. Calculate Y−1 using the Gauss-Jordan algorithm.
The result of this procedure is a symmetric key (X,Y,Δ). Note that each time the matrix is generated at Steps 1–3 of the presented process no additional restrictions are applied. Also, since P=Ymod2 is a permutation matrix, the last step of the presented algorithm is always successful, i.e. Y is invertible. Hence, all the steps of this procedure are executed exactly once since none of them can fail. We also see that due to the definition of matrix Y both even and odd entries of Y are distributed uniformly in the subsets of even and odd elements of Z2t−1 respectively.
Encryption Function
Let us assume that a message needs to be encrypted using the generated symmetric key K→=(X,Y,Δ). The encryption procedure is as follows:
The message is converted to a string of bits of size t·n2. If the message is shorter, then extra symbols are added at the end to achieve the appropriate length. Otherwise, the message is too long.
The obtained string of bits is transformed to the matrix format by splitting it into n2 separate parts of length t each. The outcome of this step is a matrix which we denote by M.
The obtained matrix is split into separate matrices Ma and Mb, where the first bit of each entry of M gets transported to matrix Mb, whereas the rest of bits are written to matrix Ma, hence obtaining powers of generators b and a respectively.
The encryption algorithm is as follows:
C1=bMb+Δ⊙aMa+X;C2=YC1Y;C=Shiftκ(Φ(C2)∥Ψ(C2))+(Δ∥X),
where ∥ denotes the concatenation of two matrices, Shiftκ is the entry-wise shifting by κ bits (e.g. to the right) operator and the addition is performed appropriate modulo, i.e. matrices Mb and Δ are summed modulo 2, Ma and X – modulo 2t−1, and at the last step addition is performed modulo 2t. In all cases, we omit moduli of addition as the appropriate values are usually clear from the context.
The matrix C is converted into a string of bits by concatenating its entries in the following way:
c=c11∥c12∥…∥c1n∥c21∥c22∥…∥c2n∥cnn,
where the first bit of each entry cij is reserved for the power of generator b and the rest of the bits denote the power of generator a. The string of bits c is the ciphertext of the initial message.
Due to the discussed steps, the encryption function is given by:
Enc(K→,M)=Shiftκ(Φ(Y(C1)Y))∥Ψ(Y((C1)Y))+(Δ∥X),
where M=Mb∥Ma is the original message represented in matrix form and C1 is defined as in (18).
Decryption Function
Upon receiving the ciphertext c the following procedure is performed to decrypt the encrypted message using symmetric key K→=(X,Y,Δ).
The ciphertext c is transformed into matrix form C by splitting it into n2 parts of length t.
The decryption algorithm is as follows:
D1=Shiftt−κ(C−Δ∥X),D2=bD1baD1a,D3=Y−1D2Y−1,Da=Ψ(D3)−X,Db=Φ(D3)−Δ,
where D1b is a binary matrix obtained by splitting the first bits of D1 and D1a consists of the leftover bits. Subtraction is to be treated as an inverse of addition in the encryption algorithm (18).
Matrices Da and Db are concatenated together entry-wise, thus producing matrix D=Db∥Da.
The obtained matrix D undergoes the procedure of transformation to a string of bits by concatenating entries of the matrix in a specific way determined by one of the permutation vectors.
Junk symbols are removed, if any. The output of this step is the initial message.
Hence, we can define the decryption function as follows:
Dec(K→,C)=(Φ(Y−1(D2)Y−1)−Δ)∥(Ψ(Y−1(D2)Y−1)−X),
where C is the received ciphertext represented in matrix form and D2 is defined as in (20).
Proof of Correctness
Looking at the presented encryption and decryption algorithms we see that D2=C2 due to definitions of these matrices.
Let us consider an intermediate result H=YC1. Note that entries of matrix T are given by
hij=∏k=1nc1kjyik.
An important restriction, which helps us to prove the validity of our protocol is the structure of the key matrix Y. Obviously, due to Y being a permutation matrix modulo 2, it is invertible over Z2t−1, since its determinant is always odd and hence relatively prime with 2t−1 for any value of t. Furthermore, since exactly one entry is odd in each row and each column of Y, exactly one of the multipliers in the product (22) can contain generator b and hence this generator can never be cancelled unless raised to an even power. For the same reason, matrix Y−1, which has the same structure as Y, successfully restores the initial matrix C1 when applied to H, i.e. we have C1=HY−1.
We now consider the matrix C2=HY=YC1Y. As claimed in the latter paragraph, the generator b can never be cancelled unless raised to an even power. Hence, as previously, the matrix Y−1 successfully restores matrix H, i.e. H=C2Y−1.
Combining these two observations we gain the following result:
D2=Y−1D1Y−1=Y−1C2Y−1=Y−1(YC1Y)Y−1=C1.
Moreover, applying the mappings Φ and Ψ and subtracting appropriate matrices yields the matrix form M of the initial message, i.e. D=M.
The matrix D is now transformed to obtain a string of bits d by concatenating its entries as follows:
d=d11∥d12∥…∥d1n∥d21∥d22∥…∥d2n∥dnn.
Relying on the discussed observations, we conclude that d is the bit string representing the initial message with junk symbols at the end. These can now be dropped to leave us with the initial message.
Proof of Perfect Secrecy
In this section, we consider the security of the proposed symmetric encryption. Our main goal is to show that our scheme possesses the property of perfect secrecy (2). To achieve this, we start by formulating and proving an important result involving the distribution of the MPF value entries.
Let us assume that the entries of the matrixWare random variables distributed uniformly inM2tandYis a permutation matrix modulo 2 with entries uniformly distributed in the subsets of even and odd elements ofZ2t−1, respectively. Under these conditions the entries of the MPF exponent valueE=YWYare uniformly distributed inM2t.
Let us apply previously defined mappings Φ(·) and Ψ(·) to the matrix W of the form (11). Recall that due to the statement of the lemma, entries of Φ(W)=A and Ψ(W)=A are uniformly distributed in Z2 and Z2t−1, respectively.
Since Y is a permutation matrix modulo 2, it mixes up the entries of A without changing them. For this reason, the entries of Φ(E) are uniformly distributed in Z2. Hence powers of generator b in matrix E are uniformly distributed in Z2.
We now consider the distribution of the powers of generator a in matrix E. Keeping in mind the properties of permutation matrices, without loss of generality we onwards consider a special case of identity permutation, i.e. we assume that odd entries of the matrix Y are located on its main diagonal. We make a remark regarding the general case of the permutation matrix later in this proof.
Let us focus on the intermediate result V=YW and apply mapping Ψ(·) to this matrix. We can express every entry ψ(vij) as follows:
ψ(vij)=∑k=1nλkjyik+γij,
where γij∈{0,2t−2} can be one of two possible values depending on the number of times extra summand 2t−2 was added. We split the sum (23) into two parts based on the parity of entries of the matrix Y. Then, for even values of Y we have:
sij=∑k=1,k≠inλkjyik+γij.
Due to the special structure of matrix Y, we have a single summand of the sum (23) containing an odd entry yii. Hence, we denote
uij=λijyii.
Note that if Y is a permutation matrix other than identity modulo 2, then the column index changes in the extracted summand. The omitted index in sum (24) changes as well. These are the only two differences in the general case.
Due to construction, all possible values of the sum (24) lie in the subset of even elements of Z2t−1 and hence we claim that:
∑r=02t−2−1Pr(sij=2r)=1,
which is true, since these probabilities form a total probability. The exact values of these probabilities are irrelevant.
Considering the only odd summand, we can calculate the following probability:
Pr(uij=u0)=Pr(λijyii=u0)=Pr(λij=u0yii−1)=12t−1,
where u0∈Z2t−1 is fixed. This comes from the fact that gcd(yii,2t−1)=1 and hence yii−1 exists. Moreover, λij is uniformly distributed due to the statement of the lemma.
Meshing facts (26) and (27) together we obtain the following result:
Pr(ψ(vij)=z0)=Pr(sij+uij=z0)=Pr(uij=z0−2r)Pr(sij=2r)=12t−1∑r=02t−2−1Pr(sij=2r)=12t−1.
This result means that powers of generator a in an intermediate matrix V are distributed uniformly in Z2t−1. Note also that since the term γij does not play a major part in this calculation, distributions of power of both generators are independent of each other, i.e. powers of generator b do not in any way affect the distribution of powers of generator a.
Similar calculations of probabilities can be performed for the powers of generator a in the matrix VY=YWY=E. Relying on the uniform distribution of entries of the matrix V and properties of the matrix Y we conclude that powers of generator a in matrix E are distributed uniformly.
Lastly, since the powers of both generators in matrix E are distributed uniformly and are independent of each other, the lemma is valid. □
The probabilityPr(E=E0), whereE0is a fixed matrix defined overM2t, equals:
Pr(E=E0)=12n2t.
The proved lemma shows that we have obtained evidence of perfect secrecy property for our protocol. We establish this fact by proving the following theorem:
LetK→=(X,Y,Δ)be a random key uniformly chosen from the set of keysKand letMbe a random matrix chosen from the set of messagesMin an arbitrary way. Assume also that probability distributions ofK→andMare independent and fully determine the distribution of the matrixCin the set of cipher value matricesCtogether with the encryption algorithmEnc(·). Under these assumptions, the proposed Shannon cipher in (18) based on MPF is perfectly secure.
Let us consider encryption algorithm (18). Firstly, we turn our attention to matrix C1 and focus on the powers of generator a. Denoting Ma+X=U we rewrite each entry of matrix U in the following form:
uij=xij+maij,i,j∈{1,…,m}.
Due to the statement of the theorem, entries xij are chosen at random and are uniformly distributed in Z2t−1, whereas entries maij are random arbitrary distributed values in Z2t−1. For any fixed matrix U0 with entries u0ij∈Z2t−1, we have
Pr(uij=u0ij)=Pr(xij=u0ij−maij)==12t−1∑m0ij∈Z2t−1Pr(maij=m0ij)=12t−1,
where m0ij are fixed elements of Z2t−1.
We now calculate the conditional probabilities of the entries of matrix U:
Pr(uij=u0ij∣maij=m0ij)=Pr(xij=u0ij−m0ij)=12t−1,
since the entries xij and maij are independent, and the difference u0ij−m0ij∈Z2t−1.
Another important property of matrix U is the independence of its entries. Since all xij, i,j=1,…,m, are independent, for all u0ij∈Z2t−1 we have:
Pr(⋂i,j=1n{uij=u0ij})=Pr(⋂i,j=1n{xij+maij=u0ij})=∑m∈Z2t−1Pr(⋂i,j=1n{xij=u0ij−m0ij},⋂i,j=1n{maij=m0ij})=12n2(t−1)∑m0ij∈Z2t−1Pr(⋂i,j=1n{maij=m0ij})=12n2(t−1).
In the last step we used the fact that the sum ∑m0ij∈Z2t−1Pr(⋂i,j=1n{maij=m0ij}) is the total probability and hence is equal to 1.
Relying on the obtained equalities (31), (32) and (33) we claim that:
Pr(U=U0)=Pr(U=U0∣Ma=Ma0)=12n2(t−1),
where Ma0 is a fixed matrix defined over Z2t−1.
Similarly, matrix Δ is chosen uniformly from Z2. For this reason, analogous observation holds for the matrix sum Mb+Δ, with probability 2−n2. However, both sums in the expression of C1 are independent of each other and hence we have:
Pr(C1=C10)=Pr(C1=C10∣M=M0)=12n2·12n2(t−1)=12tn2,
where C10 is a fixed matrix defined over M2t and M0 is a fixed matrix defined over Z2t. Hence we have shown that the entries of matrix C1 are uniformly distributed in M2t.
Let us denote the set of all possible values of the key matrix Y by KY. Note that each matrix from this set reduced modulo 2 is a permutation matrix and hence the cardinality of this set is |KY|=n!·2n2(t−2).
We now consider the second step of the encryption algorithm (18), i.e. matrix C2. Due to Lemma 1, entries of MPF value are uniformly distributed in M2t. All that is left is to explore the conditional probabilities of its entries which are expressed as follows:
Pr(C2=C20∣M=M0)=Pr(C2=C20,M=M0)Pr(M=M0).
Explicit calculations of probability Pr(C2=C20,M=M0) are presented below in matrix form for simplicity:
Pr(C2=C20,M=M0)=Pr(Y(C1)Y=C20,M=M0)=(∑Y0∈KYPr(C1=Y0−1(C20)Y0−1)·Pr(Y=Y0))Pr(M=M0)=12tn2·(∑Y0∈KYPr(Y=Y0))·Pr(M=M0)=12tn2·Pr(M=M0),
where Y0∈KY is a fixed matrix. Here we used the fact that the entries of C1 are identically uniformly distributed and are independent of the matrix M. Also, keeping with our notation, the sum ∑Y0∈KYPr(Y=Y0) represents a total probability and hence is equal to 1. Note that we use the notation Pr(M=M0) to indicate the probability of a certain fixed message, which is then split into two parts Ma and Mb.
We limit ourselves to the matrix form of these calculations since the expression of probability for a single entry of C2 is much more complicated due to restriction on matrix Y.
Since expression (37) is a numerator of conditional probability (36), we obtain the following result:
Pr(C2=C20∣M=M0)=12tn2·Pr(M=M0)Pr(M=M0)=12tn2.
Comparing this result to the expression (29), we can see that the distributions match and hence draw a conclusion that entries of the matrix C2 are independent of plaintext matrix M.
The proof for the last step of the encryption algorithm is analogous to the proof for the first step since the matrix Δ∥X consists of uniformly distributed in Z2t entries whereas the shifting function does not have an impact on the distribution of the entries of the other matrix summand. □
Due to the proven result, we can see that no information about the plaintext is leaked by the encryption algorithm. This is the essential property any good symmetric cipher should possess.
Comparison With One-Time Pad
A classic example of a perfectly secure cipher is the one-time pad scheme proposed by G. Vernam in the early XX century. It uses a key k the size of the message mu and a simple XOR operation ⊕ to obtain a ciphertext c=μ⊕k. Decryption works similarly, i.e. μ=c⊕k.
However, despite being an ideal cipher, its practical implementation is highly limited. Firstly, the size of the secret key is a big problem, e.g. encrypting a 1GB file requires a key of the same size. Obviously, no user wants to waste his memory space storing such a key. So far in this sense, our cipher seems even worse since the size of the key is about twice the size of the message. Moreover, regardless of any actions we make, the size of the secret key has to be at least the size of the message for our cipher to remain perfectly secure. This fact is called the Shannon theorem.
The logical question now is if we can gain any benefits by using such a key to encrypt a message. To answer this question we consider another flaw in the one-time pad scheme. It is widely known that reusing the same key k to encrypt messages μ1, μ2 results in a catastrophe, i.e. any adversary possessing c1=μ1⊕k and c2=μ2⊕k is able to restore μ2 given that the plaintext μ1 is known to him since he can perform the following calculation:
c2⊕c1⊕μ1=(μ2⊕k)⊕(μ1⊕k)⊕μ1=μ2.
This fact can be viewed as gaining an advantage of 1 in winning the following Attack Game aimed at the recovery of data encrypted by a fixed key k:
For a given symmetric cipherε=(Enc(k,μ),Dec(k,c))defined over(K,M,C)define the following attack game:
The challenger picks at random a secret keyk∈K;
The adversary sends a sequence of queriesμ1,μ2,…,μQof equal size to the challenger;
The challenger calculates the ciphertextsc1,c2,…,cQ, whereci=Enc(k,μi), and sends them to the adversary;
The adversary outputs a pair(μ,c), whereμ∈M∖{μ1,μ2,…,μQ}andc∈C∖{c1,c2,…,cQ}. He wins ifc=Enc(k,μ).
We let the adversary be adaptive, i.e. he can choose his queries based on the ciphertexts obtained from the challenger.
Obviously, for the case of a one-time pad scheme, an adversary requires a single query, i.e. Q=1. In fact, the secret key k is trivially recoverable in this case.
Let us denote the event of winning the Attack Game 1 by W.
The advantage of the adversary A in winning the Attack Game 1 is given by
KRadv[A,ε]=|Pr(W)−1|K||,
where |K| denotes the cardinality of the keyspace.
Note that due to expression (39) the adversary may not necessarily obtain the secret key k to win the game as long as he can output a working pair (μ,c). Hence, he has two alternatives to winning: determining the secret key or using the obtained replies to gain a way to output a working pair. The advantage KRadv[A,ε] shows how much better than randomly guessing the key can the adversary A do.
The symmetric cipher is secure under key reuse if for any poly-bounded number of queries Q the advantage KRadv[A,ε] is negligible.
As we have seen one-time pad is not secure under key reuse. We prove the following proposition:
The Shannon block cipher defined by the encryption algorithm (18) and decryption algorithm (20) is secure under key reuse.
Let us consider both alternatives for winning the Attack Game 1.
Firstly, we consider determining the key strategy. Assume that the adversary A received ciphertext matrices C(1),C(2),…,C(Q) matching the known message matrices M1,M2,…,MQ. Here we use the upper indexes for C’s to distinguish challenger responses from intermediate results of the encryption algorithm (18). Hence, an adversary can analyse the following system of equations:
C(1)=Shiftκ(2t−1Φ(C2(1))+Ψ(C2(1)))+(2t−1Δ+X),C(2)=Shiftκ(2t−1Φ(C2(2))+Ψ(C2(2)))+(2t−1Δ+X),…C(Q)=Shiftκ(2t−1Φ(C2(Q))+Ψ(C2(Q)))+(2t−1Δ+X),
where matrices X, Y, Δ are unknown, C2(1),C2(2),…,C2(Q) are intermediate matrices at the second step of the encryption function (19), and C(1),C(2),…,C(Q) are its output values, i.e. responses the adversary A sees. However, simplifying this system is not an easy task, since at the very least we have to take the non-commuting nature of M2t into account. In other words, reducing all the equations modulo 2t−1 which would remove the non-commuting aspect of M2t is not helpful since in expression (19) the matrix Δ immediately vanishes along with leading bits of the first term. Furthermore, the shifting operator is not action preserving thus any calculations analogous to (39) are inefficient. For example, computing C(1)−C(2) we get:
C(1)−C(2)=Shiftκ(2t−1Φ1+Ψ1)−Shiftκ(2t−1Φ2+Ψ2),
where notations Φ1, Φ2, Ψ1, Ψ2 are used to shorten the appropriate expressions in (41). We have
Shiftt−κ(C(1)−C(2))≠2t−1Φ1+Ψ1−2t−1Φ2−Ψ2
and thus we cannot make a new equation based on the obtained responses.
Hence, even knowing the parameter k the adversary A cannot use this information to formulate an advantageous system of equations to extract the secret key. As such we conclude that the key determination strategy is not applicable.
Hence we consider the other option, i.e. using the responses to find a way of outputting a working pair. In this scenario, we assume that an adversary obtained n2 matrices C(1),C(2),…,C(n2). Moreover, we can also assume that the correspondent message matrices M1,M2,…,Mn2 are linearly independent and hence form a basis of the linear space M=Mat(Z2t). Then he can express each subsequent query Mj, j>n2{n^{2}}$]]> as a linear combination of M1,M2,…,Mn2. Also, since C=M on the same basis can also be used to express the ciphertext matrices C(1),C(2),…,C(n2), as well as the corresponding response C(j) as a linear combination of M1,M2,…,Mn2. Hence, the adversary can get the following results:
Mj=∑i=1n2αijMi;C(j)=∑i=1n2βijMi.
However, the coefficients αij and βij change independently of each other due to the perfect secrecy property of our cipher, thus establishing a non-linear link between these coefficients. In other words, the obtained coefficients βij seem completely random to A.
For this reason a relation between coefficients αij and βij can be viewed as a random permutation mapping P(α)=β, where α,β∈Z2t−1n2. Define an adversary B who plays the role of challenger to A and plays the Attack Game 4.1 (see Boneh and Shoup, 2020) with his challenger. Recall that Attack Game 4.1 is aimed at distinguishing an encryption function from a random permutation. To be self-contained, let us revise this game:
For the block cipherε={Enc(K→,M),Dec(K→,C)}we define two experiments. Then for a valueβ∈{0,1}we have an Experiment β:
The challenger selects a functionEβas follows:
Eβ=Enc(K→,M),ifβ=0;Rand(M),otherwise.
The adversaryBsubmits a sequence of queries, i.e. plaintexts in their matrix formMi, wherei=1,2,…,Q;
For the i-th query the challenger computesC(i)=Eβ(Mi)and sends all theCi’s to an adversary;
Boutputsβˆ∈{0,1}.
Denote byWβthe random event that in Experiment βBoutputs 1. ThenB’s advantage is defined asBCadv[A,ε]=|Pr(W1)−Pr(W0)|.
Whenever B receives a query Mj from A, he sends it to his challenger and afterward forwards the obtained response Cj back to A. Steps 1 and 3 of the Attack Game 1 are performed by B’s challenger. Due to the perfect secrecy of our cipher, B’s advantage in winning the Attack Game 2 on his own is negligible, i.e. he cannot tell apart the encryption function from a random permutation. On the other hand, if A can output a working pair (M,C) with a non-negligible probability p, then B can send M as his (Q+1)-st query to his own challenger and achieve an advantage of p−ϵ in Attack Game 2 if C=CQ+1. However, to achieve an advantage p, the adversary A has to distinguish a specific mapping P(α)=β among other possible permutations with that particular probability. This would imply that not all choices are equally possible and hence it contradicts the perfect secrecy of our cipher.
As such, we see that the only chance the adversary A has is to randomly guess a pair (M,C) and hope for it to work. However, due to the design of Attack Game 1, there are |M|−Q leftover working pairs out of (|M|−Q)2 possible pairs. Furthermore, due to restrictions applied to the key matrices (X,Y,Δ), the size of the keyspace is
|K|=2n2(t−1)·2n2(t−2)n!·2n2=2n2(2t−2)n!,
where each multiplier describes the total choices of X, Y, and Δ, respectively.
Then we can evaluate A’s advantage in Attack Game 1 as follows
KRadv[A,ε]=||M|−Q(|M|−Q)2−12n2(2t−2)n!|=|12n2t−Q−12n2(2t−2)n!|=n!2n2(t−2)−1+Q·2−n2t(2n2t−Q)n!2n2(t−2).
Throwing away a negligible term Q·2−n2t and approximating the ratio n!2n2(t−2)−1n!2n2(t−2)≈1 we obtain the following result:
KRadv[A,ε]<12n2t−Q,
which is the probability of randomly guessing a working pair (M,C). The obtained advantage is negligible which ends the proof. □
This result is a significant advantage of our cipher over the one-time pad technique. Specifically, as opposed to a one-time pad we do not need to use a different key whenever we use our scheme to encrypt a message. Furthermore, this beneficial property of our cipher greatly outshines the drawback of using a longer key, since it unlocks the implementation of different types of modes, e.g. CBC. This ability follows from the fact that we have to use the same key to encrypt a large number of blocks. As the one-time pad is insecure under key reuse, no encryption mode can ever be constructed on its basis.
CBC Mode of the Proposed Block Cipher
The general idea of the CBC mode is to unite encrypted chunks of the message into a chain. To withstand the chosen plaintext attack, our cipher has to be probabilistic. The commonly used solution is to use a randomly generated initialization vector IV. In our case, we interpret it as a matrix C(0)∈Mat(Z2t). We use this matrix together with the secret key K→ to create a chain in the following way:
C(i)=Enc(K→,Mi+C(i−1)),
where Enc(K→,M) is the encryption function defined by (19). The result of this procedure is the ciphertext
c=c11(0)∥c12(0)∥…∥cnn(0)∥c11(1)∥c12(1)∥…∥cnn(1)∥…∥cnn(l),
where l denotes the number of blocks. The decryption of a ciphertext is performed as follows:
Mi=Dec(K→,C(i))−C(i−1),
where Dec(K→,C) is a decryption function defined by (21). The proof of the correctness of CBC mode follows from the result proven in Section 3.4.
We see that the ciphertext is longer than the plaintext which is a common practice when implementing a CBC mode. As the number of blocks gets larger, the CBC mode of our cipher becomes more efficient as compared to the one-time pad technique. Furthermore, the proof of a perfect secrecy property still holds for a single block Mi. However, we emphasize that when referring to the perfect secrecy property we only consider the initial block cipher. Obviously, as the number of blocks increases, the size of the message surpasses the size of the key and hence the CBC mode is not perfectly secure, which is consistent with the Shannon theorem.
Resistance Against Chosen Plaintext Attack
In this section, we consider the security of our scheme. More precisely, we turn our attention to the chosen plaintext attack which is aimed at the newly defined CBC mode. Any efficient adversary capable of successfully executing this attack can distinguish a plaintext corresponding to the received ciphertext based on the obtained responses to his queries. Moreover, the adversary is adaptable, which means that he can base his queries on the received information. The formal description of this attack is presented here as the following game:
For a given symmetric cipherε=(Enc(k,μ),Dec(k,c))defined over(K,M,C)define the CBC modeε′=(Enc′(K→,μ),Dec′(K→,c))using encryption and decryption functions (44) and (45) respectively. Consider the following attack game:
The challenger selects a random keyK→;
The adversaryAsubmits a sequence of queries i.e. plaintext pairs(μi0,μi1)of equal lengths, wherei=1,2,…,Q;
For the i-th query the challenger computesci=Enc′(K→,μiβ), whereβ∈{0,1}is the Experiment indicator, and sends all theCi’s to an adversary;
Aoutputsβˆ∈{0,1}.
Denote byWβthe random event that in Experiment βAoutputs 1. ThenA’s advantage is defined asCPAadv[A,ε′]=|Pr(W1)−Pr(W0)|.
Note that the challenger of the Attack Game 3 always encrypts either the first or second messages of each query. The essence of the presented Attack Game is that an adversary can win it with a non-negligible probability if he can somehow relate the received ciphertext ci to the correct message in the pair (μi0,μi1).
Let us make two important observations. Firstly, the message space of the CBC mode is super-poly. In fact, its size is |M|=2n2t. Secondly, the number of blocks l is poly-bounded and determined by the length of the plaintext as follows:
l=|μ|n2t.
For these reasons we rely on a strategy presented in (Boneh and Shoup, 2020) to prove the following claim:
Consider probabilistic cipherε′={Enc′(K→,μ),Dec′(K→,c)}. For all efficient adversariesAtheir advantage in Attack Game3is expressed as follows:
CPAadv[A,ε′]=Q2l2(l+1)2n2t−1+2BCadv[B,ε],where Q is the number of queries in Attack Game3, l is the total number of blocks needed to encrypt a plaintextμibandBCadv[B,ε]is the advantage of the adversaryBin winning the Attack Game2.
Before presenting the proof for this theorem, we emphasize that the main adversary in the Attack Game 3 is A. However, he also communicates with adversary B, who attacks the block cipher ε as in Attack Game 2 and forwards A’s queries to his challenger.
Note that before encrypting the first block of the plaintext μiβ a challenger randomly selects an initialization vector C(0) and hence the intermediate block C1(i) consists of random uniformly distributed entries. Hence, by the construction of our scheme the advantage CPAadv∗[A,ε′] of adversary A to win a bit-guessing version (i.e. an adversary wins the game if βˆ=β) of the Attack Game 3 is given by:
CPAadv∗[A,ε′]=|Pr(W0)−12|,
i.e. he can do no better than randomly guessing the Experiment indicator β.
To improve his chances A collaborates with another adversary B whose purpose is to analyse the original block cipher by playing the Attack Game 2. Adversary B wins if he can distinguish between the encrypted block and a random permutation. This is where the perfect secrecy property of our cipher plays a significant role. Due to this property, the entries of the ciphertext matrix C(j) are statistically independent of the entries of the original message block Mj. Hence, this behaviour is indistinguishable from a random permutation and thus the adversary B cannot gain any significant advantage.
Moreover, since the initialization matrix C(0) is selected randomly from a significantly large space of possible values (in fact, the size of this space is super-poly), the responses to multiple queries of the same plaintext are almost always distinct. This claim is based on two facts: choosing the same initialization matrix is practically an impossible random event and the encryption function is a one-to-one mapping. As such, BCadv[B,ε] can be estimated in the following way:
BCadv[B,ε]⩽1|K|=12n2(2t−2)n!.
Obviously, this advantage is negligible for all blocks, including the first one. Moreover, it is negligible even compared to the first term of CPAadv[A,ε′] as can be seen from (46).
The strategy now is to introduce Games 2 and 3 as in the proof of Theorem 5.4 of (Boneh and Shoup, 2020) and evaluate the appropriate results. These games explore the changes influenced by switching from a permutation to a one-to-one mapping and then to many-to-one mapping. These changes are unnoticeable to the adversary under the assumptions that ε is a secure block cipher and the message space is super-poly. Both these assumptions are satisfied for our scheme. We limit ourselves to the essence of these games and leave their detailed description outside of this paper since they are technical and universal for all encryption algorithms. The changes are minor and involve the algebraic structures and actions used in the initial block cipher. In our case – matrix space Matn(Z2t) and entry-wise addition modulo 2t. □
Note that we used the same Attack Game 2 in this proof as in Section 5. This comes from the fact that a good block cipher should be indistinguishable from a random permutation and unpredictable. As it was shown, Attack Game 2 plays an important role in establishing both of these properties.
Let us end this section by presenting an example of computing the CPAadv[A,ε′]. Inspired by the fact that AES encrypts a 128-bit block, we pick the non-commuting group M256 and consider 4×4 matrices, i.e. public parameters t=8, n=4 and the size of the block is n2t=42·8=128 bits. Furthermore, we limit the message size by 232 blocks and hence can encrypt 239 bits (64 GB) of information. Then we get the following result:
CPAadv[A,ε′]⩽Q2·264(232+1)2127+12223·24⩽Q2·2−159.
Then by sending Q=240 queries, the adversary gains an advantage CPAadv[A,ε′]⩽2−79. Relying on the obtained advantage, a tolerable value may be fixed, thus determining how often must the session key be replaced.
Discussion and Conclusions
In this paper, we proposed a new Shannon cipher based on a special case of MPF. Instead of several rounds, our symmetric encryption scheme uses only one round. However, the operations we use are more complex. Moreover, we use a non-commuting platform group in our construction which contributes to the overall security of our cipher.
In our scheme we can manipulate two parameters: the size of square matrices n and the size of the platform group determined by t. This feature makes our scheme flexible and easy to adapt to messages of any length. However, more investigations are needed to make reasonable recommendations for the values of parameters n and t depending on the message length. This is one of the possibilities for future work in this research.
We have proven that our cipher has the property of perfect secrecy and hence the encryption algorithm itself does not leak any information about the plaintext. This is one of the essential properties of a good symmetric encryption scheme.
The perfect secrecy of our block cipher also favourably distinguishes it from a widely used AES scheme, whose perfect secrecy property for a single block to our knowledge has not been established. We also think that a significant boost in the performance of our cipher is because matrix operations can be parallelized and hence the encryption of a single block can be executed on multiple processors. Relying on our findings presented in Mihalkovich et al. (2022), we expect that the non-commuting platform group used in our paper also contributes to the performance of our scheme. Since all powers of the elements of M2t are reduced modulo 2t, the reduction process is much simpler than reducing modulo a prime. For this reason, we think that our proposal can produce better results than those presented in Mihalkovich et al. (2022). However, verifying this claim requires additional research thus far.
Relying on the fact that our cipher is secure under key reuse, we defined a CBC mode for our cipher. As the message becomes longer, its length surpasses the size of the secret key, and hence due to the Shannon theorem, the perfect secrecy property is lost. However, since perfect secrecy also implies semantic security of a block cipher, we claim that the CBC mode can be considered safe in this weaker sense, i.e. an efficient adversary cannot gain a significant advantage in linking a ciphertext c to the correct plaintext.
Moreover, in Section 7 we have shown that the probabilistic cipher ε′ can resist an adaptive chosen plaintext attack, i.e. the previously obtained responses to the sent queries in no way help the efficient adversary to gain a significant advantage in Attack Game 3.
ReferencesBoneh, D., Shoup, V. (2020). A Graduate Course in Applied Cryptography.Grundman, H.G., Smith, T.L. (1996). Automatic realizability of Galois groups of order 16. In: Proceedings of the American Mathematical Society, AMS ’96. AMS, Rhode Island, USA, pp. 2631–2640.Grundman, H.G., Smith, T.L. (2010a). Galois realizability of groups of order 64. Central European Journal of Mathematics, 8(5), 846–854.Grundman, H.G., Smith, T.L. (2010b). Realizability and automatic realizability of Galois groups of order 32. Central European Journal of Mathematics, 8(2), 244–260.Katz, J., Lindell, Y. (2007). Introduction to Modern Cryptography. CRC Press, New York.Levinskas, M., Mihalkovich, A. (2021). Avalanche effect and bit independence criterion of perfectly secure Shannon cipher based on matrix power. Mathematical Models in Engineering, 7(3), 50–53. https://doi.org/10.21595/mme.2021.22234.Michailov, I. (2007). Groups of order 32 as Galois groups. Serdica Mathematical Journal, 33(1), 1–34.Mihalkovich, A. (2018). On the associativity property of MPF over M16. Lietuvos matematikos rinkinys: Lietuvos matematiku draugijos darbai, Serija A, 59, 7–12.Mihalkovich, A., Levinskas, M., Makauskas, P. (2022). MPF based symmetric cipher performance comparison to AES and TDES. Mathematical Models in Engineering, 8(2), 15–25. https://doi.org/10.21595/mme.2022.22517.Mihalkovich, A., Sakalauskas, E., Luksys, K. (2020). Key exchange protocol defined over a non-commuting group based on an NP-complete decisional problem. Symmetry, 12, 1389. https://doi.org/10.3390/sym12091389.Sakalauskas, E., Luksys, K. (2012). Matrix power function and its application to block cipher s-box construction. International Journal of Innovative Computing, Information and Control, 8(4), 2655–2664.Sakalauskas, E., Mihalkovich, A. (2018). MPF problem over modified medial semigroup is NP-complete. Symmetry, 10(11), 571. https://doi.org/10.3390/sym10110571.Sakalauskas, E., Mihalkovich, A., Uselis, A. (2020a). Security analysis of KAP based on enhanced MPF. IET Information Security, 14(4), 410–418.Sakalauskas, E., Dindiene, L., Kilciauskas, A., Luksys, K. (2020b). Perfectly secure Shannon Cipher construction based on the matrix power function. Symmetry, 12, 860. https://doi.org/10.3390/sym12050860.Shannon, C.E. (1949). Communication theory of secrecy systems. The Bell System Technical Journal, 28(4), 656–715.Sylow, M.L. (1872). Théorèmes sur les groupes de substitutions. Mathematische Annalen, 5, 584–594. https://doi.org/10.1007/BF01442913.