1. Introduction
The modern design of block ciphers is based on the confusion–diffusion paradigm introduced by Claude Shannon ([1]). A direct implementation of this paradigm is a substitution–permutation network (SPN), which is used for block cipher construction when it is realized in multiple rounds, each of which uses a different sub-key derived from the original key. This procedure is applied to every data block when the data is divided into separate blocks for encryption.
One example of an SPN realization for a standardized symmetric block cipher is the Data Encryption Standard (DES), adopted in 1977 ([2]). The corresponding block cipher was proposed on this basis. In order to increase the security of DES, whose key length is only 64 bits (while the real security relies on a 56-bit key), the Triple DES (TDES) algorithm was adopted by the ANSI committee X9.F.1 in 1998. Since this algorithm was popular and widely used, special recommendations for the Triple Data Encryption Algorithm (TDEA) were accepted in 2017 to modify the block cipher ([3]).
The other sound realization of the SPN is the design of the block cipher adopted as the Advanced Encryption Standard (AES) ([4]).
We have restricted our consideration to the encryption of a single data block using the confusion–diffusion paradigm. Then, this encryption can be considered as the Shannon cipher outlined in ([5]). If the Shannon cipher is proved to be secure under certain conditions, then, on that basis, a secure block cipher can be created. Hence, the Shannon cipher can be interpreted as a building block for block cipher construction. The security of the Shannon cipher is considered in the sense of perfect security, which is directly related to the notion of pseudo-randomness ([5]).
Perfect security, which is formulated in Lemma 1 in Section 4, is the “gold standard” in cryptography. Many security proofs are based on a computational relaxation of perfect security. The alternative definition of perfect security states that an encryption scheme is perfectly secure if no adversary can succeed with probability any better than one half. That is, an adversary is unable to distinguish the encryption of one plaintext from the encryption of another. This is called adversarial indistinguishability. On the other hand, adversarial indistinguishability is related to pseudo-randomness. If an encryption key is chosen randomly and uniformly from the key space, the ciphertext is pseudo-random and uniformly distributed on any message space.
A. C. Yao [6] revealed a fundamental relation between one-way functions (OWFs) and pseudo-random generators. Yao's theorem states that pseudo-random generators exist if and only if OWFs exist ([6]). Hence the intriguing idea is to construct a computationally efficient block cipher using a one-way function (OWF). Accordingly, if OWFs do exist, then a ciphertext is pseudo-random. Until the dilemma of the century, P vs. NP, is solved (and it is unclear whether it can ever be solved), it is believed that NP-complete problems can be accepted as conjectured OWFs.
The notion of pseudo-randomness plays a fundamental role in cryptography in general, and in private-key encryption in particular. Loosely speaking, a pseudo-random string is a string that looks like a uniformly distributed string, as long as the entity that is “looking” runs in polynomial time. Just as indistinguishability can be viewed as a computational relaxation of perfect secrecy, pseudo-randomness is a computational relaxation of true randomness.
The main reason for constructing a Shannon cipher on the basis of the MPF is that the MPF can be interpreted as a conjectured OWF. This conjectured OWF based on the MPF was proposed earlier in our papers ([7,8,9,10,11]) for the construction of some cryptographic protocols.
Some solutions applying the MPF to cryptographic function construction were proposed recently. In [12] the MPF is used for an asymmetric cipher construction, and in [13] for a digital signature algorithm. The MPF represents a class of non-commuting cryptography that is of particular interest to a certain group of cryptographers. A linear algebra attack on cryptographic functions based on the MPF is presented in [14]. This attack was prevented in our subsequent paper [11].
In general, the MPF can be defined over different algebraic structures. [15] demonstrates that a conjectured OWF based on the MPF defined over a modified medial semigroup is NP-complete. Hence there is some evidence that the MPF could also be used for block cipher construction.
This paper presents a Shannon cipher based on the matrix power function defined over specially selected algebraic structures. The first result on block cipher S-box construction using the MPF was published in [16].
The proof that the Shannon cipher based on the MPF defined over these specially selected algebraic structures is perfectly secure is presented. A cipher with perfect secrecy is unconditionally secure against a ciphertext-only attack.
Thus far, the main trend in block cipher construction has been to use a number of rounds for one data block encryption in order to achieve good confusion and diffusion, thus providing the required level of security. These rounds are performed sequentially, and therefore the computations cannot be parallelized.
The proposed Shannon cipher is realized in one round using matrix operations. Matrix operations, in their turn, can be effectively parallelized. So if we have two matrices of order n, then their addition, multiplication and powering of a matrix by a matrix can be effectively performed using n (or an integer fraction of n) parallel computations between the n rows and n columns of the operand matrices. In such a case, these computational results are the entries of a new matrix. Afterwards, the obtained matrices are combined, forming a final matrix. Hence, the proposed Shannon cipher can be effectively realized in multiprocessor computation devices.
2. Mathematical Background
Conventionally, the field of integers with addition and multiplication operations modulo 3 is denoted by Z_3 = {0, 1, 2}. The subset of Z_3 without the zero element is denoted by Z_3^* = {1, 2}. The third-order subgroup of the multiplicative group of integers modulo 7 is denoted by G = {1, 2, 4}.
Let S be any finite set. The element s chosen uniformly at random from S we denote by
Let f be a function with the following mapping
Evidently, this mapping is one-to-one but not an isomorphism with respect to the multiplication and addition operations defined in Z_3. Then there exists the inverse one-to-one mapping f^{-1} defined by Equation (2).
Let Q = {q_ij} be a matrix with entries q_ij ∈ G. Denote, in general, matrices X = {x_ij}, x_ij ∈ Z_3, and Y = {y_ij}, y_ij ∈ Z_3. All matrices are square and of order n. Symbolically, the matrix power function (MPF) is defined in the following way:
where matrix C = {c_ij} is defined over G.
Group G is called the platform group and field Z_3 the power field. Then, formally, matrices Q and C are defined over the direct product group built from G, and matrices X, Y over the direct product built from Z_3.
Formally, the MPF is defined by the following relation
Then the MPF provides the following mapping
where C = {c_ij} and c_ij ∈ G.
Let C = {c_ij} be a matrix defined over Z_3. Then the mapping f defined in Equations (1) and (2) can be applied separately to all entries of matrix C, obtaining a mapping F. For all i, j we have
where .
Mapping F simply replaces all entries of matrix C = {c_ij} by the entries of the image matrix, where, according to Equations (1) and (2), .
To construct a symmetric cipher based on the MPF introduced by Equations (3)–(5) we need an additional matrix, namely matrix M = {m_ij}, m_ij ∈ Z_3, defining a message to be encrypted.
The symmetric encryption–decryption key K in our construction is represented by two invertible matrices, K = (X, Y). To satisfy the security conditions, the matrix Y must be invertible and its entries are randomly generated from the subset Z_3^*, i.e., y_ij ∈ {1, 2}. X is randomly generated from the subset , .
3. Shannon Cipher Construction Based on the Matrix Power Function (MPF)
Conventionally, the Shannon cipher is any deterministic cipher. It is defined over the key space K, the message space M and the ciphertext space C.
Definition 1. The Shannon cipher is defined by the following triplet , where
In general, it is assumed that M is a random variable distributed over the message space M; however, it is not assumed that M is uniformly distributed over M. The key K is uniformly distributed in K and is independent of M, while the ciphertext is a random variable distributed over the ciphertext space C.
The Shannon cipher is constructed for plaintext and ciphertext blocks defined by matrices and , respectively, over the field , where and . Hence the message space M consists of matrices M and ciphertext space C of matrices C and both spaces are denoted by .
The key space K consists of two matrices X and Y composing a vector valued symmetric key , where , and , . Then the key space K is a direct product of the spaces . The additional requirement is that the matrix Y is an invertible matrix.
The encryption operation for one data block M consists of the following three steps:
where + is conventional matrix addition and ⊙ is the Hadamard product of matrices, i.e., the product in which matrix entries are multiplied entrywise, position by position, in the same manner as entries are added in conventional matrix addition.
Symbolically, these steps can be expressed using three encryption functions Enc1, Enc2 and Enc3 in the following form
Equations (6) can be rewritten as one single equation
The obtained ciphertext C is a matrix of order n defined over Z_3, just like the message matrix M.
For the decryption we need to introduce an inverse matrix in the Hadamard sense in Z_3^*. Let a matrix T be in Z_3^*. Then the inverse matrix, in the Hadamard sense, of matrix T is such that
where is a matrix consisting of all elements equal to 1.
The decryption procedure is performed in reverse order. Since matrix has its inverse in , while the algebraic structures, namely group G and field Z_3, are symmetric, then
where is the inverse matrix of matrix in the Hadamard sense and ⊙ is the Hadamard product of matrices.
By fixing a uniformly and randomly generated key K, the two-argument encryption function can be interpreted as the following one-to-one permutation function , where
Looking forward, we intend the constructed Shannon cipher to be suitable for creating a block cipher with one round per block M operation. The defined block length is , composed of digits in . The main property required for this application is that should behave like a random permutation. However, since realizing a random permutation with a practically acceptable block length is impractical, the notion of a pseudo-random permutation is introduced. Intuitively, we call pseudorandom if, for a randomly and uniformly chosen key K, it is indistinguishable from a function chosen uniformly at random from the set of all functions having the same domain and range. For this reason, Shannon introduced the confusion–diffusion paradigm ([1]).
A direct implementation of the confusion–diffusion paradigm is a substitution–permutation network ([17,18]). There are two confusion phases, namely and , in Equation (6). The encryption key for these operations is matrix X. The diffusion phase is realized by computing in the intermediately encrypted data block in .
In the next section we demonstrate that is a perfectly secure pseudo-random permutation.
4. Security Analysis
Let be a fixed value in the message space M and be in C. Referring to [5], the following lemma can be formulated.
Lemma 1. An encryption scheme over a message space M is perfectly secret if and only if for every probability distribution over M, every message , and every ciphertext
which means that the conditional probability is equal to the unconditional probability, and hence the ciphertext is independent of the message. Before proving the main theorem of perfect security we need to prove the following lemmas.
Lemma 2. If random variables are independent and uniformly distributed in , and w is uniformly distributed in independent of and , then distribution of is uniform in , and random variable has uniform distribution in .
Proof. Since and are independent, we can easily write the following probabilities:
where summation over gives two possible combinations of (see contingency Table 1).
According to the above, is uniformly distributed in .
Denote . Under the assumption of independence we get the following probabilities (also seen in Table 2):
where summation over gives two pairs of ( ) equal to each j.
These probabilities imply that the distribution of is uniform in , and the lemma is proved. ☐
Lemma 3. If random variables are independent and uniformly distributed in , then the distribution of is uniform in .
Proof. In the case , this lemma is simply proven by contingency Table 3. Or, in short,
where summation over gives three possible combinations of .
We assume that the lemma holds for :
It is sufficient to show that the lemma is valid for , which follows directly from the assumption of independent random variables and Equation (8):
Hence the lemma is proven. ☐
The Theorem of Perfect Security
Referring to Lemmas 1–3, we prove the following theorem.
Theorem 1. If a key K is chosen randomly and uniformly from K, the probability distribution of M over M is arbitrary, the distributions of K and M over K and M are independent and, given the encryption algorithm , the distribution of C over C is fully determined by the distributions over K and M, then the Shannon cipher in Equation (6) based on the MPF is perfectly secure.
Proof. Each element of matrix in Equation (6) of order n takes the following form:
If are chosen at random and are uniformly distributed, and are random, arbitrarily distributed values in , then for all
The probability in Equation (9) can be seen directly from the table of values (see Table 4).
Conditional probabilities:
because and are independent, and .
Equalities (9) and (10) prove that
Let us turn to matrix of Equation (6). Denote the elements of matrix of order n by:
where are chosen randomly and are uniformly distributed over and . According to Lemma 2, the multiplication is a uniformly distributed (in ) random value and all are uniformly distributed in . For simplicity, denote .
Since is the product of independent random variables from , Lemma 3 yields that for all and :
The conditional probabilities of the elements of matrix are the following:
here . Using the independence of matrices X, Y and :
According to Lemma 3, expression takes values in . The inverse variables are also in (see Table 5).
Equalities (12)–(14) prove that
that is, the elements of matrix are independent of the elements of matrix . Since matrix M is in the expression of , matrix is independent of M too.
The third equation in Equation (6) for each element of the matrix of order n can be rewritten in the following form
Similarly as in Equations (9) and (10), we obtain that
Thus, the elements of matrix are independent of the elements of matrix . By this, does not depend on the value of M.
Taking equalities (11), (15) and (16) all together, it is proved that Equation (7) holds. Hence we have proved that the proposed Shannon cipher is perfectly secure. ☐
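As an added, self-contained example (not code from the paper or its authors), the following Python implements the building blocks of Sections 2 and 3 over the page's structures, G = {1, 2, 4} inside Z_7^* as the platform group and Z_3 as the power field, and then checks the perfect-secrecy criterion of Lemma 1 by exhaustion for n = 2. Two things are assumptions, because the page does not reproduce Equations (1), (2) or (6): the bijection f is taken as f(k) = 2^k mod 7 (0 → 1, 1 → 2, 2 → 4), and the three encryption steps in encrypt() are an illustrative arrangement of the operations the paper names (matrix addition with X, the MPF powered by the invertible matrix Y, and a Hadamard product with Y); they are not the paper's own step order or operands. Under that arrangement the first step is a one-time pad over Z_3, so the later steps, which depend only on the padded block and on Y, leave the ciphertext independent of M, which is what the exhaustive count confirms.

```python
"""Matrix power function (MPF) over G = {1,2,4} (order-3 subgroup of Z_7^*)
with exponents in the power field Z_3, a toy one-round cipher built from the
operations the paper names, and an exhaustive Lemma 1 perfect-secrecy check.
Added example; the bijection f and the step arrangement in encrypt() are
assumptions, not the paper's Equation (6)."""
from collections import Counter
from itertools import product

P = 3    # power field Z_3
N7 = 7   # platform group G lives inside Z_7^*; every element of G has order dividing 3


def f(k):        # assumed bijection Z_3 -> G:  0 -> 1, 1 -> 2, 2 -> 4
    return pow(2, k, N7)


def f_inv(g):    # inverse bijection G -> Z_3
    return {1: 0, 2: 1, 4: 2}[g]


def F(A):        # mapping F of Section 2: apply f to every entry
    return tuple(tuple(f(a) for a in row) for row in A)


def F_inv(D):
    return tuple(tuple(f_inv(d) for d in row) for row in D)


def mpf(X, Q, Y):
    """MPF  C = ^X Q ^Y  with  c_ij = prod_k prod_l q_kl ^ (x_ik * y_lj)  (mod 7).
    Exponents are reduced mod 3 because G has order 3."""
    n = len(Q)
    C = []
    for i in range(n):
        row = []
        for j in range(n):
            c = 1
            for k in range(n):
                for l in range(n):
                    c = c * pow(Q[k][l], (X[i][k] * Y[l][j]) % P, N7) % N7
            row.append(c)
        C.append(tuple(row))
    return tuple(C)


def inv_mod(A, p=P):
    """Inverse of a square matrix over Z_p (Gauss-Jordan); None if singular."""
    n = len(A)
    M = [list(A[i]) + [int(i == j) for j in range(n)] for i in range(n)]
    for col in range(n):
        piv = next((r for r in range(col, n) if M[r][col] % p), None)
        if piv is None:
            return None
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, p)
        M[col] = [v * inv % p for v in M[col]]
        for r in range(n):
            if r != col and M[r][col] % p:
                M[r] = [(a - M[r][col] * b) % p for a, b in zip(M[r], M[col])]
    return tuple(tuple(row[n:]) for row in M)


def add(A, B, sign=1):      # entrywise A + B (sign=1) or A - B (sign=-1) over Z_3
    return tuple(tuple((a + sign * b) % P for a, b in zip(ra, rb)) for ra, rb in zip(A, B))


def hadamard(A, B):         # Hadamard product: entrywise multiplication over Z_3
    return tuple(tuple(a * b % P for a, b in zip(ra, rb)) for ra, rb in zip(A, B))


def hadamard_inv(T):        # inverse in the Hadamard sense; entries must lie in Z_3^*
    return tuple(tuple(pow(t, -1, P) for t in row) for row in T)


def encrypt(M, X, Y):
    """Assumed toy arrangement of the three step types; X over Z_3, Y over Z_3^* and invertible."""
    A = add(M, X)                   # step 1: confusion, a one-time pad over Z_3
    D = mpf(Y, F(A), Y)             # step 2: diffusion by the MPF, powered by Y on both sides
    return hadamard(F_inv(D), Y)    # step 3: confusion by a Hadamard product with Y


def decrypt(C, X, Y):
    Yi = inv_mod(Y)                          # exists because Y is invertible mod 3
    D = F(hadamard(C, hadamard_inv(Y)))      # undo step 3
    A = F_inv(mpf(Yi, D, Yi))                # undo step 2: ^(Y^-1) (^Y Q ^Y) ^(Y^-1) = Q
    return add(A, X, -1)                     # undo step 1


def matrices(n, alphabet):
    """All n x n matrices with entries from `alphabet` (constructed exhaustively)."""
    return [tuple(tuple(t[i * n:(i + 1) * n]) for i in range(n))
            for t in product(alphabet, repeat=n * n)]


def all_keys(n):
    """Key space: X over Z_3, Y over Z_3^* = {1,2} and invertible over Z_3."""
    ys = [Y for Y in matrices(n, (1, 2)) if inv_mod(Y) is not None]
    return [(X, Y) for X in matrices(n, (0, 1, 2)) for Y in ys]


def perfectly_secret(n):
    """Lemma 1 by exhaustion: with the key uniform over all_keys(n), the ciphertext
    distribution must be identical for every message (here it is also uniform)."""
    keys, msgs = all_keys(n), matrices(n, (0, 1, 2))
    expected = Counter({C: len(keys) // len(msgs) for C in msgs})
    return all(Counter(encrypt(M, X, Y) for X, Y in keys) == expected for M in msgs)


def roundtrip(n, M):
    """Decryption inverts encryption under every key of the key space."""
    return all(decrypt(encrypt(M, X, Y), X, Y) == M for X, Y in all_keys(n))


if __name__ == "__main__":
    M0, X0, Y0 = ((0, 1), (2, 0)), ((1, 2), (0, 1)), ((1, 1), (1, 2))  # constructed sample
    print("ciphertext:", encrypt(M0, X0, Y0))
    print("roundtrip:", roundtrip(2, M0), "perfectly secret:", perfectly_secret(2))
```

For n = 2 the key space has 81 choices of X and 8 invertible Y, so each of the 81 possible ciphertexts appears exactly 8 times for every message; the check would fail for any arrangement in which the same key matrix acts before and after a step that is not a bijection in the padded block, which is why the order of operands matters and the paper's Equation (6) must be consulted for the real construction.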
5. Conclusions and Discussions
One realization of the Shannon cipher is proposed. It is based on the MPF defined over specially selected algebraic structures, namely the finite field of integers modulo 3, Z_3, and the third-order subgroup G of the multiplicative group of residue classes modulo 7. Due to this special selection, it is proved that the proposed Shannon cipher is perfectly secure.
Such a cipher can be interpreted as a single data block cipher consisting of digits in . The data in this block is encoded by the numbers , i.e., by two bits. The obtained result can be extended to block cipher construction if the entire data is split into different blocks of length digits. Then we directly obtain the Electronic Code Book (ECB) mode of encryption, and on this basis the other known secure modes of encryption, e.g., Cipher Block Chaining (CBC), can be constructed.
This research proves that the proposed confusion–diffusion transformation provides perfect security in a single round of operation. The distinguishing property of the proposed cipher is that it does not require a number of round operations for one data block encryption.
The single round operation for a single data block encryption is based on matrix operations. This is the source of the other distinguishing property, namely that one block encryption can be carried out by effectively parallelizing the encryption computations. Since round operations in traditional ciphers must be performed sequentially, such parallelization of round operations cannot be realized there.
The matrix operations can be effectively parallelized. Let us assume we have two operand matrices of order n. Then their addition, Hadamard product and powering of a matrix by a matrix can be effectively performed using n (or an integer fraction of n) parallel computations between the n rows and n columns of the operand matrices. The entries of the resulting matrix are computed in parallel using operations between two n-dimensional vectors. For matrix addition or the Hadamard product, two vectors representing two columns (or rows) of the corresponding operand matrices are added or multiplied. For powering a matrix by a matrix, one base vector is raised elementwise to the powers given by the other vector, and the results of the power operations are multiplied together. The analogy of this operation is the inner product of two vectors, with addition replaced by multiplication and multiplication replaced by exponentiation, respectively. This parallelization allows us to replace the operations between matrices of order n with n operations between n-dimensional vectors.
For example, let us have a data block size represented by matrix of order . Such a data block has elements encoded by the numbers . Then, parallel computations can be performed using or even 2 microprocessors. Hence, the proposed Shannon cipher can be effectively realized in multiprocessor computation devices.
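The decomposition described above, as an added illustration that is not the paper's code: each row of the MPF result C = ^X Q ^Y is computed from "vector power products" (the inner-product analogy with multiplication in place of addition and exponentiation in place of multiplication), first against the columns of Q and then against the columns of Y, and the n independent row jobs are handed to a thread pool. The operand values are constructed; with CPython threads this shows the decomposition rather than a real speed-up, which would need processes or a compiled implementation.

```python
"""Row-parallel evaluation of the MPF over G = {1,2,4} in Z_7 with exponents in Z_3.
Added example (not the paper's code): the n rows of  C = ^X Q ^Y  are independent
jobs, each built from vector power products, and are computed by a thread pool."""
from concurrent.futures import ThreadPoolExecutor

P, N7 = 3, 7   # power field Z_3; platform group G = {1,2,4} inside Z_7^*


def vector_power_product(base, exponent):
    """Analogue of an inner product: base_1^e_1 * ... * base_n^e_n (mod 7).
    Addition is replaced by multiplication and multiplication by exponentiation;
    exponents are reduced mod 3 because every element of G has order dividing 3."""
    acc = 1
    for b, e in zip(base, exponent):
        acc = acc * pow(b, e % P, N7) % N7
    return acc


def mpf_row(i, X, Q, Y):
    """Row i of ^X Q ^Y: first r_l = prod_k q_kl^{x_ik} (row i of ^X Q, one power
    product per column of Q), then c_ij = prod_l r_l^{y_lj} (one per column of Y)."""
    n = len(Q)
    cols_Q = [[Q[k][l] for k in range(n)] for l in range(n)]
    r = [vector_power_product(cols_Q[l], X[i]) for l in range(n)]
    cols_Y = [[Y[l][j] for l in range(n)] for j in range(n)]
    return tuple(vector_power_product(r, cols_Y[j]) for j in range(n))


def mpf_parallel(X, Q, Y, workers=4):
    """Compute all n rows concurrently; rows are independent, so any split of the
    row index range across workers gives the same matrix."""
    n = len(Q)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return tuple(pool.map(lambda i: mpf_row(i, X, Q, Y), range(n)))


if __name__ == "__main__":
    Q = ((2, 1), (4, 2))          # constructed operand over G
    Y = ((1, 1), (1, 2))          # constructed exponent matrix over Z_3 (invertible)
    print(mpf_parallel(Y, Q, Y))  # ((2, 4), (2, 1))
```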