Perfectly Secure Shannon Cipher Construction Based on the Matrix Power Function

A Shannon cipher can be used as a building block for a block cipher construction if it is regarded as the cipher of one data block. It is proved that a Shannon cipher based on a matrix power function (MPF) is perfectly secure. This property is obtained by a special selection of the algebraic structures used to define the MPF. In an earlier paper we showed that a certain MPF can be treated as a conjectured one-way function. This property matters because inverting the one-way function is related to an NP-complete problem. The perfect-security result obtained on the theoretical level is consistent with the NP-completeness notion via the well-known theorem of Yao. The proposed cipher does not need multiple rounds to encrypt one data block and can therefore be parallelized effectively, since operations on matrices lend themselves to such parallelization.


Introduction
The modern design of block ciphers is based on the confusion-diffusion paradigm introduced by Claude Shannon ([1]). A direct implementation of this paradigm is the substitution-permutation network (SPN): a block cipher is built by running the SPN over multiple rounds, each of which uses a different sub-key derived from the original key. When the data is divided into separate blocks, this procedure is applied to the encryption of every block.
One example of an SPN realization in a standardized symmetric block cipher is the Data Encryption Standard (DES), adopted in 1977 ([2]). To increase the security of DES, whose key is only 64 bits long (of which only 56 bits are effective), the Triple DES (TDES) algorithm was adopted by the ANSI committee X9.F.1 in 1998. Because this algorithm remained popular and widely used, updated recommendations for the Triple Data Encryption Algorithm (TDEA) were issued in 2017 ([3]).
Another well-known realization of the SPN is the block cipher adopted as the Advanced Encryption Standard (AES) ([4]).
We restrict our consideration to the encryption of a single data block using the confusion-diffusion paradigm. This encryption can then be considered as the Shannon cipher outlined in [5]. If the Shannon cipher is proved secure under certain conditions, a secure block cipher can be created on that basis; hence the Shannon cipher can be interpreted as a building block for block cipher construction. The security of the Shannon cipher is considered in the sense of perfect security, which is directly related to the notion of pseudo-randomness ([5]).
Perfect security, formulated in Lemma 1 in Section 4, is the "gold standard" of cryptography. Many security proofs are based on a computational relaxation of perfect security. An alternative definition of perfect security states that an encryption scheme is perfectly secure if no adversary can succeed in distinguishing the encryption of one plaintext from the encryption of another with probability better than one half; this is called adversarial indistinguishability. Adversarial indistinguishability is in turn related to pseudo-randomness: if the encryption key is chosen uniformly at random from the key space, the ciphertext is uniformly distributed over the ciphertext space, whatever the distribution over the message space.
Yao [6] revealed a fundamental relation between one-way functions (OWFs) and pseudo-random generators: pseudo-random generators exist if and only if OWFs exist ([6]). Hence the intriguing idea is to construct a computationally efficient block cipher from a one-way function (OWF); if OWFs exist, a ciphertext produced this way can be pseudo-random. As long as the P vs. NP question remains open (and it is unclear whether it will ever be resolved), NP-complete problems are accepted as a source of conjectured OWFs. Strictly speaking, NP-completeness is a worst-case notion, whereas an OWF must be hard to invert on average over its inputs, so this conjecture is stronger than NP-completeness alone.
The notion of pseudo-randomness plays a fundamental role in cryptography in general and in private-key encryption in particular. Loosely speaking, a pseudo-random string is a string that looks like a uniformly distributed string to any entity that "looks" at it in polynomial time. Just as indistinguishability can be viewed as a computational relaxation of perfect secrecy, pseudo-randomness is a computational relaxation of true randomness.
The main reason for building a Shannon cipher on the MPF is that the MPF can be interpreted as a conjectured OWF. This conjectured OWF based on the MPF was proposed earlier in our papers ([7][8][9][10][11]) for the construction of cryptographic protocols.
Some applications of the MPF to the construction of cryptographic functions have been proposed recently. In [12] the MPF is used for an asymmetric cipher construction, and in [13] for a digital signature algorithm. The MPF belongs to the class of non-commutative cryptography, which is of particular interest to a number of cryptographers. A linear algebra attack on cryptographic functions based on the MPF is presented in [14]; this attack was countered in our subsequent paper [11].
In general, the MPF can be defined over different algebraic structures. Reference [15] shows that inverting a conjectured OWF based on the MPF defined over a modified medial semigroup is NP-complete. Hence there is some evidence that the MPF could also be used for block cipher construction. This paper presents a Shannon cipher based on the matrix power function defined over specially selected algebraic structures. The first result on a block cipher S-box construction using the MPF was published in [16].
A proof that the Shannon cipher based on the MPF over these specially selected algebraic structures is perfectly secure is presented. A cipher with perfect secrecy is unconditionally secure against a ciphertext-only attack.
Thus far, the main trend in block cipher construction has been to use a number of rounds for the encryption of one data block in order to achieve good confusion and diffusion, and thereby the required level of security. These rounds are performed sequentially, so the round computations of one block cannot be parallelized.
The proposed Shannon cipher is realized in one round using matrix operations, which in turn can be parallelized effectively. If we have two matrices of order n, their addition, multiplication and matrix powering by matrix can be performed using n (or an integer divisor of n) parallel computations between the n rows and n columns of the operand matrices. The results of these computations are the entries of a new matrix, and the obtained partial results are then combined into the final matrix. Hence the proposed Shannon cipher can be realized effectively on multiprocessor computing devices.
Let S be any finite set. A uniformly and randomly chosen element s of S is denoted by s ← rand(S).
Let f be a one-to-one mapping from Z_3 to G_3 given by Equation (1). Evidently this mapping is one-to-one, but it is not an isomorphism with respect to the multiplication and addition operations defined in Z_3. Hence there exists the inverse one-to-one mapping f^{-1}, defined by Equation (2).
Let Q = {q_ij} be a matrix with entries q_ij ∈ G_3. Denote, in general, matrices X = {x_ij}, x_ij ∈ Z_3, and Y = {y_ij}, y_ij ∈ Z_3. All matrices are square and of order n. Symbolically, the matrix power function (MPF) is written as in Equation (3). The group G_3 is called the platform group and the field Z_3 the power field. Formally, the matrices Q and C are defined over the direct product group G_3^{n×n} and the matrices X, Y over Z_3^{n×n}. The MPF is defined by relation (4) and provides the mapping (5), where C = {c_ij} and c_ij ∈ G_3. Let C_1 = {c_1,ij} be a matrix defined over Z_3. Then the mapping f defined in Equations (1) and (2) can be applied separately to every entry of C_1, which yields a mapping F: F replaces every entry of the matrix C_1 = {c_1,ij} by the corresponding entry of the matrix C_2 = {c_2,ij}, where, according to Equations (1) and (2), f(c_1,ij) = c_2,ij.
To construct a symmetric cipher based on the MPF introduced by Equations (3)-(5), we need one additional matrix, namely the matrix M = {m_ij}, m_ij ∈ Z_3, holding the message to be encrypted.
The symmetric encryption-decryption key K in our construction is a pair of matrices K = (X, Y). To satisfy the security conditions, the entries of Y are generated uniformly at random from the subset Z_3\0, i.e., y_ij ∈ {1, 2}, and Y must be invertible over Z_3. Drawing the entries from {1, 2} does not by itself guarantee invertibility (the all-ones matrix is singular), so key generation must reject singular candidates and resample. The entries of X are generated uniformly at random from Z_3, i.e., x_ij ∈ {0, 1, 2}.

Shannon Cipher Construction Based on the Matrix Power Function (MPF)
Conventionally, the Shannon cipher is any deterministic cipher. It is defined over the key space K, the message space M and the ciphertext space C.
Definition 1. The Shannon cipher SC is defined by the triplet SC = (Gen, Enc, Dec), where
• Gen is the key generation function, which outputs a secret key K chosen at random and uniformly distributed in K;
• Enc is the encryption function, which takes as input a key K in K and a message M in M and produces as output a ciphertext C in C, C = Enc(K, M);
• Dec is the decryption function, which takes as input a key K in K and a ciphertext C in C and produces a message M in M.
The Shannon cipher is defined over (K, M, C), and with this notation we can write the relation between Enc and Dec. In general, M is assumed to be a random variable distributed over the message space M, but it is not assumed that M is uniformly distributed over M. The key K is uniformly distributed in K and independent of M, while the ciphertext C = Enc(K, M) is a random variable distributed over the ciphertext space C.
The Shannon cipher is constructed for plaintext and ciphertext blocks given by n × n matrices M = {m_ij} and C = {c_ij}, respectively, over the field Z_3 = {0, 1, 2}, with m_ij ∈ Z_3 and c_ij ∈ Z_3. Hence the message space M consists of the n × n matrices M and the ciphertext space C of the n × n matrices C; both spaces are denoted Z_3^{n×n}.
The key space K consists of pairs of matrices X and Y composing the vector-valued symmetric key K = (X, Y), where X = {x_ij}, x_ij ∈ Z_3, and Y = {y_ij}, y_ij ∈ Z_3\0. The key space K is thus contained in the direct product Z_3^{n×n} × Z_{3\0}^{n×n}, with the additional requirement that the matrix Y is invertible over Z_3.
The encryption of one data block M consists of the three steps of Equation (6), where + is conventional matrix addition and ∘ is the Hadamard product of matrices, i.e., the entries are multiplied entrywise, just as they are added entrywise in conventional matrix addition. Symbolically, these steps are expressed by three encryption functions Enc1, Enc2 and Enc3, and the three equations in (6) can be collapsed into a single equation. The resulting ciphertext C is a matrix of order n over Z_3, like the message matrix M.
For decryption we need the inverse of a matrix in the Hadamard sense in G_3^{n×n}. Let T be a matrix in G_3^{n×n}. The inverse T^A of T in the Hadamard sense is the matrix satisfying T ∘ T^A = 1, where 1 is the matrix all of whose entries equal 1 ∈ G_3. Since every element of G_3 has order 3, the entries of T^A are the squares of the corresponding entries of T.
The decryption procedure applies the steps in reverse order. Since the matrix Y has an inverse Y^{-1} over Z_3, and the algebraic structures, namely the group G_3 and the field Z_3, are symmetric, the decryption relation follows, in which F(X)^A denotes the inverse of the matrix F(X) in the Hadamard sense and ∘ the Hadamard product of matrices.
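As an added example (not the authors' code), the following Python implements the primitives named above and in Section 2: the entrywise mapping F and its inverse, matrix operations and inversion over Z_3, the MPF, the Hadamard product and Hadamard inverse in G_3^{n×n}, and the key generation Gen. Because Equations (1)-(5) are not reproduced on this page, two assumptions are made and marked in the code: G_3 is taken as the order-3 subgroup {1, 2, 4} of Z_7^* with f(a) = 2^a mod 7, and the MPF is taken in the two-sided form C = ^X Q ^Y with c_ij = Π_{k,l} q_kl^{x_ik y_lj}, as in the authors' earlier MPF papers. The last two functions check the property decryption relies on: for invertible Y, the diffusion map Q ↦ ^Y Q ^Y is undone by Y^{-1} and is a permutation of G_3^{n×n}.

```python
# Added example, not the paper's code.  Assumed (Eqs. (1)-(5) are not on the page):
# G_3 = {1, 2, 4} in Z_7^*, f(a) = 2^a mod 7, and the two-sided MPF C = ^X Q ^Y.
import random
from itertools import product

P = 7                 # G_3 is realised inside the multiplicative group of Z_7
G3 = (1, 2, 4)        # assumed: the order-3 subgroup 2^0, 2^1, 2^2 mod 7

def f(a):
    """Assumed bijection Z_3 -> G_3 standing in for the paper's Equation (1)."""
    return pow(2, a % 3, P)

def f_inv(g):
    """Inverse bijection G_3 -> Z_3 (Equation (2))."""
    return G3.index(g)

def F(M):
    """Mapping F: apply f to every entry, Z_3^{n x n} -> G_3^{n x n}."""
    return [[f(a) for a in row] for row in M]

def mat_add(A, B):
    """Conventional matrix addition over Z_3 (used by the confusion steps)."""
    return [[(a + b) % 3 for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]

def mat_mul(A, B):
    """Matrix product over Z_3; exponent matrices compose through it."""
    n = len(A)
    return [[sum(A[i][k] * B[k][j] for k in range(n)) % 3 for j in range(n)] for i in range(n)]

def mat_inv_z3(Y):
    """Gauss-Jordan inverse over Z_3; None when Y is singular (Gen must reject it)."""
    n = len(Y)
    A = [list(row) + [int(i == j) for j in range(n)] for i, row in enumerate(Y)]
    for col in range(n):
        piv = next((r for r in range(col, n) if A[r][col] % 3), None)
        if piv is None:
            return None
        A[col], A[piv] = A[piv], A[col]
        inv = A[col][col] % 3                  # 1 and 2 are self-inverse mod 3
        A[col] = [v * inv % 3 for v in A[col]]
        for r in range(n):
            if r != col and A[r][col] % 3:
                fac = A[r][col]
                A[r] = [(a - fac * b) % 3 for a, b in zip(A[r], A[col])]
    return [row[n:] for row in A]

def pow_dot(bases, exps):
    """'Inner product' of a base vector with a power vector: multiply in G_3 where the
    inner product adds, exponentiate where it multiplies (the parallel unit of work)."""
    acc = 1
    for b, e in zip(bases, exps):
        acc = acc * pow(b, e, P) % P
    return acc

def left_power(X, Q):
    """(^X Q)_ij = prod_k q_kj ^ x_ik: row i of X against column j of Q."""
    n = len(Q)
    return [[pow_dot([Q[k][j] for k in range(n)], X[i]) for j in range(n)] for i in range(n)]

def right_power(Q, Y):
    """(Q^Y)_ij = prod_l q_il ^ y_lj: row i of Q against column j of Y."""
    n = len(Q)
    return [[pow_dot(Q[i], [Y[l][j] for l in range(n)]) for j in range(n)] for i in range(n)]

def mpf(X, Q, Y):
    """Two-sided MPF ^X Q ^Y; the left and right actions commute."""
    return right_power(left_power(X, Q), Y)

def hadamard(A, B):
    """Hadamard (entrywise) product in G_3^{n x n}."""
    return [[a * b % P for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]

def hadamard_inv(T):
    """Hadamard inverse T^A with T o T^A = 1: each g in G_3 has order 3, so g^-1 = g^2."""
    return [[pow(g, 2, P) for g in row] for row in T]

def gen_key(n, rng=random):
    """Gen: X uniform over Z_3^{n x n}; Y uniform over {1, 2}^{n x n}, resampled until invertible."""
    X = [[rng.randrange(3) for _ in range(n)] for _ in range(n)]
    while True:
        Y = [[rng.choice((1, 2)) for _ in range(n)] for _ in range(n)]
        if mat_inv_z3(Y) is not None:
            return X, Y

def undo_diffusion(C2, Y):
    """Decryption of the diffusion step: ^{Y^-1} (^Y Q ^Y) ^{Y^-1} = Q."""
    Yinv = mat_inv_z3(Y)
    return mpf(Yinv, C2, Yinv)

def mpf_is_bijection(Y):
    """Exhaustively check that Q -> ^Y Q ^Y permutes G_3^{n x n} (3^(n*n) inputs)."""
    n = len(Y)
    images = set()
    for entries in product(G3, repeat=n * n):
        Q = [list(entries[i * n:(i + 1) * n]) for i in range(n)]
        images.add(tuple(map(tuple, mpf(Y, Q, Y))))
    return len(images) == len(G3) ** (n * n)
```

Calling X, Y = gen_key(2) and then mpf_is_bijection(Y) walks all 81 matrices of G_3^{2×2} and confirms the diffusion map is a permutation; undo_diffusion(mpf(Y, Q, Y), Y) == Q holds for any Q because the exponent matrices compose as ^{X_1}(^{X_2} Q) = ^{X_1 X_2} Q, with the product taken over Z_3 since G_3 has exponent 3.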
By fixing a uniformly and randomly generated key K, the two-argument encryption function Enc(·, ·) can be interpreted as the one-to-one permutation Π_K(M): Z_3^{n×n} → Z_3^{n×n}. Looking forward, we intend the constructed Shannon cipher to be suitable for building a block cipher with one round per block M. A block consists of n^2 digits in Z_3, so the message space has size |M| = |Z_3^{n×n}| = 3^{n^2}. The main property required for this application is that Π_K should behave like a random permutation. However, since realizing a truly random permutation on a practically acceptable block length is infeasible, the notion of a pseudo-random permutation is introduced. Intuitively, Π_K is called pseudo-random if, for a randomly and uniformly chosen key K, it is indistinguishable from a permutation chosen uniformly at random from the set of all permutations of the same domain. It is to obtain this behaviour that Shannon introduced the confusion-diffusion paradigm ([1]).
A direct implementation of the confusion-diffusion paradigm is a substitution-permutation network ([17,18]). There are two confusion phases, namely C_1 and C_3 in Equation (6); the key for both operations is the matrix X. The diffusion phase is realized when computing C_2 from the intermediately encrypted data block F(C_1) in G_3^{n×n}, keyed by the matrix Y.
In the next section we demonstrate that Π_K is a perfectly secure pseudo-random permutation.

Security Analysis
Let M_0 be a fixed value in the message space M and C_0 = Enc(K, M_0) a value in C. Following [5], the following lemma can be formulated.
Lemma 1 (perfect security, [5]). For every M_0 in M and every C_0 in C, the conditional probability Pr(C = C_0 | M = M_0) equals the unconditional probability Pr(C = C_0), which means that the ciphertext is independent of the message.
Before proving the main theorem of perfect security we need to prove the following lemmas.

Lemma 2. If the random variables z_1, z_2 are independent and uniformly distributed in Z_3\0, and w is uniformly distributed in G_3 and independent of z_1 and z_2, then z_1 · z_2 is uniformly distributed in Z_3\0, and the random variable w^{z_1·z_2} is uniformly distributed in G_3.
Proof. Since z_1 and z_2 are independent, the probability Pr(z_1 · z_2 = j) is the sum of the products Pr(z_1 = j_1) Pr(z_2 = j_2) over all j_1 · j_2 = j, and for each j this sum runs over two possible combinations of j_1, j_2 ∈ Z_3\0 (see contingency Table 1). Hence z_1 · z_2 is uniformly distributed in Z_3\0. Denote u = z_1 · z_2. Under the independence assumption, the probability Pr(w^u = j) is the sum of the products Pr(w = j_1) Pr(u = j_2) over all j_1^{j_2} = j (see also Table 2), and for each j this sum runs over two pairs of j_1, j_2 (j_1 ∈ G_3, j_2 ∈ Z_3\0). These probabilities imply that w^u is uniformly distributed in G_3, and the lemma is proved.
Lemma 3. The product of n independent random variables, each uniformly distributed in G_3, is uniformly distributed in G_3.
Proof. For n = 2 the lemma is proved directly by contingency Table 3 or, in short, by the sum over j_1 · j_2 = j, which for each j runs over three possible combinations of j_1, j_2 ∈ G_3. Assume the lemma holds for n = N. It suffices to show that it holds for n = N + 1, which follows directly from the independence of the random variables and Equation (8). Hence the lemma is proved.

The Theorem of Perfect Security
Using Lemmas 1-3, we prove the following theorem.
Theorem 1. If the key K is chosen randomly and uniformly from K, the probability distribution of M over M is arbitrary, the distributions of K and M over K and M are independent, and, given the encryption algorithm Enc, the distribution of C over C is fully determined by the distributions over K and M, then the Shannon cipher of Equation (6) based on the MPF is perfectly secure.
Proof. Each element of the matrix C_1 of order n in Equation (6) takes the form of the first step of (6). If the x_ij are chosen at random and uniformly distributed, and the m_ij are random values in Z_3 with an arbitrary distribution, then Equation (9) holds for every c_10 ∈ Z_3. The probability in Equation (9) can be read directly from the table of values (see Table 4). The conditional probabilities of Equation (10) follow because x_ij and m_ij are independent and c_10 − m_0 ∈ Z_3. Equalities (9) and (10) prove equality (11).
Let us turn to the matrix C_2 of Equation (6). Denote the elements of the matrix C_2 of order n as in the second step of (6), where the y_ij are chosen randomly and uniformly from Z_3\0 and f(c_ij) ∈ G_3. By Lemma 2, each product y_ij · y_kl is a uniformly distributed random value in Z_3\0, and all (f(c_ij))^{y_k} are uniformly distributed in G_3. For brevity, denote y_ij · y_kl = y_s, s ∈ {1, ..., n·n}.
The expression z_11^{y_1} · ... · z_nn^{y_{n·n}} takes values in G_3 and, by Lemma 3, is uniformly distributed there; the inverse variables are also in G_3 (see Table 5). Equalities (12)-(14) prove equality (15), that is, the elements of the matrix C_2 are independent of the elements of the matrix C_1. Since M enters only through C_1, the matrix C_2 is independent of M as well. The third equation of (6) can be rewritten for each element of the matrix of order n in a form to which the argument of Equations (9) and (10) applies again, giving equality (16). Thus the elements of C_3 are independent of the elements of C_2, and C_3 does not depend on the value of M.
Taking equalities (11), (15) and (16) together, Equation (7) holds. Hence we have proved that the proposed Shannon cipher is perfectly secure.
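Lemma 2, Lemma 3 and the confusion step of Equations (9)-(10) are statements about small finite distributions, so they can be checked exhaustively rather than by reading the contingency tables. The following Python is an added example, not the paper's code: it takes G_3 = {1, 2, 4} ⊂ Z_7^* as the assumed realization of the platform group, takes the confusion step as c_1 = m + x mod 3 (inferred from the proof's c_10 − m_0), and computes every distribution as an exact fraction. It also evaluates the case Lemma 2 excludes, a key entry equal to 0, which shows why the y_ij are drawn from Z_3\0.

```python
# Added example, not the paper's code: exhaustive checks of Lemma 2, Lemma 3 and
# the confusion step of Eqs. (9)-(10), as exact fractions over the finite spaces.
# Assumed realisation of G_3 (not on the page): the subgroup {1, 2, 4} of Z_7^*.
from collections import Counter
from fractions import Fraction
from itertools import product

P = 7
G3 = (1, 2, 4)
Z3 = (0, 1, 2)
Z3_NONZERO = (1, 2)       # Z_3 \ 0, where the key entries y_ij are drawn from

def dist(outcomes):
    """Exact distribution of a sequence of equally likely outcomes."""
    counts = Counter(outcomes)
    total = sum(counts.values())
    return {v: Fraction(c, total) for v, c in sorted(counts.items())}

def is_uniform(d, support):
    """True when d is exactly uniform over support."""
    return set(d) == set(support) and all(p == Fraction(1, len(support)) for p in d.values())

def lemma2_product():
    """z_1 * z_2 for z_1, z_2 independent and uniform in Z_3 \\ 0 (Table 1)."""
    return dist(z1 * z2 % 3 for z1, z2 in product(Z3_NONZERO, repeat=2))

def lemma2_power():
    """w^(z_1 * z_2) for w uniform in G_3 and independent of z_1, z_2 (Table 2)."""
    return dist(pow(w, z1 * z2, P) for w, z1, z2 in product(G3, Z3_NONZERO, Z3_NONZERO))

def power_with_zero_exponent():
    """The case Lemma 2 excludes: an exponent uniform over all of Z_3 makes w^z pile up on 1."""
    return dist(pow(w, z, P) for w, z in product(G3, Z3))

def lemma3_product(n):
    """Product of n independent uniform G_3 elements (Table 3 is the case n = 2)."""
    outcomes = []
    for ws in product(G3, repeat=n):
        acc = 1
        for w in ws:
            acc = acc * w % P
        outcomes.append(acc)
    return dist(outcomes)

def confusion_conditional(m):
    """Pr[c_1 = c | m] for c_1 = m + x mod 3 with x uniform in Z_3 (Eqs. (9)-(10), Table 4)."""
    return dist((m + x) % 3 for x in Z3)

def confusion_marginal(weights):
    """Pr[c_1 = c] under an arbitrary message distribution given as integer weights."""
    total = sum(weights.values())
    out = {c: Fraction(0) for c in Z3}
    for m, w in weights.items():
        for c, pc in confusion_conditional(m).items():
            out[c] += Fraction(w, total) * pc
    return out
```

power_with_zero_exponent() returns probability 5/9 for the value 1, so a zero entry in Y would leave the diffusion output biased; confusion_marginal({0: 3, 1: 2, 2: 1}) is uniform despite the skewed message distribution, which is exactly the independence that Equations (9)-(11) assert.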

Conclusions and Discussions
One realization of the Shannon cipher is proposed. It is based on the MPF defined over specially selected algebraic structures, namely the finite field of integers Z_3 and the subgroup G_3 of order 3 of the multiplicative group Z_7^* of residue classes modulo 7. Owing to this special selection, the proposed Shannon cipher is proved to be perfectly secure.
Such a cipher can be interpreted as a one-data-block cipher for a block of n × n digits in Z_3. The data in this block is encoded by the numbers {0, 1, 2}, i.e., by two bits per digit. The result can be extended to a block cipher construction if the whole data stream is split into blocks of n × n digits. This directly yields the Electronic Code Book (ECB) mode of operation, on which the other known modes, e.g., Cipher Block Chaining (CBC), can be built. Note that perfect security is a property of the encryption of a single block under a fresh, uniformly chosen key; once the same key is reused across blocks, security rests on the pseudo-randomness of Π_K rather than on perfect secrecy (in ECB mode, equal plaintext blocks produce equal ciphertext blocks).
This research proves that the proposed confusion-diffusion transformation provides perfect security in a single round. The distinguishing property of the proposed cipher is that it does not require a sequence of rounds for the encryption of one data block.
The single-round encryption of a data block is based on matrix operations. This yields the other distinguishing property, namely that the encryption of one block can be effectively parallelized. Since the rounds of traditional ciphers must be performed sequentially, the round operations of such ciphers cannot be parallelized.
Matrix operations can be effectively parallelized. Assume we have two operand matrices of order n. Then their addition, Hadamard product and matrix powering by matrix can be performed using n (or an integer divisor of n) parallel computations between the n rows and n columns of the operand matrices. The entries of the resulting matrix are computed in parallel using operations between two n-dimensional vectors. For matrix addition or the Hadamard product, two vectors representing corresponding columns (or rows) of the operand matrices are added or multiplied entrywise. For matrix powering by matrix, one base vector is raised entrywise to the powers given by the other (power) vector, and the results are multiplied together. The analogy of this operation is the inner product of two vectors, with addition replaced by multiplication and multiplication by exponentiation. This parallelization replaces an operation between matrices of order n by n operations between n-dimensional vectors.
For example, let a data block be represented by a matrix of order n = 16. Such a block has 16 × 16 = 256 elements encoded by the numbers {0, 1, 2}. Its parallel computation can then be performed on 16, 8, 4 or 2 processors. Hence, the proposed Shannon cipher can be effectively realized on multiprocessor computing devices.