A Scalable Symmetric Cryptographic Scheme Based on Latin Square, Permutations, and Reed-Muller Codes for Resilient Encryption

Abstract

Symmetric cryptography is essential for secure communication as it ensures confidentiality by using shared secret keys. This paper proposes a novel substitution-permutation network (SPN) that integrates Latin squares, permutations, and Reed-Muller (RM) codes to achieve robust security and resilience. As an adaptive design using binary representation with base-n Latin square mappings for non-linear substitutions, it supports any n (Codeword length and Latin square order), k (RM code dimension), d (RM code minimum distance) parameters aligned with the Latin square and $\mathrm{RM}(n,k,d)$ codes. The scheme employs $2{log}_{2}n$-round transformations using ${log}_{2}n$ permutations ${\rho }_z$, where in the additional ${log}_{2}n$ rounds, row and column pairs are swapped for each pair of rounds, with key-dependent ${\pi }_z$ permutations for round outputs and fixed ${\rho }_z$ permutations for codeword shuffling, ensuring strong diffusion. The scheme leverages dynamic Latin square substitutions for confusion and a vast key space, with permutations ensuring strong diffusion and $\mathrm{RM}(n,k,d)$ codes correcting transmission errors and enhancing robustness against fault-based attacks. Precomputed components optimize deployment efficiency. The paper presents mathematical foundations, security primitives, and experimental results, including avalanche effect analysis, demonstrating flexibility and balancing enhanced security with computational and storage overhead.

1. Introduction

Symmetric cryptography, especially block ciphers, plays a fundamental role in secure communication by ensuring confidentiality through the use of shared secret keys. Block ciphers encrypt fixed-size blocks of plaintext into ciphertext using a series of iterative transformations. They are highly valued for their efficiency and security [1]. Traditional block ciphers are strong but often do not include built-in error correction, which limits their effectiveness in various environments. As a result, modern systems encounter challenges like transmission errors in noisy channels, fault-based attacks that exploit hardware vulnerabilities, and the need for adaptable, scalable designs that strike a balance between security and resource constraints [2]. This aspect has gained importance in addressing these attacks [3,4,5].

Recent studies have employed Latin squares for cryptographic substitutions, utilizing their nonlinear properties and combinatorial diversity. The Zefreh and Abdali Latin Square Image Encryption (LSIE) scheme uses Latin square S-boxes with chaotic systems for fast and noise-resilient image encryption [6]. Walid El-Shafai, et al. developed a compression-encryption scheme using Latin squares for IoT multimedia security, achieving low computational overhead to guarantee security and high speed without compromising the complexity [7]. The Latin square image cipher (LSIC) of Wu et al. uses Latin square whitening, Latin square S-box, and Latin square P-box for confusion and diffusion [8]. A hybrid model was presented by Nada Ali et al. that uses the Latin square matrix (LSM) and subtractive random number generator (SRNG) algorithms to generate random keys that raise the degree of diffusion and strengthen the cipher key’s defense against various attacks [9]. These schemes, often designed for image coding, lack general applicability and resistance to noise or bit-flipping attacks, challenges addressed in our scheme through Reed-Muller codes.

Error-correcting codes (ECCs) play a vital role in ensuring data integrity and improving the reliability and security of cryptographic systems [10]. Repka et al. discussed the use of ECCs in secure protocols and their effectiveness in mitigating fault attacks [10]. Alabady’s low complexity product code (LCPC) offers an efficient method of error correction that is particularly suitable for Internet of Things (IoT), which often have limited resources [11]. Boneh et al. highlighted the importance of ECCs in eliminating computational errors, which is crucial for protecting against fault attacks in block ciphers [12]. Carlet investigated the use of RM codes in Boolean functions to enhance resistance against fault attacks [13]. Therefore, integrating ECCs with cryptographic systems is highly recommended to prevent errors, as even a single-bit change in an encrypted message can cause significant damage in the decrypted output [14].

We propose a novel block cipher based on an SPN that integrates Latin squares, permutations, and Reed-Muller codes to deliver robust security and resilience in noisy and adversarial environments. Our adaptive design supports any parameters $n,k,d$ and utilizes binary representation along with base-n Latin square mappings. The cipher incorporates Latin square S-boxes to enhance confusion, applies diffusion permutations, and employs RM codes, which add an extra layer of security, enable error correction, and provide resistance to fault attacks. It features a scalable key space and parameter flexibility, optimizing the balance between security and resource usage. The scheme operates over $2{log}_{2}n$ rounds. This framework is versatile for symmetric cryptography, supporting independent encoding and decoding processes that allow for parallelization in multi-core or distributed systems. Precomputed components are included to ensure deployment efficiency across various applications. The paper concludes with an evaluation of both security and performance.

The structure of our paper is organized as follows: Section 2 introduces a background for primitives. Section 3 describes the cryptographic system. Section 4 presents experimental results. Section 5 evaluates security properties. Section 6 discusses limitations and outlines future directions.

2. Background

2.1. Latin Squares

Let n (order) be a non-negative integer. A Latin square $L={\left(l_{i,j}\right)}_{1\le i,j\le n}$ of order n is an $n\times n$ array with entries $l_{i,j}\in \{0,\dots ,n-1\}$, such that each element of the set $\{0,\dots ,n-1\}$, is contained exactly once in each row and in each column.

A key defined over key space $K=\{0,\dots ,n-1\}$ is used and distributed uniformly over the message space $M=\{0,\dots ,n-1\}$ [15].

A Latin square of order n (on the symbol set $1,2,\dots ,n$ or on the symbol set $0,1,\dots ,n-1$) is reduced or in standard form if in the first row and column the symbols occur in natural order as shown in

Table 1. A reduced Latin square of order 3 [16].

1	2	3
2	3	1
3	1	2

.

A cipher is defined over the message space and the key space, and the function

$$y=C_k\left(m\right)=l_{k,m}$$

(1)

describes the encryption of a plaintext $m\in M$ under a key $k\in K$ [17].

2.1.1. Relation Between Cayley Tables, Quasigroups, and Latin Squares

A Cayley table [18,19], which resembles an addition or multiplication table in square form, represents the structure of a finite group [20], by arranging all possible products of all of the group’s components. An order-n Latin square, with each row (or column) encoding a permutation of the group’s components, is what an unbordered Cayley table of an order-n group essentially is, according to a Cayley discovery [18,19,21].

Theorem 1.

If $(G,⨁)$ is a finite group of order n and $L^G$ is the unbordered Cayley table of G, then $L^G$ is a Latin square of order n.

Definition 1.

A set G equipped with a binary operation ∗ is said to be a quasigroup if the following conditions are satisfied:

• G is closed under the operation: $q_i\ast q_j\in G,\forall q_i,q_j\in G$.
• The Latin square property holds: $\forall q_i,q_j\in G,\exists !x,y\in G,q_i\ast x=q_j$ and $y\ast q_i=q_j$.

G is said to be a finite quasigroup if it contains a finite number of elements.

Theorem 2.

If $G=(G,\ast )$ is a finite quasigroup and $L^G$ is the unbordered Cayley table of G, then $L^G$ is a Latin square.

From Definition 1 and Theorem 2, we guarantee that every element of G appears exactly once in each row and once in each column of the Cayley table of G. It is an elementary property of all groups and the defining property of all quasigroups. In Section 3.2.4, we will illustrate how to construct a Latin square by creating a quasi-group from a finite group using permutations.

2.1.2. Conjugacy Class

Each cell of a Latin square can be represented by a triple (row, column, symbol). One method to represent L is to conceive of a set of ordered triples instead of a Latin square [22]. If $L=l_{i,j}$ is a Latin square of order n, the corresponding $n^2$ triples are:

$$T_L=\{(r_i,c_j,l_{i,j}):0\le i,j\le n-1\}$$

(2)

The entry that appears at a particular position inside a triple is referred to as a coordinate.

A Latin square’s isotopism L is a permutation of L that permutes its symbols, rows, and columns. Another Latin square that is stated to be isotopic to L is the result [23].

The operation of permuting the coordinates themselves is referred to as conjugacy or parastrophy. For two Latin squares $L_1$ and $L_2$, we say that $L_2$ is conjugate equivalent of $L_1$ where they are in the same conjugacy class [23].

Every conjugate may be identified by the permutation used to generate it. Since we have three coordinates, for each Latin square, it has at most six distinct conjugates, including the Latin square itself [16].

We require the conjugate of a Latin square to decrypt the ciphertext c produced by Latin square $L=(r_i,c_j,l_{i,j})$ using key k and plaintext m, which we can construct as follows:

• $L^{\left(12\right)}=(c_j,r_i,l_{i,j})$, where the row and column numbers of the Latin square are switched (transpose).
• $L^{\left(13\right)}=(l_{i,j},c_j,r_i)$, where the entries and row numbers of the Latin square are switched.
• $L^{\left(23\right)}=(r_i,l_{i,j},c_j)$, where the entries and column numbers of the Latin square are switched [22,24].

We will use a Latin square L as a substitution square for encryption, and apply $L^{\left(23\right)}$ as the substitution square for decryption in our scheme.

Latin squares are used in many modern applications, such as experimental design in statistics [25], programming language compiler testing [26], telecommunications [27], and cryptography [7,28,29,30].

Latin squares are important in cryptography because they can be used to construct efficient and secure cryptographic algorithms. They have been used in cryptography for various purposes [31], including as a way to generate cryptographic keys [7], and as a tool for designing symmetric cryptosystems [32]. In addition to these applications, Latin squares have also been used in other areas of cryptography, for example, in the design of cryptographic hash functions [33,34], in the analysis of cryptographic protocols [35], and in cryptographic key management systems [36].

2.2. Permutation Groups

Let $\mathsf{\Omega }$ be an arbitrary non-empty set of non-negative integers. A permutation is a one-to-one map of $\mathsf{\Omega }$ to itself. The set of all permutations on $\mathsf{\Omega }$ forms a group under the composition of permutations (that is, the composition of permutations is associative, the identity permutation is the unit element, and for each permutation there exists an inverse element).

The group of all permutations on a set with n elements is called the symmetric group, which is usually denoted by $S_n$. Every permutation group is a subgroup of the symmetric group for some positive integer n [37]. Let $\mathsf{\Omega }=\{1,2,\dots ,n\}$, then a permutation $\rho$ on $\mathsf{\Omega }$ is defined by:

$$\left(\begin{array}{ccccc}1& 2& 3& \dots & n\\ \rho \left(1\right)& \rho \left(2\right)& \rho \left(3\right)& \dots & \rho \left(n\right)\end{array}\right)$$

(3)

Example 1.

A particular permutation of the set $\{1,2,3,4,5\}$ can be written as:

$$\left(\begin{array}{ccccc}1& 2& 3& 4& 5\\ 2& 5& 4& 3& 1\end{array}\right)$$

This means $\rho \left(1\right)=2$, $\rho \left(2\right)=5$, $\rho \left(3\right)=4$, $\rho \left(4\right)=3$, and $\rho \left(5\right)=1$.

The composition of permutations involves combining two or more permutations to create a new permutation. For example, if we have two permutations, f and g, we denote their composition as $fg$. To compute the composition $fg$, we first apply permutation g to the elements and then apply permutation f to the resulting set of elements.

Example 2.

Let $f=\left(123\right)$, $g=\left(231\right)$. We first apply g to the set of elements: $g\left(1\right)=2$, $g\left(2\right)=3$, $g\left(3\right)=1$. Then, we apply f to the resulting set of elements: $f\left(g\right(1\left)\right)=3$, $f\left(g\right(2\left)\right)=1$, $f\left(g\right(3\left)\right)=2$. Therefore, $fg=\left(132\right)$.

The most common applications of symmetric groups in cryptography occur during the key generation phase [38]. Permutations play a vital role in this process by enhancing randomness through the shuffling of bits or bytes within the key. This ensures that each bit position in the key is influenced by all parts of the original key. Additionally, permutations contribute to security by introducing confusion and diffusion, making it more difficult for attackers to compromise the generated keys. They are employed to mix, distribute, and derive key material in a manner that ensures cryptographic keys meet the necessary security standards.

Moreover, permutations play a crucial role in both the encryption and decryption processes as part of the multi-step approach used in symmetric encryption algorithms, such as the Advanced Encryption Standard (AES) [39]. These permutations contribute to two essential properties of cryptographic algorithms: confusion and diffusion.

Confusion ensures that the relationship between the ciphertext and the key is complex and non-linear, making it difficult for an attacker to infer the key. On the other hand, diffusion ensures that a change in a single bit of the plaintext affects many bits of the ciphertext. By rearranging the data in a controlled manner, permutations help achieve both confusion and diffusion. This sensitivity to input changes enhances the overall security of the encryption process.

Permutations are often combined with other operations, such as substitution (like the S-box in AES) and bitwise operations (such as XOR), to create a mixing effect that further strengthens the security and cryptographic robustness of the algorithm.

2.3. Error-Correcting Codes

Error-correcting codes are used in digital communication systems to detect and correct errors that may happen during data transmission. These codes introduce redundancy into the data, allowing for the detection and correction of errors even if some of the transmitted information becomes corrupted.

One crucial parameter of an error-correcting code is its minimum distance, which is defined as the smallest number of bit or symbol changes needed to convert one valid codeword into another. This minimum distance directly influences the code’s ability to detect and correct errors. Specifically, a code with a minimum distance d can detect up to $(d-1)$ errors and can correct up to $\lfloor {\displaystyle \frac{d-1}{2}}\rfloor$ errors [40].

Error-correcting codes are a vital component of cryptography, as they help ensure that data transmitted between two parties remains accurate and secure [10]. In the realm of cryptography, these codes are commonly employed to protect messages or data from corruption or alteration during transmission or storage. They are essential for maintaining the reliability, integrity, and security of encrypted communications in cryptographic systems. By detecting and correcting errors, error-correcting codes help preserve the confidentiality and authenticity of encrypted data [10].

3. The Proposed Cryptographic Scheme

In this section, we present our proposed scheme, which encompasses the process of secret key generation and the method for generating security parameters. Next, we will explain the structure of the encoding/encryption and decoding/decryption algorithms used in this scheme. Lastly, we will illustrate how to generate a Latin square.

3.1. Scheme Description

Our encryption scheme operates on a message M and a key K, each of length $\alpha ={log}_{2}n·k(\alpha \ge n)$ bits, where n denotes both the order of the Latin square L and the codeword length of the Reed–Muller code, and k represents its dimension. The scheme employs a multi-round encryption process consisting of $2{log}_{2}n$ rounds, which seamlessly integrates multiple parallel encoding operations. Both communicating parties precompute all key-related components to enable efficient real-world deployment. The scheme utilizes two types of permutations: ${\pi }_z$, which act on $\alpha$-bit blocks during the Latin square transformations, and ${\rho }_z$, which are n-bit permutations used in the generation of ${\pi }_z$ and applied to the RM codewords. All indexing conventions (for permutations, rounds, and arrays) begin at zero. The process proceeds as follows:

1.

Multi-Round Latin Square Encryption: We divide M and K into k segments, each of length ${log}_{2}n$ bits. Using L, we perform $2{log}_{2}n$ rounds. For each pair of rounds, the first uses the original row and column subsets, and the second swaps them. This process includes converting the message and the key to n-base, mapping the message with the Latin square using the generated scheduled keys, and permuting the intermediate messages using ${\pi }_z$ permutations for each round.

2.

Portioning: We split Y into ${log}_{2}n$ portions, each of length k bits.

3.

Reed-Muller Encoding: Each portion is independently encoded using the RM code, transforming it into an n-bit codeword.

4.

Permutations and Error Addition: Each codeword is permuted using the corresponding n-bit permutation ${\rho }_z$ and modified by adding a generated error vector $e_z$.

5.

Final Ciphertext: The modified codewords are concatenated to form the ciphertext C, of length $n·{log}_{2}n$ bits.

The decryption process reverses the encryption steps by utilizing the conjugate Latin square $L^{\left(23\right)}$ together with the inverse permutations ${\pi }_z^{-1}$ for the rounds and ${\rho }_z^{-1}$ for the codewords. It employs RM decoding, which can correct up to t errors per segment. By executing ${log}_{2}n$ RM encodings in parallel within a single encryption cycle, the proposed scheme enhances computational efficiency while preserving interdependence through the Latin square transformations and the associated permutations. Furthermore, the scheme is flexible and can be adapted to different parameter settings of n and k.

3.2. Proposed Scheme

Let L be a Latin square of order n, and denote its row permutations by ${\sigma }_0,\dots ,{\sigma }_{n-1}$ and its column permutations by ${\tau }_0,\dots ,{\tau }_{n-1}$, respectively. In our cryptographic scheme, we employ the generator matrix of an RM code. For comprehensive details on RM codes, the reader is referred to [14,41]. Let $RM(n,k,d)$ denote an RM code of length $n=2^m$, dimension k, and minimum distance d, which can correct up to t errors and possesses a generator matrix G.

3.2.1. Key Generation

The key generation process is formalized in (Algorithm 1), which produces the secret key and parameters for the cryptographic scheme. It relies on subroutines for key scheduling (Algorithm 2) and permutation extension (Algorithm 3). The process involves generating a random key, computing round-specific permutations, deriving key schedules, and extending permutations for transformations. The secret key consists of the generator matrix G, the binary key K, the Latin square L, and subsets ${\{I_{r_z},I_{c_z}\}}_{z=0,\dots ,{log}_{2}n-1}$.

The key generation process proceeds as follows:

1.

Key Initialization:

• Generate a random binary key K of length $\alpha =k·{log}_{2}n$.
• Convert K to a sequence of k base-n digits, $K_{\mathrm{digits}}=\{k_0,k_1,\dots ,k_{k-1}\}$, where each $k_i$ is a ${log}_{2}n$-bit digit.

2.

Permutation Setup: For $z=0,\dots ,{log}_{2}n-1$, select random subsets $I_{r_z},I_{c_z}\subseteq \{0,\dots ,n-1\}$ to define permutations for the first ${log}_{2}n$ rounds. For each round $z=0,\dots ,2{log}_{2}n-1$:

• Compute the round index $k=\lfloor z/2\rfloor$.
• If z is even, compute the permutation ${\rho }_z={\prod }_{i\in I_{r_k}}{\sigma }_i{\prod }_{j\in I_{c_k}}{\tau }_j$, where ${\sigma }_i$ and ${\tau }_j$ are permutations derived from the row $L\left[i\right]$ and column $L[:,j]$ of the Latin square L.
• If z is odd, compute ${\rho }_z={\prod }_{j\in I_{c_k}}{\tau }_j{\prod }_{i\in I_{r_k}}{\sigma }_i$, swapping the order of row and column permutations.

3.

Key Schedule Computation: Compute the key schedule $D_{\mathrm{digits}}^{\left(z\right)}$ for each round $z=0,\dots ,2{log}_{2}n-1$ using Algorithm 2:

• For $z=0$: Set $D_{\mathrm{digits}}^{\left(0\right)}=K_{\mathrm{digits}}$.
• For $z=1$: Compute $D_{\mathrm{digits}}^{\left(1\right)}=\{L\left[k_i\right]\left[k_{(i+1)modk}\right]\mid i=0,\dots ,k-1\}$.
• For $z=2,\dots ,2{log}_{2}n-1$: Compute $D_{\mathrm{digits}}^{\left(z\right)}=\{L\left[d_i^{(z-1)}\right]\left[d_i^{(z-2)}\right]\mid i=0,\dots ,k-1\}$, where $d_i^{(z-1)}$ and $d_i^{(z-2)}$ are digits from the previous two rounds.

4.

Permutation Extension: Extend each permutation ${\rho }_z$ to an $\alpha$-bit permutation ${\pi }_z$ using Algorithm 3. This approach is inspired by key-dependent permutation techniques [42,43], but incorporates modifications to enhance security and adaptability:

• For each index $i=0,\dots ,n-1$, compute:

  $$v_i=\left({\rho }_z\left[i\right]+d_{imodk}·(i^2+1)+z·(i+1)\right)mod\alpha ,$$

  where $d_{imodk}$ is the corresponding key digit from $D_{\mathrm{digits}}^{\left(z\right)}$.
• If $\alpha >n$, compute additional values for $i=0,\dots ,\alpha -n-1$:

  $$v_{n+i}=\left(d_{imodk}·(z+i+1)·(i+2)\right)mod\alpha .$$
• Form tuples $(v_j,d_{jmodk},j)$ for $j=0,\dots ,\alpha -1$. Sort them by $v_j$, then $d_{jmodk}$, and finally by $\left(j+{\sum }_{i=0}^{k-1}{d}_i+z\right)mod\alpha$. Use the sorted indices j to construct the permutation.
• Apply a circular shift to the permutation by $\left({\sum }_{i=0}^{k-1}{d}_i+z\right)mod\alpha$.

5.

Precomputations: Compute the conjugate Latin square $L^{\left(23\right)}=(r_i,l_{i,j},c_j)$.

The resulting secret key is $(G,K,L,{\{I_{r_z},I_{c_z}\}}_{z=0,\dots ,{log}_{2}n-1})$, with key schedules

${\left\{D_{\mathrm{digits}}^{\left(z\right)}\right\}}_{z=0,\dots ,2{log}_{2}n-1}$ and permutations ${\{{\rho }_z,{\pi }_z\}}_{z=0,\dots ,2{log}_{2}n-1}$.

Algorithm 1 Key and Parameters Setup Algorithm

Require: Latin square L of order n, $RM(n,k,d)$ generator matrix G, parameters n, k, $\alpha =k{log}_{2}n$ Ensure: Secret key $(G,K,L,{\{I_{r_z},I_{c_z}\}}_{z=0,\dots ,{log}_{2}n-1})$, key schedules ${\left\{D_{\mathrm{digits}}^{\left(z\right)}\right\}}_{z=0,\dots ,2{log}_{2}n-1}$, permutations ${\{{\rho }_z,{\pi }_z\}}_{z=0,\dots ,2{log}_{2}n-1}$   1: $K\leftarrow \mathrm{RandomBinary}\left(\alpha \right)$   2: $K_{\mathrm{digits}}\leftarrow \mathrm{ConvertToBaseN}(K,n)$   3: for $z=0$ to $2{log}_{2}n-1$ do   4:       $k\leftarrow \lfloor z/2\rfloor$   5:       if $z<{log}_{2}n$ then   6:            Choose random subsets $I_{r_k},I_{c_k}\subseteq \{0,\dots ,n-1\}$   7:       if $zmod2=0$ then   8:            ${\rho }_z\leftarrow {\prod }_{i\in I_{r_k}}{\sigma }_i{\prod }_{j\in I_{c_k}}{\tau }_j$   9:       else 10:            ${\rho }_z\leftarrow {\prod }_{j\in I_{c_k}}{\tau }_j{\prod }_{i\in I_{r_k}}{\sigma }_i$ 11:       $D_{\mathrm{digits}}^{\left(z\right)}\leftarrow$  KeySchedule$(L,K_{\mathrm{digits}},z)$ 12:       ${\pi }_z\leftarrow$  ExtendPermutation$({\rho }_z,D_{\mathrm{digits}}^{\left(z\right)},z,\alpha ,k,n)$ 13:  return  $(G,K,L,{\{I_{r_z},I_{c_z}\}}_{z=0,\dots ,{log}_{2}n-1}),{\{D_{\mathrm{digits}}^{\left(z\right)}\}}_{z=0,\dots ,2{log}_{2}n-1},{\{{\rho }_z,{\pi }_z\}}_{z=0,\dots ,2{log}_{2}n-1}$

Algorithm 2 Key Schedule Subroutine

1: procedure  KeySchedule( $L,K_{\mathrm{digits}},z$ ) 2:       if $z=0$ then 3:             return $K_{\mathrm{digits}}$ 4:       else if $z=1$ then 5:             return $\{L\left[k_i\right]\left[k_{(i+1)modk}\right]\mid i=0,\dots ,k-1\}$ 6:       else 7:             $D^{(z-1)}\leftarrow$  KeySchedule$(L,K_{\mathrm{digits}},z-1)$ 8:             $D^{(z-2)}\leftarrow$  KeySchedule$(L,K_{\mathrm{digits}},z-2)$ 9:             return $\{L\left[d_i^{(z-1)}\right]\left[d_i^{(z-2)}\right]\mid i=0,\dots ,k-1\}$

Algorithm 3 Permutation Extension Subroutine

1: procedure ExtendPermutation(${\rho }_z,D_{\mathrm{digits}}^{\left(z\right)},z,\alpha ,k,n$)   2:       for $i=0$ to $n-1$ do   3:             $v_i\leftarrow ({\rho }_z\left[i\right]+d_{imodk}·(i^2+1)+z·(i+1))mod\alpha$   4:       for $i=0$ to $\alpha -n-1$ do   5:             $v_{n+i}\leftarrow (d_{imodk}·(z+i+1)·(i+2))mod\alpha$   6:   Sort tuples $(v_j,d_{jmodk},j)$ for $j=0,\dots ,\alpha -1$ by $v_j$, $d_{jmodk}$, $\left(j+{\sum }_{i=0}^{k-1}{d}_i+z\right)mod\alpha$   7:       Initialize permutation as empty list   8:       for $j=0$ to $\alpha -1$ do   9:             Append j to permutation 10:       Apply circular shift by $\left({\sum }_{i=0}^{k-1}{d}_i+z\right)mod\alpha$ 11:       return resulting permutation

3.2.2. Encryption

The encryption process, formalized in Algorithm 4, transforms a message M into a ciphertext C using the secret key $(G,K,L,{\{I_{r_z},I_{c_z}\}}_{z=0,\dots ,{log}_{2}n-1})$, permutations $\{{\pi }_z,{\rho }_z\}$, and key schedules $\left\{D_{\mathrm{digits}}^{\left(z\right)}\right\}$. It relies on subroutines for multi-round mapping (Algorithm 5) and RM encoding (Algorithm 6). The process involves converting the message and key to base-n digits, applying multi-round transformations with Latin square lookups and permutations, encoding with an RM code, and adding error vectors.

1.

The encryption process proceeds as follows:

• Message and Key Conversion: Convert the input message M of length $\alpha =k{log}_{2}n$ and the key K into base-n digits, where n is the order of the Latin square L. This yields k digits for each: $M_{\mathrm{digits}}=\{m_0,\dots ,m_{k-1}\}$ and $K_{\mathrm{digits}}=\{k_0,\dots ,k_{k-1}\}$, with each digit in $\{0,\dots ,n-1\}$. This conversion ensures uniform digit distribution [44].
• Multi-Round Mapping: Perform $2{log}_{2}n$ rounds of mapping using Algorithm 5 to produce an intermediate output Y:

  −

  For round $z=0$:

  ∗

  Compute $y_i^{\prime \left(0\right)}=L\left[k_i\right]\left[m_i\right]$ for $i=0,\dots ,k-1$.

  ∗

  Convert $\{y_0^{\prime \left(0\right)},\dots ,y_{k-1}^{\prime \left(0\right)}\}$ to an $\alpha$-bit binary vector, apply the permutation ${\pi }_0$ to obtain $y_{\mathrm{binary}}^{\left(0\right)}$, and convert back to base-n digits $\{y_0^{\left(0\right)},\dots ,y_{k-1}^{\left(0\right)}\}$.

  −

  For rounds $z=1,\dots ,2{log}_{2}n-1$:

  ∗

  Compute $y_i^{\prime \left(z\right)}=L\left[d_i^{\left(z\right)}\right]\left[y_i^{(z-1)}\right]$ for $i=0,\dots ,k-1$, where $d_i^{\left(z\right)}$ is from $D_{\mathrm{digits}}^{\left(z\right)}$.

  ∗

  Convert $\{y_0^{\prime \left(z\right)},\dots ,y_{k-1}^{\prime \left(z\right)}\}$ to an $\alpha$-bit binary vector, and apply ${\pi }_z$ to obtain $y_{\mathrm{binary}}^{\left(z\right)}$.

  −

  For $z<2{log}_{2}n-1$, convert $y_{\mathrm{binary}}^{\left(z\right)}$ back to base-n digits $\{y_0^{\left(z\right)},\dots ,y_{k-1}^{\left(z\right)}\}$.

  −

  Output $Y=y_0^{(2{log}_{2}n-1)}\parallel \cdots \parallel y_{k-1}^{(2{log}_{2}n-1)}$, an $\alpha$-bit binary vector.

• Splitting the Intermediate Output: Divide Y into ${log}_{2}n$ portions $\{Y_0,\dots ,Y_{{log}_{2}n-1}\}$, each of length k bits.
• RM Encoding and Permutation: For each portion $Y_i$, $i=0,\dots ,{log}_{2}n-1$, apply Algorithm 6:

  −

  Compute $c_i^{\prime }=Y_i·G$, where G is the generator matrix of the $RM(n,k,d)$ code, producing an n-bit vector.

  −

  Apply the n-bit permutation ${\rho }_i$ to $c_i^{\prime }$, resulting in $c_i={(Y_i·G)}^{{\rho }_i}$.

• Error Vector Addition: For each $i=0,\dots ,{log}_{2}n-1$, generate an error vector $e_i\in {\{0,1\}}^n$ with weight at most t. Compute the encrypted portion:

  $$C_i=c_i+e_i={(Y_i·G)}^{{\rho }_i}+e_i.$$
• Ciphertext Construction: Concatenate the encrypted portions to form the ciphertext:

  $$C=C_0\parallel C_1\parallel \cdots \parallel C_{{log}_{2}n-1},$$

  where $\mathrm{length}\left(C\right)=n·{log}_{2}n$.

The resulting ciphertext C has length $n·{log}_{2}n$.

Algorithm 4 Encryption Algorithm

Require: Message M of length $\alpha$, secret key $(G,K,L,{\{I_{r_z},I_{c_z}\}}_{z=0,\dots ,{log}_{2}n-1})$, permutations $\{{\pi }_z,{\rho }_z\}$, key digits $\left\{D_{\mathrm{digits}}^{\left(z\right)}\right\}$ Ensure: Ciphertext C of length ${log}_{2}n\times n$ 1: $Y\leftarrow$  MultiRoundMapping$(M,K,L,\left\{D_{\mathrm{digits}}^{\left(z\right)}\right\},\left\{{\pi }_z\right\},n,k,\alpha )$ 2: $\{Y_0,\dots ,Y_{{log}_{2}n-1}\}\leftarrow \mathrm{Split}(Y,{log}_{2}n,k)$ 3: for $i=0$ to ${log}_{2}n-1$ do 4:       $c_i\leftarrow$RMEncode$(Y_i,G,{\rho }_i)$ 5:       $e_i\leftarrow$ GenerateErrorVector $(n,t)$ 6:       $C_i\leftarrow c_i+e_i$ 7: $C\leftarrow C_0\parallel \cdots \parallel C_{{log}_{2}n-1}$ 8: return  C

Algorithm 5 Multi-Round Mapping Subroutine

1: procedure MultiRoundMapping( $M,K,L,\{D_{\mathrm{digits}}^{\left(z\right)}\},\left\{{\pi }_z\right\},n,k,\alpha$ )   2:       $M_{\mathrm{digits}}\leftarrow \mathrm{ConvertToBaseN}(M,n)$   3:       $K_{\mathrm{digits}}\leftarrow \mathrm{ConvertToBaseN}(K,n)$   4:       for $z=0$ to $2{log}_{2}n-1$ do   5:             if $z=0$ then   6:                   for $i=0$ to $k-1$ do   7:                         $y_i^{\prime \left(0\right)}\leftarrow L\left[k_i\right]\left[m_i\right]$   8:             else   9:                   for $i=0$ to $k-1$ do 10:                         $y_i^{\prime \left(z\right)}\leftarrow L\left[d_i^{\left(z\right)}\right]\left[y_i^{(z-1)}\right]$ 11:             $y_{\mathrm{binary}}^{\prime \left(z\right)}\leftarrow \mathrm{ConvertToBinary}(y_0^{\prime \left(z\right)},\dots ,y_{k-1}^{\prime \left(z\right)},\alpha )$ 12:             $y_{\mathrm{binary}}^{\left(z\right)}\leftarrow \mathrm{ApplyPermutation}(y_{\mathrm{binary}}^{\prime \left(z\right)},{\pi }_z)$ 13:             if $z\ne 2{log}_{2}n-1$ then 14:                   $y_0^{\left(z\right)},\dots ,y_{k-1}^{\left(z\right)}\leftarrow \mathrm{ConvertToBaseN}(y_{\mathrm{binary}}^{\left(z\right)},n)$ 15:       return $y_0^{(2{log}_{2}n-1)}\parallel \dots \parallel y_{k-1}^{(2{log}_{2}n-1)}$

Algorithm 6 RM Encoding Subroutine

1: procedure RMEncode( $Y_i,G,{\rho }_i$ ) 2:     $c_i\leftarrow Y_i·G$ 3:     $c_i\leftarrow \mathrm{ApplyPermutation}(c_i,{\rho }_i)$ 4:     return $c_i$

3.2.3. Decryption

The decryption process, formalized in Algorithm 7, recovers the original message M from the ciphertext C using the secret key $(G,K,L,{\{I_{r_z},I_{c_z}\}}_{z=0,\dots ,{log}_{2}n-1})$, inverse permutations $\{{\pi }_z^{-1},{\rho }_z^{-1}\}$, key schedules $\left\{D_{\mathrm{digits}}^{\left(z\right)}\right\}$, and a conjugate Latin square $L^{\left(23\right)}$.

It relies on subroutines for multi-round mapping (Algorithm 8) and RM decoding (Algorithm 9).

The process involves splitting the ciphertext, decoding RM codewords, correcting errors, and reversing the multi-round mapping to retrieve the message.

1.

The decryption process proceeds as follows:

• Ciphertext Splitting: Divide the ciphertext C of length ${log}_{2}n·n$ into ${log}_{2}n$ portions $\{C_0,\dots ,C_{{log}_{2}n-1}\}$, where each $C_i$ is an n-bit vector representing an encoded, permuted, and error-corrupted portion of the intermediate message.
• RM Decoding: For each portion $C_i$, $i=0,\dots ,{log}_{2}n-1$, apply Algorithm 9:

  −

  Compute the inversely permuted vector $r_i=\mathrm{ApplyPermutation}(C_i,{\rho }_i^{-1})$, where $C_i={(Y_i·G)}^{{\rho }_i}+e_i$, $Y_i$ is a k-bit portion of the intermediate message, G is the RM generator matrix, and $e_i$ is an error vector with weight at most t.

  −

  Decode $r_i$ using the $RM(n,k,d)$ decoding algorithm to correct up to $t=\lfloor (d-1)/2\rfloor$ errors, yielding the k-bit portion $Y_i$.

• Reconstructing Intermediate Message: Concatenate the decoded portions to form the intermediate message:

  $$Y=Y_0\parallel Y_1\parallel \cdots \parallel Y_{{log}_{2}n-1},$$

  where Y is an $\alpha =k{log}_{2}n$-bit binary vector.
• Inverse Multi-Round Mapping: Apply Algorithm 8 to reverse the $2{log}_{2}n$ rounds of mapping:

  −

  Initialize $y_{\mathrm{binary}}^{\left(2{log}_{2}n\right)}=Y$.

  −

  For rounds $z=2{log}_{2}n-1$ down to 0:

  ∗

  If $z\ne 2{log}_{2}n-1$, convert $\{y_0^{(z+1)},\dots ,y_{k-1}^{(z+1)}\}$ to an $\alpha$-bit binary vector $y_{\mathrm{binary}}^{(z+1)}$.

  ∗

  Apply the inverse permutation ${\pi }_z^{-1}$ to $y_{\mathrm{binary}}^{(z+1)}$ to obtain $y_{\mathrm{binary}}^{\prime \left(z\right)}$.

  ∗

  Convert $y_{\mathrm{binary}}^{\prime \left(z\right)}$ to base-n digits $\{y_0^{\prime \left(z\right)},\dots ,y_{k-1}^{\prime \left(z\right)}\}$.

  ∗

  For $i=0,\dots ,k-1$, compute $y_i^{\left(z\right)}=L^{\left(23\right)}\left[y_i^{\prime \left(z\right)}\right]\left[d_i^{\left(z\right)}\right]$, where $L^{\left(23\right)}$ is the conjugate Latin square, and $d_i^{\left(z\right)}$ is from the key schedule $D_{\mathrm{digits}}^{\left(z\right)}$.

  ∗

  For $z=0$, use $d_i^{\left(0\right)}=k_i$ from $K_{\mathrm{digits}}$.

  −

  Output $M=\mathrm{ConvertToBinary}(y_0^{\left(0\right)},\dots ,y_{k-1}^{\left(0\right)},\alpha )$, the original $\alpha$-bit message.

The resulting message M has length $\alpha =k{log}_{2}n$.

Algorithm 7 Decryption Algorithm

Require: Ciphertext C of length ${log}_{2}n\times n$, secret key $(G,K,L,{\{I_{r_z},I_{c_z}\}}_{z=0,\dots ,{log}_{2}n-1})$, permutations $\{{\pi }_z^{-1},{\rho }_z^{-1}\}$, key digits $\left\{D_{\mathrm{digits}}^{\left(z\right)}\right\}$, conjugate $L^{\left(23\right)}$ Ensure: Message M of length $\alpha$ 1: $\{C_0,\dots ,C_{{log}_{2}n-1}\}\leftarrow \mathrm{Split}(C,{log}_{2}n,n)$ 2: for $i=0$ to ${log}_{2}n-1$ do 3:       $Y_i\leftarrow$RMDecode$(C_i,G,{\rho }_i^{-1})$ 4: $Y\leftarrow Y_0\parallel \cdots \parallel Y_{{log}_{2}n-1}$ 5: $M\leftarrow$InverseMultiRoundMapping$(Y,K,L^{\left(23\right)},\left\{D_{\mathrm{digits}}^{\left(z\right)}\right\},\left\{{\pi }_z^{-1}\right\},n,k,\alpha )$ 6: return  M

Algorithm 8 Inverse Multi-Round Mapping Subroutine

1: procedure InverseMultiRoundMapping( $Y,K,L^{\left(23\right)},\left\{D_{\mathrm{digits}}^{\left(z\right)}\right\},\left\{{\pi }_z^{-1}\right\},n,k,\alpha$ )   2:       $y_{\mathrm{binary}}^{\left(2{log}_{2}n\right)}\leftarrow Y$   3:       for $z=2{log}_{2}n-1$ downto 0 do   4:             if $z\ne 2{log}_{2}n-1$ then   5:                  $y_{\mathrm{binary}}^{(z+1)}\leftarrow \mathrm{ConvertToBinary}(y_0^{(z+1)},\dots ,y_{k-1}^{(z+1)},\alpha )$   6:             $y_{\mathrm{binary}}^{\prime \left(z\right)}\leftarrow \mathrm{ApplyPermutation}(y_{\mathrm{binary}}^{(z+1)},{\pi }_z^{-1})$   7:             $y_0^{\prime \left(z\right)},\dots ,y_{k-1}^{\prime \left(z\right)}\leftarrow \mathrm{ConvertToBaseN}(y_{\mathrm{binary}}^{\prime \left(z\right)},n)$   8:             for $i=0$ to $k-1$ do   9:                  $y_i^{\left(z\right)}\leftarrow L^{\left(23\right)}\left[y_i^{\prime \left(z\right)}\right]\left[d_i^{\left(z\right)}\right]$ 10:       return $\mathrm{ConvertToBinary}(y_0^{\left(0\right)},\dots ,y_{k-1}^{\left(0\right)},\alpha )$

Algorithm 9 RM Decoding Subroutine

1: procedure RMDecode( $C_i,G,{\rho }_i^{-1}$ ) 2:      $r_i\leftarrow \mathrm{ApplyPermutation}(C_i,{\rho }_i^{-1})$ 3:      $Y_i\leftarrow \mathrm{RMDecode}(r_i,G)$ 4:      return $Y_i$

3.2.4. Generation of Latin Squares

There are numerous ways to generate Latin squares in the literature which aim to rapidly generate in an efficient and clear way the entire set of Latin squares of order n or a proper set of Latin squares of order n for practical use [31]. These methods rely on several concepts such as simple product of quasigroups, generation using linear mapping, and generation using keyed permutation, etc. [45]. Since we want to generate a single Latin square for both sides, we will use a simple method to achieve that by means of a non-linear mapping [45].

Both parties to the connection produce two random permutations, f and g, and each permutation is then stored in a one-dimensional array with a size equal to the permutation. To generate the $(i,j)$-th element of the Latin square, add the i-th element of the first permutation to the j-th element of the second permutation. Then, apply the modulus operation with respect to the size of the Latin square to be generated to the addition of the i-th element of the first permutation and the j-th element of the second permutation.

Example 3.

Let $A={\mathbb{Z}}_n=\{0,1,\dots ,n-1\}$ and let the group operation be addition modulo n. Then, we can create a quasigroup $(Q,+)$ from $({\mathbb{Z}}_n,+)$ by supposing $f\left(x\right)$ and $g\left(x\right)$ (Table 2) and defining $h(x,y)=\left(f\right(x)+g(y\left)\right)modn$.

To generate a Latin square of order 4, first, we will generate two random permutations f and g and then apply $h(x,y)=\left(f\right(x)+g(y\left)\right)mod4$ for x and y ranging from 0 to 3.

Table 2. Defining two permutations f and g.

x	0	1	2	3
f(x)	1	3	0	2
g(x)	2	3	1	0

Table 2. Defining two permutations f and g.

x	0	1	2	3
f(x)	1	3	0	2
g(x)	2	3	1	0

Then, the quasigroup $(Q,+)$ created from f and g by supposing $h(x,y)=\left(f\right(x)+g(y\left)\right)modn$ is shown in Table 3.

Table 3. The quasigroup $(Q,+)$ created from two permutations f and g.

+	0	1	2	3
0	3	0	2	1
1	1	2	0	3
2	2	3	1	0
3	0	1	3	2

Table 3. The quasigroup $(Q,+)$ created from two permutations f and g.

+	0	1	2	3
0	3	0	2	1
1	1	2	0	3
2	2	3	1	0
3	0	1	3	2

The main advantage of using this method is that $(Q,+)$ is not associative because $h(0,h(2,3\left)\right)=h(0,0)=3$ and $h\left(h\right(0,2),3)=h(2,3)=0$, and not commutative because $h(2,3)=0$ and $h(3,2)=3$. Because there are no inverses or identity elements, the rows are independent, meaning that no one can guess the entire Latin square by figuring out any one row [45].

4. Experimental Results

To validate the proposed symmetric cryptographic scheme, we conducted a numeric experiment using a Latin square of order $n=8$ and the Reed-Muller code $RM(8,4,4)$, with ${log}_{2}n=3$, resulting in $2{log}_{2}n=6$ rounds. The goal is to demonstrate secure encryption using $2{log}_{2}n$ rounds of Latin square transformations with row-column swapping in the additional ${log}_{2}n$ rounds and $\alpha$-bit permutations ${\pi }_z$, and reliable message recovery leveraging the error-correcting properties of $RM(8,4,4)$ despite transmission errors. This section details the environment, setup, processes, and results.

4.1. Experimental Environment

The experiment was performed on:

• System Model: HP ProBook 450 15.6-inch G10 Notebook PC (HP Inc., Palo Alto, CA, USA);
• Processor: 13th Gen Intel(R) Core(TM) i5-1335U (12 CPUs), up to 1.3 GHz;
• Memory: 16,384 MB RAM (16 GB).

Execution times were measured on this hardware, implemented in Python 3.12, and reflect performance under these conditions. Variations in system specifications may affect timings.

The experiment used a CipherSystem class in Python, handling Latin square mappings, permutation generation, Reed-Muller encoding/decoding, and error correction. Key functions include multi_round_mapping, inverse_multi_round_mapping, rm_encode, and rm_decode. Source code is available in the Supplementary Material.

4.2. Experimental Setup

The experiment uses:

• Parameters: $n=8$, ${log}_{2}8=3$, $k=4$, $\alpha =12$ bits.
• Latin Square L:

  $$L=\left[\begin{array}{cccccccc}2& 4& 7& 0& 6& 1& 5& 3\\ 3& 2& 4& 7& 0& 6& 1& 5\\ 5& 3& 2& 4& 7& 0& 6& 1\\ 1& 5& 3& 2& 4& 7& 0& 6\\ 6& 1& 5& 3& 2& 4& 7& 0\\ 0& 6& 1& 5& 3& 2& 4& 7\\ 7& 0& 6& 1& 5& 3& 2& 4\\ 4& 7& 0& 6& 1& 5& 3& 2\end{array}\right]$$
• Generator Matrix G: For $RM(8,4,4)$:

  $$G=\left[\begin{array}{cccccccc}1& 1& 1& 1& 1& 1& 1& 1\\ 0& 0& 0& 0& 1& 1& 1& 1\\ 0& 0& 1& 1& 0& 0& 1& 1\\ 0& 1& 0& 1& 0& 1& 0& 1\end{array}\right]$$
• Message: $M=101100110010$ ($[5,4,6,2]$).
• Key: $K=011010110000$ ($[3,2,6,0]$).
• Subsets: For $z=0,1,2$:

  −

  $I_{r_0}=\{0,1,3,4,7\},I_{c_0}=\{2,3,5\}$

  −

  $I_{r_1}=\{1,2,5,6,7\},I_{c_1}=\{0,2,4,6\}$

  −

  $I_{r_2}=\{2,3,4\},I_{c_2}=\{1,5\}$

• Error Vectors:

  $$e_0=[0,0,0,0,1,0,0,0],e_1=[0,0,0,0,0,0,0,1],e_2=[0,0,0,1,0,0,0,0]$$

4.3. Key Generation

• Select a 12-bit key $K=011010110000$.
• Compute 8-bit permutations ${\rho }_z$, where for even $z=0,2,4$, ${\rho }_z={\prod }_{i\in I_{r_k}}{\sigma }_i{\prod }_{j\in I_{c_k}}{\tau }_j$, and for odd $z=1,3,5$, ${\rho }_z={\prod }_{j\in I_{c_k}}{\tau }_j{\prod }_{i\in I_{r_k}}{\sigma }_i$, with $k=\lfloor z/2\rfloor$, and ${\sigma }_i$, ${\tau }_j$ are row and column permutations of L:

  −

  ${\rho }_0=[6,2,5,0,4,1,3,7]$ (from $I_{r_0}=\{0,1,3,4,7\},I_{c_0}=\{2,3,5\}$)

  −

  ${\rho }_1=[7,6,5,0,4,1,3,2]$ (from swapped $I_{c_0},I_{r_0}$)

  −

  ${\rho }_2=[0,4,6,5,7,3,1,2]$ (from $I_{r_1}=\{1,2,5,6,7\},I_{c_1}=\{0,2,4,6\}$)

  −

  ${\rho }_3=[4,2,1,5,6,0,7,3]$ (from swapped $I_{c_1},I_{r_1}$)

  −

  ${\rho }_4=[4,0,5,3,2,1,7,6]$ (from $I_{r_2}=\{2,3,4\},I_{c_2}=\{1,5\}$)

  −

  ${\rho }_5=[2,6,5,7,4,1,3,0]$ (from swapped $I_{c_2},I_{r_2}$)

• Extend ${\rho }_z$ to 12-bit round permutations ${\pi }_z$, using a key-dependent transformation with non-linear operations:

  −

  ${\pi }_0=[0,2,3,4,5,6,7,11,1,8,9,10]$

  −

  ${\pi }_1=[0,1,3,5,8,9,10,2,4,6,7,11]$

  −

  ${\pi }_2=[0,2,4,6,9,10,11,1,5,3,7,8]$

  −

  ${\pi }_3=[0,1,4,5,6,7,8,10,11,2,3,9]$

  −

  ${\pi }_4=[2,6,7,8,10,11,5,0,1,3,4,9]$

  −

  ${\pi }_5=[0,3,7,9,11,2,5,6,1,4,8,10]$

• Compute key schedule:

  −

  Round 0: $D_{\mathrm{digits}}^{\left(0\right)}=K_{\mathrm{digits}}=[3,2,6,0]$.

  −

  Round 1: $D_{\mathrm{digits}}^{\left(1\right)}=[L\left[k_i\right]\left[k_{(i+1)mod4}\right]\mid i=0,\dots ,3]=[3,6,7,0]$.

  −

  Round 2: $D_{\mathrm{digits}}^{\left(2\right)}=[L\left[d_i^{\left(1\right)}\right]\left[d_i^{\left(0\right)}\right]\mid i=0,\dots ,3]=[2,6,3,2]$.

  −

  Round 3: $D_{\mathrm{digits}}^{\left(3\right)}=[L\left[d_i^{\left(2\right)}\right]\left[d_i^{\left(1\right)}\right]\mid i=0,\dots ,3]=[4,2,6,5]$.

  −

  Round 4: $D_{\mathrm{digits}}^{\left(4\right)}=[L\left[d_i^{\left(3\right)}\right]\left[d_i^{\left(2\right)}\right]\mid i=0,\dots ,3]=[5,6,1,1]$.

  −

  Round 5: $D_{\mathrm{digits}}^{\left(5\right)}=[L\left[d_i^{\left(4\right)}\right]\left[d_i^{\left(3\right)}\right]\mid i=0,\dots ,3]=[3,6,1,6]$.

Secret key: $(G,K,L,{\{I_{r_z},I_{c_z}\}}_{z=0,1,2})$.

4.4. Encryption Process

For $M=101100110010$:

1.

Base-8 Conversion:

$$M=[5,4,6,2],K=[3,2,6,0]$$

2.

Round 0 Encryption:

• $D_{\mathrm{digits}}^{\left(0\right)}=[3,2,6,0]$.
• $y_i^{\prime \left(0\right)}=L\left[k_i\right]\left[m_i\right]$:

  $$y_0^{\prime \left(0\right)}=L\left[3\right]\left[5\right]=7,y_1^{\prime \left(0\right)}=L\left[2\right]\left[4\right]=7,y_2^{\prime \left(0\right)}=L\left[6\right]\left[6\right]=2,y_3^{\prime \left(0\right)}=L\left[0\right]\left[2\right]=7$$
• $y^{\prime \left(0\right)}=[7,7,2,7]\to 111111010111$.
• Apply ${\pi }_0=[0,2,3,4,5,6,7,11,1,8,9,10]$: 111110111011.
• Base-8: $y^{\left(0\right)}=[7,6,7,3]$.

3.

Round 1 Encryption:

• $D_{\mathrm{digits}}^{\left(1\right)}=[3,6,7,0]$.
• $y_i^{\prime \left(1\right)}=L\left[d_i^{\left(1\right)}\right]\left[y_i^{\left(0\right)}\right]$:

  $$y_0^{\prime \left(1\right)}=L\left[3\right]\left[7\right]=6,y_1^{\prime \left(1\right)}=L\left[6\right]\left[6\right]=2,y_2^{\prime \left(1\right)}=L\left[7\right]\left[7\right]=2,y_3^{\prime \left(1\right)}=L\left[0\right]\left[3\right]=0$$
• $y^{\prime \left(1\right)}=[6,2,2,0]\to 110010010000$.
• Apply ${\pi }_1=[0,1,3,5,8,9,10,2,4,6,7,11]$: 110000001010.
• Base-8: $y^{\left(1\right)}=[6,0,1,2]$.

4.

Round 2 Encryption:

• $D_{\mathrm{digits}}^{\left(2\right)}=[2,6,3,2]$.
• $y_i^{\prime \left(2\right)}=L\left[d_i^{\left(2\right)}\right]\left[y_i^{\left(1\right)}\right]$:

  $$y_0^{\prime \left(2\right)}=L\left[2\right]\left[6\right]=6,y_1^{\prime \left(2\right)}=L\left[6\right]\left[0\right]=7,y_2^{\prime \left(2\right)}=L\left[3\right]\left[1\right]=5,y_3^{\prime \left(2\right)}=L\left[2\right]\left[2\right]=2$$
• $y^{\prime \left(2\right)}=[6,7,5,2]\to 110111101010$.
• Apply ${\pi }_2=[0,2,4,6,9,10,11,1,5,3,7,8]$: 101101101011.
• Base-8: $y^{\left(2\right)}=[5,5,3,5]$.

5.

Round 3 Encryption:

• $D_{\mathrm{digits}}^{\left(3\right)}=[4,2,6,5]$.
• $y_i^{\prime \left(3\right)}=L\left[d_i^{\left(3\right)}\right]\left[y_i^{\left(2\right)}\right]$:

  $$y_0^{\prime \left(3\right)}=L\left[4\right]\left[5\right]=4,y_1^{\prime \left(3\right)}=L\left[2\right]\left[5\right]=0,y_2^{\prime \left(3\right)}=L\left[6\right]\left[3\right]=1,y_3^{\prime \left(3\right)}=L\left[5\right]\left[5\right]=2$$
• $y^{\prime \left(3\right)}=[4,0,1,2]\to 100000001010$.
• Apply ${\pi }_3=[0,1,4,5,6,7,8,10,11,2,3,9]$: 100000110000.
• Base-8: $y^{\left(3\right)}=[4,0,6,0]$.

6.

Round 4 Encryption:

• $D_{\mathrm{digits}}^{\left(4\right)}=[5,6,1,1]$.
• $y_i^{\prime \left(4\right)}=L\left[d_i^{\left(4\right)}\right]\left[y_i^{\left(3\right)}\right]$:

  $$y_0^{\prime \left(4\right)}=L\left[5\right]\left[4\right]=3,y_1^{\prime \left(4\right)}=L\left[6\right]\left[0\right]=7,y_2^{\prime \left(4\right)}=L\left[1\right]\left[6\right]=1,y_3^{\prime \left(4\right)}=L\left[1\right]\left[0\right]=3$$
• $y^{\prime \left(4\right)}=[3,7,1,3]\to 011111001011$.
• Apply ${\pi }_4=[2,6,7,8,10,11,5,0,1,3,4,9]$: 100111110110.
• Base-8: $y^{\left(4\right)}=[4,7,5,6]$.

7.

Round 5 Encryption:

• $D_{\mathrm{digits}}^{\left(5\right)}=[3,6,1,6]$.
• $y_i^{\prime \left(5\right)}=L\left[d_i^{\left(5\right)}\right]\left[y_i^{\left(4\right)}\right]$:

  $$y_0^{\prime \left(5\right)}=L\left[3\right]\left[4\right]=4,y_1^{\prime \left(5\right)}=L\left[6\right]\left[7\right]=4,y_2^{\prime \left(5\right)}=L\left[1\right]\left[5\right]=6,y_3^{\prime \left(5\right)}=L\left[6\right]\left[6\right]=2$$
• $y^{\prime \left(5\right)}=[4,4,6,2]\to 100100110010$.
• Apply ${\pi }_5=[0,3,7,9,11,2,5,6,1,4,8,10]$: 111000010001.
• Base-8: $y^{\left(5\right)}=[7,0,2,1]$.

8.

Divide into Portions: $Y=111000010001\to Y_0=1110,Y_1=0001,Y_2=0001$.

9.

Encode with G:

$$c_0=[1,1,0,0,0,0,1,1],c_1=[0,1,0,1,0,1,0,1],c_2=[0,1,0,1,0,1,0,1]$$

10.

Apply Permutations:

$$c_0^{{\rho }_0}=[1,0,0,1,0,1,0,1],c_1^{{\rho }_1}=[1,0,1,0,0,1,1,0],c_2^{{\rho }_2}=[0,0,0,1,1,1,1,0]$$

11.

Add Errors:

$$C_0=[1,0,0,1,1,1,0,1],C_1=[1,0,1,0,0,1,1,1],C_2=[0,0,0,0,1,1,1,0]$$

12.

Ciphertext: $C=100111011010011100001110$.

4.5. Decryption Process

For $C=100111011010011100001110$:

1.

Reconstruct Permutations: Using the secret key $(G,K,L,{\{I_{r_z},I_{c_z}\}}_{z=0,1,2})$, compute the 12-bit round permutations ${\pi }_z$, their inverses ${\pi }_z^{-1}$, and the 8-bit codeword permutations ${\rho }_z$, their inverses ${\rho }_z^{-1}$:

• ${\rho }_0=[6,2,5,0,4,1,3,7]$, ${\rho }_0^{-1}=[3,5,1,6,4,2,0,7]$
• ${\rho }_1=[7,6,5,0,4,1,3,2]$, ${\rho }_1^{-1}=[3,5,7,6,4,2,1,0]$
• ${\rho }_2=[0,4,6,5,7,3,1,2]$, ${\rho }_2^{-1}=[0,6,7,5,1,3,2,4]$
• ${\rho }_3=[4,2,1,5,6,0,7,3]$, ${\rho }_3^{-1}=[5,2,1,7,0,3,4,6]$
• ${\rho }_4=[4,0,5,3,2,1,7,6]$, ${\rho }_4^{-1}=[1,5,4,3,0,2,7,6]$
• ${\rho }_5=[2,6,5,7,4,1,3,0]$, ${\rho }_5^{-1}=[7,5,0,6,4,2,1,3]$
• ${\pi }_0=[0,2,3,4,5,6,7,11,1,8,9,10]$, ${\pi }_0^{-1}=[0,8,1,2,3,4,5,6,9,10,11,7]$
• ${\pi }_1=[0,1,3,5,8,9,10,2,4,6,7,11]$, ${\pi }_1^{-1}=[0,1,7,2,8,3,9,10,4,5,6,11]$
• ${\pi }_2=[0,2,4,6,9,10,11,1,5,3,7,8]$, ${\pi }_2^{-1}=[0,7,1,9,2,8,3,10,11,4,5,6]$
• ${\pi }_3=[0,1,4,5,6,7,8,10,11,2,3,9]$, ${\pi }_3^{-1}=[0,1,9,10,2,3,4,5,6,11,7,8]$
• ${\pi }_4=[2,6,7,8,10,11,5,0,1,3,4,9]$, ${\pi }_4^{-1}=[7,8,0,9,10,6,1,2,3,11,4,5]$
• ${\pi }_5=[0,3,7,9,11,2,5,6,1,4,8,10]$, ${\pi }_5^{-1}=[0,8,5,1,9,6,7,2,10,3,11,4]$

2.

Split Ciphertext: Divide into $C_0,C_1,C_2$, each 8 bits:

$$C_0=[1,0,0,1,1,1,0,1],C_1=[1,0,1,0,0,1,1,1],C_2=[0,0,0,0,1,1,1,0]$$

3.

Apply Inverse Permutations and Decode:

• $r_0=C_0^{{\rho }_0^{-1}}=[1,1,0,0,1,0,1,1]\to Y_0=[1,1,1,0]$.
• $r_1=C_1^{{\rho }_1^{-1}}=[0,1,1,1,0,1,0,1]\to Y_1=[0,0,0,1]$.
• $r_2=C_2^{{\rho }_2^{-1}}=[0,1,0,1,0,0,0,1]\to Y_2=[0,0,0,1]$.

4.

Reconstruct Y: $Y=111000010001$.

5.

Round 5 Decryption:

• Apply ${\pi }_5^{-1}$: $111000010001\to 100100110010\to [4,4,6,2]$.
• Inverse mapping: $y_i^{\left(5\right)}=L^{\left(23\right)}\left[y_i^{\prime \left(5\right)}\right]\left[d_i^{\left(5\right)}\right]$:

  $$y_0^{\left(5\right)}=L^{\left(23\right)}\left[4\right]\left[3\right]=4,y_1^{\left(5\right)}=L^{\left(23\right)}\left[4\right]\left[6\right]=7$$

  $$y_2^{\left(5\right)}=L^{\left(23\right)}\left[6\right]\left[1\right]=5,y_3^{\left(5\right)}=L^{\left(23\right)}\left[2\right]\left[6\right]=6$$
• $y^{\left(5\right)}=[4,7,5,6]$.

6.

Round 4 Decryption:

• $y_{\mathrm{binary}}^{\left(5\right)}=100111110110$.
• Apply ${\pi }_4^{-1}$: $011111001011\to [3,7,1,3]$.
• Inverse mapping: $y_i^{\left(4\right)}=L^{\left(23\right)}\left[y_i^{\prime \left(4\right)}\right]\left[d_i^{\left(4\right)}\right]$:

  $$y_0^{\left(4\right)}=L^{\left(23\right)}\left[3\right]\left[5\right]=4,y_1^{\left(4\right)}=L^{\left(23\right)}\left[7\right]\left[6\right]=0$$

  $$y_2^{\left(4\right)}=L^{\left(23\right)}\left[1\right]\left[1\right]=6,y_3^{\left(4\right)}=L^{\left(23\right)}\left[3\right]\left[1\right]=0$$
• $y^{\left(4\right)}=[4,0,6,0]$.

7.

Round 3 Decryption:

• $y_{\mathrm{binary}}^{\left(4\right)}=100000110000$.
• Apply ${\pi }_3^{-1}$: $100000001010\to [4,0,1,2]$.
• Inverse mapping: $y_i^{\left(3\right)}=L^{\left(23\right)}\left[y_i^{\prime \left(3\right)}\right]\left[d_i^{\left(3\right)}\right]$:

  $$y_0^{\left(3\right)}=L^{\left(23\right)}\left[4\right]\left[4\right]=5,y_1^{\left(3\right)}=L^{\left(23\right)}\left[0\right]\left[2\right]=5$$

  $$y_2^{\left(3\right)}=L^{\left(23\right)}\left[1\right]\left[6\right]=3,y_3^{\left(3\right)}=L^{\left(23\right)}\left[2\right]\left[5\right]=5$$
• $y^{\left(3\right)}=[5,5,3,5]$.

8.

Round 2 Decryption:

• $y_{\mathrm{binary}}^{\left(3\right)}=101101101011$.
• Apply ${\pi }_2^{-1}$: $110111101010\to [6,7,5,2]$.
• Inverse mapping: $y_i^{\left(2\right)}=L^{\left(23\right)}\left[y_i^{\prime \left(2\right)}\right]\left[d_i^{\left(2\right)}\right]$:

  $$y_0^{\left(2\right)}=L^{\left(23\right)}\left[6\right]\left[2\right]=6,y_1^{\left(2\right)}=L^{\left(23\right)}\left[7\right]\left[6\right]=0$$

  $$y_2^{\left(2\right)}=L^{\left(23\right)}\left[5\right]\left[3\right]=1,y_3^{\left(2\right)}=L^{\left(23\right)}\left[2\right]\left[2\right]=2$$
• $y^{\left(2\right)}=[6,0,1,2]$.

9.

Round 1 Decryption:

• $y_{\mathrm{binary}}^{\left(2\right)}=110000001010$.
• Apply ${\pi }_1^{-1}$: $110010010000\to [6,2,2,0]$.
• Inverse mapping: $y_i^{\left(1\right)}=L^{\left(23\right)}\left[y_i^{\prime \left(1\right)}\right]\left[d_i^{\left(1\right)}\right]$:

  $$y_0^{\left(1\right)}=L^{\left(23\right)}\left[6\right]\left[3\right]=7,y_1^{\left(1\right)}=L^{\left(23\right)}\left[2\right]\left[6\right]=6$$

  $$y_2^{\left(1\right)}=L^{\left(23\right)}\left[2\right]\left[7\right]=7,y_3^{\left(1\right)}=L^{\left(23\right)}\left[0\right]\left[0\right]=3$$
• $y^{\left(1\right)}=[7,6,7,3]$.

10.

Round 0 Decryption:

• $y_{\mathrm{binary}}^{\left(1\right)}=111110111011$.
• Apply ${\pi }_0^{-1}$: $111111010111\to [7,7,2,7]$.
• Inverse mapping: $y_i^{\left(0\right)}=L^{\left(23\right)}\left[y_i^{\prime \left(0\right)}\right]\left[d_i^{\left(0\right)}\right]$:

  $$y_0^{\left(0\right)}=L^{\left(23\right)}\left[7\right]\left[3\right]=5,y_1^{\left(0\right)}=L^{\left(23\right)}\left[7\right]\left[2\right]=4$$

  $$y_2^{\left(0\right)}=L^{\left(23\right)}\left[2\right]\left[6\right]=6,y_3^{\left(0\right)}=L^{\left(23\right)}\left[7\right]\left[0\right]=2$$
• $y^{\left(0\right)}=[5,4,6,2]\to 101100110010$.

4.6. Results

• Original Message: $M=101100110010$;
• Ciphertext: $C=100111011010011100001110$;
• Decrypted Message: 101100110010, and it matches the original;
• Outcome: Successfully encrypted and decrypted, correcting single-bit errors using $RM(8,4,4)$.

4.7. Avalanche Effect and Differential Analysis

To evaluate the diffusion properties and resistance against differential cryptanalysis for practical parameter sets, we conducted avalanche effect and differential pattern consistency tests. These tests align with configurations used in the performance analysis:

• $RM(16,15,2)$: $n=16,k=15,d=2$ (Input: 60-bit, Output: 64-bit)
• $RM(32,16,8)$: $n=32,k=16,d=8$ (Input: 80-bit, Output: 160-bit)
• $RM(32,26,4)$: $n=32,k=26,d=4$ (Input: 130-bit, Output: 160-bit)

For each configuration, 100 random messages were used, and every possible single input bit flip was performed using our implementation.

4.7.1. Avalanche Effect Analysis

The avalanche effect measures how a single input bit flip impacts the output bits. Ideally, approximately 50% of the output bits should change. We measured the average Hamming Distance (HD) between the original and modified ciphertexts for each input bit flip, as well as the distribution of these changes across the ${log}_{2}n$ output portions corresponding to the RM codewords. The results are summarized in Table 4.

The results demonstrate consistently strong diffusion properties across all tested parameter sets incorporating different $RM(n,k,d)$ codes.

• Overall Avalanche: The average change across all input bits is remarkably close to the ideal 50% for all configurations ($RM(16,15,2)$, $RM(32,16,8)$, and $RM(32,26,4)$). This indicates excellent overall diffusion regardless of the specific code parameters.
• Consistency: The range between the minimum and maximum average avalanche percentages observed for individual input bit flips remains reasonably tight across all sets, suggesting good uniformity in diffusion behavior across different input bit positions.
• Distribution: The analysis of flip distribution across the ${log}_{2}n$ output sections shows near-perfect uniformity for all configurations. The average percentage of flips landing in each section consistently matches the ideal ($100/{log}_{2}n$%), indicating that the diffusion mechanism effectively spreads changes evenly throughout the entire ciphertext block, irrespective of the specific $RM(n,k,d)$ used.
• SAC: The Strict Avalanche Criterion is met in 14–24% of individual flips. While not approaching 100%, the excellent average avalanche and uniform distribution are more indicative of strong practical diffusion.

Table 4. Avalanche Effect Summary for Different Parameter Sets (Avg. over 100 messages).

Metric	$\mathbf{RM}(16,15,2)$	$\mathbf{RM}(32,16,8)$	$\mathbf{RM}(32,26,4)$
	(In: 60b, Out: 64b)	(In: 80b, Out: 160b)	(In: 130b, Out: 160b)
Overall Avg. Avalanche	49.75%	50.00%	50.06%
(Ideal: 50%)	(Avg. HD: 31.84)	(Avg. HD: 80.00)	(Avg. HD: 80.10)
Min Avg. Avalanche	42.81%	45.75%	47.13%
(per input bit)	(Bit 21)	(Bit 71)	(Bit 67)
Max Avg. Avalanche	53.44%	52.75%	54.12%
(per input bit)	(Bit 0, 36)	(Bit 31, 36)	(Bit 27)
SAC Met (%) *	21.17%	23.62%	14.15%
	(127/600 flips)	(189/800 flips)	(184/1300 flips)
Output Sections (${log}_{2}n$)	4	5	5
Ideal Flip Distr. (%)	25.0%	20.0%	20.0%
Observed Avg. Distr. (%)	[24.9, 25.2, 24.8, 25.1]	[20.1, 20.0, 20.0, 19.8, 20.0]	[19.9, 20.1, 20.1, 20.0, 19.9]

* SAC: Strict Avalanche Criterion (% of flips with exactly 50% output change).

Table 4. Avalanche Effect Summary for Different Parameter Sets (Avg. over 100 messages).

Metric	$\mathbf{RM}(16,15,2)$	$\mathbf{RM}(32,16,8)$	$\mathbf{RM}(32,26,4)$
	(In: 60b, Out: 64b)	(In: 80b, Out: 160b)	(In: 130b, Out: 160b)
Overall Avg. Avalanche	49.75%	50.00%	50.06%
(Ideal: 50%)	(Avg. HD: 31.84)	(Avg. HD: 80.00)	(Avg. HD: 80.10)
Min Avg. Avalanche	42.81%	45.75%	47.13%
(per input bit)	(Bit 21)	(Bit 71)	(Bit 67)
Max Avg. Avalanche	53.44%	52.75%	54.12%
(per input bit)	(Bit 0, 36)	(Bit 31, 36)	(Bit 27)
SAC Met (%) *	21.17%	23.62%	14.15%
	(127/600 flips)	(189/800 flips)	(184/1300 flips)
Output Sections (${log}_{2}n$)	4	5	5
Ideal Flip Distr. (%)	25.0%	20.0%	20.0%
Observed Avg. Distr. (%)	[24.9, 25.2, 24.8, 25.1]	[20.1, 20.0, 20.0, 19.8, 20.0]	[19.9, 20.1, 20.1, 20.0, 19.9]

* SAC: Strict Avalanche Criterion (% of flips with exactly 50% output change).

4.7.2. Differential Pattern Consistency Analysis

We tested for consistent input/output differential characteristics by flipping each input bit for 100 random messages and observing the resulting output XOR patterns ($\Delta C$).

For all three parameter sets tested ($RM(16,15,2)$; $RM(32,16,8)$; and $RM(32,26,4)$), the results were optimal:

Found common differential patterns for 0 / $\alpha$ input bit flips across 100 messages.

This indicates that for every single input bit flip tested, the specific pattern of output bit changes varied depending on the message being encrypted. No consistent input/output differential characteristic was detected in these empirical tests for any configuration. This provides strong evidence suggesting resistance against simple first-order differential attacks across different scales and configurations of the cipher.

4.7.3. Implications

These comprehensive results, obtained using practical parameters and NumPy optimizations, significantly strengthen the security claims. The cipher consistently exhibits excellent average diffusion, near-perfect distribution of changes across the output block, and empirical resistance to consistent differential patterns across different $RM(n,k,d)$ configurations. This suggests the core design principles—including $2{log}_{2}n$ SPN rounds with row/column swapping, key-dependent permutations, and the overlapping structure—effectively provide robust confusion and diffusion properties that scale well with the chosen parameters.

4.8. Performance and Comparison

To quantify the computational overhead and scalability of our scheme, we conducted a comprehensive performance analysis. This analysis addresses the reviewer’s request by benchmarking our scheme against its own “SPN-only” baseline (with RM codes removed), the Advanced Encryption Standard (AES-128), and the lightweight cipher PRESENT-128.

We benchmarked two parameter sets for our scheme on the hardware specified in Section 4.1. The results, averaged over 100 runs, are presented in Table 5. We measured three metrics for our scheme:

• SPN-Only (Baseline): The core SPN operation, representing the performance without the error-correction layer.
• Full Scheme (Single Node): The total time for the entire serial process, including the SPN and all RM encoding/decoding operations.
• Full Scheme (Parallel Est.): The theoretical time in a distributed environment, calculated as the SPN time plus the time of the slowest parallel RM-encoding/decoding node observed during the runs.

Overhead of RM Codes: The “SPN-Only” baseline clearly quantifies the cost of the resilience feature. For the 130-bit scheme, adding RM codes introduces a substantial 9.5× overhead for encryption (1.383 ms vs 0.146 ms) and a very significant 69.2× overhead for decryption (10.859 ms vs 0.157 ms). This stark difference underscores that the RM decoding, likely the majority-logic algorithm used, is the primary performance bottleneck, representing the explicit trade-off for error correction and fault-attack resilience absent in AES and PRESENT.

Comparison to PRESENT: The SPN baseline demonstrates excellent performance. Both the 60-bit (0.094 ms) and 130-bit (0.146 ms) baseline encryptions are faster than PRESENT encryption (0.233 ms), showcasing the efficiency of the core SPN structure when implemented with NumPy.

Parallelization Advantage: The “Parallel Est.” results confirm the critical importance of the distributed design. For the 130-bit scheme, parallelization dramatically reduces the decryption time from 10.859 ms to 2.412 ms, achieving a 77.8% speedup. For the 60-bit scheme, the decryption speedup is 70.2% (from 2.048 ms to 0.610 ms). Even encryption benefits significantly, with the 130-bit parallel estimate (0.409 ms) being 70.4% faster than the single-node full scheme. This proves that the parallel architecture effectively mitigates the RM processing overhead, particularly for decryption, making the scheme viable for multi-core or distributed systems.

Comparison to AES: AES remains orders of magnitude faster due to optimized libraries and hardware support, serving as a performance ceiling. Our scheme focuses on resilience, a feature AES lacks natively.

Table 5. Comprehensive Performance Comparison (Average time in ms).

Cipher/Scheme	Block Size/Key Size (bits)	Encryption (ms)	Decryption (ms)
Proposed $RM(32,26,4)$ *	130/130
SPN-Only (Baseline)		0.146	0.157
Full Scheme (Single Node)		1.383	10.859
Full Scheme (Parallel Est.)		0.409	2.412
Proposed $RM(16,15,2)$ *	60/60
SPN-Only (Baseline)		0.094	0.105
Full Scheme (Single Node)		0.432	2.048
Full Scheme (Parallel Est.)		0.177	0.610
Standard Ciphers
PRESENT-128	64/128	0.233	0.224
AES-128 (ECB)	128/128	0.008	0.002
AES-128 (CBC)	128/128	0.003	0.002
AES-128 (CTR)	128/128	0.003	0.002

* Benchmarks for the proposed scheme are from a Python prototype using NumPy 2.3. Standard cipher results may reflect library optimizations or hardware acceleration.

Table 5. Comprehensive Performance Comparison (Average time in ms).

Cipher/Scheme	Block Size/Key Size (bits)	Encryption (ms)	Decryption (ms)
Proposed $RM(32,26,4)$ *	130/130
SPN-Only (Baseline)		0.146	0.157
Full Scheme (Single Node)		1.383	10.859
Full Scheme (Parallel Est.)		0.409	2.412
Proposed $RM(16,15,2)$ *	60/60
SPN-Only (Baseline)		0.094	0.105
Full Scheme (Single Node)		0.432	2.048
Full Scheme (Parallel Est.)		0.177	0.610
Standard Ciphers
PRESENT-128	64/128	0.233	0.224
AES-128 (ECB)	128/128	0.008	0.002
AES-128 (CBC)	128/128	0.003	0.002
AES-128 (CTR)	128/128	0.003	0.002

* Benchmarks for the proposed scheme are from a Python prototype using NumPy 2.3. Standard cipher results may reflect library optimizations or hardware acceleration.

5. Security Analysis

The proposed cryptographic scheme achieves robust security by integrating Latin square transformations, permutations, and Reed-Muller (RM) codes. This section analyzes the scheme’s security primitives using general parameters: Latin square order $n=2^m$, RM code length n, dimension k, minimum distance d, and error-correcting capability $t=\lfloor (d-1)/2\rfloor$. The total message/key length is $\alpha =k·{log}_{2}n$. We evaluate the key space, resistance to common cryptanalytic attacks, and the impact of parameter variation, supported by the empirical results presented in Section 4.

5.1. Key Space and Components

The security of the proposed cryptographic scheme relies on the size and complexity of its secret key, which directly influences the final ciphertext C. The secret key consists of the binary key K, the Latin square L, the generator matrix G of the Reed-Muller code $RM(r,m)$, and distinct subsets ${\{I_{r_z},I_{c_z}\}}_{z=0,\dots ,{log}_{2}n-1}$ used to generate permutations ${\rho }_z$. The ciphertext C is produced through multi-round Latin square transformations over $2{log}_{2}n$ rounds with row-column swapping, ${\pi }_z$ permutations derived from ${\rho }_z$ and the key schedule, RM encoding with G, application of ${\rho }_z$, and potential addition of $e_z$. Each key component contributes to the key space, making brute-force attacks computationally infeasible. Below, we analyze each component’s contribution to the key space.

- Binary Key K: The key K is a binary string of length $\alpha =k·{log}_{2}n$, where $n=2^m$, $k={\sum }_{i=0}^r\left({\displaystyle \genfrac{}{}{0pt}{}{m}{i}}\right)$, and $m={log}_{2}n$. The key space for K is $2^{\alpha }$. For the tested parameters: $RM(16,15,2)$ gives $\alpha =15·4=60$, $RM(32,16,8)$ gives $\alpha =16·5=80$, and $RM(32,26,4)$ gives $\alpha =26·5=130$. The key space ranges from $2^{60}$ to $2^{130}$ for these examples. K is converted to base-n digits, used in the first round and to derive the key schedule. The key schedule ($D_{\mathrm{digits}}^{\left(z\right)}$) depends deterministically on K and L, ensuring non-linear transformations across rounds and enhancing K’s diffusion.

- Latin Square L: The number of Latin squares of order n, denoted $L\left(n\right)$, grows factorially with n. For large values of n, the exact number of Latin squares $L\left(n\right)$ is not known, but there are bounds on the number of Latin squares $L\left(n\right)$. One such bound is: $L\left(n\right)\ge {(n!)}^{2n}/n^{n^2}$ [46]. This bound implies that the number of Latin squares of order n grows very rapidly as n increases. The number of Latin squares is known for $n\le 11$ [47]. This lower bound assures that against the development of hardware, n can always be chosen in a way such that it is computationally infeasible to find the Latin square L. For $n=16$, ${log}_{2}L\left(16\right)\approx 379$ bits, or $L\left(16\right)\approx 2^{379}$. For $n=32$, ${log}_{2}L\left(32\right)\approx 2407$ bits, or $L\left(32\right)\approx 2^{2407}$. The Latin square L is used for substitution in each of the $2{log}_{2}n$ rounds, mapping message digits to new values based on key digits, and its conjugate $L^{\left(23\right)}$ is used for decryption. The vast number of possible Latin squares ensures that guessing L is impractical, even if an attacker knows the scheme’s structure. Since L directly affects the intermediate value Y and, through the key schedule, the permutations ${\pi }_z$, it significantly contributes to the randomness of C.

- Generator Matrix G: The RM code $RM(r,m)$ has a generator matrix G of size $k\times n$, where $n=2^m$, $k={\sum }_{i=0}^r\left({\displaystyle \genfrac{}{}{0pt}{}{m}{i}}\right)$, and the minimum distance $d=2^{m-r}$. For $n=8$, $m=3$, and $r=1$, $k=4$, the specific G used in the experiment is fixed. In general, the choice of G for $RM(r,m)$ can vary by selecting different bases for the code’s k-dimensional vector space. The number of distinct generator matrices is the number of ordered bases, which is:

$$\prod _{i=0}^{k-1}(2^k-2^i)$$

For $n=16$, $m=4$, $r=1$, $k=5$, this is approximately $2^{25}$, and for $n=32$, $m=5$, $r=1$, $k=6$, approximately $2^{35}$. We assume a fixed G, but including it as a variable key component would increase the key space by these factors. G affects C by encoding portions of Y into codewords, ensuring error correction and adding a security layer [14,48].

- Subsets for Permutations: For each of the first ${log}_{2}n$ rounds, a distinct pair of subsets $(I_{r_z},I_{c_z})\subseteq \{0,\dots ,n-1\}$ is chosen to generate the permutation ${\rho }_z$ for rounds $z=0,2,\dots ,2{log}_{2}n-2$, and swapped for rounds $z=1,3,\dots ,2{log}_{2}n-1$, which is extended to the $\alpha$-bit permutation ${\pi }_z$ using key-dependent transformations. The number of possible subsets for each $I_{r_z}$ and $I_{c_z}$ is $2^n$, so each pair contributes $2^n\times 2^n=2^{2n}$ possibilities. With ${log}_{2}n$ subset pairs (used across $2{log}_{2}n$ rounds with swapping), the total contribution from subsets is ${\left(2^{2n}\right)}^{{log}_{2}n}=2^{2n{log}_{2}n}$. For $n=16$, ${log}_{2}16=4$, so $2^{2\times 16\times 4}=2^{128}$. For $n=32$, ${log}_{2}32=5$, so $2^{2\times 32\times 5}=2^{320}$. Each ${\rho }_z$ is computed as ${\rho }_z={\prod }_{i\in I_{r_k}}{\sigma }_i{\prod }_{j\in I_{c_k}}{\tau }_j$ for even z, and ${\rho }_z={\prod }_{j\in I_{c_k}}{\tau }_j{\prod }_{i\in I_{r_k}}{\sigma }_i$ for odd z, where $k=\lfloor z/2\rfloor$, and ${\sigma }_i$ and ${\tau }_j$ are row and column permutations of L. These permutations affect C by permuting RM codewords and, through ${\pi }_z$, shuffling intermediate values during the $2{log}_{2}n$ round transformations, significantly increasing the key space.

- Combined Key Space: The total key space is the product of independent components, adjusted for dependencies. The secret key is $(G,K,L,{\{I_{r_z},I_{c_z}\}}_{z=0,\dots ,{log}_{2}n-1})$. Assuming a fixed G, the size of the key space is:

$$\left|K\right|\times \left|L\right|\times \prod _{z=0}^{{log}_{2}n-1}|I_{r_z}\times I_{c_z}|=2^{\alpha }\times L\left(n\right)\times 2^{2n{log}_{2}n}$$

For $n=16$, this is approximately $2^{20}\times 2^{379}\times 2^{128}=2^{527}$. For $n=32$, it is $2^{30}\times 2^{2407}\times 2^{320}=2^{2757}$. These values far exceed recommended key sizes for symmetric ciphers [1,2]. Dependencies, such as the key schedule deriving $D_{\mathrm{digits}}^{\left(z\right)}$ from K and L over $2{log}_{2}n$ rounds with swapping, may slightly reduce the effective key space, but the factorial growth of $L\left(n\right)$ and the exponential contribution of subsets dominate, ensuring robustness.

- Impact on Ciphertext C: The key components collectively determine C. The key K and Latin square L govern the multi-round transformations over $2{log}_{2}n$ rounds with row-column swapping, producing Y. The subsets $\{I_{r_z},I_{c_z}\}$ generate ${\rho }_z$, which, with K, derives ${\pi }_z$, affecting Y, and directly permutes RM codewords. The matrix G encodes Y’s portions. An attacker attempting to guess C without the key faces the full key space, as each component is essential for decryption. Even partial knowledge (e.g., G) leaves an infeasible number of possibilities for K, L, and $\{I_{r_z},I_{c_z}\}$.

5.2. Resistance to Linear Cryptanalysis

Linear cryptanalysis seeks linear relationships between plaintext, ciphertext, and key bits to approximate the cipher’s behavior. The scheme’s non-linear Latin squares, scrambling permutations, and increased $2{log}_{2}n$ rounds with row-column switching provide strong resistance.

Each Latin square substitution introduces a bias of approximately ${\displaystyle \frac{1}{n}}$ in any linear approximation. Over $2m$ rounds (where $m={log}_{2}n$), the total bias becomes:

$${\left({\displaystyle \frac{1}{n}}\right)}^{2m}$$

with required data $D\approx {\mathrm{bias}}^{-2}$: - For $n=16$, $m=4$, $2m=8$, the bias is ${\left({\displaystyle \frac{1}{16}}\right)}^8=2^{-32}$, requiring $2^{64}$ known plaintext-ciphertext pairs to exploit, a significant computational burden. For $n=32$, $m=5$, $2m=10$, the bias is ${\left({\displaystyle \frac{1}{32}}\right)}^{10}=2^{-50}$, needing $2^{100}$ pairs, rendering the attack infeasible.

Although RM codes are linear, the permutations ${\rho }_z$ with swapping disrupt linear patterns by shuffling bits unpredictably, ensuring that linear cryptanalysis is ineffective for practical n.

5.3. Resistance to Differential Cryptanalysis

Differential cryptanalysis exploits non-random propagation of differences through the cipher. The strength against this relies on the non-linearity of L, the diffusion properties of ${\pi }_z$, and the number of rounds. The maximum differential probability (DP) of the Latin square substitution is expected to be low (e.g., ≈2/n for random S-boxes). Over $2{log}_{2}n$ rounds, the probability of a differential characteristic drops exponentially. Furthermore, the empirical tests presented in Section 4.7.2 show excellent avalanche characteristics (average close to 50% change) and, crucially, found no evidence of consistent input/output differential patterns for any tested parameter set ($RM(16,15,2)$, $RM(32,16,8)$, $RM(32,26,4)$). This suggests strong resistance against first-order differential attacks for these configurations.

5.4. Resistance to Algebraic Attacks

Algebraic attacks model the cipher as a system of multivariate polynomial equations over a finite field ($\mathrm{GF}\left(2\right)$) to solve for the secret key. The scheme’s resistance relies on its vast key space and high algebraic complexity across the $2{log}_{2}n$ rounds.

1.

Vast Key Space Complexity. The full secret key includes the binary key K (length $\alpha$), the Latin square L (order n), the generator matrix G of $\mathrm{RM}(r,m)$, and the permutation subsets $\{I_r^z,I_c^z\}$. The combined size of the key components (excluding G for a fixed RM code) grows as:

$$\alpha +{log}_{2}L\left(n\right)+2n{log}_{2}n.$$

This metric results in hundreds to thousands of bits (e.g., 527 bits for $n=16$ and 2757 bits for $n=32$), making exhaustively solving the system infeasible due to the massive number of variables.

2.

High Structural Degree. The core algebraic strength stems from the composition of highly complex, non-linear round functions:

• Non-linear Substitution: Each round’s Latin square lookup, $y_i^{\prime }=L\left[k_i\right]\left[x_i\right]$, is inherently non-linear, causing the overall polynomial degree to grow exponentially with the number of rounds.
• hlKey-Dependent Permutations: The $\alpha$-bit round permutations ${\pi }_z$ are derived through non-linear functions of ${\rho }_z$ and the round key digits. These mix all state bits and prevent the isolation or linearization of individual S-box equations.
• Tangled Constraints: The final stage involves linear encoding by G and permutation by ${\rho }_z$ of the intermediate state Y. This adds tangled linear constraints that cannot be separated from the prior non-linear SPN equations, complicating the inversion process.

Together with the vast key space and the effect of $2{log}_{2}n$ rounds, these design features ensure that deriving and solving a unified algebraic system for the key remains beyond current computational resources.

5.5. Resistance to Fault Attacks

Fault attacks inject errors to gain information. The integrated RM codes provide inherent resilience. The ciphertext consists of ${log}_{2}n$ independently encoded portions using $RM(n,k,d)$ with error-correcting capability t. Based on the tested parameters:

• For $RM(16,15,2)$: $n=16,k=15,d=2\Rightarrow t=\lfloor (2-1)/2\rfloor =0$. Each of the ${log}_{2}16=4$ portions can detect 1 bit-fault but corrects 0. An injected fault leads to a decoding failure (detectable error).
• For $RM(32,16,8)$: $n=32,k=16,d=8\Rightarrow t=\lfloor (8-1)/2\rfloor =3$. Each of the ${log}_{2}32=5$ portions corrects up to 3 bit-faults. More faults cause decoding failure.
• For $RM(32,26,4)$: $n=32,k=26,d=4\Rightarrow t=\lfloor (4-1)/2\rfloor =1$. Each of the ${log}_{2}32=5$ portions corrects up to 1 bit-fault. More faults cause decoding failure.

In all cases, faults up to t are corrected silently. Faults exceeding t result in a decoding failure (producing an incorrect, likely all-zero or garbage, block segment) rather than revealing intermediate state information related to the key. This inherent detection/correction mechanism significantly hinders fault attacks aiming to extract secrets through differential fault analysis.

5.6. Resistance to Chosen-Ciphertext Attacks

Chosen-Ciphertext Attacks (CCAs) involve an adversary querying a decryption oracle with chosen ciphertexts to gain information about a target ciphertext or the secret key. The proposed scheme’s architecture provides resistance through the combined action of the Reed-Muller codes and the core SPN structure.

•

RM Codes as a Malleability Barrier: A key feature against CCA is the integrated RM codes. When an adversary submits a modified ciphertext $C_i$ to the oracle, the RM decoding behavior acts as a crucial barrier:

−

If modifications constitute less than $t=\lfloor (d-1)/2\rfloor$ errors, the decoder corrects them, returning the original intermediate segment $Y_i$. The adversary gains no information from the modification.

−

If modifications exceed t errors, the decoder fails, producing an invalid output (e.g., all zeros or garbage). This prevents the adversary from observing a meaningful plaintext related to their manipulated ciphertext.

 

This mechanism directly prevents attacks relying on ciphertext malleability, as predictable plaintext changes cannot be induced from controlled ciphertext alterations.

•

Core SPN Security: The fundamental cryptographic strength against CCA resides in the complex, multi-round SPN. Operating over $2{log}_{2}n$ rounds, it employs:

−

Non-linear Latin square substitutions (L).

−

Key-dependent $\alpha$-bit permutations (${\pi }_z$) derived from a non-linear process.

−

Unique round keys ($D_{\mathrm{digits}}^{\left(z\right)}$) from a non-linear key schedule.

−

Round structure variations via row-column swapping.

 

These components ensure that the relationship between the intermediate state Y (the SPN output before RM encoding) and the final plaintext M is computationally infeasible to invert without the secret key. Even if an adversary could somehow bypass the RM layer, recovering M or key information from Y remains intractable.

•

Codeword Permutation Obscurity: The application of the secret n-bit permutations ${\rho }_z$ to the RM codewords further obscures the link between the SPN output Y and the transmitted ciphertext C, adding another layer of difficulty for the adversary analyzing oracle responses.

In concert, the RM layer’s ability to detect or correct modifications, combined with the cryptographic strength and complexity of the multi-round SPN, renders the scheme resistant to Chosen-Ciphertext Attacks.

5.7. Security Enhancement via Overlapping Portions

The scheme enhances diffusion by splitting the $\alpha$-bit intermediate state Y (output of the SPN) into ${log}_{2}n$ overlapping k-bit portions $Y^{\left(i\right)}$ for RM encoding. Since Y is formed by concatenating k base-n digits (each ${log}_{2}n$ bits wide) after $2{log}_{2}n$ rounds of substitution and permutation, a single input bit flip in M typically affects multiple digits in the final SPN state. When this state Y is re-segmented into k-bit chunks $Y^{\left(i\right)}$, the changes are distributed across the inputs to multiple independent RM encoders. This redistribution effect is supported by the experimental results in Table 4, which demonstrate a near-uniform distribution of output bit changes across all RM portions following a single input bit flip. This mechanism ensures that local changes are rapidly spread across the entire ciphertext block, complementing the round function’s diffusion.

5.8. Parameter Flexibility and Limitations

The proposed cryptographic scheme offers flexible adaptation to diverse applications. By varying the Latin square order n, the number of key/message segments k, and the RM code’s minimum distance d, the scheme balances security, error correction, and efficiency. The independent encoding of ${log}_{2}n$ k-bit portions supports parallelization, enhancing performance in multi-core systems.

Storage Overhead. Parameter growth escalates resource demands. The primary storage cost comes from precomputed components required for efficient operation. To accurately quantify the memory requirement per device, we empirically measured the total process memory increment (Resident Set Size, RSS) during the sequential initialization of two identical cipher instances (Alice and Bob) using the psutil module. The total measured increment was then divided by two to estimate the footprint for a single user.

As shown, the measured practical storage requirements range from an estimated 6.0 KiB up to 238.0 KiB for the largest tested configuration ($RM(32,26,4)$). This footprint, dominated by the allocation of permutation tables and the RM decoding structure, could be challenging for highly constrained IoT devices (often under 20 KiB RAM).

Computational Overhead and Mitigation. Computationally, the SPN complexity is approximately $O({log}_{2}n·\alpha log\alpha )$, dominated by permutation generation. Reed-Muller encoding/decoding complexity typically scales with n, often as $O(nlogn)$ or $O\left({log}^{2}n\right)$. The RM decoding latency, identified in the performance analysis (Table 5), is the most significant cost but is mitigated by parallelization.

Mitigation in Distributed Systems. The memory footprint represents a fixed, one-time investment per device. When the scheme is utilized in a distributed or cloud environment, this cost is less restrictive because the large, precomputed structures (Latin squares and permutation tables) are loaded only once, and the investment is justified by the parallel processing benefits and high throughput achieved by processing multiple ${log}_{2}n$ portions concurrently.

The scheme’s flexibility with n, k, and d supports different applications, with robust key spaces and error correction. However, the calculated storage and computational overheads highlight the need for careful parameter selection and potential optimizations like partial precomputation or hardware acceleration for deployment in resource-constrained environments.

6. Conclusions

This paper presents a novel symmetric block cipher based on an SPN that integrates Latin squares, permutations, and Reed-Muller (RM) codes to provide robust security and resilience. The scheme processes a message and key of length $\alpha =k·{log}_{2}n$ bits over $2{log}_{2}n$ rounds, featuring row-column swapping for enhanced diffusion. The intermediate state is split into ${log}_{2}n$ portions, each encoded using $RM(n,k,d)$, permuted by ${\rho }_z$, yielding a ciphertext of length ${log}_{2}n·n$ bits. The design supports parallel processing for efficiency.

The scheme offers a large key space, ensuring resistance to brute-force attacks. The RM code corrects up to $t=\lfloor (d-1)/2\rfloor$ errors per portion (or detects errors if $t=0$), enhancing resilience against channel noise and fault attacks (Section 5). Experimental results (Section 4.7) demonstrate excellent diffusion properties, with average avalanche effects near 50% and uniform distribution of changes across output blocks for tested parameters ($RM(16,15,2)$, $RM(32,16,8)$, $RM(32,26,4)$). Empirical tests also showed no consistent differential patterns, suggesting resistance to first-order differential attacks. The multi-round SPN structure, overlapping portions, and key-dependent elements contribute to resistance against linear, algebraic, and chosen-ciphertext attacks (Section 5).

Limitations primarily involve resource usage. While empirical differential tests were positive for the tested parameters and messages, the theoretical possibility of weak keys or higher-order characteristics warrants further study. Significant measured storage demands, ranging from approximately 6.0 KiB to 238.0 KiB per user for the practical parameter sets tested (

Table 6. Measured Memory Footprint for Precomputed Components (Single User Estimate).

Parameter Set	Total Bits ($\mathsf{\alpha }$)/Code	Estimated Single User Footprint (KiB)
RM(32, 26, 4)	130/RM(3, 5)	238.0 KiB
RM(32, 16, 8)	80/RM(2, 5)	20.0 KiB
RM(16, 15, 2)	60/RM(3, 4)	6.0 KiB
RM(8, 4, 4)	12/RM(1, 3)	<1.0 KiB

The single-user footprint is estimated by dividing the total process memory increment (RSS) during sequential initialization (Alice + Bob) by two.

), pose a challenge for highly memory-constrained devices. Computational complexity, particularly the $O\left(n{log}^{2}n\right)$ scaling and observed latency of RM decoding, impacts low-power devices, though parallelization provides substantial mitigation (Table 5).

Future research should focus on optimizing storage, potentially through dynamic Latin square generation or partial precomputation. Deeper cryptanalysis, including formal proofs and simulations against side-channel attacks, is needed. Investigating the use of other error-correcting codes, such as Reed-Solomon codes, to handle different error models (e.g., burst errors) could broaden applicability. Exploring secret sharing for key/component distribution and hardware acceleration for permutations and RM decoding could further enhance security and performance.

In conclusion, the proposed scheme offers a flexible, resilient framework for symmetric cryptography. It balances a vast key space and error correction with computational and storage overheads. The demonstrated diffusion properties and potential for parallelization make it a promising candidate for diverse applications, particularly where resilience is paramount, with future optimizations poised to improve practicality for resource-constrained environments.