Matrix Power Function Based Block Cipher Operating in CBC Mode

Department of Applied Mathematics, Faculty of Mathematics and Natural Sciences, Kaunas University of Technology, 44249 Kaunas, Lithuania
* Author to whom correspondence should be addressed.
These authors contributed equally to this work.
Mathematics 2022, 10(12), 2123; https://doi.org/10.3390/math10122123
Submission received: 18 March 2022 / Revised: 15 April 2022 / Accepted: 21 April 2022 / Published: 18 June 2022
(This article belongs to the Special Issue Advances in Algebraic Coding Theory and Cryptography)

Abstract:
In our previous study, we proposed a perfectly secure Shannon cipher based on the so-called matrix power function. There we also introduced a concept of single round symmetric encryption, i.e., we used the matrix power function together with some rather simple operations to define a three-step encryption algorithm that needs no additional rounds. Interestingly enough, the newly proposed Shannon cipher possesses the option of parallelization—an important property of efficiently performing calculations using several processors. Relying on our previous proposal, in this study we introduce a concept of a one round block cipher, which can be used to encrypt an arbitrary large message by dividing it into several blocks. In other words, we construct a block cipher operating in cipher block chaining mode on the basis of the previously defined Shannon cipher. Moreover, due to the perfect secrecy property of the original algorithm, we show that our proposal is able to withstand the chosen plaintext attack.

1. Introduction

Since ancient times, people have used symmetric cryptography to encrypt data. Over many centuries, this branch of modern cryptography has greatly evolved. Nowadays, all the symmetric ciphers either operate on fixed-length blocks of bits or create a keystream to be combined with the initial plaintext. These approaches to data encryption are called block ciphers and stream ciphers, respectively.
The concept of a symmetric cipher is generally defined as a triplet $(Gen(), Enc(), Dec())$, where $Gen()$ is a key generation function, and $Enc()$ and $Dec()$ are the encryption and decryption functions, respectively [1]. The major requirement of a symmetric encryption scheme is the following:
$$Dec(k, Enc(k, \mu)) = \mu, \tag{1}$$
i.e., the decryption function correctly restores the message $\mu$ using the same key $k$. Any properly working symmetric cipher must satisfy this requirement. Proving the correctness of any symmetric cipher relies on verifying identity (1).
So far, the majority of the widely used block ciphers use at least several rounds to encrypt the secret data. Usually, operations used in these ciphers (e.g., AES) are fairly simple (some of them even linear) and could be easily inverted if a single round was executed. Hence, the security of these algorithms relies on the combination of fairly simple steps performed multiple times.
There are two common approaches to the design of a symmetric block cipher. One of them is the Feistel network developed in the last quarter of the 20th century [2]. Notable ciphers, such as DES, Camellia, Blowfish, and CAST-128, were constructed using this technique. The general idea behind the Feistel network is to divide the block to be encrypted into two equal parts $L_0, R_0$ and manipulate them using some round function $F$ and round sub-keys $K_0, K_1, \ldots, K_n$ to calculate the ciphertext, which is usually defined as a concatenation of $R_{n+1}$ and $L_{n+1}$. Depending on the complexity of the scheme, the number of rounds is chosen carefully and can vary from being quite small (e.g., 8) to several dozens (e.g., 64 or 72). The more rounds the greater security—that is the general rule.
An alternative approach is designing the substitution-permutation (SP) network. The Rijndael block cipher known as the AES is perhaps the most popular example of this type. It superseded the DES and became the standard recommended by NIST for data encryption in 2002 [3]. The most common version of AES uses a 128-bit block and 10, 12, or 14 rounds depending on the key size. Another example is the Kuznyechik symmetric block cipher developed in 2015 [4]. It was later standardized by the Russian government and replaced the previously used scheme based on the Feistel network. The SP network is usually designed by defining the so-called substitution boxes (S-boxes) and permutation boxes (P-boxes). These boxes are commonly introduced via mathematical functions and logical operations, e.g., shifting operation and the bitwise addition (XOR).
However, since the operations themselves are rather simple, the cryptanalysis of these block ciphers is a continually active field of research. Over recent years many attacks on the developed ciphers were published, e.g., [5,6,7]; one of the more notable ones was proposed by Courtois, whose goal was to break the AES cipher [8]. It was later proven to be impractical.
In the most general form any good cipher should act as a one-way function (OWF), i.e., calculating the argument $x$ of the function $f$ given its value $f(x)$ without knowing some secret key should be an impossible task. To put it simply, the ciphertext $c$ should look completely random to any adversary even if he knows the original message $\mu$. In fact, a fundamental relation between OWFs and pseudorandom generators was revealed by Yao in [9], where he proved that OWFs exist if, and only if, pseudorandom generators exist.
In the realm of the symmetric ciphers, one particular example stands out. This simple technique developed by Vernam in 1917 is now commonly referred to as the one-time pad. The reason behind this is the property of perfect secrecy, which guarantees that no information about the encrypted plaintext is leaked by the ciphertext. Formally perfect secrecy can be defined as follows (however, there are other equivalent definitions) [1,10]:
Definition 1.
The symmetric cipher $\varepsilon = (Enc(k, \mu), Dec(k, c))$ is perfectly secure if for any fixed values $\mu_0, c_0$ the following probabilities are equal:
$$\Pr(c = c_0 \mid \mu = \mu_0) = \Pr(c = c_0). \tag{2}$$
This definition is due to Shannon who has also shown that the one-time pad is perfectly secure [11]. Together the result by Yao and this definition explain why it is essential for a secure cipher to possess good properties of randomness. Notably, the link between OWF and pseudorandom generators is reflected in the avalanche effect and the bit independence criterion. Some work in this area was previously performed in [12] for our scheme.
Interestingly enough, the one-time pad uses a single round and a simple XOR operation to encrypt a plaintext $\mu$. Though the idea of using this technique is theoretical (at least for the most part), we can see that the keys of modern symmetric block ciphers are no shorter than the block size, thus staying true to the original idea by Vernam. For example, AES encrypts a 128-bit block using 128, 192, or 256-bit keys [3]. Our cipher follows the same pattern, i.e., the secret key is longer than the size of a block.
The main goal is to propose a symmetric cipher based on the conjectured one-way function (OWF). During our previous research, we proved that a certain realization of asymmetric encryption based on our function is NP-complete [13]. It is conjectured that such cryptographic primitives could be resistant to algebraic analysis and quantum cryptanalysis.
Despite the fact that we are currently working on a symmetric encryption scheme we think that its security may prove to be a hard nut to crack. In particular, we aim to make our block cipher perfectly secure while also achieving several other important properties which allow our proposal to be used as a basis for the cipher block chaining (CBC) mode. At the same time in Section 3, we introduce modifications of the initial cipher making it more flexible. Furthermore, by generalizing algebraic structures we gain a higher encryption speed of our proposal. We prove the perfect secrecy property of our block cipher in Section 5.
In Section 6 we prove that our block cipher is secure against the chosen plaintext attack (CPA). As demonstrated by Boneh and Shoup in [10], this fact is directly linked to the perfect secrecy property of the presented Shannon cipher. We also inspect the influence of the modifications we made on the perfect secrecy property. We end our paper by presenting conclusions and a list of references.

2. Our Previous Work

Our first attempt at designing a symmetric block cipher was made in 2007 when our research group published a paper [14]. There we proposed a technique to construct an S-box based on the then newly defined matrix power function (MPF)—a non-linear matrix mapping $\mathrm{Mat}_m(\mathbb{R}) \times \mathrm{Mat}_m(\mathbb{R}) \to \mathrm{Mat}_m(\mathbb{S})$, where $\mathbb{S}$ is a multiplicative semigroup, $\mathbb{R}$ is a ring of integers and $\mathrm{Mat}_m(\cdot)$ denotes a ring of $m \times m$ matrices with entries selected from the specified algebraic structure. We denote the MPF in the following way:
$${}^{\mathbf{X}}\mathbf{W}^{\mathbf{Y}} = \mathbf{E},$$
where $\mathbf{X}, \mathbf{Y} \in \mathrm{Mat}_m(\mathbb{R})$ and $\mathbf{W}, \mathbf{E} \in \mathrm{Mat}_m(\mathbb{S})$. Usually, in our research, we refer to $\mathbf{X}, \mathbf{Y}$ as power matrices. We also refer to $\mathbf{W}$ as a base matrix and to $\mathbf{E}$ as the matrix exponent. Furthermore, we call $\mathrm{Mat}_m(\mathbb{S})$ a platform semigroup and $\mathrm{Mat}_m(\mathbb{R})$ a power ring. Each entry of the matrix exponent $\mathbf{E}$ is calculated in the following way:
$$e_{ij} = \prod_{k=1}^{m} \prod_{l=1}^{m} w_{kl}^{\,x_{ik} y_{lj}}.$$
We can see from the latter expression that MPF bears a strong resemblance to classical matrix multiplication. In fact, explicit expressions of the entries of matrix $\mathbf{E}$ in the case of $2 \times 2$ matrices are presented below:
$$\begin{aligned}
e_{11} &= w_{11}^{x_{11} y_{11}} \, w_{12}^{x_{11} y_{21}} \, w_{21}^{x_{12} y_{11}} \, w_{22}^{x_{12} y_{21}}; \\
e_{12} &= w_{11}^{x_{11} y_{12}} \, w_{12}^{x_{11} y_{22}} \, w_{21}^{x_{12} y_{12}} \, w_{22}^{x_{12} y_{22}}; \\
e_{21} &= w_{11}^{x_{21} y_{11}} \, w_{12}^{x_{21} y_{21}} \, w_{21}^{x_{22} y_{11}} \, w_{22}^{x_{22} y_{21}}; \\
e_{22} &= w_{11}^{x_{21} y_{12}} \, w_{12}^{x_{21} y_{22}} \, w_{21}^{x_{22} y_{12}} \, w_{22}^{x_{22} y_{22}}.
\end{aligned}$$
Properties similar to the ones of matrix multiplication also hold for MPF if the platform semigroup S is commuting. However, this may not be the case for the non-abelian platform semigroups.
Note that here and onwards all the matrices are denoted by uppercase bold letters, whereas all the scalars and bitstrings are denoted by lowercase italic letters. All the sets are denoted by uppercase blackboard bold letters, e.g., $\mathbb{S}$, $\mathbb{R}$, etc.
However, we had to apply restrictions on the plaintext matrix form to avoid the potentially harmful property of MPF, i.e., the base matrix $\mathbf{W}$ cannot contain any zero entries, since otherwise the MPF value matrix $\mathbf{E}$ is a zero matrix. Here, we plan to eliminate this constraint while also avoiding zero entries in the base matrix. Furthermore, we use a more general approach to construct a valid block cipher.
Recently in our paper [15] we introduced a new block cipher and proposed a concept of single round symmetric encryption based on the MPF mapping. However, there we used low cardinality algebraic structures. For this reason, our cipher lacked the flexibility necessary for the implementation of our scheme in practice. Furthermore, our investigation in [12] has shown that the statistical properties of the proposed scheme leave much to be desired for the parameters introduced in [15]. However, that very same investigation revealed that extra flexibility in the main parameters significantly improves the statistical properties of our scheme. As such we consider the paper [15] a first draft for constructing a symmetric block cipher. To be self-contained we present the encryption and decryption algorithms of our original proposal.
Let $\mathbf{M}$ be the initial message converted to matrix form. To encrypt the initial message we use a secret key—a pair of matrices $(\mathbf{X}, \mathbf{Y})$, where $\mathbf{X}, \mathbf{Y} \in \mathrm{Mat}_m(\mathbb{Z}_3)$, $\mathbf{X}$ does not contain any zero entries and $\mathbf{Y}$ is invertible. The encryption algorithm consists of the following steps:
$$\mathbf{S}_1 = \mathbf{X} + \mathbf{M}; \quad \mathbf{S}_2 = F(\mathbf{X}) \odot {}^{\mathbf{Y}}F(\mathbf{S}_1)^{\mathbf{Y}}; \quad \mathbf{S} = \mathbf{S}_3 = F^{-1}(\mathbf{S}_2) + \mathbf{X},$$
where $F(\mathbf{X}): \mathrm{Mat}_m(\mathbb{Z}_3) \to \mathrm{Mat}_m(\mathbb{G}_3)$ is a publicly known one-to-one mapping which replaces entries of matrix $\mathbf{X}$ with elements from $\mathbb{G}_3$—a Sylow subgroup of $\mathbb{Z}_7$. Clearly, $F^{-1}(\mathbf{S}_2)$ is the inverse transformation. We use $\odot$ to denote the Hadamard product of two matrices.
Recall that the Hadamard product is simply the entry-wise multiplication of two matrices, much like the addition operation. As such, the properties of the Hadamard product are similar to regular matrix addition with the neutral element equal to the unit matrix $\mathbf{1}$, i.e., each entry of this matrix is equal to 1. Moreover, we can define the inverse of a matrix $\mathbf{A}$ in the Hadamard sense as a matrix $\mathbf{B}$ such that $\mathbf{A} \odot \mathbf{B} = \mathbf{1}$. We denote $\mathbf{B} = \mathbf{A}^{H}$.
Let us also briefly revise the notion of the Sylow subgroup. For simplicity, let us focus on the multiplicative ring of integers $\mathbb{Z}_p$, where $p = kq + 1$, $p$ and $q$ are primes and $\gcd(k, q) = 1$. Then, the group $\mathbb{G}_q$ is called a Sylow subgroup if the multiplicative order of its generator $g$ equals $q$, i.e., $g^q \equiv 1 \bmod p$. In fact, due to the Lagrange theorem, since $q$ is prime, every element of $\mathbb{G}_q$ apart from 1 generates the whole group. Sylow subgroups can also be defined in a more general case, but our research does not require considering it.
The decryption algorithm is simply a reversal of each presented step and is as follows:
$$\mathbf{D}_1 = \mathbf{S} - \mathbf{X}; \quad \mathbf{D}_2 = {}^{\mathbf{Y}^{-1}}\big(F(\mathbf{D}_1) \odot F(\mathbf{X})^{H}\big)^{\mathbf{Y}^{-1}}; \quad \mathbf{M} = \mathbf{D}_3 = F^{-1}(\mathbf{D}_2) - \mathbf{X},$$
where $F(\mathbf{X})^{H}$ is the inverse matrix in the Hadamard sense. It can be easily shown that $\mathbf{D}_1 = \mathbf{S}_2$ and $\mathbf{D}_2 = F(\mathbf{S}_1)$. Hence, the proposed cipher works correctly. Explicit proof of correctness is presented in [15].
A beneficial feature of MPF which distinguishes our scheme from others is that it is a highly non-linear function. For this reason, differential and linear cryptanalysis is assumed to be inefficient.
In our previous publication, we proved that the proposed Shannon cipher is perfectly secure; hence, it does not leak any information about the secret data.
In this paper we take the second major step, i.e., we present a block cipher based on our previous scheme which operates in CBC mode.

3. Modifications of the Initial Cipher

In this section, we consider some important modifications of the cipher presented in [15]. The first major change we make is the introduction of a prime integer $q$ which denotes the size of the Sylow group $\mathbb{G}_q$. Recall that the essential property of this group is that every element $g \in \mathbb{G}_q$ such that $g \neq 1$ generates the whole group. This property of the Sylow group $\mathbb{G}_q$ means that for a uniformly chosen $\alpha \in \mathbb{Z}_q$ and a fixed element $a \in \mathbb{G}_q$ we have:
$$\Pr(g^{\alpha} = a) = \frac{1}{q},$$
where we used the notation $\Pr(x = x_0)$ to denote the probability that a random variable $x$ equals a fixed value $x_0$.
We use $\mathbb{G}_q$ as a platform group and $\mathbb{Z}_q$ as a power ring of the MPF. Consequently, we define a one-to-one mapping $f: \mathbb{Z}_q \to \mathbb{G}_q$ and its matrix analogue $F$ as an entry-wise application of $f$. Then by our construction we have:
$$\Pr(x = x_0) = \Pr(f(x) = f(x_0)),$$
where $x \in \mathbb{Z}_q$ is a random variable and $x_0 \in \mathbb{Z}_q$ is a fixed value. Obviously, $f(x)$ and $f(x_0)$ are respectively a random variable and a fixed value in the Sylow group $\mathbb{G}_q$. Hence the mapping $f$ as well as its inverse $f^{-1}: \mathbb{G}_q \to \mathbb{Z}_q$ preserves all the probabilities.
Furthermore, in step 2 of our cipher we introduce an extra matrix $\mathbf{Z}$ with entries randomly chosen from the platform group $\mathbb{G}_q$. In other words, Step 2 of our cipher now looks as follows:
$$\mathbf{S}_2 = \mathbf{Z} \odot {}^{\mathbf{Y}}F(\mathbf{S}_1)^{\mathbf{Y}},$$
where matrices $\mathbf{S}_1$ and $\mathbf{Y}$ as well as mapping $F$ are defined as above. Hence, the secret key is now $K = (\mathbf{X}, \mathbf{Y}, \mathbf{Z})$.
By applying these modifications we are able to enlarge the set of possible messages while keeping the matrix order $m$ fairly small. However, for practical purposes we may want to limit the entries of matrix $\mathbf{M}$ by the number $2^{\lfloor \log_2 q \rfloor}$, i.e., by the largest power of 2 which does not exceed $q$. We do not consider this limitation here and leave the investigation of its effect for our future research.
Furthermore, because matrix Z is chosen independently from other matrices, the reintroduced matrix S 2 sufficiently contributes to the proof of perfect secrecy property of the block cipher.
It is also important to note that it is possible to implement extra precautions which can contribute to the overall security of our block cipher. One of these precautions is the procedure of transformation of the initial message to its matrix form. Although important, this procedure does not in any way affect the proof we present in Section 5.

4. CBC Mode of Our Cipher

Using the previously defined scheme for a single message, in this section we present the CBC mode of our cipher. Because we can encrypt at most $m^2 \cdot t$ bits, where $t = \lfloor \log_2 q \rfloor$, we split the long bit string into parts of length $m^2 \cdot t$. We also add junk symbols at the end of the last part, if needed. Moreover, we split each of the obtained parts into smaller chunks as discussed above to perform a transformation of the original plaintext to its matrix form.
Let us denote the matrix form of each plaintext part by $\mathbf{M}_i$ and the obtained ciphertext matrix by $\mathbf{C}_i$, with $\mathbf{C}_0$ denoting the publicly known initialization matrix. Each block $\mathbf{M}_i$ is encrypted using the key $K = (\mathbf{X}, \mathbf{Y}, \mathbf{Z})$, where $\mathbf{X} \in \mathrm{Mat}_m(\mathbb{Z}_q \backslash 0)$, $\mathbf{Y} \in \mathrm{Mat}_m(\mathbb{Z}_q)$ and $\mathbf{Z} \in \mathrm{Mat}_m(\mathbb{G}_q)$. We can encrypt the whole message $\mu$ divided into blocks by executing the following scheme:
$$\mathbf{S}_{1i} = \mathbf{M}_i + \mathbf{C}_{i-1}; \quad \mathbf{S}_{2i} = \mathbf{Z} \odot {}^{\mathbf{Y}}F(\mathbf{S}_{1i})^{\mathbf{Y}}; \quad \mathbf{C}_i = \mathbf{S}_{3i} = F^{-1}(\mathbf{S}_{2i}) + \mathbf{X}, \tag{3}$$
where $\mathbf{S}_{1i}$, $\mathbf{S}_{2i}$ and $\mathbf{S}_{3i}$ are intermediate matrices obtained during the encryption of the $i$-th block $\mathbf{M}_i$. Hence the encryption function is:
$$Enc(\mathbf{M}_i, (\mathbf{X}, \mathbf{Y}, \mathbf{Z})) = F^{-1}\big(\mathbf{Z} \odot {}^{\mathbf{Y}}F(\mathbf{M}_i + \mathbf{C}_{i-1})^{\mathbf{Y}}\big) + \mathbf{X}.$$
Each encrypted block $\mathbf{C}_i$ is converted to a bit string by concatenating the obtained entries in their bit representations. Hence, the final result, i.e., the ciphertext of the original long message, is the following bit string:
$$c = c_{011} \| c_{012} \| \ldots \| c_{01m} \| c_{021} \| c_{022} \| \ldots \| c_{0mm} \| c_{111} \| \ldots \| c_{1mm} \| \ldots \| c_{Nmm}, \tag{4}$$
where $N$ is the number of blocks and $\|$ stands for the concatenation operation. Hence we see that the obtained ciphertext consists of $N + 1$ blocks of size $m^2 t$ each.
The decryption algorithm is similar to the previously presented encryption procedure and consists of the following steps:
$$\mathbf{D}_{1i} = \mathbf{C}_i - \mathbf{X}; \quad \mathbf{D}_{2i} = {}^{\mathbf{Y}^{-1}}\big(F(\mathbf{D}_{1i}) \odot \mathbf{Z}^{H}\big)^{\mathbf{Y}^{-1}}; \quad \mathbf{D}_i = \mathbf{D}_{3i} = F^{-1}(\mathbf{D}_{2i}) - \mathbf{C}_{i-1},$$
where $\mathbf{D}_{1i}$, $\mathbf{D}_{2i}$ and $\mathbf{D}_{3i}$ are intermediate matrices obtained during the decryption of the $i$-th block $\mathbf{C}_i$. Hence the decryption function is:
$$Dec(\mathbf{C}_i, (\mathbf{X}, \mathbf{Y}, \mathbf{Z})) = F^{-1}\Big({}^{\mathbf{Y}^{-1}}\big(F(\mathbf{C}_i - \mathbf{X}) \odot \mathbf{Z}^{H}\big)^{\mathbf{Y}^{-1}}\Big) - \mathbf{C}_{i-1}.$$
Now we prove the correctness of the decryption algorithm.
Clearly, all the blocks (i.e., the $\mathbf{C}_i$'s) can be obtained from the ciphertext (4) by splitting it into $N$ parts of length $m^2 \cdot t$. Then, it is easy to see that by subtracting $\mathbf{X}$ from the $i$-th block $\mathbf{C}_i$ we obtain the matrix $F^{-1}(\mathbf{S}_{2i})$. Because $F(F^{-1}(\mathbf{S}_{2i}))$ is clearly equal to $\mathbf{S}_{2i}$, we can multiply this matrix by $\mathbf{Z}^{H}$ in the Hadamard sense to cancel matrix $\mathbf{Z}$, and hence we have:
$$F(\mathbf{D}_{1i}) \odot \mathbf{Z}^{H} = F(F^{-1}(\mathbf{S}_{2i})) \odot \mathbf{Z}^{H} = \mathbf{S}_{2i} \odot \mathbf{Z}^{H} = \mathbf{Z} \odot {}^{\mathbf{Y}}F(\mathbf{S}_{1i})^{\mathbf{Y}} \odot \mathbf{Z}^{H} = {}^{\mathbf{Y}}F(\mathbf{S}_{1i})^{\mathbf{Y}} \odot \mathbf{1} = {}^{\mathbf{Y}}F(\mathbf{S}_{1i})^{\mathbf{Y}},$$
since $F(\mathbf{D}_{1i}) = F(F^{-1}(\mathbf{S}_{2i})) = \mathbf{S}_{2i}$. Then, due to the properties of MPF, by raising the obtained result to the power matrix $\mathbf{Y}^{-1}$ on both sides we obtain:
$${}^{\mathbf{Y}^{-1}}\big({}^{\mathbf{Y}}F(\mathbf{S}_{1i})^{\mathbf{Y}}\big)^{\mathbf{Y}^{-1}} = {}^{\mathbf{Y}^{-1}\mathbf{Y}}F(\mathbf{S}_{1i})^{\mathbf{Y}\mathbf{Y}^{-1}} = {}^{\mathbf{I}}F(\mathbf{S}_{1i})^{\mathbf{I}} = F(\mathbf{S}_{1i}).$$
Therefore, we see that:
$$\mathbf{D}_{2i} = {}^{\mathbf{Y}^{-1}}\big(F(\mathbf{D}_{1i}) \odot \mathbf{Z}^{H}\big)^{\mathbf{Y}^{-1}} = F(\mathbf{S}_{1i}).$$
Then, because $F^{-1}(F(\mathbf{S}_{1i})) = \mathbf{S}_{1i}$, by subtracting $\mathbf{C}_{i-1}$ we obtain the block $\mathbf{M}_i$—the matrix form of a part of the original plaintext, as desired.
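The CBC scheme (3) and its decryption, as an added example in Python that is not the authors' code. The parameters q = 11, p = 23, generator g = 2, m = 2 and the concrete choice f(x) = g^x mod p are assumptions made here for illustration; message blocks are taken directly as matrices over Z_q, since the paper leaves the bit-string-to-matrix conversion open.

```python
# Toy MPF-based CBC block cipher (Sections 2-4); added example, not the authors' code.
import random

Q = 11            # prime order q of the Sylow subgroup G_q (assumed toy value)
P = 2 * Q + 1     # p = kq + 1 with k = 2, gcd(k, q) = 1
G = 2             # element of Z_p^* of order q: 2^11 = 2048 = 1 mod 23
M_SIZE = 2        # matrix order m

F_TABLE = [pow(G, x, P) for x in range(Q)]     # f: Z_q -> G_q, x -> g^x mod p
F_INV = {v: x for x, v in enumerate(F_TABLE)}  # f^{-1} as a lookup table (q is tiny)
assert len(F_INV) == Q  # f is one-to-one, i.e. g really has order q

def fmap(A):       # entry-wise f
    return [[F_TABLE[a % Q] for a in row] for row in A]
def fmap_inv(E):   # entry-wise f^{-1}
    return [[F_INV[e] for e in row] for row in E]
def mat_add(A, B):
    return [[(a + b) % Q for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]
def mat_sub(A, B):
    return [[(a - b) % Q for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]
def hadamard(A, B):     # entry-wise product in G_q (a subgroup of Z_p^*)
    return [[(a * b) % P for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]
def hadamard_inv(A):    # A^H: entry-wise inverse, so A (.) A^H = 1
    return [[pow(a, -1, P) for a in row] for row in A]
def rand_matrix(rng, lo, hi):
    return [[rng.randrange(lo, hi) for _ in range(M_SIZE)] for _ in range(M_SIZE)]

def mpf(X, W, Y):
    """Matrix power function ^X W ^Y: e_ij = prod_k prod_l w_kl^(x_ik y_lj) mod p."""
    m = len(W)
    E = [[1] * m for _ in range(m)]
    for i in range(m):
        for j in range(m):
            for k in range(m):
                for l in range(m):
                    E[i][j] = E[i][j] * pow(W[k][l], X[i][k] * Y[l][j] % Q, P) % P
    return E

def mat_inv_mod(A, mod=Q):  # Gauss-Jordan inverse over Z_mod (mod prime)
    m = len(A)
    aug = [list(row) + [int(i == j) for j in range(m)] for i, row in enumerate(A)]
    for col in range(m):
        piv = next((r for r in range(col, m) if aug[r][col] % mod), None)
        if piv is None:
            raise ValueError("matrix is singular mod %d" % mod)
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], -1, mod)
        aug[col] = [v * inv % mod for v in aug[col]]
        for r in range(m):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(a - f * b) % mod for a, b in zip(aug[r], aug[col])]
    return [row[m:] for row in aug]

def keygen(rng):  # K = (X, Y, Z): X without zeros, Y invertible over Z_q, Z over G_q
    X, Z = rand_matrix(rng, 1, Q), fmap(rand_matrix(rng, 0, Q))
    while True:                         # resample Y until it is invertible mod q
        Y = rand_matrix(rng, 0, Q)
        try:
            mat_inv_mod(Y)
            return X, Y, Z
        except ValueError:
            pass

def encrypt_block(Mi, C_prev, key):
    X, Y, Z = key
    S1 = mat_add(Mi, C_prev)                  # S1 = M_i + C_{i-1}
    S2 = hadamard(Z, mpf(Y, fmap(S1), Y))     # S2 = Z (.) ^Y F(S1) ^Y
    return mat_add(fmap_inv(S2), X)           # C_i = F^{-1}(S2) + X

def decrypt_block(Ci, C_prev, key):
    X, Y, Z = key
    Yinv = mat_inv_mod(Y)
    D1 = mat_sub(Ci, X)                                        # D1 = C_i - X
    D2 = mpf(Yinv, hadamard(fmap(D1), hadamard_inv(Z)), Yinv)  # cancel Z, then Y
    return mat_sub(fmap_inv(D2), C_prev)                       # M_i = F^{-1}(D2) - C_{i-1}

def cbc_encrypt(blocks, C0, key):
    out = [C0]
    for Mi in blocks:
        out.append(encrypt_block(Mi, out[-1], key))
    return out[1:]                              # C_1 ... C_N (C_0 is public anyway)

def cbc_decrypt(cblocks, C0, key):
    chain = [C0] + cblocks
    return [decrypt_block(chain[i], chain[i - 1], key) for i in range(1, len(chain))]

def roundtrip_ok(seed=1, n_blocks=4):
    rng = random.Random(seed)
    key, C0 = keygen(rng), rand_matrix(rng, 0, Q)   # C_0: public initialization matrix
    msg = [rand_matrix(rng, 0, Q) for _ in range(n_blocks)]   # constructed message blocks
    return cbc_decrypt(cbc_encrypt(msg, C0, key), C0, key) == msg

def ciphertext_histogram(seed=3, trials=2000):
    """Counts of c_{1,11} for one fixed block over random keys and C_0 (uniformity check)."""
    rng = random.Random(seed)
    Mi, hist = [[1, 2], [3, 4]], [0] * Q
    for _ in range(trials):
        hist[encrypt_block(Mi, rand_matrix(rng, 0, Q), keygen(rng))[0][0]] += 1
    return hist
```

`roundtrip_ok()` checks that decryption restores every block, and `ciphertext_histogram()` gives a quick empirical look at the uniform distribution of ciphertext entries that Section 5 proves.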

5. Perfect Secrecy of the Block Cipher

Referencing the definition of the perfect secrecy property proposed by Boneh and Shoup (2), we formulate the following important result:
Proposition 1.
The block cipher with the proposed Algorithm (3) is perfectly secure, i.e., the following properties hold:
$$\begin{aligned}
\Pr(\mathbf{S}_{1i} = \mathbf{S}_{1i}^0) &= \Pr(\mathbf{S}_{1i} = \mathbf{S}_{1i}^0 \mid \mathbf{M}_i = \mathbf{M}_i^0) = \frac{1}{q^{m^2}}; \\
\Pr(\mathbf{S}_{2i} = \mathbf{S}_{2i}^0) &= \Pr(\mathbf{S}_{2i} = \mathbf{S}_{2i}^0 \mid \mathbf{M}_i = \mathbf{M}_i^0) = \frac{1}{q^{m^2}}; \\
\Pr(\mathbf{S}_{3i} = \mathbf{S}_{3i}^0) &= \Pr(\mathbf{S}_{3i} = \mathbf{S}_{3i}^0 \mid \mathbf{M}_i = \mathbf{M}_i^0) = \frac{1}{q^{m^2}}.
\end{aligned} \tag{5}$$
Note that because there are many lower indices involved in the notation, throughout this section we use an upper index 0 to indicate some fixed value (a matrix or a single entry) defined in the appropriate set or algebraic structure, as was done in expression (5).
As mentioned previously, the matrix $\mathbf{X}$ does not contain any zero entries. We use the notation $\mathbb{Z}_q \backslash 0$ to denote the set of integers between 1 and $q - 1$, i.e., $\mathbb{Z}_q \backslash 0 = \mathbb{Z}_q \backslash \{0\}$. Note that we do not perform any operations with the elements of $\mathbb{Z}_q \backslash 0$. Hence, our motivation for the chosen notation is to distinguish this set from the widely known multiplicative group of integers $\mathbb{Z}_q^{*}$, i.e., we do not confuse the reader with the multiplicative or any other nature of the set $\mathbb{Z}_q \backslash 0$.
Before elaborating the main proof, we emphasize some initial relationships between matrices of the cipher (3). The initialization matrix $\mathbf{C}_0$ is independent of the key and message matrices, with mutually independent entries. Key matrices $\mathbf{X}, \mathbf{Y}, \mathbf{Z}$ and their entries are mutually independent. Entries of $\mathbf{C}_0$ and $\mathbf{X}$ are uniformly distributed in $\mathbb{Z}_q$. Entries of $\mathbf{Y}$ are uniformly distributed in $\mathbb{Z}_q \backslash 0$. Entries of $\mathbf{Z}$ are uniformly distributed in $\mathbb{G}_q$.
Proof. 
The proof of the proposition is essentially based on the idea presented in [15]. We split the proof into three steps. We show that entries of matrices S 1 , S 2 and S 3 of each block are uniformly distributed in an appropriate structure, that they are independent of message matrix M and that all the entries are mutually independent.
All initial assumptions and proved statements on the independence of matrices are used without explicit emphasis to avoid lots of repetitive statements. The proof of each matrix’s independence is presented in a separate subsection to retain the structure of the section.
Proving the independence, we rely on one of the main formulas of probability: if two variables $X$ and $Y$ are independent, then $\Pr(X \mid Y) = \frac{\Pr(X, Y)}{\Pr(Y)} = \Pr(X)$, i.e., $\Pr(X, Y) = \Pr(X) \cdot \Pr(Y)$. In the further proof of independence, we refer to the latter formula.
For the simplicity of proving the above-listed independence, let us take the first block of the cipher (3). The proof of its independence is closely related to the proof of Theorem 1 in [15], but in our case, we have an extended structure from the set of three elements to the set which consists of q elements. Probabilities of the first block are used in the proof of further blocks. Therefore, we present the detailed proof here.
Rewrite Equation (3) of the first (initial) block for each entry of the matrices ($i, j = 1, \ldots, m$):
$$s_{11,ij} = m_{1,ij} + c_{0,ij}; \quad s_{21,ij} = z_{ij} \cdot \prod_{k=1}^{m} \prod_{l=1}^{m} \big(f(s_{11,kl})\big)^{y_{ik} y_{lj}}; \quad c_{1,ij} = s_{31,ij} = f^{-1}(s_{21,ij}) + x_{ij}.$$

5.1. $\mathbf{S}_{11}$ Independence

Knowing that the entries of the initialization matrix are uniformly distributed random variables independent of $\mathbf{M}$, for fixed $s_{11,ij}^0 \in \mathbb{Z}_q$ we have:
$$\Pr(s_{11,ij} = s_{11,ij}^0) = \Pr(c_{0,ij} = s_{11,ij}^0 - m_{1,ij}) = \frac{1}{q} \underbrace{\sum_{m^0 \in \mathbb{Z}_q} \Pr(m_{1,ij} = m^0)}_{=1} = \frac{1}{q}, \tag{6}$$
i.e., the entries $s_{11,ij}$ are uniformly distributed in $\mathbb{Z}_q$. The summation of the probabilities over all possible values gives us the total probability, which is equal to 1. This fact is noted in Equation (6). This notation will be used in the further part of the proof.
It is easy to see that
$$\begin{aligned}
\Pr(s_{11,ij} = s_{11,ij}^0,\ m_{1,ij} = m_{1,ij}^0) &= \Pr(c_{0,ij} = s_{11,ij}^0 - m_{1,ij}^0,\ m_{1,ij} = m_{1,ij}^0) \\
&= \frac{1}{q} \Pr(m_{1,ij} = m_{1,ij}^0) = \Pr(s_{11,ij} = s_{11,ij}^0) \Pr(m_{1,ij} = m_{1,ij}^0),
\end{aligned} \tag{7}$$
i.e., the entries $s_{11,ij}$ are independent of the entries $m_{1,ij}$. Then we have
$$\begin{aligned}
\Pr\Big(\bigcap_{i,j=1}^{m} \{s_{11,ij} = s_{11,ij}^0\}\Big) &= \Pr\Big(\bigcap_{i,j=1}^{m} \{c_{0,ij} + m_{1,ij} = s_{11,ij}^0\}\Big) \\
&= \sum_{m_{ij}^0 \in \mathbb{Z}_q} \Pr\Big(\bigcap_{i,j=1}^{m} \{c_{0,ij} = s_{11,ij}^0 - m_{1,ij}^0 \in \mathbb{Z}_q\},\ \bigcap_{i,j=1}^{m} \{m_{1,ij} = m_{1,ij}^0\}\Big) \\
&= \frac{1}{q^{m^2}} \cdot \underbrace{\sum_{m_{1,ij}^0 \in \mathbb{Z}_q} \Pr\Big(\bigcap_{i,j=1}^{m} \{m_{1,ij} = m_{1,ij}^0\}\Big)}_{=1} = \frac{1}{q^{m^2}},
\end{aligned} \tag{8}$$
i.e., the entries $s_{11,ij}$ are independent of each other.

5.2. $\mathbf{S}_{21}$ Independence

Before proving the uniformity of matrix $\mathbf{S}_{21}$, we need the following corollary, which can be easily verified using the results of Lemma 2 and Lemma 3 in [15].
Corollary 1.
Let random variables $w_1, w_2, \ldots, w_n$ be independent and uniformly distributed in $\mathbb{G}_q$, and $v_1, v_2, \ldots, v_n$ be independent and uniformly distributed in $\mathbb{Z}_q \backslash 0$; then the product $w_1^{v_1} \cdot w_2^{v_2} \cdots w_n^{v_n}$ is uniformly distributed in $\mathbb{G}_q$.
Because the entries of $\mathbf{S}_{11}$, $\mathbf{Z}$ and $\mathbf{X}$ are independent and uniformly distributed in the appropriate structure, Corollary 1 implies that the entries of $\mathbf{S}_{21}$ are uniformly distributed in $\mathbb{G}_q$:
$$\Pr(s_{21,ij} = s_{21,ij}^0) = \frac{1}{q} \tag{9}$$
and independent of $\mathbf{M}_1$:
$$\begin{aligned}
&\Pr\Big(s_{21,ij} = s_{21,ij}^0,\ \bigcap_{i,j=1}^{m} \{m_{1,ij} = m_{ij}^0\}\Big) = \Pr\Big(z_{ij} \prod_{k=1}^{m} \prod_{l=1}^{m} \big(f(s_{11,kl})\big)^{y_{ik} y_{lj}} = s_{21,ij}^0,\ \bigcap_{i,j=1}^{m} \{m_{1,ij} = m_{1,ij}^0\}\Big) \\
&= \sum_{c_{0,kl}^0 \in \mathbb{Z}_q} \sum_{y_{kl}^0 \in \mathbb{Z}_q \backslash 0} \Pr\Big(z_{ij} = s_{21,ij}^0 \Big(\prod_{k=1}^{m} \prod_{l=1}^{m} \big(f(c_{0,kl}^0 + m_{1,kl}^0)\big)^{y_{ik}^0 y_{lj}^0}\Big)^{-1} \in \mathbb{G}_q,\ \bigcap_{i,j=1}^{m} \{m_{1,ij} = m_{1,ij}^0\},\ \bigcap_{k,l=1}^{m} \{c_{0,kl} = c_{0,kl}^0\},\ \bigcap_{k,l=1}^{m} \{y_{kl} = y_{kl}^0\}\Big) \\
&= \frac{1}{q} \cdot \Pr\Big(\bigcap_{i,j=1}^{m} \{m_{1,ij} = m_{1,ij}^0\}\Big) \cdot \underbrace{\sum_{c_{0,kl}^0 \in \mathbb{Z}_q} \Pr\Big(\bigcap_{k,l=1}^{m} \{c_{0,kl} = c_{0,kl}^0\}\Big)}_{=1} \cdot \underbrace{\sum_{y_{kl}^0 \in \mathbb{Z}_q \backslash 0} \Pr\Big(\bigcap_{k,l=1}^{m} \{y_{kl} = y_{kl}^0\}\Big)}_{=1} \\
&= \frac{1}{q} \cdot \Pr\Big(\bigcap_{i,j=1}^{m} \{m_{1,ij} = m_{1,ij}^0\}\Big) = \Pr(s_{21,ij} = s_{21,ij}^0) \Pr\Big(\bigcap_{i,j=1}^{m} \{m_{1,ij} = m_{ij}^0\}\Big).
\end{aligned} \tag{10}$$
Entries of $\mathbf{S}_{21}$ are independent of each other:
$$\begin{aligned}
\Pr\Big(\bigcap_{i,j=1}^{m} \{s_{21,ij} = s_{21,ij}^0\}\Big) &= \Pr\Big(\bigcap_{i,j=1}^{m} \Big\{z_{ij} \prod_{k=1}^{m} \prod_{l=1}^{m} \big(f(s_{11,kl})\big)^{y_{ik} y_{lj}} = s_{ij}^0\Big\}\Big) \\
&= \sum_{s_{11,kl}^0 \in \mathbb{Z}_q} \sum_{y_{ij}^0 \in \mathbb{Z}_q \backslash 0} \Pr\Big(\bigcap_{i,j=1}^{m} \Big\{z_{ij} = s_{21,ij}^0 \Big(\prod_{k=1}^{m} \prod_{l=1}^{m} \big(f(s_{11,kl}^0)\big)^{y_{ik}^0 y_{lj}^0}\Big)^{-1} \in \mathbb{G}_q\Big\},\ \bigcap_{k,l=1}^{m} \{s_{11,kl} = s_{11,kl}^0\},\ \bigcap_{i,j=1}^{m} \{y_{ij} = y_{ij}^0\}\Big) = \frac{1}{q^{m^2}},
\end{aligned} \tag{11}$$
where $\mathbf{S}_{11}$ and $\mathbf{Z}$ are independent:
$$\Pr(s_{11,ij} = s_{11,ij}^0,\ z_{ij} = z_{ij}^0) = \sum_{m_{1,ij}^0 \in \mathbb{Z}_q} \Pr(c_{0,ij} = s_{11,ij}^0 - m_{1,ij}^0 \in \mathbb{Z}_q,\ z_{ij} = z_{ij}^0,\ m_{1,ij} = m_{1,ij}^0) = \frac{1}{q} \Pr(z_{ij} = z_{ij}^0) = \Pr(s_{11,ij} = s_{11,ij}^0) \Pr(z_{ij} = z_{ij}^0). \tag{12}$$

5.3. $\mathbf{S}_{31} = \mathbf{C}_1$ Independence

Entries of $\mathbf{C}_1 = \mathbf{S}_{31}$ are uniformly distributed in $\mathbb{Z}_q$:
$$\Pr(s_{31,ij} = s_3^0) = \Pr(f^{-1}(s_{21,ij}) = s_3^0 - x_{ij}) = \frac{1}{q} \underbrace{\sum_{x_{ij}^0 \in \mathbb{Z}_q} \Pr(x_{ij} = x_{ij}^0)}_{=1} = \frac{1}{q}, \tag{14}$$
because, similarly as in (10), $\mathbf{S}_{21}$ is independent of $\mathbf{X}$:
$$\begin{aligned}
&\Pr\Big(s_{21,ij} = s_{21,ij}^0,\ \bigcap_{i,j=1}^{m} \{x_{ij} = x_{ij}^0\}\Big) = \Pr\Big(z_{ij} \prod_{k=1}^{m} \prod_{l=1}^{m} \big(f(s_{11,kl})\big)^{y_{ik} y_{lj}} = s_{21,ij}^0,\ \bigcap_{i,j=1}^{m} \{x_{ij} = x_{ij}^0\}\Big) \\
&= \sum_{m_{1,ij}^0 \in \mathbb{Z}_q} \sum_{c_{0,kl}^0 \in \mathbb{Z}_q} \sum_{y_{ij}^0 \in \mathbb{Z}_q \backslash 0} \Pr\Big(z_{ij} = s_{21,ij}^0 \Big(\prod_{k=1}^{m} \prod_{l=1}^{m} \big(f(c_{0,kl}^0 + m_{1,kl}^0)\big)^{y_{ik}^0 y_{lj}^0}\Big)^{-1},\ \bigcap_{i,j=1}^{m} \{x_{ij} = x_{ij}^0\},\ \bigcap_{i,j=1}^{m} \{y_{ij} = y_{ij}^0\},\ \bigcap_{i,j=1}^{m} \{m_{1,ij} = m_{1,ij}^0\},\ \bigcap_{k,l=1}^{m} \{c_{0,kl} = c_{0,kl}^0\}\Big) \\
&= \frac{1}{q} \Pr\Big(\bigcap_{i,j=1}^{m} \{x_{ij} = x_{ij}^0\}\Big) = \Pr(s_{21,ij} = s_{21,ij}^0) \Pr\Big(\bigcap_{i,j=1}^{m} \{x_{ij} = x_{ij}^0\}\Big).
\end{aligned} \tag{15}$$
$\mathbf{C}_1$ is independent of $\mathbf{M}_1$, because:
$$\begin{aligned}
\Pr\Big(s_{31,ij} = s_{31,ij}^0,\ \bigcap_{i,j=1}^{m} \{m_{1,ij} = m_{1,ij}^0\}\Big) &= \Pr\Big(f^{-1}(s_{21,ij}) + x_{ij} = s_{31,ij}^0,\ \bigcap_{i,j=1}^{m} \{m_{1,ij} = m_{1,ij}^0\}\Big) \\
&= \sum_{x_{ij}^0 \in \mathbb{Z}_q} \Pr\Big(s_{21,ij} = f(s_{31,ij}^0 - x_{ij}^0),\ \bigcap_{i,j=1}^{m} \{m_{1,ij} = m_{1,ij}^0\},\ \bigcap_{i,j=1}^{m} \{x_{ij} = x_{ij}^0\}\Big) \\
&= \frac{1}{q} \Pr\Big(\bigcap_{i,j=1}^{m} \{m_{1,ij} = m_{1,ij}^0\}\Big) = \Pr(s_{31,ij} = s_{31,ij}^0) \Pr\Big(\bigcap_{i,j=1}^{m} \{m_{1,ij} = m_{1,ij}^0\}\Big).
\end{aligned} \tag{16}$$
Finally, according to (15), we have that the entries $s_{31,ij}$ are independent of each other:
$$\begin{aligned}
\Pr\Big(\bigcap_{i,j=1}^{m} \{s_{31,ij} = s_{31,ij}^0\}\Big) &= \Pr\Big(\bigcap_{i,j=1}^{m} \{f^{-1}(s_{21,ij}) + x_{ij} = s_{31,ij}^0\}\Big) \\
&= \sum_{x_{ij}^0 \in \mathbb{Z}_q} \Pr\Big(\bigcap_{i,j=1}^{m} \{f^{-1}(s_{21,ij}) = s_{31,ij}^0 - x_{ij}^0 \in \mathbb{Z}_q\},\ \bigcap_{i,j=1}^{m} \{x_{ij} = x_{ij}^0\}\Big) \\
&= \prod_{i,j=1}^{m} \Pr\big(f^{-1}(s_{21,ij}) = s_{31,ij}^0 - x_{ij}^0\big) = \frac{1}{q^{m^2}}.
\end{aligned} \tag{17}$$
The process of proving the main three independencies for each block is iterative. The proof of the perfect security of the second block relies on the same idea and technique as was shown for the first block. Because the expressions of the formulas are more complex and much longer, we place the proof of the second block in Appendix A.
Let us summarize the results. From the analysis of the first CBC mode block, we obtain that:
B1.1 Entries of $\mathbf{S}_{11}$ are uniformly distributed in $\mathbb{Z}_q$ (6), independent of $\mathbf{M}_1$ (7) and mutually independent (8);
B1.2 Entries of $\mathbf{S}_{21}$ are uniformly distributed in $\mathbb{G}_q$ (9), independent of $\mathbf{M}_1$ (10), $\mathbf{M}_2$ (A3), $\mathbf{X}$ (15) and mutually independent (11);
B1.3 Entries of $\mathbf{S}_{31} = \mathbf{C}_1$ are uniformly distributed in $\mathbb{Z}_q$ (14), independent of $\mathbf{M}_1$ (16), $\mathbf{M}_2$ (A7), $\mathbf{M}_3$ (A19), $\mathbf{X}$ (A13), $\mathbf{Z}$ (A6), $\mathbf{Y}$ (A9) and mutually independent (17).
From the analysis of the second CBC mode block (see Appendix A), we obtain that:
B2.1 Entries of $\mathbf{S}_{12}$ are uniformly distributed in $\mathbb{Z}_q$ (A1), independent of $\mathbf{M}_2$ (A2), $\mathbf{X}, \mathbf{Y}$ (A11), $\mathbf{Z}$ (A12) and mutually independent (A4);
B2.2 Entries of $\mathbf{S}_{22}$ are uniformly distributed in $\mathbb{G}_q$ (A5), independent of $\mathbf{M}_2$ (A8), $\mathbf{M}_3$ (A18), $\mathbf{X}$ (A14) and mutually independent (A10);
B2.3 Entries of $\mathbf{S}_{32} = \mathbf{C}_2$ are uniformly distributed in $\mathbb{Z}_q$ (A15), independent of $\mathbf{M}_2$ (A16), $\mathbf{M}_3$ (A20), $\mathbf{X}, \mathbf{Y}$ (A23), $\mathbf{Z}$ (A22) and mutually independent (A17).
From the results B1.1–B1.3, we obtain that the first block of the CBC mode (3) is perfectly secure. B2.1–B2.3 imply that the second block of the CBC mode (3) is perfectly secure, i.e., Equation (5) holds for the first two blocks in CBC mode with Algorithm (3).
To prove that each of the $n$ blocks of the CBC mode with our cipher is perfectly secure, we need the method of mathematical induction. According to it, we now generalize the results B1.1–B1.3 and B2.1–B2.3 and assume that the $N$-th block of the mode is perfectly secure, i.e., the following assumptions hold:
BN.1 Entries of $\mathbf{S}_{1N}$ are uniformly distributed in $\mathbb{Z}_q$, independent of $\mathbf{M}_N$, $\mathbf{X}$, $\mathbf{Y}$, $\mathbf{Z}$ and mutually independent;
BN.2 Entries of $\mathbf{S}_{2N}$ are uniformly distributed in $\mathbb{G}_q$, independent of $\mathbf{M}_N$, $\mathbf{M}_{N+1}$, $\mathbf{X}$ and mutually independent;
BN.3 Entries of $\mathbf{S}_{3N} = \mathbf{C}_N$ are uniformly distributed in $\mathbb{Z}_q$, independent of $\mathbf{M}_N$, $\mathbf{M}_{N+1}$, $\mathbf{M}_{N+2}$, $\mathbf{X}$, $\mathbf{Y}$, $\mathbf{Z}$ and mutually independent.
Under the assumptions BN.1–BN.3, in the next subsections we show that the $(N+1)$-th block of the mode is perfectly secure, i.e., the latter assumptions hold for the $(N+1)$-th block, too.

5.4. $\mathbf{S}_{1,N+1}$ Independence

Without loss of generality, to shorten the equalities, and keeping in mind that each formula can be written entry-wise, the next equations are presented in matrix form.
Following the same idea as for matrices $\mathbf{S}_{11}$ (6) and $\mathbf{S}_{12}$ (A1), we obtain that the entries of matrix $\mathbf{S}_{1,N+1}$ are uniformly and independently distributed in $\mathbb{Z}_q$:
$$\begin{aligned}
\Pr(\mathbf{S}_{1,N+1} = \mathbf{S}_{1,N+1}^0) &= \Pr(\mathbf{C}_N + \mathbf{M}_{N+1} = \mathbf{S}_{1,N+1}^0) = \sum_{\mathbf{M}_{N+1}^0 \in \mathbb{Z}_q} \Pr(\mathbf{C}_N = \mathbf{S}_{1,N+1}^0 - \mathbf{M}_{N+1}^0,\ \mathbf{M}_{N+1} = \mathbf{M}_{N+1}^0) \\
&= \frac{1}{q^{m^2}} \underbrace{\sum_{\mathbf{M}_{N+1}^0 \in \mathbb{Z}_q} \Pr(\mathbf{M}_{N+1} = \mathbf{M}_{N+1}^0)}_{\text{total probability} = 1} = \frac{1}{q^{m^2}}.
\end{aligned}$$
Analogously as in (7) and (A2), we easily verify the independence between $\mathbf{S}_{1,N+1}$ and $\mathbf{M}_{N+1}$:
$$\begin{aligned}
\Pr(\mathbf{S}_{1,N+1} = \mathbf{S}_{1,N+1}^0,\ \mathbf{M}_{N+1} = \mathbf{M}_{N+1}^0) &= \sum_{\mathbf{S}_{2,N}^0 \in \mathbb{G}_q} \Pr(\mathbf{X} = \mathbf{S}_{1,N+1}^0 - \mathbf{M}_{N+1}^0 - F^{-1}(\mathbf{S}_{2,N}^0),\ \mathbf{M}_{N+1} = \mathbf{M}_{N+1}^0,\ \mathbf{S}_{2,N} = \mathbf{S}_{2,N}^0) \\
&= \frac{1}{q^{m^2}} \Pr(\mathbf{M}_{N+1} = \mathbf{M}_{N+1}^0) \cdot \underbrace{\sum_{\mathbf{S}_{2,N}^0 \in \mathbb{G}_q} \Pr(\mathbf{S}_{2,N} = \mathbf{S}_{2,N}^0)}_{=1} \\
&= \frac{1}{q^{m^2}} \Pr(\mathbf{M}_{N+1} = \mathbf{M}_{N+1}^0) = \Pr(\mathbf{S}_{1,N+1} = \mathbf{S}_{1,N+1}^0) \Pr(\mathbf{M}_{N+1} = \mathbf{M}_{N+1}^0).
\end{aligned}$$

5.5. $S_{2,N+1}$ Independence

Similarly to (9) and (A5), the entries $s_{2,N+1;ij}$ are all uniformly distributed in $G_q$. Hence, by Corollary 1 we have:
$$\Pr(s_{2,N+1;ij} = s^0_{2,N+1;ij}) = \frac{1}{q}. \tag{20}$$
Next, by Equations (11) and (A10), the entries of $S_{2,N+1}$ are mutually independent:
$$\Pr(S_{2,N+1} = S^0_{2,N+1}) = \Pr\bigl(Z \circ ({}^{Y}F(S_{1,N+1})^{Y}) = S^0_{2,N+1}\bigr) = \sum_{C^0_N \in \mathbb{Z}_q} \sum_{Y^0 \in \mathbb{Z}_q \setminus \{0\}} \sum_{M^0_{N+1} \in \mathbb{Z}_q} \Pr\bigl(Z = S^0_{2,N+1} \circ ({}^{Y^0}F(C^0_N + M^0_{N+1})^{Y^0})^{-1},\; C_N = C^0_N,\; Y = Y^0,\; M_{N+1} = M^0_{N+1}\bigr) = \frac{1}{q^{m^2}}. \tag{21}$$
As in (10) and (A8), $S_{2,N+1}$ and $M_{N+1}$ are independent:
$$\Pr(S_{2,N+1} = S^0_{2,N+1},\; M_{N+1} = M^0_{N+1}) = \sum_{C^0_N \in \mathbb{Z}_q} \sum_{Y^0 \in \mathbb{Z}_q \setminus \{0\}} \Pr\bigl(Z = S^0_{2,N+1} \circ ({}^{Y^0}F(C^0_N + M^0_{N+1})^{Y^0})^{-1},\; M_{N+1} = M^0_{N+1},\; C_N = C^0_N,\; Y = Y^0\bigr) = \frac{1}{q^{m^2}} \cdot \Pr(M_{N+1} = M^0_{N+1}) \cdot \sum_{C^0_N \in \mathbb{Z}_q} \Pr(C_N = C^0_N) \cdot \sum_{Y^0 \in \mathbb{Z}_q \setminus \{0\}} \Pr(Y = Y^0) = \Pr(S_{2,N+1} = S^0_{2,N+1}) \Pr(M_{N+1} = M^0_{N+1}). \tag{22}$$

5.6. $S_{3,N+1} = C_{N+1}$ Independence

Entries of $C_{N+1}$ are uniformly and independently distributed in $\mathbb{Z}_q$ (similarly to Equations (6) and (A15)):
$$\Pr(S_{3,N+1} = S^0_{3,N+1}) = \Pr\bigl(F^{-1}(S_{2,N+1}) = S^0_{3,N+1} - X\bigr) = \sum_{C^0_N \in \mathbb{Z}_q} \sum_{Y^0 \in \mathbb{Z}_q \setminus \{0\}} \sum_{X^0 \in \mathbb{Z}_q} \sum_{M^0_{N+1} \in \mathbb{Z}_q} \Pr\bigl(Z = F(S^0_{3,N+1} - X^0) \circ ({}^{Y^0}F(C^0_N + M^0_{N+1})^{Y^0})^{-1},\; C_N = C^0_N,\; Y = Y^0,\; M_{N+1} = M^0_{N+1},\; X = X^0\bigr) = \frac{1}{q^{m^2}}. \tag{23}$$
Finally, according to (16) and (A16), $C_{N+1}$ is also independent of $M_{N+1}$:
$$\Pr(S_{3,N+1} = S^0_{3,N+1},\; M_{N+1} = M^0_{N+1}) = \sum_{X^0 \in \mathbb{Z}_q} \sum_{C^0_N \in \mathbb{Z}_q} \sum_{Y^0 \in \mathbb{Z}_q \setminus \{0\}} \Pr\bigl(Z = F(S^0_{3,N+1} - X^0) \circ ({}^{Y^0}F(C^0_N + M^0_{N+1})^{Y^0})^{-1},\; C_N = C^0_N,\; Y = Y^0,\; M_{N+1} = M^0_{N+1},\; X = X^0\bigr) = \frac{1}{q^{m^2}} \Pr(M_{N+1} = M^0_{N+1}) = \Pr(S_{3,N+1} = S^0_{3,N+1}) \Pr(M_{N+1} = M^0_{N+1}). \tag{24}$$
Now, we can write the conclusions on the $(N+1)$-th block:
B(N+1).1 
Entries of $S_{1,N+1}$ are uniformly distributed in $\mathbb{Z}_q$ (18), independent of $M_{N+1}$ (19) and mutually independent (18);
B(N+1).2 
Entries of $S_{2,N+1}$ are uniformly distributed in $G_q$ (20), independent of $M_{N+1}$ (22) and mutually independent (21);
B(N+1).3 
Entries of $S_{3,N+1} = C_{N+1}$ are uniformly distributed in $\mathbb{Z}_q$ (23), independent of $M_{N+1}$ (24) and mutually independent (23).
B(N+1).1–B(N+1).3 imply the perfect security of each of the blocks of the CBC mode (3).
Proposition 1 implies one more important property of the proposed CBC cipher. The following corollary states that each block of (3) is independent of the previous blocks, i.e., information about the previous blocks does not affect the probability distribution of the current block.
Corollary 2.
If the block cipher is defined by Algorithm (3), then the following property holds:
$$\Pr\Bigl(C_i = C^0_i \,\Big|\, \bigcap_{j=1}^{i-1} \{C_j = C^0_j\}\Bigr) = \Pr(C_i = C^0_i), \qquad i = 1, \ldots, N.$$
The proof of Corollary 2 follows directly from the proof of Proposition 1 by applying the same principle of mathematical induction.

6. Resistance of the CBC Mode to the Chosen Plaintext Attack

In this section, we show that, due to the perfect secrecy property of the original block cipher, the proposed CBC mode can withstand the chosen plaintext attack. To achieve this goal, we consider the initial block cipher as a random permutation in the matrix space and afterwards show that no efficient adversary has a significant advantage in winning the defined attack game, which formalizes the CPA security of the CBC mode of our cipher. This provides an additional level of resistance against algebraic cryptanalysis based on the OWF.
The basic idea behind the proof is to perform an in-depth analysis of the CBC mode by inspecting the encryption of the whole massive plaintext while also considering the encryption of a single block. The purpose of this analysis is to show that both approaches do not let any efficient adversary discover any useful information he can use to harm the secrecy of the encrypted data.
Each of the presented approaches can be described by an attack game played between an adversary $\mathcal{A}$ (an algorithm seeking security issues) and a challenger, i.e., a machine replying to queries sent by $\mathcal{A}$. This technique of proof is highly inspired by the one described in [10]. We think that it clearly demonstrates the essence of the security proof and also find it easy to follow. Note also that throughout this paper all the adversaries are denoted by uppercase calligraphic letters.
Let us examine our block cipher $\varepsilon$ as a random permutation. Relying on the fact that the message space and the ciphertext space are of the same size (in fact, it is the same space), we denote by $C = \mathrm{Rand}(M)$ a random one-to-one mapping, which maps a matrix $M \in \mathrm{Mat}_m(\mathbb{Z}_q)$ to a matrix $C \in \mathrm{Mat}_m(\mathbb{Z}_q)$. Consider the following Attack Game aimed at the pseudo-randomness of the encryption algorithm (1), i.e., this game determines whether an adversary $\mathcal{A}$ can distinguish between a random permutation and the actual encryption function [10]:
Attack Game 1. 
For the block cipher $\varepsilon = (\mathrm{Enc}(K, M), \mathrm{Dec}(K, C))$ given by Algorithm (1) we define two experiments. Then for a value $b \in \{0, 1\}$ we have Experiment b:
  • The challenger selects a function $E_b$ as follows:
    $$E_b = \begin{cases} \mathrm{Enc}(K, M), & \text{if } b = 0; \\ \mathrm{Rand}(M), & \text{otherwise.} \end{cases}$$
  • The adversary $\mathcal{A}$ submits a sequence of queries, i.e., plaintexts in their matrix form $M_i$, where $i = 1, 2, \ldots$;
  • For the $i$-th query the challenger computes $C_i = E_b(M_i)$ and sends all the $C_i$'s to the adversary;
  • $\mathcal{A}$ outputs $\hat{b} \in \{0, 1\}$.
Denote by $W_b$ the random event that in Experiment b $\mathcal{A}$ outputs 1. Then $\mathcal{A}$'s advantage is defined as
$$\mathrm{BCadv}[\mathcal{A}, \varepsilon] = |\Pr(W_1) - \Pr(W_0)|.$$
Proposition 2.
For all efficient adversaries $\mathcal{A}$, their advantage $\mathrm{BCadv}[\mathcal{A}, \varepsilon]$ in Attack Game 1 is negligible.
Proof. 
Let us assume that the adversary $\mathcal{A}$ sends $m^2$ queries, i.e., matrices $M_1, M_2, \ldots, M_{m^2}$, to its challenger. Since the adversary can choose these queries adaptively, we assume that these matrices are linearly independent. Due to this assumption, the matrices $M_1, M_2, \ldots, M_{m^2}$ form a basis of the set $\mathrm{Mat}_m(\mathbb{Z}_q)$, which is the domain and codomain of both functions $\mathrm{Enc}(K, M)$ and $\mathrm{Rand}(M)$. Hence the adversary can construct any matrix $M \in \mathrm{Mat}_m(\mathbb{Z}_q)$, since this set is spanned by linear combinations of the basis matrices. In other words, we have:
$$M = \sum_{j=1}^{m^2} \alpha_j M_j. \tag{25}$$
According to the rules of Attack Game 1 the challenger replies with the response matrices $C_i = E_b(M_i)$, where $i = 1, 2, \ldots, m^2$. Since both functions $\mathrm{Enc}(K, M)$ and $\mathrm{Rand}(M)$ are one-to-one (by their definitions), all response values are distinct, and since the set $\mathrm{Mat}_m(\mathbb{Z}_q)$ is the codomain of both these functions, all the responses can be expressed as follows:
$$C_i = \sum_{j=1}^{m^2} \beta_{ij} M_j, \tag{26}$$
where $i = 1, 2, \ldots, m^2$. Furthermore, if more queries are made, then all of them together with all of the obtained responses can be expressed in a similar way.
Let us now consider Experiment 0. Relying on the perfect secrecy property of the block cipher $\varepsilon$, we can see that each ciphertext is equally likely, i.e.,
$$\Pr\bigl(\mathrm{Enc}(K, M_i) = C^0_i\bigr) = \frac{1}{q^{m^2}},$$
where $C^0_i$ is some fixed matrix. Furthermore, for any query matrix $M$ the coefficients $\alpha_j$ in (25) are statistically independent of the coefficients $\beta_{ij}$ in (26). Note also that for any response value $C_i$ the coefficients $\beta_{ij}$ are statistically independent of the coefficients $\beta_{kj}$, where $k < i$, due to Corollary 2.
This behaviour of the encryption function is indistinguishable from a random permutation. In other words, an adversary can win the considered Attack Game if he can somehow tell apart the secret key $K = \{X, Y, Z\}$ from the set of all possible keys $\mathcal{K}$. Otherwise, both functions $\mathrm{Enc}(K, M)$ and $\mathrm{Rand}(M)$ look the same to the adversary. Hence, he can do no better than to randomly pick the secret key $K$ from the set $\mathcal{K}$. For this reason, the advantage the adversary has in the considered Attack Game can be estimated as follows:
$$\mathrm{BCadv}[\mathcal{A}, \varepsilon] \leq \frac{1}{|\mathcal{K}|}, \tag{27}$$
where $|\mathcal{K}|$ is the size of the set $\mathcal{K}$. To calculate this value we recall the constraints on the key matrices $X$, $Y$, $Z$:
  • Matrix $X$ does not contain any zero entries and, hence, it comes from a set of $(q-1)^{m^2}$ possible matrices;
  • Matrix $Y$ has to be invertible and, hence, there are a total of $\prod_{i=1}^{m} (q^m - q^{i-1})$ possible choices;
  • Matrix $Z$ does not have any additional constraints and hence all $q^{m^2}$ possibilities are allowed.
It can now be seen that the expression (27) can be rewritten in the following way:
$$\mathrm{BCadv}[\mathcal{A}, \varepsilon] \leq \frac{1}{(q^2 - q)^{m^2} \prod_{i=1}^{m} (q^m - q^{i-1})}.$$
Evidently, this advantage is negligible. □
Note that Attack Game 1 is used to consider the original block cipher. The following Attack Game can be formulated for a newly defined CBC mode. This game, together with the previously presented Attack Game 1, is essential in the proof of the resistance of the CBC mode of our cipher to the chosen plaintext attack.
Attack Game 2. 
For the probabilistic cipher $\varepsilon = (\mathrm{Enc}(K, \mu), \mathrm{Dec}(K, c))$ given by Algorithm (3), we define two experiments. Then for a value $b \in \{0, 1\}$, we have Experiment b:
  • The challenger selects a random key $K = \{X, Y, Z\}$;
  • The adversary $\mathcal{A}$ submits a sequence of queries, i.e., plaintext pairs $(\mu_i^0, \mu_i^1)$ of equal length, where $i = 1, 2, \ldots, Q$;
  • For the $i$-th query the challenger computes $C_i = \mathrm{Enc}(K, \mu_i^b)$, where $b \in \{0, 1\}$ is the experiment indicator, and sends all the $C_i$'s to the adversary;
  • $\mathcal{A}$ outputs $\hat{b} \in \{0, 1\}$.
Denote by $W_b$ the random event that in Experiment b $\mathcal{A}$ outputs 1. Then $\mathcal{A}$'s advantage is defined as
$$\mathrm{CPAadv}[\mathcal{A}, \varepsilon] = |\Pr(W_1) - \Pr(W_0)|.$$
Note that any probabilistic cipher is considered to be CPA secure if $\mathcal{A}$'s advantage in Attack Game 2 is negligible. We formalize this fact for our cipher in the following proposition:
Proposition 3.
Consider the probabilistic cipher $\varepsilon = (\mathrm{Enc}(K, \mu), \mathrm{Dec}(K, c))$ given by Algorithm (3). For all efficient adversaries $\mathcal{A}$, their advantage in Attack Game 2 is expressed as follows:
$$\mathrm{CPAadv}[\mathcal{A}, \varepsilon] = \frac{2 Q^2 l^2}{N},$$
where $Q$ is the number of queries in Attack Game 2 and $l$ is the total number of blocks needed to encrypt a plaintext $\mu_i^b$.
Proof. 
Let us define the following adversaries:
  • $\mathcal{A}$ is an adversary who plays Attack Game 2;
  • $\mathcal{B}$ is an adversary interacting with $\mathcal{A}$ who plays Attack Game 1 with his own challenger.
Our aim is to show that a collaboration of these adversaries does not have any significant advantage in winning the defined Attack Game 2.
Obviously, the number of blocks is poly-bounded and can be calculated as follows:
$$l = \left\lceil \frac{|\mu|}{m^2 t} \right\rceil, \tag{28}$$
where $\lceil \cdot \rceil$ is the ceiling function. Additionally, note that the denominator of the fraction in (28) equals $\log_2 |\mathcal{M}|$ and hence the size of the message space $\mathcal{M}$ of the CBC mode is super-poly. Hence, our strategy for this proof is similar to the one described in Theorem 5.4 of [10].
Note that prior to encrypting the first block of the plaintext $\mu_i^b$, the challenger randomly selects an initialization vector $C_0$ and hence the intermediate block $S_{i1}$ consists of uniformly distributed random entries. Hence, by the construction of our scheme, the advantage $\mathrm{CPAadv}^{*}[\mathcal{A}, \varepsilon]$ of adversary $\mathcal{A}$ in winning the bit-guessing version of Attack Game 2 is given by:
$$\mathrm{CPAadv}^{*}[\mathcal{A}, \varepsilon] = \Bigl|\Pr(W_0) - \frac{1}{2}\Bigr|.$$
Moreover, multiple queries involving the same message $\mu$ result in distinct ciphertexts due to the perfect secrecy property of the block cipher and the randomness of the initialization vector. In other words, because picking the same initialization vector is practically an impossible event, the ciphertexts are distinct due to $\mathrm{Enc}(K, M_j)$ being a one-to-one mapping for any block $M_j$. In fact, as was previously proven, the value of $\mathrm{Enc}(K, M_j)$ is indistinguishable from a random permutation and hence $\mathrm{BCadv}[\mathcal{B}, \varepsilon]$ is negligible. Evidently, this includes the first block as well.
All that remains is to define Games 2 and 3 as in Theorem 5.4 of [10] and evaluate the appropriate results. To shorten our paper we omit these steps. □
However, because both the total number of blocks $l$ and the total number of queries $Q$ are poly-bounded, whereas the size of the message space is super-poly, the advantage $\mathrm{CPAadv}[\mathcal{A}, \varepsilon]$ is negligible and hence the CBC mode of the original Shannon cipher is CPA secure.
As an example, we explore the $\mathrm{CPAadv}^{*}[\mathcal{A}, \varepsilon]$ of the CBC mode $\varepsilon$ defined by (3) when $q = 2039$ and $m = 8$. Then, we have:
$$\mathrm{CPAadv}[\mathcal{A}, \varepsilon] = \frac{2 Q^2 l^2}{(l+1)\, 2039^{64}} + \frac{2}{(2039^2 - 2039)^{64} \prod_{i=1}^{8} (2039^8 - 2039^{i-1})} \approx \frac{2 Q^2 l^2}{(l+1)\, 2039^{64}} + 2^{-2110}.$$
Note that $\mathrm{BCadv}[\mathcal{B}, \varepsilon] \approx 2^{-2110}$ is negligible even compared to the first fraction in the above expression and, hence, does not have much of an impact on $\mathrm{CPAadv}[\mathcal{A}, \varepsilon]$. Ignoring $\mathrm{BCadv}[\mathcal{B}, \varepsilon]$ we obtain the following result:
$$\frac{Q^2 l^2}{l+1} < \frac{2039^{64}}{2}\, \mathrm{CPAadv}[\mathcal{A}, \varepsilon].$$
Then, assuming $\mathrm{CPAadv}[\mathcal{A}, \varepsilon] = 2^{-112}$ and that an adversary can submit $2^{112}$ queries, each query could contain approximately $2^{366}$ blocks. In other words, the size of the message is practically unlimited.
In general, ignoring $\mathrm{BCadv}[\mathcal{B}, \varepsilon]$ and approximating the expression $\frac{l^2}{l+1} \approx l$, in order to have $\mathrm{CPAadv}[\mathcal{A}, \varepsilon] < 2^{-112}$ we obtain the following result:
$$Q^2 l < 2^{-113} q^{m^2}. \tag{29}$$
Exploring the values of $q$ presented in [12] and limiting the message to $2^{32}$ blocks, we present in Table 1 the minimal values of the matrix size and the maximal number of queries allowed to achieve the desired adversary advantage:
The values presented in Table 1 should be interpreted as follows: for a given value of $q$ (say, 3) any smaller value of $m$ gives an adversary an advantage $\mathrm{CPAadv}[\mathcal{A}, \varepsilon] > 2^{-112}$ even if $Q = 1$. For given values of $q$ and $m$ (say, 3 and 10) the presented value of $Q$ is the maximum number of queries the adversary can send before his advantage surpasses the value $2^{-112}$. In other words, when the adversary sends the $(Q+1)$-st query (the 108-th, if $q = 3$ and $m = 10$) he obtains $\mathrm{CPAadv}[\mathcal{A}, \varepsilon] > 2^{-112}$. All the results presented in Table 1 were calculated using inequality (29), where $l = 2^{32}$.
Note that in our investigation we used Sophie Germain primes $q$ relatively close to, but smaller than, powers of 2. We can see that the maximal number of queries can be reasonably small. This issue can be easily fixed by slightly increasing the matrix size. As we saw previously, setting $q = 2039$ and $m = 8$ practically makes all efforts of any efficient CPA adversary irrelevant. Moreover, we can also settle for a tolerable CPA advantage, say $2^{-80}$, which greatly increases the number of queries required to surpass the chosen value.
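The following added Python example (not code from the paper) evaluates inequality (29) with exact integer arithmetic, so that rows of Table 1 can be reproduced, and computes the advantage estimate $2Q^2 l^2 / ((l+1) q^{m^2})$ used in the $q = 2039$, $m = 8$ case above; the function names are this example's own and the $\mathrm{BCadv}$ term is ignored, as in the paper's estimate.

```python
# Added example, not from the paper: exact evaluation of the query bound (29),
#   Q^2 * l < 2^(-113) * q^(m^2),
# and of the advantage estimate 2 Q^2 l^2 / ((l+1) q^(m^2)) with BCadv ignored.
from math import isqrt, log2


def max_queries(q, m, l, adv_log2=-112):
    """Largest Q with Q^2 * l < 2^(adv_log2 - 1) * q^(m^2); 0 means even one query exceeds the target."""
    num = q ** (m * m)
    den = (1 << (1 - adv_log2)) * l          # 2^113 * l for the default 2^-112 target
    floor_ratio = num // den
    Q = isqrt(floor_ratio)                   # Q^2 <= floor(num / den)
    if Q * Q == floor_ratio and floor_ratio * den == num:
        Q -= 1                               # ratio is an exact square: the inequality is strict
    return Q


def minimal_m(q, l, adv_log2=-112, m_max=64):
    """Smallest matrix order m for which at least one query stays below the target advantage."""
    for m in range(1, m_max + 1):
        if max_queries(q, m, l, adv_log2) >= 1:
            return m
    return None


def log2_advantage(q, m, Q, l):
    """log2 of 2 Q^2 l^2 / ((l+1) q^(m^2)), the first term of the q = 2039, m = 8 estimate."""
    return 1 + 2 * log2(Q) + 2 * log2(l) - log2(l + 1) - m * m * log2(q)


def table_row(q, l=2 ** 32):
    """(q, minimal m, maximal Q) in the layout of Table 1 for a message of l blocks."""
    m = minimal_m(q, l)
    return q, m, max_queries(q, m, l)
```

`table_row(3)` gives the first row of Table 1, and `log2_advantage(2039, 8, 2**112, 2**366)` lands just below $-112$, matching the $2^{366}$-block estimate in the text.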

7. Conclusions

In this paper, we proposed a new block cipher based on the previously defined Shannon cipher which operates in CBC mode. The construction of our block cipher relies on the link between perfect secrecy and pseudo-random number generators described by Yao in [9]. Moreover, we modified our initial proposal in such a way that the perfect secrecy property remains intact. This fact together with Theorem 5.4 in [10] allowed us to prove that our block cipher is secure against CPA.
In our previous publications, we have shown that MPF is a worthy candidate OWF and hence is suitable for applications in cryptography. Using the described transformation of the initial plaintext in its matrix form, we obtain a block that can be encrypted by executing a single round algorithm (1). Currently, this is a rather unusual idea in symmetric cryptography. However, we think that the proven perfect secrecy property of the original Shannon cipher and CPA security of the newly defined block cipher can aid our proposal to find its place among other secure symmetric ciphers.
It is also worth noting that, due to the construction presented in Section 4, no additional rounds are needed to perform data encryption. For this reason, the execution of the encryption process can be parallelized, i.e., we can use extra processors to perform calculations simultaneously for a single block. The latter property is related to the fact that matrix operations can be effectively parallelized into up to $m^2$ parallel computations, where $m$ is the order of the matrices defining our function. We think that this fact can be used to our advantage, resulting in a significant boost in performance. However, in this paper we only considered the resistance of the proposed CBC mode to the chosen-plaintext attack (CPA) and leave its performance analysis for a future publication.

Author Contributions

Conceptualization, K.L. and E.S.; methodology, L.D. and A.M.; software, A.M. and K.L.; validation, L.D., A.M., K.L. and E.S.; formal analysis, L.D. and A.M.; investigation, L.D. and A.M.; resources, A.M. and E.S.; data curation, A.M., K.L. and E.S.; writing—original draft preparation, L.D. and A.M.; writing—review and editing, A.M. and E.S.; supervision, E.S.; project administration, K.L.; funding acquisition, K.L. All authors have read and agreed to the published version of the manuscript.

Funding

This research received no external funding.

Institutional Review Board Statement

This article does not contain any studies with human participants or animals performed by any of the authors.

Informed Consent Statement

Not applicable.

Data Availability Statement

Not applicable.

Conflicts of Interest

The authors declare no conflict of interest.

Appendix A

Here, we present the detailed and comprehensive proof of the second block security of Proposition 1.
In the second block of (3), the entries of the matrices are of the following form:
$$s_{12,ij} = m_{2,ij} + c_{1,ij}; \qquad s_{22,ij} = z_{ij} \cdot \prod_{k=1}^{m} \prod_{l=1}^{m} \bigl(f(s_{12,kl})\bigr)^{y_{ik} y_{lj}}; \qquad c_{2,ij} = s_{32,ij} = f^{-1}(s_{22,ij}) + x_{ij}.$$
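As an added example (not the paper's code), here is a toy Python implementation of this block structure chained in CBC mode over $\mathbb{Z}_q$ and $G_q$, with decryption inverting the matrix power function through $Y^{-1} \bmod q$; the concrete bijection $f$, the toy parameters $q = 11$, $m = 3$, and all helper names are assumptions of this example.

```python
# Added example, not code from the paper: a toy implementation of the one-round MPF
# block cipher chained in CBC mode as in Algorithm (3),
#   S_1 = C_{N-1} + M_N,   S_2 = Z o (^Y F(S_1) ^Y),   C_N = F^{-1}(S_2) + X,
# over Z_q with q a Sophie Germain prime, p = 2q + 1 and G_q the order-q subgroup of
# Z_p^*. Assumed here (the paper leaves them open): f(a) = a-th smallest element of
# G_q, and toy parameters q = 11, m = 3 that give no security whatsoever.
import secrets

Q = 11           # Sophie Germain prime (2*11 + 1 = 23 is prime)
P = 2 * Q + 1
M_SIZE = 3       # matrix order m

def build_f_table(q, p):
    """Bijection f: Z_q -> G_q as a list (index a -> f(a)) plus its inverse dict."""
    g = 4 % p                         # a nonzero square mod p, hence of order q
    elems = sorted({pow(g, a, p) for a in range(q)})
    assert len(elems) == q            # g really generates the order-q subgroup
    return elems, {v: a for a, v in enumerate(elems)}

def mpf(Y, W, q, p):
    """Matrix power function ^Y W ^Y: entry (i,j) = prod_{k,l} w_kl^(y_ik*y_lj) mod p."""
    m = len(W)
    out = [[1] * m for _ in range(m)]
    for i in range(m):
        for j in range(m):
            acc = 1
            for k in range(m):
                for l in range(m):   # exponents are reduced mod q since |G_q| = q
                    acc = acc * pow(W[k][l], Y[i][k] * Y[l][j] % q, p) % p
            out[i][j] = acc
    return out

def inv_mod_matrix(Y, q):
    """Inverse of Y over Z_q (Gauss-Jordan); raises ValueError if Y is singular."""
    m = len(Y)
    A = [list(row) + [int(i == j) for j in range(m)] for i, row in enumerate(Y)]
    for col in range(m):
        piv = next((r for r in range(col, m) if A[r][col] % q), None)
        if piv is None:
            raise ValueError("Y is singular mod q")
        A[col], A[piv] = A[piv], A[col]
        inv = pow(A[col][col], -1, q)
        A[col] = [v * inv % q for v in A[col]]
        for r in range(m):
            if r != col and A[r][col] % q:   # clear column col in every other row
                A[r] = [(a - A[r][col] * b) % q for a, b in zip(A[r], A[col])]
    return [row[m:] for row in A]

def keygen(q, p, m, f_tab):
    """K = {X, Y, Z}: X without zero entries, Y invertible mod q, Z with entries in G_q."""
    X = [[secrets.randbelow(q - 1) + 1 for _ in range(m)] for _ in range(m)]
    while True:
        Y = [[secrets.randbelow(q) for _ in range(m)] for _ in range(m)]
        try:
            Y_inv = inv_mod_matrix(Y, q)
            break
        except ValueError:
            continue
    Z = [[f_tab[secrets.randbelow(q)] for _ in range(m)] for _ in range(m)]
    return X, Y, Y_inv, Z

def encrypt_block(key, f_tab, f_inv, prev_c, M, q, p):
    X, Y, _, Z = key
    m = len(M)
    S1 = [[(prev_c[i][j] + M[i][j]) % q for j in range(m)] for i in range(m)]
    W = mpf(Y, [[f_tab[v] for v in row] for row in S1], q, p)
    S2 = [[Z[i][j] * W[i][j] % p for j in range(m)] for i in range(m)]   # Hadamard product
    return [[(f_inv[S2[i][j]] + X[i][j]) % q for j in range(m)] for i in range(m)]

def decrypt_block(key, f_tab, f_inv, prev_c, C, q, p):
    X, _, Y_inv, Z = key
    m = len(C)
    S2 = [[f_tab[(C[i][j] - X[i][j]) % q] for j in range(m)] for i in range(m)]
    W = [[S2[i][j] * pow(Z[i][j], -1, p) % p for j in range(m)] for i in range(m)]
    FS1 = mpf(Y_inv, W, q, p)   # ^(Y^-1)(^Y F(S1)^Y)^(Y^-1) = F(S1): exponents multiply mod q
    S1 = [[f_inv[v] for v in row] for row in FS1]
    return [[(S1[i][j] - prev_c[i][j]) % q for j in range(m)] for i in range(m)]

def cbc_encrypt(key, f_tab, f_inv, blocks, q, p, iv=None):
    """Returns [C_0, C_1, ..., C_l], where C_0 is the IV (random unless supplied)."""
    m = len(blocks[0])
    prev = iv or [[secrets.randbelow(q) for _ in range(m)] for _ in range(m)]
    out = [prev]
    for M in blocks:
        prev = encrypt_block(key, f_tab, f_inv, prev, M, q, p)
        out.append(prev)
    return out

def cbc_decrypt(key, f_tab, f_inv, cipher, q, p):
    return [decrypt_block(key, f_tab, f_inv, cipher[i], cipher[i + 1], q, p)
            for i in range(len(cipher) - 1)]

def roundtrip_demo():
    """Constructed 2-block message: (decryption restores it, two IVs give distinct ciphertexts)."""
    f_tab, f_inv = build_f_table(Q, P)
    key = keygen(Q, P, M_SIZE, f_tab)
    msg = [[[1, 2, 3], [4, 5, 6], [7, 8, 9]], [[10, 0, 1], [2, 3, 4], [5, 6, 7]]]
    c_rand = cbc_encrypt(key, f_tab, f_inv, msg, Q, P)
    c_zero = cbc_encrypt(key, f_tab, f_inv, msg, Q, P, iv=[[0] * M_SIZE] * M_SIZE)
    c_ones = cbc_encrypt(key, f_tab, f_inv, msg, Q, P, iv=[[1] * M_SIZE] * M_SIZE)
    return cbc_decrypt(key, f_tab, f_inv, c_rand, Q, P) == msg, c_zero[1:] != c_ones[1:]
```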

Appendix A.1. $S_{12}$ Independence

Following the proof for the first block (6), the entries $s_{12,ij}$ are uniformly distributed in $\mathbb{Z}_q$:
$$\Pr(s_{12,ij} = s^0_{12,ij}) = \Pr(c_{1,ij} + m_{2,ij} = s^0_{12,ij}) = \sum_{m^0_{2,ij} \in \mathbb{Z}_q} \Pr\bigl(c_{1,ij} = s^0_{12,ij} - m^0_{2,ij},\; m_{2,ij} = m^0_{2,ij}\bigr) = \sum_{m^0_{2,ij} \in \mathbb{Z}_q} \sum_{s^0_{21,ij} \in G_q} \Pr\bigl(x_{ij} = s^0_{12,ij} - m^0_{2,ij} - f^{-1}(s^0_{21,ij}) \in \mathbb{Z}_q,\; m_{2,ij} = m^0_{2,ij},\; s_{21,ij} = s^0_{21,ij}\bigr) = \frac{1}{q} \underbrace{\sum_{m^0_{2,ij} \in \mathbb{Z}_q} \sum_{s^0_{21,ij} \in G_q} \Pr\bigl(m_{2,ij} = m^0_{2,ij},\; s_{21,ij} = s^0_{21,ij}\bigr)}_{=1} = \frac{1}{q}. \tag{A1}$$
Using the same idea as in (7) and (A1), we obtain that $S_{12}$ and $M_2$ are independent:
$$\Pr\Bigl(s_{12,ij} = s^0_{12,ij},\; \bigcap_{i,j=1}^{m} \{m_{2,ij} = m^0_{2,ij}\}\Bigr) = \sum_{s^0_{21,ij} \in G_q} \Pr\Bigl(x_{ij} = s^0_{12,ij} - m^0_{2,ij} - f^{-1}(s^0_{21,ij}),\; \bigcap_{i,j=1}^{m} \{m_{2,ij} = m^0_{2,ij}\},\; s_{21,ij} = s^0_{21,ij}\Bigr) = \Pr(s_{12,ij} = s^0_{12,ij}) \Pr\Bigl(\bigcap_{i,j=1}^{m} \{m_{2,ij} = m^0_{2,ij}\}\Bigr). \tag{A2}$$
In the last step of (A2), we refer to the independence of the entries $m_{2,ij}$ and $s_{21,ij}$, which can be proved as follows (analogously to (10)):
$$\Pr\Bigl(s_{21,ij} = s^0_{21,ij},\; \bigcap_{i,j=1}^{m} \{m_{2,ij} = m^0_{2,ij}\}\Bigr) = \sum_{c^0_{0,kl} \in \mathbb{Z}_q} \sum_{y^0_{kl} \in \mathbb{Z}_q \setminus \{0\}} \sum_{m^0_{1,ij} \in \mathbb{Z}_q} \Pr\Bigl(z_{ij} = s^0_{21,ij} \Bigl(\prod_{k=1}^{m} \prod_{l=1}^{m} \bigl(f(c^0_{0,kl} + m^0_{1,kl})\bigr)^{y^0_{ik} y^0_{lj}}\Bigr)^{-1},\; \bigcap_{i,j=1}^{m} \{m_{1,ij} = m^0_{1,ij}\},\; \bigcap_{k,l=1}^{m} \{c_{0,kl} = c^0_{0,kl}\},\; \bigcap_{k,l=1}^{m} \{y_{kl} = y^0_{kl}\},\; \bigcap_{i,j=1}^{m} \{m_{2,ij} = m^0_{2,ij}\}\Bigr) = \frac{1}{q} \cdot \Pr\Bigl(\bigcap_{i,j=1}^{m} \{m_{2,ij} = m^0_{2,ij}\}\Bigr) = \Pr(s_{21,ij} = s^0_{21,ij}) \Pr\Bigl(\bigcap_{i,j=1}^{m} \{m_{2,ij} = m^0_{2,ij}\}\Bigr). \tag{A3}$$
The third independence property of $S_{12}$ is that its entries are mutually independent. In the same way as in (8) and (A1), it follows that:
$$\Pr\Bigl(\bigcap_{i,j=1}^{m} \{s_{12,ij} = s^0_{12,ij}\}\Bigr) = \Pr\Bigl(\bigcap_{i,j=1}^{m} \{c_{1,ij} + m_{2,ij} = s^0_{12,ij}\}\Bigr) = \sum_{s^0_{21,ij} \in G_q} \sum_{m^0_{2,ij} \in \mathbb{Z}_q} \Pr\Bigl(\bigcap_{i,j=1}^{m} \{x_{ij} = s^0_{12,ij} - m^0_{2,ij} - f^{-1}(s^0_{21,ij})\},\; \bigcap_{i,j=1}^{m} \{m_{2,ij} = m^0_{2,ij}\},\; \bigcap_{i,j=1}^{m} \{s_{21,ij} = s^0_{21,ij}\}\Bigr) = \frac{1}{q^{m^2}} \cdot \sum_{s^0_{21,ij} \in G_q} \sum_{m^0_{2,ij} \in \mathbb{Z}_q} \Pr\Bigl(\bigcap_{i,j=1}^{m} \{m_{2,ij} = m^0_{2,ij}\},\; \bigcap_{i,j=1}^{m} \{s_{21,ij} = s^0_{21,ij}\}\Bigr) = \frac{1}{q^{m^2}}, \tag{A4}$$
because the double sum at the end of (A4) equals 1.

Appendix A.2. $S_{22}$ Independence

According to Corollary 1, the entries of matrix $S_{22}$ are uniformly distributed in $G_q$:
$$\Pr(s_{22,ij} = s^0_{22,ij}) = \frac{1}{q}. \tag{A5}$$
To show that $S_{22}$ is independent of $M_2$, we first prove that $C_1 = S_{31}$ is independent of $Z$:
$$\Pr\Bigl(s_{31,ij} = s^0_{31,ij},\; \bigcap_{i,j=1}^{m} \{z_{ij} = z^0_{ij}\}\Bigr) = \sum_{s^0_{21,ij} \in G_q} \Pr\Bigl(x_{ij} = s^0_{31,ij} - f^{-1}(s^0_{21,ij}) \in \mathbb{Z}_q,\; \bigcap_{i,j=1}^{m} \{z_{ij} = z^0_{ij}\},\; s_{21,ij} = s^0_{21,ij}\Bigr) = \frac{1}{q} \Pr\Bigl(\bigcap_{i,j=1}^{m} \{z_{ij} = z^0_{ij}\}\Bigr) = \Pr(s_{31,ij} = s^0_{31,ij}) \Pr\Bigl(\bigcap_{i,j=1}^{m} \{z_{ij} = z^0_{ij}\}\Bigr). \tag{A6}$$
Additionally, we need the independence of the entries $c_{1,ij} = s_{31,ij}$ and $m_{2,ij}$. Similarly to (16):
$$\Pr\Bigl(c_{1,ij} = c^0_{1,ij},\; \bigcap_{i,j=1}^{m} \{m_{2,ij} = m^0_{2,ij}\}\Bigr) = \sum_{s^0_{21,ij} \in G_q} \Pr\Bigl(x_{ij} = c^0_{1,ij} - f^{-1}(s^0_{21,ij}),\; s_{21,ij} = s^0_{21,ij},\; \bigcap_{i,j=1}^{m} \{m_{2,ij} = m^0_{2,ij}\}\Bigr) = \frac{1}{q} \cdot \sum_{s^0_{21,ij} \in G_q} \Pr(s_{21,ij} = s^0_{21,ij}) \Pr\Bigl(\bigcap_{i,j=1}^{m} \{m_{2,ij} = m^0_{2,ij}\}\Bigr) = \Pr(c_{1,ij} = c^0_{1,ij}) \Pr\Bigl(\bigcap_{i,j=1}^{m} \{m_{2,ij} = m^0_{2,ij}\}\Bigr). \tag{A7}$$
Hence, analogously to (10), (A6) and (A7) imply that matrices $S_{22}$ and $M_2$ are independent:
$$\Pr\Bigl(s_{22,ij} = s^0_{22,ij},\; \bigcap_{i,j=1}^{m} \{m_{2,ij} = m^0_{2,ij}\}\Bigr) = \sum_{c^0_{1,kl} \in \mathbb{Z}_q} \sum_{y^0_{kl} \in \mathbb{Z}_q \setminus \{0\}} \Pr\Bigl(z_{ij} = s^0_{22,ij} \Bigl(\prod_{k=1}^{m} \prod_{l=1}^{m} \bigl(f(c^0_{1,kl} + m^0_{2,kl})\bigr)^{y^0_{ik} y^0_{lj}}\Bigr)^{-1},\; \bigcap_{i,j=1}^{m} \{m_{2,ij} = m^0_{2,ij}\},\; \bigcap_{k,l=1}^{m} \{c_{1,kl} = c^0_{1,kl}\},\; \bigcap_{k,l=1}^{m} \{y_{kl} = y^0_{kl}\}\Bigr) = \frac{1}{q} \cdot \Pr\Bigl(\bigcap_{i,j=1}^{m} \{m_{2,ij} = m^0_{2,ij}\}\Bigr) = \Pr(s_{22,ij} = s^0_{22,ij}) \cdot \Pr\Bigl(\bigcap_{i,j=1}^{m} \{m_{2,ij} = m^0_{2,ij}\}\Bigr), \tag{A8}$$
together with the fact that $C_1$ and $Y$ are independent:
$$\Pr\Bigl(c_{1,ij} = c^0_{1,ij},\; \bigcap_{i,j=1}^{m} \{y_{ij} = y^0_{ij}\}\Bigr) = \sum_{c^0_{0,ij} \in \mathbb{Z}_q} \sum_{m^0_{1,ij} \in \mathbb{Z}_q} \sum_{z^0_{ij} \in \mathbb{Z}_q} \Pr\Bigl(x_{ij} = c^0_{1,ij} - f^{-1}\Bigl(z^0_{ij} \prod_{k=1}^{m} \prod_{l=1}^{m} \bigl(f(c^0_{0,kl} + m^0_{1,kl})\bigr)^{y^0_{ik} y^0_{lj}}\Bigr),\; \bigcap_{i,j=1}^{m} \{m_{1,ij} = m^0_{1,ij}\},\; \bigcap_{i,j=1}^{m} \{c_{0,ij} = c^0_{0,ij}\},\; z_{ij} = z^0_{ij},\; \bigcap_{i,j=1}^{m} \{y_{ij} = y^0_{ij}\}\Bigr) = \frac{1}{q} \cdot \Pr\Bigl(\bigcap_{i,j=1}^{m} \{y_{ij} = y^0_{ij}\}\Bigr). \tag{A9}$$
The last step for matrix $S_{22}$ is to show the independence between its entries, in the same way as in (11):
$$\Pr\Bigl(\bigcap_{i,j=1}^{m} \{s_{22,ij} = s^0_{ij}\}\Bigr) = \Pr\Bigl(\bigcap_{i,j=1}^{m} \Bigl\{z_{ij} \prod_{k=1}^{m} \prod_{l=1}^{m} \bigl(f(s_{12,kl})\bigr)^{y_{ik} y_{lj}} = s^0_{ij}\Bigr\}\Bigr) = \sum_{s^0_{12,kl} \in \mathbb{Z}_q} \sum_{y^0_{ij} \in \mathbb{Z}_q \setminus \{0\}} \Pr\Bigl(\bigcap_{i,j=1}^{m} \Bigl\{z_{ij} = s^0_{ij} \Bigl(\prod_{k=1}^{m} \prod_{l=1}^{m} \bigl(f(s^0_{12,kl})\bigr)^{y^0_{ik} y^0_{lj}}\Bigr)^{-1}\Bigr\},\; \bigcap_{k,l=1}^{m} \{s_{12,kl} = s^0_{12,kl}\},\; \bigcap_{i,j=1}^{m} \{y_{ij} = y^0_{ij}\}\Bigr) = \frac{1}{q^{m^2}}. \tag{A10}$$
In the last equality of (A10) we needed two additional independencies, Equations (A11) and (A12). The first is that matrices $S_{12}$ and $Y$ are independent:
$$\Pr\Bigl(s_{12,ij} = s^0_{12,ij},\; \bigcap_{i,j=1}^{m} \{y_{ij} = y^0_{ij}\}\Bigr) = \sum_{m^0_{2,ij} \in \mathbb{Z}_q} \Pr\Bigl(c_{1,ij} = s^0_{12,ij} - m^0_{2,ij},\; m_{2,ij} = m^0_{2,ij},\; \bigcap_{i,j=1}^{m} \{y_{ij} = y^0_{ij}\}\Bigr) = \frac{1}{q} \Pr\Bigl(\bigcap_{i,j=1}^{m} \{y_{ij} = y^0_{ij}\}\Bigr) \cdot \sum_{m^0_{2,ij} \in \mathbb{Z}_q} \Pr(m_{2,ij} = m^0_{2,ij}) = \frac{1}{q} \Pr\Bigl(\bigcap_{i,j=1}^{m} \{y_{ij} = y^0_{ij}\}\Bigr) = \Pr(s_{12,ij} = s^0_{12,ij}) \Pr\Bigl(\bigcap_{i,j=1}^{m} \{y_{ij} = y^0_{ij}\}\Bigr). \tag{A11}$$
The second is that matrices $S_{12}$ and $Z$ are independent too:
$$\Pr\Bigl(s_{12,ij} = s^0_{12,ij},\; \bigcap_{i,j=1}^{m} \{z_{ij} = z^0_{ij}\}\Bigr) = \sum_{m^0_{2,ij} \in \mathbb{Z}_q} \Pr\Bigl(c_{1,ij} = s^0_{12,ij} - m^0_{2,ij},\; m_{2,ij} = m^0_{2,ij},\; \bigcap_{i,j=1}^{m} \{z_{ij} = z^0_{ij}\}\Bigr) = \frac{1}{q} \Pr\Bigl(\bigcap_{i,j=1}^{m} \{z_{ij} = z^0_{ij}\}\Bigr) \cdot \sum_{m^0_{2,ij} \in \mathbb{Z}_q} \Pr(m_{2,ij} = m^0_{2,ij}) = \frac{1}{q} \Pr\Bigl(\bigcap_{i,j=1}^{m} \{z_{ij} = z^0_{ij}\}\Bigr) = \Pr(s_{12,ij} = s^0_{12,ij}) \Pr\Bigl(\bigcap_{i,j=1}^{m} \{z_{ij} = z^0_{ij}\}\Bigr). \tag{A12}$$

Appendix A.3. $S_{32} = C_2$ Independence

In order to prove that the entries $s_{32,ij} = c_{2,ij}$ are all uniformly distributed in $\mathbb{Z}_q$, we first need the independence between $C_1$ and $X$:
$$\Pr\Bigl(c_{1,ij} = c^0_{1,ij},\; \bigcap_{i,j=1}^{m} \{x_{ij} = x^0_{ij}\}\Bigr) = \Pr\Bigl(f^{-1}(s_{21,ij}) = c^0_{1,ij} - x^0_{ij},\; \bigcap_{i,j=1}^{m} \{x_{ij} = x^0_{ij}\}\Bigr) = \frac{1}{q} \Pr\Bigl(\bigcap_{i,j=1}^{m} \{x_{ij} = x^0_{ij}\}\Bigr) = \Pr(c_{1,ij} = c^0_{1,ij}) \Pr\Bigl(\bigcap_{i,j=1}^{m} \{x_{ij} = x^0_{ij}\}\Bigr), \tag{A13}$$
which implies the independence of $S_{22}$ and $X$:
$$\Pr\Bigl(s_{22,ij} = s^0_{22,ij},\; \bigcap_{i,j=1}^{m} \{x_{ij} = x^0_{ij}\}\Bigr) = \sum_{m^0_{2,ij} \in \mathbb{Z}_q} \sum_{c^0_{1,kl} \in \mathbb{Z}_q} \sum_{y^0_{ij} \in \mathbb{Z}_q \setminus \{0\}} \Pr\Bigl(z_{ij} = s^0_{22,ij} \cdot \Bigl(\prod_{k=1}^{m} \prod_{l=1}^{m} \bigl(f(c^0_{1,kl} + m^0_{2,kl})\bigr)^{y^0_{ik} y^0_{lj}}\Bigr)^{-1},\; \bigcap_{i,j=1}^{m} \{x_{ij} = x^0_{ij}\},\; \bigcap_{i,j=1}^{m} \{y_{ij} = y^0_{ij}\},\; \bigcap_{i,j=1}^{m} \{m_{2,ij} = m^0_{2,ij}\},\; \bigcap_{k,l=1}^{m} \{c_{1,kl} = c^0_{1,kl}\}\Bigr) = \frac{1}{q} \Pr\Bigl(\bigcap_{i,j=1}^{m} \{x_{ij} = x^0_{ij}\}\Bigr) = \Pr(s_{22,ij} = s^0_{22,ij}) \Pr\Bigl(\bigcap_{i,j=1}^{m} \{x_{ij} = x^0_{ij}\}\Bigr). \tag{A14}$$
This, together with (A13), yields
$$\Pr(s_{32,ij} = s^0_{32,ij}) = \Pr\bigl(f^{-1}(s_{22,ij}) = s^0_{32,ij} - x_{ij}\bigr) = \frac{1}{q} \sum_{x^0_{ij} \in \mathbb{Z}_q} \Pr(x_{ij} = x^0_{ij}) = \frac{1}{q}. \tag{A15}$$
The main security condition for the second block, the independence between $S_{32} = C_2$ and $M_2$, is satisfied (following the idea of (16)):
$$\Pr\Bigl(s_{32,ij} = s^0_{32,ij},\; \bigcap_{i,j=1}^{m} \{m_{2,ij} = m^0_{2,ij}\}\Bigr) = \Pr\Bigl(f^{-1}(s_{22,ij}) + x_{ij} = s^0_{32,ij},\; \bigcap_{i,j=1}^{m} \{m_{2,ij} = m^0_{2,ij}\}\Bigr) = \sum_{x^0_{ij} \in \mathbb{Z}_q} \Pr\Bigl(s_{22,ij} = f(s^0_{32,ij} - x^0_{ij}),\; \bigcap_{i,j=1}^{m} \{m_{2,ij} = m^0_{2,ij}\},\; x_{ij} = x^0_{ij}\Bigr) = \frac{1}{q} \Pr\Bigl(\bigcap_{i,j=1}^{m} \{m_{2,ij} = m^0_{2,ij}\}\Bigr) = \Pr(s_{32,ij} = s^0_{32,ij}) \cdot \Pr\Bigl(\bigcap_{i,j=1}^{m} \{m_{2,ij} = m^0_{2,ij}\}\Bigr). \tag{A16}$$
Finally, the entries of $S_{32} = C_2$ are independent:
$$\Pr\Bigl(\bigcap_{i,j=1}^{m} \{s_{32,ij} = s^0_{32,ij}\}\Bigr) = \Pr\Bigl(\bigcap_{i,j=1}^{m} \{f^{-1}(s_{22,ij}) + x_{ij} = s^0_{32,ij}\}\Bigr) = \sum_{x^0_{ij} \in \mathbb{Z}_q} \Pr\Bigl(\bigcap_{i,j=1}^{m} \{f^{-1}(s_{22,ij}) = s^0_{32,ij} - x^0_{ij}\},\; \bigcap_{i,j=1}^{m} \{x_{ij} = x^0_{ij}\}\Bigr) = \prod_{i,j=1}^{m} \Pr\bigl(f^{-1}(s_{22,ij}) = s^0_{32,ij} - x^0_{ij}\bigr) = \frac{1}{q^{m^2}}. \tag{A17}$$
Additionally, to generalize the analysis to the $n$-th block, we show that $C_2$ is independent of $M_3$. To prove this, we first need the independence between $S_{22}$ and $M_3$ (similarly to (A8)):
$$\Pr\Bigl(s_{22,ij} = s^0_{22,ij},\; \bigcap_{i,j=1}^{m} \{m_{3,ij} = m^0_{3,ij}\}\Bigr) = \sum_{c^0_{1,kl} \in \mathbb{Z}_q} \sum_{y^0_{kl} \in \mathbb{Z}_q \setminus \{0\}} \Pr\Bigl(z_{ij} = s^0_{22,ij} \cdot \Bigl(\prod_{k=1}^{m} \prod_{l=1}^{m} \bigl(f(c^0_{1,kl} + m^0_{2,kl})\bigr)^{y^0_{ik} y^0_{lj}}\Bigr)^{-1},\; \bigcap_{i,j=1}^{m} \{m_{3,ij} = m^0_{3,ij}\},\; \bigcap_{k,l=1}^{m} \{c_{1,kl} = c^0_{1,kl}\},\; \bigcap_{k,l=1}^{m} \{y_{kl} = y^0_{kl}\}\Bigr) = \frac{1}{q} \cdot \Pr\Bigl(\bigcap_{i,j=1}^{m} \{m_{3,ij} = m^0_{3,ij}\}\Bigr) = \Pr(s_{22,ij} = s^0_{22,ij}) \Pr\Bigl(\bigcap_{i,j=1}^{m} \{m_{3,ij} = m^0_{3,ij}\}\Bigr), \tag{A18}$$
where we used the fact that $C_1$ and $M_3$ are also independent, because:
$$\Pr\Bigl(c_{1,ij} = c^0_{1,ij},\; \bigcap_{i,j=1}^{m} \{m_{3,ij} = m^0_{3,ij}\}\Bigr) = \sum_{s^0_{21,ij} \in G_q} \Pr\Bigl(x_{ij} = c^0_{1,ij} - f^{-1}(s^0_{21,ij}),\; s_{21,ij} = s^0_{21,ij},\; \bigcap_{i,j=1}^{m} \{m_{3,ij} = m^0_{3,ij}\}\Bigr) = \frac{1}{q} \Pr\Bigl(\bigcap_{i,j=1}^{m} \{m_{3,ij} = m^0_{3,ij}\}\Bigr) = \Pr(c_{1,ij} = c^0_{1,ij}) \Pr\Bigl(\bigcap_{i,j=1}^{m} \{m_{3,ij} = m^0_{3,ij}\}\Bigr). \tag{A19}$$
Using the same idea as in (A16), (A18) and (A19) imply the independence between $C_2$ and $M_3$:
$$\Pr\Bigl(c_{2,ij} = c^0_{2,ij},\; \bigcap_{i,j=1}^{m} \{m_{3,ij} = m^0_{3,ij}\}\Bigr) = \Pr\Bigl(f^{-1}(s_{22,ij}) + x_{ij} = c^0_{2,ij},\; \bigcap_{i,j=1}^{m} \{m_{3,ij} = m^0_{3,ij}\}\Bigr) = \sum_{x^0_{ij} \in \mathbb{Z}_q} \Pr\Bigl(s_{22,ij} = f(c^0_{2,ij} - x^0_{ij}),\; \bigcap_{i,j=1}^{m} \{m_{3,ij} = m^0_{3,ij}\},\; x_{ij} = x^0_{ij}\Bigr) = \frac{1}{q} \Pr\Bigl(\bigcap_{i,j=1}^{m} \{m_{3,ij} = m^0_{3,ij}\}\Bigr) = \Pr(c_{2,ij} = c^0_{2,ij}) \Pr\Bigl(\bigcap_{i,j=1}^{m} \{m_{3,ij} = m^0_{3,ij}\}\Bigr). \tag{A20}$$
To generalize the iterative process of the CBC mode, with each block satisfying the security condition, we need the independence between $C_2$ and $Z$:
$$\Pr\Bigl(c_{2,ij} = c^0_{2,ij},\; \bigcap_{i,j=1}^{m} \{z_{ij} = z^0_{ij}\}\Bigr) = \sum_{x^0_{ij} \in \mathbb{Z}_q} \Pr\Bigl(f^{-1}(s_{22,ij}) = c^0_{2,ij} - x^0_{ij},\; \bigcap_{i,j=1}^{m} \{z_{ij} = z^0_{ij}\},\; x_{ij} = x^0_{ij}\Bigr) = \sum_{x^0_{ij} \in \mathbb{Z}_q} \Pr\Bigl(\prod_{k=1}^{m} \prod_{l=1}^{m} \bigl(f(s_{12,kl})\bigr)^{y_{ik} y_{lj}} = (z^0_{ij})^{-1} f(c^0_{2,ij} - x^0_{ij}),\; x_{ij} = x^0_{ij},\; \bigcap_{i,j=1}^{m} \{z_{ij} = z^0_{ij}\}\Bigr) = \frac{1}{q} \underbrace{\sum_{x^0_{ij} \in \mathbb{Z}_q} \Pr\Bigl(x_{ij} = x^0_{ij},\; \bigcap_{i,j=1}^{m} \{z_{ij} = z^0_{ij}\}\Bigr)}_{\text{total probability of } \bigcap_{i,j=1}^{m} \{z_{ij} = z^0_{ij}\}} = \Pr(c_{2,ij} = c^0_{2,ij}) \Pr\Bigl(\bigcap_{i,j=1}^{m} \{z_{ij} = z^0_{ij}\}\Bigr),$$
where we used that $S_{12}$ and $X$ are independent, which is easy to prove following the same idea as in (A11).
$C_2$ and $Y$ are also independently distributed:
$$\Pr\Bigl(c_{2,ij} = c^0_{2,ij},\; \bigcap_{i,j=1}^{m} \{y_{ij} = y^0_{ij}\}\Bigr) = \sum_{s^0_{22,ij} \in G_q} \Pr\Bigl(x_{ij} = c^0_{2,ij} - f^{-1}(s^0_{22,ij}),\; \bigcap_{i,j=1}^{m} \{y_{ij} = y^0_{ij}\},\; s_{22,ij} = s^0_{22,ij}\Bigr) = \Pr(c_{2,ij} = c^0_{2,ij}) \Pr\Bigl(\bigcap_{i,j=1}^{m} \{y_{ij} = y^0_{ij}\}\Bigr).$$
Independence of the matrices $C_2$ and $X$ can be easily proved according to (A22), because $S_{22}$ is independent of $X$.

References

  1. Katz, J.; Lindell, Y. Introduction to Modern Cryptography; CRC Press: London, UK, 2020. [Google Scholar]
  2. Feistel, H. Cryptography and Computer Privacy. Sci. Am. 1973, 228, 15–23. [Google Scholar] [CrossRef]
  3. Dworkin, M.J.; Barker, E.B.; Nechvatal, J.R.; Foti, J.; Bassham, L.E.; Roback, E.; Dray, J.F., Jr. Advanced Encryption Standard (AES). In Federal Inf. Process. Stds.; (NIST FIPS); National Institute of Standards and Technology: Gaithersburg, MD, USA, 2001. [Google Scholar]
  4. GOST R 34.12-2015: Block Cipher “Kuznyechik”. Available online: https://www.hjp.at/(de)/doc/rfc/rfc7801.html (accessed on 17 March 2022).
  5. Biryukov, A.; Dunkelman, O.; Keller, N.; Khovratovich, D.; Shamir, A. Key Recovery Attacks of Practical Complexity on AES-256 Variants with up to 10 Rounds. In Advances in Cryptology, Proceedings of the EUROCRYPT 2010, Nice, France, 30 May—3 June 2010; Gilbert, H., Ed.; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2010; Volume 6110, pp. 299–319. ISBN 978-3-642-13189-9. [Google Scholar]
  6. Diffie, W.; Hellman, M.E. Special Feature Exhaustive Cryptanalysis of the NBS Data Encryption Standard. Computer 1977, 10, 74–84. [Google Scholar] [CrossRef]
  7. AlTawy, R.; Youssef, A.M. A Meet in the Middle Attack on Reduced Round Kuznyechik. IEICE Trans. Fundam. Electron. Commun. Comput. Sci. 2015, 98, 2194–2198. [Google Scholar] [CrossRef]
  8. Courtois, N.T.; Pieprzyk, J. Cryptanalysis of Block Ciphers with Overdefined Systems of Equations. In Advances in Cryptology, Proceedings of the ASIACRYPT 2002, Queenstown, New Zealand, 1–5 December 2002; Zheng, Y., Ed.; Lecture Notes in Computer Science; Springer: Berlin/Heidelberg, Germany, 2002; Volume 2501, pp. 267–287. ISBN 978-3-540-00171-3. [Google Scholar]
  9. Yao, A.C. Theory and Application of Trapdoor Functions. In Proceedings of the 23rd Annual Symposium on Foundations of Computer Science (sfcs 1982), Chicago, IL, USA, 3–5 November 1982; IEEE Computer Society: Washington, DC, USA, 1982; pp. 80–91. [Google Scholar]
  10. Boneh, D.; Shoup, V. A Graduate Course in Applied Cryptography. Version 0.5. 2020. Available online: http://toc.cryptobook.us/book.pdf (accessed on 17 March 2022).
  11. Shannon, C.E. Communication Theory of Secrecy Systems. Bell Syst. Tech. J. 1949, 28, 656–715. [Google Scholar] [CrossRef]
  12. Levinskas, M.; Michalkovič, A. Avalanche Effect and Bit Independence Criterion of Perfectly Secure Shannon Cipher Based on Matrix Power. Math. Model. Eng. 2021, 7, 50–53. [Google Scholar]
  13. Mihalkovich, A.; Sakalauskas, E.; Luksys, K. Key Exchange Protocol Defined over a Non-Commuting Group Based on an NP-Complete Decisional Problem. Symmetry 2020, 12, 1389. [Google Scholar] [CrossRef]
  14. Sakalauskas, E.; Luksys, K. Matrix Power S-Box Construction. Cryptology ePrint Archive. 2007. Available online: https://eprint.iacr.org/2007/214.pdf (accessed on 17 March 2022).
  15. Sakalauskas, E.; Dindienė, L.; Kilčiauskas, A.; Lukšys, K. Perfectly Secure Shannon Cipher Construction Based on the Matrix Power Function. Symmetry 2020, 12, 860. [Google Scholar] [CrossRef]
Table 1. Minimal matrix size and maximal number of queries to achieve $\mathrm{CPAadv}[\mathcal{A}, \varepsilon] < 2^{-112}$ for distinct values of $q$.
q            m     Q
3            10    107
11           7     4891
53           6     $2^{30.6}$
2039         4     44,736
16,776,899   3     $2^{35.5}$
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Share and Cite

MDPI and ACS Style

Dindiene, L.; Mihalkovich, A.; Luksys, K.; Sakalauskas, E. Matrix Power Function Based Block Cipher Operating in CBC Mode. Mathematics 2022, 10, 2123. https://doi.org/10.3390/math10122123
