Provably Secure Encryption Schemes With Zero Setup and Linear Speed by Using Rubik’s Cubes

Recently, new paradigms for designing modern cryptographic schemes were proposed based on Rubik’s rotations. However, most of them lack rigorous provable security reductions. Enlightened by this interesting progress, we present a novel method for designing encryption schemes by using Rubik’s groups. Different from most naive designs of permutation ciphers based on Rubik’s cubes, our proposals are probabilistic encryption schemes that combine some of the newest cryptographic primitives with modern coding theory. More specifically, under the intractability assumption of the conjugacy decision problem over Rubik’s groups, the proposed schemes have provable security reductions (in the random oracle model). Furthermore, the proposed schemes have two remarkable performance advantages: zero setup and linear encryption/decryption speed. In addition, the processes of encoding/encryption and decryption/decoding are demonstrated graphically.


I. INTRODUCTION
As an ancient, heuristic and classic cryptographic method, the permutation cipher is not new to us. The Rubik's cube, perhaps one of the best-selling iconic puzzle tools, is also well known to us, even in our childhood. Recently, very interesting progress has been made by researchers trying to bridge these subjects: many cryptographic schemes, such as Cayley hash functions [17], [18], key agreement protocols [16], image encryption schemes [5], [12], digital watermarking schemes [26], and zero-knowledge protocols [21], were proposed based on Rubik's groups. However, most of them lack provable security reductions, and some even lay their security basis on a taken-for-granted hardness assumption: recovering of a Rubik's cube with random configuration (RRC for short). Today, we know that the RRC problem over a 3 × 3 × 3 Rubik's cube is so easy that it can be solved within 20 steps [19].
Therefore, it is interesting to design new Rubik's cryptographic schemes by following the paradigm of The associate editor coordinating the review of this manuscript and approving it for publication was Junggab Son . modern cryptography: provable security reductions under well-established models and falsifiable intractability assumptions. In this paper, we present two encryption schemes by using Rubik's groups. Compared to the existing permutation cipher based on Rubik's cubes, our proposals have the following essential differences: • Our proposals couple two mainstream methods for designing modern cryptography: permutation and substitution. This technique contribution comes from an easy but seemingly neglected, method for mapping messages as arrows with four different directions and then embedding them onto the 54 facets of the Rubik's cube.
• Our proposals are probabilistic encryption schemes that, under the intractability assumption of the conjugacy decision problem over Rubik's groups, have rigorous provable security reductions (in the random oracle model).
• Last but not less significant, our proposal has two remarkable performance advantages: zero-setup and linear encryption/decryption speed. VOLUME  The rest of the contents are organized as follows. Necessary preliminaries, including group theoretical aspects about Rubik's groups and intractability assumptions, are given in Section II. Our main contributions, including an encoding/decoding method, two encryption schemes, and security reductions, are presented in Section III. Performance evaluations and tests are provided in Section IV, and concluding remarks are given in Section V.

II. RUBIK'S GROUPS AND INTRACTABILITY ASSUMPTIONS
Let us take a 3 × 3 × 3 Rubik's cube as an example. This Rubik's cube consists of 54 small facets, numbered from 1 to 54, located in 6 faces, labelled U, L, F, R, D and B, representing the upper face, left face, front face, right face, down face and back face, respectively ( Figure 1). Each face can rotate 90 • clockwise or anti-clockwise each time. 1 Each rotation incurs a new rearrangement of the 54 facets in the 6 faces, and we call this a configuration (see Figure 2 for an example). Clearly, all the possible configurations of the Rubik's cube consist of a subgroup, denoted R, of the symmetric group S 48 considering that the six center facets remain, although rotated, at the center of the corresponding faces. In fact, the order of R is [9] (cf. Page 93) However, in this paper, we associate a finite generated group to the Rubik's cube in the following way (cf. Page 92 of [9] for more details): where 1 is the identity that indicates an empty rotation or, equivalently, doing nothing. That is, R takes each face rotation as a generator, and the relations among the generators come from the fact that 4 continuous rotations of a face 90 • clockwise result in the original configuration of the Rubik's cube. Moreover, the reverse of each face rotation (i.e., anti-clockwise 90 • rotation), is equivalent to rotating the same face 3 times continuously, and for convenience, we use U , L , F , R , D , B to indicate the reverse rotations of the corresponding faces. Apparently, R is a non-Abelian group, and thus, the conjugator search problem, defined below, over R is nontrivial. Definition 1 (Conjugacy Decision Problem, CDP): Given a group G and two elements x, y ∈ G, decide whether x and y are conjugate to each other (i.e., ∃z ∈ G such that x = z −1 yz).
Definition 2 (Conjugator Search Problem, CSP): Given a group G and two elements x, y ∈ G that are conjugate, find z ∈ G such that x = z −1 yz.
Apparently, for any Abelian group G, both the CDP and CSP are trivial, since every pair of two elements (x, y) ∈ G are conjugated to each other and every element z ∈ G can be viewed as a conjugator of the pair (x, y). However, for a non-Abelian group G, this problem is nontrivial. In fact, in the generic group model, the CDP is unsolvable [15]. On the one hand, we know that for the permutation group, the CDP has no polynomial time methods [20] (cf. Page 53). On the other hand, during the past two decades, based on the intractability assumption of the CSP and CDP over braid groups, several cryptographic schemes were proposed by using braid groups [1], [6], [10], [11], [22]- [25]. Considering that the Rubik's group is a subgroup of the permutation group S 48 , which is in turn a subgroup of the braid group B 48 [7], this progress gives us the confidence to lay the security of our new encryption scheme on the intractability assumptions of the conjugacy problems, including CDP and CSP, over the Rubik's groups.

III. OUR PROPOSALS
The general architecture of our proposal is given below in Figure 3, of which the encryption (resp. decryption) algorithm consists of steps 1 , 2 , and 3 (resp. 4 , 5 , and 6 ), respectively. The details of these steps are given in the subsequent subsections.

A. ENCODING/DECODING METHODS AND VISUALIZATION
With the purpose of encrypting messages by using the Rubik's cube, we first need to design a method for encoding messages on the Rubik's cube. Different from the traditional method of describing message letters directly on the Rubik's facets, we introduce the following encoding and decoding method: • Encode. We can use two bits to indicate four arrows with different directions, i.e. ↑, →, ↓ and ←. Now without loss of generality, we assume that each message is a 108-bit string 2 and each message can be described on the 54 Rubik's facets as a string of arrows. That is, to encode a message m = (m 1 m 2 · · · m 108 ) 2 on a 3 × 3 × 3 Rubik's cube, we use the following steps: where α(·) maps a 2-bit string to an arrow, i.e., α(00) =↑, α(01) =→, α(10) =↓ and α(11) =←, while f i indicates the arrow assigned to the i-th facet. -Assign the 54 facets (i.e. f 1 , · · · , f 54 ) to the six faces of the Rubik's cube as if it were the original configuration 3 .
-Regard the configuration as if it were original and then number the 54 facets on the six faces from 1 to 54 (ref. Figure 1.(a)). Then, assign f i as the arrow on the i-th facet for i = 1, · · · , 54.
indicates the reverse process for transform- 2 Padding necessary 0 in the left if not. 3 This means not rotating the Rubik's cube to the original configuration.
For further illustrations, the message m = 111001100011000011010111110000001001 001001111001011000011010111000000111 011010001111101100011110010010110100 (2) can be assigned as the arrows depicted in Figure 2.

B. ENCRYPTION/DECRYPTION ALGORITHMS
Our secret key encryption scheme, denoted S 1 , consists of the following three steps: • Setup. Over a 3 × 3 × 3 Rubik's cube, the message space and the ciphertext space are set as respectively.
• KeyGen. A random rotating sequence k ∈ R with the proper 4 word length can be used as a secret key.
• Encrypt. Upon input of a secret key k ∈ R and a 108-bit message m, perform the following steps: -Choose a random rotation sequence r ∈ R; -Encode the message m to the 54 facets of the Rubik's cube; -Perform rotation k (i.e. the reverse rotation of k); -Perform rotation r; -Perform rotation k; -Decode the arrows on the 54 facets of the Rubik's cube to a 108-bit string m ; -Output c = (m , r).
• Decrypt. Upon input of a secret key k ∈ R and a ciphertext c = (m , r), perform the following steps: -Check whether m is a 108-bit string: If not, return ⊥, which indicates that c is an invalid ciphertext; otherwise, continue; -Check whether r is a valid rotating sequence: If not, return ⊥; otherwise, continue; -Encode m to the 54 facets of the Rubik's cube; -Perform rotation k ; -Perform rotation r ; -Perform rotation k; -Decode the arrows on the 54 facets of the Rubik's cube to a 108-bit message m; -Output m. Remark 2: Note that scheme S 1 does not work in the following two cases:  4 Here, the adjective word proper has two aspects. First, the sequence should be long enough to resist guessing attacks. Second, we should take into consideration the so-called equivalent key problem. That is, two words in R with different word lengths might express the same value according to R's generating relations. message m ∈ M, we have Decrypt(k, Encrypt(k, m)) = m. Proof: To see the correctness, it is enough to notice that after the encryption process, the ciphertext c = (m , r) consists of a random rotation r and a transformed message m that is encoded in the configuration k · r · k. Thus, after the decryption process, we obtain the confirmation (k · r · k) · (k · r · k) = 1 which is just the original configuration for encoding message m during the encryption process.
Example 1: Supposing that the secret key is k = FBUURFLLD and r = RLFBUDRFBU , the message given by (2) is encrypted as See Figure 5.(a). The decryption view is also given in Figure 5. (b).

FIGURE 5. Encryption and decryption views.
Remark 3: Note that although the message is always encoded in the original configuration, God's algorithm and other Rubik's solvers do not threaten the security of the above encryption scheme. In fact, without knowing the secret key k, we can view the encryption algorithm as a black box that takes as input a message m ∈ M and outputs a ciphertext c = (m , r) ∈ M × R, where r is selected at random and is thus totally independent of k. That is, the ciphertext does not output the final configuration k · r · k. Thus, no one, except the decryption, knows which configuration is used for calling Rubik's solvers. A more rigorous security proof is presented in the following theorem.
Theorem 2 (IND-CPA): The above encryption scheme S 1 is indistinguishable against a chosen plaintext attack (IND-CPA), assuming that the CDP problem is intractable over the Rubik's group R. More specifically, if there is a probabilistic polynomial time adversary A that can, within time t, break the IND-CPA security of this scheme with a non-negligible advantage , then there is a probabilistic polynomial time algorithm B that can, within time t , solve the CDP problem over R with a non-negligible advantage such that t ≈ t + t enc and = , where t enc indicates the time for performing one encryption.
Proof: Suppose that B's CDP challenge instance is given by (x, y) ∈ R. Without loss of generality, assume that the word length of x is less than that of y. Then, upon receiving two equal-length challenge messages m 0 and m 1 from adversary A, B performs the following steps:

Now, it is
A's duty to output a bit b , i.e., a guess for b, based on the decision of which of the two challenge messages m 0 and m 1 is concealed in c * . Upon receiving b from A, B judges whether b = b: If so, B outputs 1, which indicates that the given CDP challenge is an Yes-instance; otherwise, B randomly outputs 1 or 0.
To proceed, let us determine B's advantages and running time for solving the CDP challenge. Apparently, only if (x, y) is a conjugate pair, i.e., y = z xz for some z ∈ R, c * is a valid ciphertext of the message m b . In this case, A's advantage in breaking the IND-CPA security of the scheme (i.e. guessing correctly b = b) is equally transferred to B's advantage in making correct decisions regarding whether x and y are conjugated to each other. On the other hand, whenever A's guess is incorrect, B makes a random decision by outputting 1 or 0 randomly. In this case, B has no advantage in solving the given CDP challenge. This suggests that = . In addition to calling A, B's extra running time for the above reduction process is similar to performing one-time encryption, considering that the rotation y is similar to rotating z , x and z oneby-one, for some possible and unknown z such that y = z xz. Therefore, t ≈ t + t enc .
Remark 4: Enlightened by the so-called FO technique [8], the security of the above encryption scheme can be further improved. The enhanced scheme, denoted S 2 , consists of the following core points:

IV. PERFORMANCE EVALUATION
Let us proceed to evaluate the performance of our proposal based on the asymptotic complexity, as well as the running time.
Asymptotically, the performance of the above schemes is determined mainly by the word length of the involved rotations. Without loss of generality, we assume that both the secret key rotation sequence and the random rotation sequence used for encryption should be sufficiently long to resist brute force attack. Now, suppose that we want to ensure λ-bit entropy in the involved random rotations by using random rotations that are as long as basic rotations. VOLUME 8, 2020 Then, we have 5 12 ≥ 2 λ .
Thus, it is enough to set ≈ 0.28λ. That is, a random rotation sequence that consists of 28 random basic rotations contains 100-bit entropy. Now, the asymptotical performance with respect to the system security parameter λ is summarized in Table 1. This suggests that our proposal has the following two remarkable merits: • Zero setup. In the Setup algorithm, we just need to reach agreement on the definitions of the message space M, the ciphertext space C, and the involved hash function H for Scheme S 2 . That is, for real implementation, we do not need to perform any computations in this step, and the hash function H can be instantiated with any secure cryptographic hashes, such as SHA256 and SM3.
• Linear encryption/decryption speed. In practice, we can implement the basic rotations within the time complexity O(1) by using a precomputed table. Thus, it is easy to see that, for an 108-bit message, both the encryption and the decryption can be finished linearly with the word length of the involved random rotations.
For long messages, we can divide them into several blocks and then encrypting/decryptiong them one-byone. Recall those cryptosystems with provable security reductions, such as RSA-based ones (with modulus n) and ECC-based ones (with modulus q = p m ), the best computational complexities of encryption/decryption algorithms that we can expected are O(log 2 n log log n) and O(log 2 q log log q), respectively. 6 That is, they are quadratic or even higher with respect to the length of the modulus -the system security parameters. This comparison says that in a theoretical perspective, the proposed schemes are considerably fast. In practical, to test the real running time of our proposal, we implement the basic rotations by using the following software/hardware environments: • OS: Windows 10, Visual Studio 2017, Microsoft Visual C++ (Compiler: cl) • CPU: Intel Core I&-6700K, 8 Cores, 4.0 5 Here, the base is 12 instead of 6 since the random rotation sequence can be viewed as a sentence defined over an alphabet with size 12. 6 Since we need to perform at least one time exponential operation modulo n or q. Over 10 6 random tests, the average running time for each basic rotation is approximately 0.015 microseconds (or equivalently, 15 nanoseconds). Thus, with the suggested parameter settings, i.e., = 28 for ensuring 100-bit entropy in involved random rotations, the main workload of encryption/decryption of our scheme S 1 (resp. S 2 ) can be finished within 1.26 (resp. 2.52) microseconds.
The comparisons between our proposal and other 19 typical cryptosystems -divided into 7 categories according to whether and what hardness assumptions are based on -are listed in Table 2. Note that since the message block sizes of different cryptosystems are always different, a fair comparison way is to use the amortized 1-bit encryption/decryption speed. That is, if the claimed encryption/decryption speed is x milliseconds for messages with block size L bits, then the amortized 1-bit encryption/decryption speed is x × 1000/L microseconds. 10 In particular, for image encryption, we view the message block size as the total bit-length of the image. For instance, Lian et al.'s chaos-based image encryption scheme can encrypt the Lena image of size 3 × 512 × 512 in 349 ms [2], then the amortized 1-bit encryption speed is 349×1000 3×512×512 ≈ 0.444µs. From this table, we can see that the amortized 1-bit encryption/decryption speed of our proposal is considerably fast. More specifically, the performance advantages of our proposal can be summarized as follows: • Nearly 3 (resp. 2) times faster than in encryption than the symmetric scheme DES/CRT (resp. AES/CBC-256), of which assembly language routines were used for speed optimization [4].
• Over 3 times faster in encryption than the scheme RSA-2048, which is even implemented with a small encryption exponential e = 17 [4] (and thus suffering from the so-called small exponential attack).
• Nearly 1000 times faster in encryption than the ECC type scheme ECIES over the finite filed GF(p) with a 256-bit prime p.
• Significantly faster in encryption than other chaos-based encryption schemes and Rubik-based schemes: -For chaos-based image encryption, since the decryption does not required to exactly recover every bit, instead of using provable security models such as CPA and CCA, we always discuss its security in a heuristic manner by using the metrics such as the number of pixels changing rate (NPCR), the unified average changing intensity (UACI) and so on, the encryption can be made even fast. Even so, our provable CPA-secure scheme S 1 is still 3, 10, and 30 times faster than the schemes Faraja (2013), Wong (2008) and Liao (2005), respectively. -For chaos-based data encryption, our provable CCA-secure scheme S 2 is nearly 150 and 300 times faster than the schemes Liao (2010) and Li (2018), respectively. -For Rubik-based image encryption, our scheme S 1 is nearly 150 times faster than the scheme Loukha (2012). -For Rubik-based data encryption, our scheme S 2 is over 3 times faster than the scheme Dhanda (2018).
To further illustrate our idea even clearly, the processes of encoding/encryption and decryption/decoding are demonstrated graphically with Unity (Ver: 2019.3.2f1), a wellknown real-time 3D development platform. The source codes for these tests and illustrations are available at https://github.com/flowerlet/RubikEnc.

V. CONCLUSIONS
It is interesting to couple the mainstream techniques of modern cryptography and the well-known Rubik's cube. Indeed, with proper message mapping methods, Rubik's rotations are not only permutations but also substitutions. Thus, any n × n × n(n ≥ 3) Rubik's cube can be viewed as a compact physical transformation device for modern cryptography and is suitable for the proposed method. The larger n is, the denser the message embedding achieved, although setting n to 3 is sufficiently secure and efficient. Most existing Rubik's cryptographic proposals lack of provable security reductions, while in this paper, we bridge this gap by laying the security of our proposals within falsifiable intractability assumptions: the conjugacy decision problem over Rubik's groups. In addition, there are two remarkable merits in our proposal: zero setup and linear encryption/decryption speed.