A Lattice Based Joint Encryption, Encoding and Modulation Scheme

Khadijeh Bagheri, Taraneh Eghlidos, Mohammad-Reza Sadeghi, Daniel Panario, Senior Member, IEEE

arXiv:1906.06280v1 [cs.IT] 14 Jun 2019

Abstract

A new nonlinear Rao-Nam like symmetric key encryption scheme is presented in this paper. QC-LDPC
lattices, which are practically implementable in high dimensions due to their low complexity
encoding and decoding algorithms, are used in our design. Then, a joint scheme is proposed which
is capable of encrypting, encoding and modulating data simultaneously. The proposed cryptosystem
withstands all variants of chosen plaintext attacks applied to Rao-Nam like cryptosystems, due to its
nonlinearity. The sparseness of the parity-check matrix of QC-LDPC lattices, the quasi-cyclic nature of
their generator and parity-check matrices, and the simple hardware structure for generating the intentional
error vector, permutation and nonlinear functions result in a small key size for our scheme. The lattice codes
related to the lattices used in this paper have high rates, which makes them suitable for bandlimited AWGN
channels. Therefore, the joint scheme based on these lattices facilitates secure, reliable and efficient
data transmission in bandlimited AWGN channels.

I. INTRODUCTION

The main objective in large scale and high speed communication networks is the design of
a reliable and secure data transmission system. In conventional secure communication systems,
channel encoding is used at the physical layer for error correction while encryption is done at
a higher layer to make the communication confidential. Nowadays, since many communication
devices are constrained in resources or are becoming portable, it is needed to enhance security
without increasing computational or hardware complexity. Rao was the first to join encryption
and error correction (based on a linear block code) in a single step [1], to resolve the issue of
an insecure and unreliable channel efficiently. The main purpose of this scheme is to provide both
security and reliable data transmission at the same time using a symmetric-key cryptosystem.

K. Bagheri and M.-R. Sadeghi are with the Faculty of Mathematics and Computer Science, Amirkabir University of Technology
(Tehran Polytechnic), Tehran, Iran (emails: [email protected] and [email protected]).
T. Eghlidos is with the Electronics Research Institute, Sharif University of Technology, Iran (e-mail: [email protected]).
D. Panario is with the School of Mathematics and Statistics, Carleton University, Canada (e-mail: [email protected]).
Part of this work has been presented in [30].

Rao's cryptosystem is based on binary Goppa codes. It was proved that this
cryptosystem is not secure against chosen-plaintext attacks. To overcome this weakness, Rao and
Nam introduced a revised symmetric-key cryptosystem [2], [3]. In this paper we use RN to
abbreviate the Rao and Nam cryptosystem. Struik and Tilburg generalized the RN scheme to
any finite field Fq [4]. Barbero and Ytrehus reduced the secret key size of the RN scheme
while maintaining the security level of the system [5]. The previously proposed RN-like schemes
have very large key sizes or low information rates, which make them impractical. Several schemes
have been presented in the literature to modify RN, reduce the key size, increase the information rate
and improve security against known attacks. Some of them use quasi-cyclic (QC) codes to reduce
the key size and use low-density parity-check (LDPC) codes to increase the information rate [6],
[7]. Unlike the previous RN-like schemes that scramble, permute or change the codeword bits,
the joint schemes based on QC-LDPC codes proposed in [8], [9] and [10] randomly puncture
the codeword corresponding to a plaintext. The security and the key sizes of these schemes have
been significantly improved. Another joint scheme has been proposed based on low-density
lattice codes (LDLCs) [11], which have a practical decoder [12].

All of these RN-like schemes are vulnerable to the message-resend attack [13]. It is an
interesting idea to add nonlinear layers to RN-like schemes to make them resistant
to well-known chosen plaintext attacks. The RN-like schemes named SECC (secret error-
correcting codes) use nonlinear codes or a block-chaining technique to withstand
chosen plaintext attacks, while retaining the error correction performance [14]. ECBC (Error
Correction Based Cipher) is another RN-like scheme that uses a nonlinear function f in its
structure [15]. In parallel, a differential-style attack (a chosen-plaintext attack) against ECBC and
SECC has been proposed in [16]. It is shown that the nonlinear function f used in ECBC is
particularly vulnerable to this attack and that its secret key is recovered in constant time. The security
of [14] and [15] is enhanced to resist the differential attack proposed in [16] by considering a
special design for the nonlinear function f [17]. The authors claim that the proposed scheme is
the most efficient secure channel coding scheme among the previous code based schemes [17].

There is another approach for joining encryption and encoding in a single step. The proposed
schemes in this approach use error correcting codes as a replacement for the AES (Advanced
Encryption Standard) diffusion layer [18], [19]. The message-resend attack [13] is not effective
on these joint AES-coding schemes. In spite of providing error correction, a small key size (equal
to that of AES) and data security against linear and differential attacks, these schemes suffer from higher
computational complexity compared to RN-like schemes.

In the RN-like schemes, the security is embedded in the channel code to enhance the security
of the entire system. They are fast and easy from an implementation standpoint. The earlier
RN-like schemes have a smaller error correction capability than ordinary error correcting codes. Indeed,
to achieve a significant error correction capacity, the schemes' parameters have to be large, which
leads to a large key size and high computational complexity. However, this issue has been resolved
in recent RN-like schemes [17]. The low power consumption of RN-like schemes is an important
advantage that leads us to concentrate on them. This allows us to use the same
hardware components for error correction and security.

In the conventional joint schemes, modulation is applied on the resulting point that is sent
to the channel. In this paper, we propose an alternative secure wireless communication model
that uses a coded-modulation scheme based on lattices to design an RN-like scheme to merge
encryption, channel encoding and modulation in a single step. Using lattices in designing RN-like
schemes is rare due to the high complexity of lattice encoding and decoding even for legitimate
users. We use a special type of lattices that provide proper efficiency for the proposed scheme.

In general, a digital modulator is used at the output of the channel encoder, which serves
as an interface to the communication channel. The modulator produces signal waveforms that
transmit information. When channel coding is treated as a separate operation independent of
modulation, the coded sequences generally have a smaller channel symbol duration than the
uncoded sequences for the same information rate. Accordingly, the power spectral density (PSD)
of the channel signals changes substantially. On the other hand, if the modulation is designed in
conjunction with the channel coding, error correction can be achieved without any
substantial change in the PSD. This highlights the advantage of coded-modulation schemes, that is,
schemes in which coding and modulation are combined. This advantage
matters even more when designing coding techniques for high-SNR (signal to noise ratio) regimes
or bandlimited channels [20]. Therefore, our goal is to use a proper coded-modulation scheme
in our cryptosystem to provide secure communication for high-SNR or bandlimited channels.

Based on Shannon's capacity theorem, an optimal block code for a bandlimited additive white
Gaussian noise (AWGN) channel consists of a dense packing of the code points within a sphere
in a high-dimensional Euclidean space. Lattices and trellis codes are the two main categories of
packings for moderate coding gains at moderate complexity [21]. Most of the
densest known packings are lattices. Construction-A lattices [22] are not among the densest packings,
but they define a natural mapping from codewords of the underlying code to lattice points in the
Euclidean space. Thus, they are coded-modulation schemes.

A lattice code is defined by a lattice Λ and a shaping region B ⊂ R^n, where its codewords
are all the lattice points that belong to the shaping region B. Lattice codes are a suitable coded-
modulation scheme on bandlimited (high-SNR) AWGN channels [21]. In this paper, we use a
lattice code built from a particular kind of Construction-A lattice.

LDPC lattices are the first family of modern lattices [23], [24] with practical decoding
algorithms in high dimensions [25]. It has been shown that these lattices can achieve desirable
performance when compared to other modern lattices [26]. A special sub-class of LDPC lattices,
QC-LDPC lattices, are Construction-A lattices that have a practical encoder as well [27]. Due to
the easy construction, linear encoding and decoding complexity and good error performance of
the QC-LDPC lattices, their lattice codes have the potential to become a practical and efficient
coding scheme for the AWGN channel. Furthermore, QC-LDPC lattices have many applications
in wireless communications [28], [29], as well as in designing symmetric and asymmetric
key encryption schemes [30], [31].

In this paper, we exploit the characteristics of QC-LDPC lattice codes and the efficiency
of these coded modulations to merge encryption, channel encoding and modulation in a single
step. Due to hardware reuse, such a scheme improves the transmission efficiency, reduces the
system processing delay and saves hardware. More flexibility in terms of design and
the technology used for the construction is given as well. The sparse nature of the parity-check
matrix of the QC-LDPC lattices can be exploited to reduce the key size. Moreover, the good error
performance and linear encoding and decoding (time and space) complexities (in terms of the
lattice dimension) of these lattice codes provide an efficient joint scheme that is suitable for
secure communication in bandlimited (high-SNR) AWGN channels.

This paper is organized as follows. In Section II, we present some lattice notation used in
this paper. In Section III, a symmetric key encryption scheme based on QC-LDPC lattices
is presented. We describe a joint encryption, encoding and modulation scheme based on these
lattices in Section IV. In Section V, we give details about the key sizes and the computational complexity
of encryption and decryption. Section VI is devoted to the security analysis and numerical results
related to the security of our scheme against different attacks. The comparison with other RN-like
schemes and a summary of the paper are given in Section VII and Section VIII, respectively.

II. PRELIMINARIES

A. Construction of Lattices from Codes

Let R^m be the m-dimensional real vector space with the Euclidean norm. An n-dimensional lattice
is a discrete additive subgroup of R^m given by the set of all integer linear combinations
of a given basis of n linearly independent vectors in R^m [22]. Let b_1, b_2, . . . , b_n ∈ R^m be the
basis vectors of the lattice Λ. The generator matrix for the lattice is the matrix B whose i-th row
is b_i. Therefore, the lattice Λ is defined as Λ = {ξ · B | ξ ∈ Z^n}. If m = n, the lattice is
full rank. For more details about lattices and their properties, see [22].
There are many ways to construct lattices from linear codes; many properties of such lattices
can be related to the properties of their underlying codes [22]. In our work, Construction-A
lattices are used; they are explained in the sequel.
Let C = C[n, k] ⊆ Z_p^n be a linear code with dimension k and length n, where p is a prime
number. A lattice Λ constructed from the code C based on Construction-A is defined by

$$\Lambda = p\mathbb{Z}^n + \phi(C) = \{\, pz + \phi(c) : c \in C,\ z \in \mathbb{Z}^n \,\},$$

where φ : Z_p^n → R^n is the embedding function which maps a vector in Z_p^n to its real version [22].
Indeed, Construction-A is a method for generating a lattice by "lifting" a linear code C to the
Euclidean space. In this paper, we use binary linear codes and lattices with p = 2. We consider
a subclass of LDPC lattices [24] that can be obtained from Construction-A [32]. It is interesting
to focus on the quasi-cyclic (QC) version of these lattices for cryptographic purposes.
Definition 2.1: Let C = C[n, k] be a binary linear QC-LDPC code. A QC-LDPC lattice Λ is
a lattice based on Construction-A along with a binary linear QC-LDPC code C, which is defined
as Λ = {x ∈ Z^n | H_qc · x^T ≡ 0 (mod 2)}, where H_qc is the parity-check matrix of C [27].
The generator matrix of a QC-LDPC lattice Λ is the following n × n matrix

$$G_\Lambda = \begin{bmatrix} I_k & A_{k\times(n-k)} \\ 0_{(n-k)\times k} & 2I_{n-k} \end{bmatrix} = \begin{bmatrix} G_C \\ \begin{bmatrix} 0_{(n-k)\times k} & 2I_{n-k} \end{bmatrix} \end{bmatrix}, \qquad (1)$$

where 0 stands for the zero block, I for an identity block and $G_C = \begin{bmatrix} I_k & A_{k\times(n-k)} \end{bmatrix}_{k\times n}$ is the
systematic form of the generator matrix of C [26].

1) Encoding of QC-LDPC lattices: Based on a method for encoding Construction-A lattices
in [22], the encoding of LDPC lattices is introduced in [26] as follows. In order to find a
decoding method for this family of lattices, a translated sublattice of the lattice Λ generated by
(1) is considered. First, the components of the codewords of the binary code C are converted into ±1,
that is, 0 is converted to −1 and 1 is converted to 1. Then, the set Λ(C) = {c + 4z | c ∈ C, z ∈ Z^n},
where C is a QC-LDPC code with ±1 components, is a lattice which is closed under the addition
λ1 ⊕ λ2 := λ1 + λ2 + (1, . . . , 1), for all λ1, λ2 ∈ Λ(C). Therefore, the encoding algorithm of the
sublattice Λ(C) for any integer row vector ξ ∈ Z^n can be done with the generator matrix (1) as
E(ξ) = 2ξ · GΛ − 1, where 1 = (1, . . . , 1), E is the encoding function and E(ξ) is a point of the
lattice Λ(C) [26]. Let the points of the lattice Λ(C) be transmitted over an unconstrained AWGN
channel with noise variance σ^2. Then, its volume-to-noise ratio is defined as

$$\mathrm{VNR} = \frac{4^{(2n-k)/n}}{2\pi e\,\sigma^2}.$$

2) Decoding of QC-LDPC lattices: Let x = c + 4z be the transmitted lattice vector of Λ(C)
and y = c + 4z + n be the received vector from the AWGN channel, where n ∼ N(0, σ^2). A soft
decision message passing algorithm, namely the sum-product algorithm (SPA), is presented in [27] for
decoding QC-LDPC lattices; it has low implementation complexity and memory requirements.
These lattices can be decoded with time complexity linear in the dimension.

B. RDF-QC-LDPC codes

To have efficient decoding and good performance for QC-LDPC codes, their parity-check
matrix should be free of length-4 cycles.
In this paper, we consider QC-LDPC codes with rate R = (n0 − 1)/n0 and parity-check matrix
described by

$$H_{qc} = \begin{bmatrix} H_0 & H_1 & \cdots & H_{n_0-1} \end{bmatrix}, \qquad (2)$$

where H0, . . . , H_{n0−1} are b × b circulant matrices with low row/column Hamming weight.
Some algebraic approaches to code design are possible with this particular form of the parity-
check matrix. However, some of them impose constraints on the code length. The proposed
techniques based on Difference Families (DFs), such as Extended Difference Families (EDFs)
and Random Difference Families (RDFs), loosen these constraints using computer-aided procedures
[33].
Using these techniques, and given the number of circulant blocks n0 and the column weight dv,
the size of the circulant matrices, b, is chosen to ensure the absence of length-4 cycles in the
associated code [33].
For dv = 5 and n0 = 8, the size of the circulant matrices is b = 187 by the RDF construction
technique [33]. Therefore, the RDF-QC-LDPC code with these parameters (dv and n0) has code
length 1496, dimension 1309, rate R = 7/8 and row weight dc = 40 [33]. However, using the
same parameters, the size of the circulant matrix for the EDF-based solution is b > 200. The
minimum length of a QC-LDPC code based on the EDF technique for dv = 5 and n0 = 8 is 1600
[33]. Hence, the RDF-based approach allows designing shorter codes than those designed
through the EDF approach.
Simulation results of symbol error rate (SER) versus VNR of QC-LDPC lattices based on
EDF and RDF over the AWGN channel are presented in Fig. 1. According to the results of
this figure, RDF based QC-LDPC lattices outperform EDF based QC-LDPC lattices in smaller
dimensions. For example, at SER = 10^{-5}, an RDF based QC-LDPC lattice with parameters
(k, n) = (1309, 1496), dv = 5 and n0 = 8 has 0.05 dB better performance compared to an EDF
based QC-LDPC lattice with (k, n) = (1407, 1608), dv = 5 and n0 = 8.

[Fig. 1: symbol error rate (SER, from 10^0 down to 10^{-6}) versus VNR (dB, from 1 to 8) for the lattices in the legend: EDF-QC-LDPC, dv=5, n0=8, (k,n)=(1407,1608); RDF-QC-LDPC, dv=5, n0=8, (k,n)=(1309,1496); RDF-QC-LDPC, dv=7, n0=8, (k,n)=(3150,3600); EDF-QC-LDPC, dv=3, n0=6, (k,n)=(195,234); RDF-QC-LDPC, dv=3, n0=6, (k,n)=(185,222); EDF-QC-LDPC, dv=7, n0=2, (k,n)=(127,254); RDF-QC-LDPC, dv=7, n0=2, (k,n)=(95,190); RDF-QC-LDPC, dv=7, n0=2, (k,n)=(128,256); RDF-QC-LDPC, dv=3, n0=6, (k,n)=(215,258).]

Fig. 1. Error performance of EDF and RDF based QC-LDPC lattices.

The results of Fig. 1 also show that by using underlying codes with higher rates and increasing
the n0 value, which results in a decrease of the dv value, we gain a considerable performance
improvement. For example, at an SER of 10^{-5}, using an RDF based QC-LDPC lattice with
(k, n) = (215, 258), dv = 3, n0 = 6 gives us a 0.5 dB performance improvement compared to the
same dimension RDF based QC-LDPC lattice with (k, n) = (128, 256), dv = 7, n0 = 2.
Interesting aspects of the design technique based on RDFs, which are important for crypto-
graphic applications, are the generation of a large number of equivalent codes with the same code
length, dimension and column weight, as well as the design of shorter codes compared to those
designed based on the DF and EDF approaches. All these good features and the easy construction
of RDF-QC-LDPC codes lead us to use them as the underlying codes of our lattices.
In the rest of this paper, whenever we use a QC-LDPC lattice, we mean that the lattice is
constructed using an RDF QC-LDPC code as its underlying code.

III. SYMMETRIC KEY CRYPTOSYSTEM BASED ON QC-LDPC LATTICES

In this work, we design a new symmetric key encryption scheme using a special type of
lattices, namely QC-LDPC lattices. By defining an appropriate nonlinear function, we enhance the
security of the cryptosystem against chosen plaintext attacks and differential- or linear-type attacks.
We adapt the method presented in [38] to design an invertible nonlinear mapping F for our
encryption scheme, where all the operations are performed over the field of real numbers R.
In the structure of this mapping, we use some n × n linear transformations, each represented by
an n × n binary matrix. We construct the transformation matrices using the companion matrix of
a primitive polynomial in F2[x], as described below. The linear transformations corresponding
to these invertible matrices are represented by the linear operators F_0, . . . , F_{2^d−1}, for an integer
number d > 0. The input vector of the mapping F is z = (a, b), where a is an n-tuple vector and b
is a d-tuple binary vector. The input to each linear transformation is an n-tuple vector a in which
a_i ∈ Z, for i = 0, . . . , n − 1. Each linear operator F_j, for j = 0, . . . , 2^d − 1, transforms an n-tuple
input into an n-tuple output. Then, the outputs of the linear transformations are passed through
a multiplexer controlled by the d-tuple vector b, which serves as the control line. Indeed, the
control line of the multiplexer is used to select one of the outputs of the linear transformations.
The overall structure of the mapping is shown in Fig. 2.
In this paper, we construct the corresponding matrices for the linear transformations used
in the architecture of F based on the following mathematical method. In this architecture, the
applied linear transformations need to have maximal period. Indeed, the corresponding matrix U
should have maximal order, that is, $U^{2^n-1} = I$, where I is the n × n identity matrix, and $U^m \neq I$
for $m < 2^n - 1$.
Let g ∈ F_q[x] be a nonzero polynomial of degree n ≥ 1. If g(0) ≠ 0, the order of g is the
least positive integer e, 1 ≤ e ≤ q^n − 1, such that g(x) | x^e − 1, and it is denoted by ord(g)
[34]. It is known that the order of a primitive polynomial g of degree n is equal to q^n − 1. Let
$g(x) = x^n + a_{n-1}x^{n-1} + \cdots + a_1 x + a_0$, where $a_0 \neq 0$. Then, C(g), the companion matrix of g, is

$$C(g) = \begin{bmatrix} 0 & 1 & 0 & \cdots & 0 \\ 0 & 0 & 1 & \cdots & 0 \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & 0 & \cdots & 1 \\ -a_0 & -a_1 & -a_2 & \cdots & -a_{n-1} \end{bmatrix}_{n \times n}.$$

Since $\det(C(g)) = (-1)^n a_0$ and $g(0) = a_0 \neq 0$, the companion matrix of g is an invertible matrix,
that is, C(g) ∈ GL_n(q) [35]. Furthermore, the order of the polynomial g is related to the order of its
companion matrix [35]. It can be verified that the order of C(g) as an element of GL_n(q) is equal
to the order of g. It can be shown that the inverse of a companion matrix of the polynomial
$g(x) = x^n + a_{n-1}x^{n-1} + a_{n-2}x^{n-2} + \cdots + a_1 x + a_0$ is a companion matrix of the polynomial

$$r(x) = x^n + \frac{a_1}{a_0}x^{n-1} + \frac{a_2}{a_0}x^{n-2} + \cdots + \frac{a_{n-1}}{a_0}x + \frac{1}{a_0}.$$

[Fig. 2: the input vector a (n-tuple) feeds the linear transformations F_0, F_1, . . . , F_{2^d−1}; a MUX driven by the control vector b (d-tuple) selects one of their outputs as the output vector F(a, b) (n-tuple).]

Fig. 2. The structure of nonlinear mapping F.
Let us consider a primitive polynomial g ∈ F2[x] of degree n with g(0) ≠ 0. Therefore,
the order of its corresponding companion matrix satisfies ord(C(g)) = ord(g) = 2^n − 1 and
det(C(g)) = (−1)^n. We use this companion matrix C(g), which is a sparse binary matrix of
maximum order 2^n − 1, to construct a nonlinear function F for our proposed scheme. For simplicity
we write C(g) = U in the sequel. Then, the set $S = \{I, U, U^2, \ldots, U^{2^n-2}\}$ contains 2^n − 1 invertible
binary matrices of dimension n × n.
The mapping F is obtained using 2^d linear transformations from the set S, indicated by the
linear transformations F_0, . . . , F_{2^d−1}. As a consequence, $F : \mathbb{Z}^{n+d} \to \mathbb{Z}^n$ is a mapping defined
by $F(a, b) = F_\alpha(a) = aU^\alpha$, where $\alpha = \sum_{i=0}^{d-1} b_i 2^i \in \{0, 1, \ldots, 2^d - 1\}$ is determined by the vector
b as the control line of the multiplexer. The public set S and a secret control line b of the
multiplexer define this function. On the other hand, the output F(a, b) = (f_1(a, b), . . . , f_n(a, b))
is the concatenation of the outputs of the 2^d linear operators selected according to the logic of the
multiplexer [38]. Each component function can be written mathematically as

$$f_i(a, b) \equiv \bigoplus_{j=0}^{2^d-1} D_j(b)\, u_{ji}(a) \pmod 2, \qquad (3)$$

where $u_{ji}$ is the i-th row of the matrix $U^j$, and $D_j(\cdot)$ is a function defined as $D_j(b) = D_\sigma(b) =
(\bar{i}_1 \oplus b_1) \cdots (\bar{i}_d \oplus b_d)$ over $\sigma = (i_1, \ldots, i_d)$, the binary representation of j, where $\bar{v}$ is the
complement of v. In a similar way to [38], it can be proved that the algebraic degree of each
component function of the proposed mapping F, and of their nonzero linear combinations, is d + 1.
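An added example, not from the paper, that works the construction above through at toy size: it builds U = C(g) for the primitive polynomial g(x) = x^4 + x + 1 over F2, checks that its order is 2^4 − 1, implements F(a, b) = aU^α with the 2^d operators taken as U^0, . . . , U^{2^d−1} (an assumed choice of 2^d elements of S; d = 2), and measures the algebraic degree of each component function over F2 with a Möbius transform, which comes out as d + 1 = 3.

```python
# Added example (not the paper's code): companion matrix U = C(g), its order,
# the multiplexer mapping F(a, b) = a U^alpha, and the algebraic degree of its
# component functions over F2.  Toy sizes n = 4, d = 2; F_j = U^j is an assumed
# choice of the 2^d operators from the set S.

def companion_f2(coeffs):
    """Companion matrix over F2 of g(x) = x^n + a_{n-1}x^{n-1} + ... + a_0.
    coeffs = [a_0, ..., a_{n-1}]; over F2 the -a_i of the last row equal a_i."""
    n = len(coeffs)
    rows = [[int(j == i + 1) for j in range(n)] for i in range(n - 1)]
    return rows + [[c % 2 for c in coeffs]]

def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]

def matmul_f2(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) % 2
             for j in range(len(b[0]))] for i in range(len(a))]

def order_f2(u, limit):
    """Smallest e >= 1 with U^e = I over F2, searching up to `limit`."""
    p = u
    for e in range(1, limit + 1):
        if p == identity(len(u)):
            return e
        p = matmul_f2(p, u)
    return None

def powers_f2(u, count):
    """The first `count` elements I, U, U^2, ... of the set S."""
    out, p = [], identity(len(u))
    for _ in range(count):
        out.append(p)
        p = matmul_f2(p, u)
    return out

def mux_map(a, b, ops):
    """F(a, b) = F_alpha(a) = a U^alpha with alpha = sum_i b_i 2^i (here over F2)."""
    alpha = sum(bit << i for i, bit in enumerate(b))
    u = ops[alpha]
    return [sum(a[i] * u[i][j] for i in range(len(a))) % 2 for j in range(len(u))]

def algebraic_degrees(n, d, ops):
    """Algebraic degree of every component f_i(a, b) as a Boolean function of the
    n + d input bits (a first, then b): truth table -> ANF by the Mobius transform,
    then the largest monomial weight with a nonzero coefficient."""
    nv = n + d
    degrees = []
    for i in range(n):
        tt = []
        for idx in range(1 << nv):
            bits = [(idx >> t) & 1 for t in range(nv)]
            tt.append(mux_map(bits[:n], bits[n:], ops)[i])
        for t in range(nv):
            for idx in range(1 << nv):
                if idx & (1 << t):
                    tt[idx] ^= tt[idx ^ (1 << t)]
        degrees.append(max((bin(idx).count("1") for idx in range(1 << nv) if tt[idx]), default=0))
    return degrees

N, D = 4, 2
U = companion_f2([1, 1, 0, 0])          # g(x) = x^4 + x + 1, primitive over F2
U_ORDER = order_f2(U, 2 ** N)            # expect ord(C(g)) = ord(g) = 2^4 - 1 = 15
OPS = powers_f2(U, 2 ** D)               # F_j = U^j, j = 0..2^d - 1 (assumed choice)
DEGREES = algebraic_degrees(N, D, OPS)   # expect d + 1 = 3 for every component
```

For a fixed control line b the map is linear in a; the degree d + 1 comes from the product of the d control bits with one message bit, which is what the Möbius transform exposes.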

A. Key generation

Encryption is done using the following secret keys, which are chosen by the authorized transmitter
and receiver.
1) A random regular (n = n0 b, k = (n0 − 1)b, dc)-QC-LDPC code constructed from RDFs with
a parity-check matrix of size (n − k) × n in the form of (2) and constant row weight dc. This
RDF-QC-LDPC code with the parity-check matrix H_qc is used to construct a QC-LDPC
lattice (according to the previous section).
2) A vector s as the l_1-bit initial value (seed) of a linear feedback shift register (LFSR), which
is described by a polynomial q. We use this LFSR to produce an n-tuple intentional
error vector e in the scheme. To reduce the key size and increase the period of the
resulting keystream, we use a reseeding mechanism for this LFSR at the end of each period.
This mechanism uses the modular division circuit, with a different polynomial p for another
LFSR of the same length, proposed in [37]. With a proper selection of the polynomials q
and p, the period of the LFSR is equal to (2^{l_1} − 1)^2. Since the output of each period of
the LFSR is a vector with approximately (2^{l_1} − 1) bits, the length of the LFSR should
be selected in such a way that the message length n is close to the period of the LFSR, that
is, (2^{l_1} − 1) ≈ n. Therefore, we consider l_1 = ⌈log_2 n⌉, which implies (2^{l_1} − 1)^2 ≈ n^2. Using
this procedure, we can produce n different pseudorandom binary vectors e_i, i = 1, . . . , n, of
length n for the encryption algorithm.
3) An n × n block diagonal permutation matrix P = diag(π_1, . . . , π_v) formed by q × q sub-
matrices π_i, for i = 1, . . . , v, where v = n/q. The diagonal elements π_i are permutation
sub-matrices, so the Hamming weight of each of their rows and columns is one. We control the q × q
sub-matrices π_i, for i = 1, . . . , v, by v different initial values for an LFSR of length
⌈log_2 q⌉. We describe it in Section V-C. Since the sub-matrices π_i are stored instead of the
permutation matrix P, it is only necessary to store the corresponding initial values of the LFSR.
We concatenate these initial values and store them in a vector t of length l_4 = v⌈log_2 q⌉
bits as a key.
4) An l_2-bit initial vector h of an LFSR that controls the multiplexer in the construction of the
nonlinear mapping F. The vector h serves as the control line, and the multiplexer outputs
one of the outputs of the linear transformations according to this control line.
Let dv denote the number of nonzero elements in each row/column of H_i in H_qc; thus the
row weight of H_qc is dc = n0 dv. Let H_{n0−1} be non-singular; in particular, this implies that dv is
odd. Then, the systematic generator matrix of this QC-LDPC code is

$$G_C = \begin{bmatrix} I_k & \begin{matrix} (H_{n_0-1}^{-1} H_0)^T \\ (H_{n_0-1}^{-1} H_1)^T \\ \vdots \\ (H_{n_0-1}^{-1} H_{n_0-2})^T \end{matrix} \end{bmatrix}_{k \times n}, \qquad (4)$$

where [ · ]^T denotes the transposition operation. Then, the generator matrix GΛ of the corre-
sponding QC-LDPC lattice is obtained by substituting G_C in Eq. (1).
Since each circulant matrix H_i, for i = 0, . . . , n0 − 1, is completely described by its first row,
the QC-LDPC code with parity-check matrix (2) is given by the first rows of these circulant
blocks. Therefore, we save the first row of H_qc instead of the entire matrix.

B. Encryption Algorithm

To encrypt a message m ∈ Z^n, an intentional pseudorandom error vector e ∈ F_2^n is generated
using the LFSR with the secret initial value s and the reseeding mechanism. This error vector
of length n has an arbitrary Hamming weight. Then, the ciphertext is computed as follows:

$$y = \Big( 2F\big((m + e), h\big)\, G_\Lambda - \mathbf{1} + 2\bar{e} \Big) P = \Big( 2xG_\Lambda - \mathbf{1} + 2\bar{e} \Big) P,$$

where $\bar{e}$ is the complement of the vector e in F_2^n. The nonlinear function F maps the intentionally
corrupted message (m + e) to the vector $x = F((m + e), h) = (m + e)U^\alpha$, in which $\alpha = \sum_{i=0}^{d-1} h_i 2^i$
and h is the secret control line of the multiplexer employed in F. Indeed, the ciphertext y is the
permutation of the lattice point $\tilde{\lambda} = 2xG_\Lambda - \mathbf{1}$, which has been perturbed by the vector $2\bar{e}$.
In general, the j-th instance of the ciphertext y_j (j ≥ 1) corresponds to the j-th instance of the
plaintext m_j as follows:

$$y_j = \Big( 2F\big((m_j + e_{(j)_{N_e}}),\, h_{(j)_{N_h}}\big)\, G_\Lambda - \mathbf{1} + 2\bar{e}_{(j)_{N_e}} \Big) P_{(j)_{N_p}},$$

where (j)_N is considered as j mod N. The numbers N_e, N_h and N_p express the total number of possibilities
for the intentional error vector e, the multiplexer select logic h and the permutation matrix P,
respectively. Indeed, the vectors e and h and the permutation matrix P change according to
the output of the LFSRs used to produce them. For simplicity, in the following, we
ignore their subscripts.
As each lattice point $\tilde{\lambda} = 2xG_\Lambda - \mathbf{1}$ is a vector with odd components, we must add 2e inst of
e as the intentional error vector in the encryption process. Otherwise, $2xG_\Lambda - \mathbf{1} + e$ is a vector
with some even components that reveals the perturbed positions. Moreover, based on Section
II-A1, each lattice point in Λ(C) can be expressed as a vector of the form c + 4z, where c ∈ C
(converted into ±1) and z ∈ Z^n. When we add the vector 2e to a lattice point in the encryption
process, we get

$$c + 4z + 2e = c' + 4z',$$

where c' is a vector with components ±1 and z' ∈ Z^n. Hence, $\tilde{\lambda} + 2e$ is another lattice point that
gives no information about the intentional error vector e.

C. Decryption Algorithm

For decryption, the authorized receiver must know the intentional error vector e that
the transmitter uses when encrypting each plaintext. In addition, both the authorized receiver and
transmitter need to use the same LFSR with the same seed s as a part of the secret key.
Therefore, if they run the modular division circuit for generating the pseudorandom error vector
e in lockstep, they use the same error vector e for encryption and decryption. Hence,
the decryption is done by employing the following steps:
1) Multiply the ciphertext y by $P^{-1} = P^T$ and get

$$y' = yP^T = 2xG_\Lambda - \mathbf{1} + 2\bar{e}.$$

2) Subtract $2\bar{e}$ from y' to get $2xG_\Lambda - \mathbf{1}$.
3) Recover the vector x = F((m + e), h) by adding the vector $\mathbf{1}$ to $y' - 2\bar{e}$ and multiplying the
result by $\frac{1}{2} G_\Lambda^{-1}$, where

$$G_\Lambda^{-1} = \begin{bmatrix} I_k & -\frac{1}{2} A_{k\times(n-k)} \\ 0_{(n-k)\times k} & \frac{1}{2} I_{n-k} \end{bmatrix}.$$

4) Apply the inverse of the function F on x using the secret vector h and recover the
intentionally corrupted message vector m' = m + e.
5) Retrieve the original message m by computing m' − e.
We can use this system for communication in which the ciphertext is transmitted over a noisy
channel. This entails some modifications to our cryptosystem to obtain a joint scheme that can
perform encryption, channel coding and modulation in a single step, which is discussed in the
next section.
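A toy round trip of the encryption and decryption steps above, added here as an example (not the authors' code). It assumes n = 6, k = 3, d = 2, q = 3; a constructed systematic [6,3] binary code standing in for an RDF-QC-LDPC code; a seeded PRNG standing in for the LFSRs that produce e, h and the permutation blocks; and F_j = U^j with U the companion matrix of the primitive polynomial x^6 + x + 1. The inverse of F is taken exactly over Q, since the binary matrix U^α, viewed over Z, has an odd but not necessarily unit determinant.

```python
# Added example (not the authors' code): toy round trip of the Section III scheme.
# Assumed: n=6, k=3, d=2, q=3; a constructed systematic [6,3] code instead of an
# RDF-QC-LDPC code; a seeded PRNG in place of the LFSRs; F_j = U^j with U = C(g).
from fractions import Fraction
import random

N, K, D, Q = 6, 3, 2, 3                   # n, k, control bits d, permutation block size q
A = [[1, 1, 0], [1, 0, 1], [0, 1, 1]]     # constructed: G_C = [I_k | A]

def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]

def transpose(a):
    return [list(col) for col in zip(*a)]

def vecmat(v, a):
    return [sum(v[i] * a[i][j] for i in range(len(v))) for j in range(len(a[0]))]

def matmul(a, b, mod=None):
    out = [[sum(a[i][k] * b[k][j] for k in range(len(b))) for j in range(len(b[0]))] for i in range(len(a))]
    return [[v % mod for v in row] for row in out] if mod else out

# Eq. (1): G_Λ = [[I_k, A], [0, 2I_{n-k}]]; its inverse from Section III-C step 3; H = [A^T | I_{n-k}]
G_LAM = [r + ar for r, ar in zip(identity(K), A)] + [[0] * K + [2 * v for v in r] for r in identity(N - K)]
G_LAM_INV = [r + [Fraction(-v, 2) for v in ar] for r, ar in zip(identity(K), A)] + \
            [[0] * K + [Fraction(v, 2) for v in r] for r in identity(N - K)]
H = [ar + ir for ar, ir in zip(transpose(A), identity(N - K))]

def companion_f2(coeffs):
    """Companion matrix over F2 of g(x) = x^n + ... + a_0, coeffs = [a_0, ..., a_{n-1}]."""
    n = len(coeffs)
    return [[int(j == i + 1) for j in range(n)] for i in range(n - 1)] + [[c % 2 for c in coeffs]]

def inverse_q(a):
    """Exact inverse over Q by Gauss-Jordan elimination with Fractions."""
    n = len(a)
    m = [[Fraction(v) for v in row] + [Fraction(int(i == j)) for j in range(n)] for i, row in enumerate(a)]
    for c in range(n):
        p = next(r for r in range(c, n) if m[r][c] != 0)   # pivot row
        m[c], m[p] = m[p], m[c]
        piv = m[c][c]
        m[c] = [v / piv for v in m[c]]
        for r in range(n):
            if r != c and m[r][c] != 0:
                f = m[r][c]
                m[r] = [x - f * y for x, y in zip(m[r], m[c])]
    return [row[n:] for row in m]

U = companion_f2([1, 1, 0, 0, 0, 0])      # g(x) = x^6 + x + 1, primitive over F2

def keygen(seed):
    """e, h and the block-diagonal permutation P (q x q blocks) from a seeded PRNG."""
    rng = random.Random(seed)
    e = [rng.randrange(2) for _ in range(N)]          # intentional error vector
    h = [rng.randrange(2) for _ in range(D)]          # multiplexer control line
    P = [[0] * N for _ in range(N)]
    for blk in range(N // Q):
        perm = list(range(Q))
        rng.shuffle(perm)
        for i, j in enumerate(perm):
            P[blk * Q + i][blk * Q + j] = 1
    return e, h, P

def mux_matrix(h):
    """U^alpha from the set S, alpha = sum h_i 2^i: a binary matrix, then used over Z."""
    r = identity(N)
    for _ in range(sum(bit << i for i, bit in enumerate(h))):
        r = matmul(r, U, 2)
    return r

def lattice_point(m, key):
    """λ~ = 2 x G_Λ − 1 with x = F((m + e), h) = (m + e) U^alpha; all components are odd."""
    e, h, _ = key
    x = vecmat([mi + ei for mi, ei in zip(m, e)], mux_matrix(h))
    return [2 * v - 1 for v in vecmat(x, G_LAM)]

def encrypt(m, key):
    """y = (2 x G_Λ − 1 + 2 ē) P, with ē the complement of e."""
    e, _, P = key
    return vecmat([l + 2 * (1 - b) for l, b in zip(lattice_point(m, key), e)], P)

def decrypt(y, key):
    e, h, P = key
    y0 = vecmat(y, transpose(P))                        # step 1: P^{-1} = P^T
    t = [v - 2 * (1 - b) + 1 for v, b in zip(y0, e)]    # steps 2-3: remove 2ē, add 1 -> 2 x G_Λ
    x = vecmat([Fraction(v, 2) for v in t], G_LAM_INV)  # times (1/2) G_Λ^{-1}
    mp = vecmat(x, inverse_q(mux_matrix(h)))            # step 4: undo F exactly over Q
    assert all(v.denominator == 1 for v in mp), "wrong key: non-integer result"
    return [int(v) - ei for v, ei in zip(mp, e)]        # step 5: m = m' − e

def in_lattice(v):
    """Is v = c + 4z with c a ±1 codeword of C (Section II-A1)?  v_i ≡ 1 (mod 4) <-> bit 1, ≡ 3 <-> bit 0."""
    if any(x % 2 == 0 for x in v):
        return False
    bits = [int(x % 4 == 1) for x in v]
    return all(s % 2 == 0 for s in vecmat(bits, transpose(H)))

MESSAGE = [3, -1, 0, 2, 5, -4]                        # constructed plaintext m in Z^n
KEY = keygen(2019)
```

The ciphertext has only odd components, so the positions perturbed by 2ē are not visible, while the unperturbed point λ~ itself passes the Λ(C) membership check.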

IV. THE PROPOSED JOINT ENCRYPTION, CHANNEL CODING AND MODULATION SCHEME

In this section, we use QC-LDPC lattices to introduce a joint scheme that provides secure
communication over bandwidth-limited (high-SNR) AWGN channels.
For communications over a noisy power-constrained AWGN channel, the encoding operation
must be accompanied by a shaping method. This prevents the transmission power of a codeword
from being unnecessarily increased. Indeed, we make sure that only lattice points that belong
to a shaping region are actually used. Then, instead of mapping the message vector m to the
lattice point mGΛ in Λ, it should be mapped to another lattice point m'GΛ belonging to the
shaping region.
Some known shaping methods in the literature are hypercube shaping, Voronoi shaping and
spherical shaping. In theoretical approaches, the infinite lattice is intersected with a spherical
shaping region to produce a power-constrained lattice code. Due to the high computational complexity of
this shaping, we consider an efficient hypercube shaping algorithm that has minimum complexity
among the shaping methods for QC-LDPC lattices to obtain finite lattice constellations [28].
Thus, we choose a signal constellation formed by a QC-LDPC lattice together with a hypercube
shaping region for the mapping process. Indeed, each message is modulated to one of the
constellation points using QC-LDPC lattice encoding and a suitable shaping method.

A. The Proposed Encryption Algorithm

The ciphertext of the proposed symmetric key encryption scheme is in the following form:
$$y = \big(2F((m + e), h)\, G_\Lambda - 1 + 2e\big) P. \qquad (5)$$

All operations, such as applying the function F on $m' = m + e$ and computing the lattice point $\tilde\lambda = 2xG_\Lambda - 1$, and so on, are computed over the real numbers $\mathbb{R}$. Therefore, the resulting ciphertext y may have large components, even if we restrict the message components. While transmitting the ciphertext over a noisy power constrained AWGN channel, the encrypting operation must be accompanied by a shaping method. In this way, the vector $\tilde\lambda$ is limited to a region around the origin, which leads to a reduction of the ciphertext transmission power.
On the other hand, the matrices $U_i$ ($i = 0, \ldots, 2n - 2$) in the set S have no structure and may be dense enough. We have observed that some columns in the $U_i$ are all-one vectors. Therefore, even by applying a shaping method on $x = F(m', h) = m' U_\alpha$, where $\alpha = \sum_{i=0}^{d-1} h_i 2^i$, the vector x may be mapped into a big hypercube with high complexity. Thus, we restrict the components of the input integer vector m to the following finite constellation before shaping:
$$m_{2i} \in \{x \in \mathbb{Z} \mid -L_i \le x \le -1\}, \quad i = 1, \ldots, n/2, \qquad (6)$$
$$m_{2i-1} \in \{x \in \mathbb{Z} \mid 0 \le x \le L_i - 1\}, \quad i = 1, \ldots, n/2,$$
where the $L_i$'s are positive integers. In this way, $-L_i \le m'_{2i} \le 0$ and $0 \le m'_{2i-1} \le L_i$, for $i = 1, \ldots, n/2$.

Therefore, the vector x in the worst case lies in an n-dimensional hypercube around the origin such that $x_i \in \{x \in \mathbb{Z} \mid -\tfrac{n}{2} L_i \le x \le \tfrac{n}{2} L_i\}$.
In our proposed scheme, it is desirable to design an optimal finite constellation for the entries
of m such that the sizes of the entries of x = m0Uα become as small as possible. Designing
such constellation could be an interesting problem for future work.
In the next step, we compute the lattice point $\lambda = xG_\Lambda$ in the encryption process. Since all operations are performed over real numbers, the entries of $xG_\Lambda$ can also be large. Therefore, to make the scheme practical, we use a hypercube shaping method to keep the corresponding entries of the ciphertext vector as small as possible. Indeed, instead of mapping the vector x to the lattice point $\lambda = xG_\Lambda$ in the infinite lattice Λ, it is mapped to a lattice point $\lambda' = x'G_\Lambda$ inside an n-dimensional hypercube such that $|\lambda'_i| \le nL_i - 1$, for $i = 1, \ldots, n$.
In the first step we enforce that $-\tfrac{n}{2} L_i \le x_i \le \tfrac{n}{2} L_i$, for $i = 1, \ldots, n$. Therefore, the needed restriction of the input vector to a finite constellation for the shaping algorithm is satisfied. Thus, we consider a new lattice point

$$\lambda' = x'G_\Lambda = (x - zL)G_\Lambda, \qquad (7)$$

instead of $\lambda = xG_\Lambda$, where $L = \mathrm{diag}(nL_1 - 1, \ldots, nL_n - 1)$ is an $n \times n$ diagonal matrix. The vector z is an integer vector of length n that is chosen such that the new lattice point components lie in an n-dimensional hypercube around the origin [28]. To find the vector z, we first solve the system of linear equations obtained from (7) and then choose an integer z such that $|\lambda'_i| \le nL_i - 1$, for $i = 1, \ldots, n$. Therefore, we have
$$\lambda'_i = \begin{cases} x_i - z_i(nL_i - 1), & i = 1, \ldots, k, \\[4pt] 2\big(x_i - z_i(nL_i - 1)\big) + \sum_{j=1}^{k} x'_j a_{j,i-k}, & i = k+1, \ldots, n, \end{cases}$$
where $a_{ji}$ is the $(j, i)$-th entry of the matrix A in $G_\Lambda$. We consider $z_i = 0$, for $1 \le i \le k$, which leads to $x'_i = x_i$ and $|\lambda'_i| = |x_i| \le nL_i - 1$. Moreover, for $k+1 \le i \le n$, we have $-nL_i + 1 \le 2\big(x_i - z_i(nL_i - 1)\big) + \sum_{j=1}^{k} x_j a_{j,i-k} \le nL_i - 1$, or
$$-\frac{1}{2} + \frac{x_i}{nL_i - 1} + \frac{\sum_{j=1}^{k} x_j a_{j,i-k}}{2(nL_i - 1)} \;\le\; z_i \;\le\; \frac{1}{2} + \frac{x_i}{nL_i - 1} + \frac{\sum_{j=1}^{k} x_j a_{j,i-k}}{2(nL_i - 1)}.$$
The above interval contains only one integer number, thus it has the unique solution
$$z_i = \left\lfloor \frac{1}{nL_i - 1}\Big(x_i + \frac{1}{2}\sum_{j=1}^{k} a_{j,i-k}\, x_j\Big) \right\rceil.$$
Indeed, we convert the vector x to $x' = x - zL$, in order to embed the vector $\lambda' = x'G_\Lambda$ in the following hypercube
$$\mathcal{L} = \left\{ x \in \mathbb{Z}^n \;\middle|\; \begin{array}{ll} -\tfrac{n}{2} L_i \le x_i \le \tfrac{n}{2} L_i, & i = 1, \ldots, k, \\[4pt] -nL_i + 1 \le x_i \le nL_i - 1, & i = k+1, \ldots, n \end{array} \right\}. \qquad (8)$$
Replacing x by the converted vector $x'$ in the relation (5), the transmitted vector over the noisy AWGN channel is expressed as $y = (2x'G_\Lambda - 1 + 2e)P$.
The encryption algorithm is shown in Fig. 3. The information rate of a lattice code Γ of length n (in bits/symbol) is defined to be $R = \log_2(|\Gamma|)/n$ [11]. Since the points of the lattice code $\Gamma = (2\Lambda \cap \mathcal{L}) - 1$ are in bijective correspondence with the information integer vectors m, according to Eq. (6), the information rate of this lattice code is $R = \sum_{i=1}^{n} \log_2(2L_i)/n$.

Fig. 3. The proposed joint encryption, encoding and modulation scheme based on QC-LDPC lattice codes

B. The Proposed Decryption Algorithm

The authorized receiver (Bob) attempts to decrypt the possibly erroneous received vector $r = (2x'G_\Lambda - 1 + 2e)P + e_{ch}$, where $e_{ch}$ is the AWGN channel noise that is drawn from an i.i.d. Gaussian distribution with variance $\sigma^2$.
Using the secret keys $\{s, h, H_{qc}, t\}$, the ciphertext is decrypted as follows:
1) The received vector r is multiplied by $P^{-1} = P^{T}$ to get
$$r' = rP^{T} = (2x'G_\Lambda - 1 + 2e) + e_{ch}P^{T}.$$
2) Having the secret vector s, the corresponding error vector e and $r'' = r' - 2e$ are computed.
3) The vector $r'' = 2x'G_\Lambda - 1 + e_{ch}P^{T}$ is decoded using $H_{qc}$ by applying the SPA iterative decoding algorithm of QC-LDPC lattices [27]. Then $\tilde\lambda' = 2x'G_\Lambda - 1$ is obtained.
4) The vector x is recovered from the shaped lattice point $\tilde\lambda'$ using Algorithm 1.

Algorithm 1 Recover original vector

1: procedure MOD($\tilde\lambda'$, $(L_1, \ldots, L_n)$, $G_\Lambda^{-1}$)
2:   $x' \leftarrow \left\lfloor \dfrac{\tilde\lambda' + 1}{2}\, G_\Lambda^{-1} \right\rceil$
3:   for i = 1 : n do
4:     if $\mathrm{mod}(x'_i, (nL_i - 1)) < \tfrac{n}{2} L_i$ then
5:       $r_i \leftarrow \mathrm{mod}(x'_i, (nL_i - 1))$
6:     else
7:       $r_i \leftarrow \mathrm{mod}(x'_i, (nL_i - 1)) - (nL_i - 1)$
8:     end if
9:   end for
10:  return $x = (r_1, \ldots, r_n)$.
11: end procedure

5) Retrieving the vector $m' = m + e$ from the vector $x = m'U_\alpha$ is equivalent to computing $m' = x(U_\alpha)^{-1}$ by the secret vector h, in which $\alpha = \sum_{i=0}^{d-1} h_i 2^i$. Then, subtracting the vector e from $m'$ recovers the original message m.
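As an added example (not code from the paper), the hypercube shaping of Eq. (7) and its inverse, Algorithm 1, are carried out on a constructed toy instance: k = 2, n = 4, a binary block A and L_i = 2, with G_Λ = [[I_k, A], [0, 2I_{n−k}]] as used in the decryption steps above. The check function enumerates every admissible x, confirms |λ'_i| ≤ nL_i − 1 for the shaped point, and confirms that Algorithm 1 returns x; inputs are kept to |x_i| < (n/2)L_i because the nL_i − 1 residues of the modulo step cannot represent the closed range. No channel decoding is simulated: λ̃' enters Algorithm 1 as the SPA decoder would return it.

```python
from itertools import product
from math import floor


def lattice_generator(A):
    """G_Λ = [[I_k, A], [0_{(n-k)×k}, 2 I_{n-k}]] as an integer matrix (list of rows)."""
    k, m = len(A), len(A[0])
    n = k + m
    G = [[0] * n for _ in range(n)]
    for i in range(k):
        G[i][i] = 1
        for j in range(m):
            G[i][k + j] = A[i][j]
    for j in range(m):
        G[k + j][k + j] = 2
    return G


def vecmat(x, M):
    """Row vector times matrix: (xM)_j = Σ_i x_i M_{ij}."""
    return [sum(x[i] * M[i][j] for i in range(len(x))) for j in range(len(M[0]))]


def hypercube_shape(x, A, L):
    """Eq. (7): x' = x - zL with z_i = 0 for i ≤ k and
    z_i = ⌊(x_i + ½ Σ_j a_{j,i-k} x_j) / (nL_i - 1)⌉ for i > k, so that
    λ' = x' G_Λ satisfies |λ'_i| ≤ nL_i - 1.  Returns (x', λ').
    The rounding ⌊t/M⌉ = ⌊t/M + ½⌋ is done exactly in integers as (2t + M) // (2M)."""
    n, k = len(x), len(A)
    z = [0] * n
    for i in range(k, n):
        M = n * L[i] - 1
        S = sum(A[j][i - k] * x[j] for j in range(k))   # Σ_j a_{j,i-k} x_j
        z[i] = (2 * x[i] + S + M) // (2 * M)             # 2t = 2x_i + S
    xp = [x[i] - z[i] * (n * L[i] - 1) for i in range(n)]
    return xp, vecmat(xp, lattice_generator(A))


def mod_recover(lam_tilde, A, L):
    """Algorithm 1 (MOD) with G_Λ^{-1} = [[I_k, -A/2], [0, I_{n-k}/2]] applied directly:
    x' = ⌊((λ̃' + 1)/2) G_Λ^{-1}⌉, then each x'_i is reduced modulo nL_i - 1 and mapped
    back to the signed range used before shaping."""
    n, k = len(L), len(A)
    lam = [(v + 1) / 2 for v in lam_tilde]                 # λ' = (λ̃' + 1)/2
    xp = [lam[i] if i < k
          else (lam[i] - sum(lam[j] * A[j][i - k] for j in range(k))) / 2
          for i in range(n)]
    xp = [floor(v + 0.5) for v in xp]                      # ⌊·⌉ absorbs small residual noise
    x = []
    for i in range(n):
        M = n * L[i] - 1
        v = xp[i] % M                                      # Python % is non-negative, like mod()
        x.append(v if v < n * L[i] / 2 else v - M)
    return x


def check_all(A, L):
    """Exhaustively verify, for every x with |x_i| < (n/2) L_i, that the shaped point stays in
    the hypercube and that Algorithm 1 returns x.  Returns the number of vectors tested.
    The strict bound is needed: the signed range has nL_i + 1 values but only nL_i - 1 residues."""
    n = len(L)
    ranges = [range(-(n * L[i] // 2) + 1, n * L[i] // 2) for i in range(n)]
    count = 0
    for x in product(*ranges):
        xp, lam = hypercube_shape(list(x), A, L)
        assert all(abs(lam[i]) <= n * L[i] - 1 for i in range(n))
        lam_tilde = [2 * v - 1 for v in lam]               # the 2Λ - 1 point that is transmitted
        assert mod_recover(lam_tilde, A, L) == list(x)
        count += 1
    return count


# Constructed toy parameters: k = 2, n = 4, binary block A, L_i = 2 (so nL_i - 1 = 7).
A = [[1, 1], [0, 1]]
L = [2, 2, 2, 2]
x = [3, -2, 3, -3]
xp, lam = hypercube_shape(x, A, L)     # unshaped xG_Λ = [3, -2, 9, -5]; shaped λ' = [3, -2, -5, -5]
recovered = mod_recover([2 * v - 1 for v in lam], A, L)   # == x
```

The unshaped point xG_Λ has a third coordinate of 9, outside the hypercube bound nL_i − 1 = 7; the shaped point has −5 there, and Algorithm 1 undoes the shift because it only ever changes x_i by multiples of nL_i − 1.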

V. EFFICIENCY

The efficiency of the cryptosystem is measured in terms of the key size and the computational
complexity of encryption and decryption processes.

A. Complexity

Encryption is performed by computing $m' = m + e$, then mapping it to the vector $x = m'U_\alpha$ by the function F through a multiplexer controlled by the binary vector h. The vector x is converted to the vector $x'$ using a hypercube shaping method and then encoded by a QC-LDPC lattice to a lattice point $\tilde\lambda' = 2x'G_\Lambda - 1$. By adding the intentional error vector 2e and multiplying the whole combination by the permutation matrix P, the overall system becomes non-systematic. Therefore, an estimate of the computational complexity of the encryption algorithm is given as
$$C_{encrypt} = C_{add}(e) + C_{compute}(F(m', h)) + C_{shaping}(xG_\Lambda) + C_{encode}(x') + C_{add}(2e) + C_{product}(P).$$
In the encryption process, the terms $C_{add}(e)$, $C_{add}(2e)$ and $C_{product}(P)$ have lower (linear) order complexity than the other terms. Indeed, the complexity of the encryption process is upper-bounded by the complexity of $C_{compute}(F((m + e), h)) + C_{shaping}(xG_\Lambda) + C_{encode}(x')$.
The time and space complexities of QC-LDPC lattice encoding are linear in the dimension of the lattice [27]. The overall computational complexity of the hypercube shaping for a $\lambda = xG_\Lambda \in \Lambda$ is $O(nw_c)$, where $w_c$ is the average number of nonzero elements in a row of $G_\Lambda$ [26]. Since $F(m', h) = m'U_\alpha$, where $\alpha = \sum_{i=0}^{d-1} h_i 2^i$, $C_{compute}(F(m', h))$ is equal to the computational complexity of the vector $m' = (m + e)$ times the matrix $U_\alpha$. The function can be implemented using a pipelined architecture similar to the one proposed in [38]. Let $\alpha = h_0 + 2h_1 + 2^2 h_2 + \cdots + 2^{d-1} h_{d-1}$; then $U_\alpha = U^{h_0} \cdot (U^2)^{h_1} \cdot (U^{2^2})^{h_2} \cdots (U^{2^{d-1}})^{h_{d-1}}$, where the $h_i$ are 0 or 1. Indeed, the proposed function can be implemented using the matrices $U, U^2, \ldots, U^{2^{d-1}}$ and d 2-to-1 multiplexers instead of all $2^d$ matrices in S and one $2^d$-to-1 multiplexer. Therefore, its computational complexity is of order $O(n^2)$. As a consequence, the complexity of the encryption process is of order $O(n^2)$ in terms of the lattice dimension n. Since we have d stages in the pipeline, the latency of the architecture is $O(d)$.
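The d-stage selection just described, as an added example that is not code from the paper or from [38]: stage i multiplies by the fixed matrix U^{2^i} when h_i = 1 and passes the vector through otherwise, and the same chain over (U^{-1})^{2^i} computes F^{-1}. The 3×3 unimodular U is a constructed stand-in for the unstructured matrices of S, chosen so that U^α and its inverse stay integral.

```python
def matmul(X, Y):
    """Integer matrix product X·Y (lists of rows)."""
    return [[sum(X[i][t] * Y[t][j] for t in range(len(Y))) for j in range(len(Y[0]))]
            for i in range(len(X))]


def vecmat(x, M):
    """Row vector times matrix."""
    return [sum(x[i] * M[i][j] for i in range(len(x))) for j in range(len(M[0]))]


def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]


def stage_matrices(U, d):
    """The d fixed matrices wired into the pipeline: U, U^2, U^4, ..., U^{2^{d-1}},
    each obtained by squaring the previous one."""
    stages = [U]
    for _ in range(d - 1):
        stages.append(matmul(stages[-1], stages[-1]))
    return stages


def pipelined_F(m, h, stages):
    """x = m · U^{h_0} (U^2)^{h_1} ··· (U^{2^{d-1}})^{h_{d-1}}: stage i either multiplies by
    U^{2^i} (h_i = 1) or passes the vector through (h_i = 0), i.e. a 2-to-1 multiplexer.
    Each stage is one n×n vector-matrix product, so O(n^2) work with latency d."""
    x = list(m)
    for hi, stage in zip(h, stages):
        if hi:
            x = vecmat(x, stage)
    return x


def alpha_of(h):
    """α = Σ_{i=0}^{d-1} h_i 2^i, with h_0 the least significant bit."""
    return sum(hi << i for i, hi in enumerate(h))


def direct_F(m, U, alpha):
    """Reference: m · U^α by α repeated multiplications (used only for checking)."""
    M = identity(len(U))
    for _ in range(alpha):
        M = matmul(M, U)
    return vecmat(m, M)


# Constructed unimodular toy U (det = 1) and its exact integer inverse, so that U^α and
# (U^α)^{-1} = (U^{-1})^α stay integral; the paper's U_i in S are unstructured and dense.
U = [[1, 1, 0], [0, 1, 1], [0, 0, 1]]
U_INV = [[1, -1, 1], [0, 1, -1], [0, 0, 1]]
assert matmul(U, U_INV) == identity(3)

h = [1, 0, 1, 1]                      # d = 4 secret bits, α = 1 + 4 + 8 = 13
m_prime = [2, -1, 3]                  # m' = m + e
x = pipelined_F(m_prime, h, stage_matrices(U, len(h)))        # == [2, 25, 146]
back = pipelined_F(x, h, stage_matrices(U_INV, len(h)))       # F^{-1}: == m_prime
```

Because all stage matrices are powers of the same U they commute, so the order of the stages does not matter and the inverse chain can reuse h unchanged.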
Using similar arguments, the decryption complexity is expressed as
$$C_{decrypt} = C_{product}(P^{T}) + C_{add}(-2e) + C_{decode}(r'') + C_{MOD}(\tilde\lambda') + C_{compute}(F^{-1}(x)) + C_{add}(-e).$$
Since the dominant terms, which have a much larger effect on the implementation complexity, are $C_{decode}(r'')$, $C_{MOD}(\tilde\lambda')$ and $C_{compute}(F^{-1}(x))$, the decryption complexity is upper-bounded by the complexity of $C_{decode}(r'') + C_{MOD}(\tilde\lambda') + C_{compute}(F^{-1}(x))$.
The QC-LDPC lattice decoding has computational complexity $O(nd_v I)$, where I is the maximum number of iterations required by the decoding algorithm to correct the error and $d_v$ is the column weight of the parity-check matrix $H_{qc}$. Hence, QC-LDPC lattices have linear computational complexity in the lattice dimension [27].
The information integer components $x_i$ are recovered from $x'_i$ after multiplication by the matrix $G_\Lambda^{-1}$ followed by a simple modulo operation that is explained in Algorithm 1. Therefore, $C_{MOD}(\tilde\lambda') = C_{mult}(G_\Lambda^{-1})$, where according to the structure of $G_\Lambda^{-1}$ it can be demonstrated that it is equal to the complexity of the encoding algorithm of QC-LDPC lattices, which is linear in the lattice dimension. The computational complexity of applying $F^{-1}(x)$ is equivalent to multiplication of the matrix $(U_\alpha)^{-1}$ by the vector x. In the same way, its computational complexity is of order $O(n^2)$. Hence, the total computational complexity for decryption is bounded by $O(n^2)$.
The complexity of computing the nonlinear function F and F −1 is a bottleneck for our scheme.
Indeed, we had to sacrifice the linear complexity of our design to prevent some chosen plaintext
attacks like differential attack against the proposed scheme. However, designing another nonlinear
function which can be implemented with linear complexity is desirable and open for further
research.

B. Message expansion

According to Section IV-A, the shaped vectors $2x'G_\Lambda - 1 \in 2\Lambda - 1$ are uniformly distributed over the hypercube $2\mathcal{L} - 1$, where $\mathcal{L}$ is presented in Eq. (8). Therefore, the ciphertext $y = (2x'G_\Lambda - 1 + 2e)P$ belongs to the following set
$$\left\{ x \in \mathbb{Z}^n \;\middle|\; \begin{array}{ll} -nL_i - 1 \le x_i \le nL_i + 1, & i = 1, \ldots, k, \\[4pt] -2nL_i + 1 \le x_i \le 2nL_i - 1, & i = k+1, \ldots, n \end{array} \right\}. \qquad (9)$$
For simplicity, we consider $L_i = L$, for $i = 1, \ldots, n$. Then, the information rate of our cryptosystem is $R = \log_2(2L)$. Furthermore, according to Eq. (6), the integer vector m is restricted to the finite constellation $m_i \in \{-L, \ldots, L - 1\}$, for $i = 1, \ldots, n$. Therefore, the plaintext size is at most $n\lceil\log_2(2L)\rceil$ bits and the number of bits required to derive a ciphertext is $(n - k)\lceil\log_2(4nL - 1)\rceil + k\lceil\log_2(2nL + 3)\rceil$. Therefore, the message expansion of our cryptosystem is
$$\frac{(n - k)\lceil\log_2(4nL - 1)\rceil + k\lceil\log_2(2nL + 3)\rceil}{n\lceil\log_2(2L)\rceil}.$$
If we consider the parameters $n_0 = 6$, $d_v = 3$ and $b = 43$ that introduce a QC-LDPC lattice with $(k, n) = (215, 258)$, this ratio approaches 1 as L approaches infinity. Moreover, the message expansion of our cryptosystem belongs to the interval [1, 5.6], for $L \ge 2$ and the proposed parameters.

C. Key size

The secret key that needs to be exchanged between the sender and the authorized receiver consists of an initial value s of the $l_1$-bit LFSR for generating the error vector e, the parity-check matrix $H_{qc}$ for decoding of QC-LDPC lattices, the d-bit vector h that determines the selection logic of the multiplexer for the nonlinear mapping F, and the vector t corresponding to the permutation matrix P.
In the proposed encryption scheme, the random error vector e is generated using an $l_1$-bit LFSR along with a modular division circuit proposed in [37]. Therefore, we store the initial vector s of the LFSR, which requires a memory of approximately $l_1 = \lceil\log_2 n\rceil$ bits.
The required memory for saving the vector h is $l_2$ bits. We choose it so that the cryptosystem is secure against different cryptanalyses. Here we consider it of size approximately $7\lceil\log_2 n\rceil$.
To save the secret key $H_{qc}$, we can just save the nonzero positions of the first rows of $(H_i)_{b \times b}$, for $i = 0, \ldots, n_0 - 1$, and keep it as the secret parity-check matrix. Thus, its storage involves at most $l_3 = d_v\lceil\log_2 b\rceil n_0$ memory bits, where $d_v$ is the row/column Hamming weight of $H_i$, for $i = 0, \ldots, n_0 - 1$.
We use an efficient hardware structure for the permutation of a vector that is based on a shift register and some multiplexers [17]. By this method, for different message blocks, we generate different permutation matrices. With this low hardware complexity, we can reduce the key size of the scheme compared to other joint schemes and remain secure against known attacks. The designed hardware structure for permuting a vector by P is shown in Fig. 4; it consists of a buffer, an LFSR and some q-to-1 multiplexers. In this structure, an LFSR of size $\gamma = \lceil\log_2 q\rceil$ generates the data control line of the q-to-1 multiplexers. For permuting the n-tuple vector $\lambda'' = 2x'G_\Lambda - 1 + 2e$ in the last step of the encryption process, we divide it into q-tuple vectors $\lambda''_i$, for $i = 1, \ldots, v$. Then, the first q-tuple vector $\lambda''_1$ is stored in the buffer and is given as the input of the q-to-1 multiplexers. Each component of $\lambda''_i$ belongs to the hypercube defined in Eq. (9). Therefore, each component can be represented with at most $r = \lceil\log_2(4nL - 1)\rceil$ bits. Then, we need r multiplexers with q inputs so that the r bits of each component of $\lambda''_i$ are permuted simultaneously and result in the same component after permutation. In this way, according to the control line generated by the LFSR, the multiplexers select one of the bits from the input vector $\lambda''_{1j}$, for $j = 1, \ldots, q$, as the output. By the next output of the LFSR, the multiplexer selects another component of the input vector. Finally, the q-tuple vector $\lambda''_1$ is permuted at the end of the first period of the LFSR, which is $2^\gamma - 1 = q$, where γ is the size of the initial vector. Then, the second q-tuple vector $\lambda''_2$ is stored in the buffer and the initial value of the LFSR is changed. In the same way, $\lambda''_2$ is permuted after reaching the period of the LFSR. Therefore, each of the $\lambda''_i$, for $i = 1, \ldots, v$, is permuted at the end of a period of the LFSR. Indeed, each permutation matrix $\pi_i$, for $i = 1, \ldots, v$, is controlled by the corresponding initial vector of the LFSR to determine the selection logic of the multiplexers. Since the $q \times q$ permutation sub-matrices $\pi_i$, for $i = 1, \ldots, v$, are saved instead of the permutation matrix P, it is needed to save only the corresponding initial vector of the LFSR. Thus, the required memory for storing the permutation matrix P is $l_4 = v\lceil\log_2 q\rceil$ bits.

Fig. 4. Hardware design for vector permutation by the matrix P.
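The seed-controlled sub-permutations of Fig. 4 in software, as an added example that is neither the paper's hardware nor its code: a constructed 3-bit LFSR with feedback s_2 ⊕ s_0 (a primitive recurrence, so q = 2^γ − 1 = 7) and v = 2 blocks stand in for the paper's q = 43, γ = 6, v = 6. Each nonzero seed starts the same maximal-length cycle at a different point, so only the v seeds are stored, and P^{-1} = P^T is rebuilt from them on the receiving side.

```python
def lfsr_states(seed, gamma, taps):
    """States visited by a γ-bit Fibonacci LFSR over one period, starting from seed.
    The new bit is the XOR of the state bits listed in taps (bit 0 = least significant)
    and is shifted in at the bottom.  With a primitive recurrence every nonzero state
    appears exactly once, so the period is q = 2^γ - 1 and the state sequence is a
    permutation of 1..q; non-maximal taps are rejected."""
    mask = (1 << gamma) - 1
    q = mask
    if not 0 < seed <= mask:
        raise ValueError("seed must be a nonzero gamma-bit value")
    states, s = [], seed
    for _ in range(q):
        states.append(s)
        fb = 0
        for t in taps:
            fb ^= (s >> t) & 1
        s = ((s << 1) | fb) & mask
    if len(set(states)) != q:
        raise ValueError("taps do not give a maximal-length sequence")
    return states


def block_permutations(seeds, gamma, taps):
    """π_1..π_v: π_i[t] is the (0-based) input component selected at clock t when the LFSR
    is started from seeds[i]; only the v seeds need to be stored (l_4 = v·γ bits)."""
    return [[s - 1 for s in lfsr_states(seed, gamma, taps)] for seed in seeds]


def permute(vec, perms):
    """Apply P = diag(π_1, ..., π_v) to a vector of length v·q, block by block."""
    q = len(perms[0])
    out = []
    for i, pi in enumerate(perms):
        block = vec[i * q:(i + 1) * q]
        out.extend(block[j] for j in pi)
    return out


def unpermute(vec, perms):
    """Apply P^{-1} = P^T: output position t of block i came from input position π_i[t]."""
    q = len(perms[0])
    res = [None] * len(vec)
    for i, pi in enumerate(perms):
        for t, j in enumerate(pi):
            res[i * q + j] = vec[i * q + t]
    return res


def key_bits(seeds, gamma):
    """l_4 = v ⌈log2 q⌉ bits of key material for the whole block-diagonal P."""
    return len(seeds) * gamma


# Constructed toy: γ = 3 with feedback s_2 ⊕ s_0, so q = 7, and v = 2 blocks.
GAMMA, TAPS = 3, (2, 0)
SEEDS = [1, 5]
PERMS = block_permutations(SEEDS, GAMMA, TAPS)   # [[0, 2, 6, 5, 4, 1, 3], [4, 1, 3, 0, 2, 6, 5]]
permuted = permute(list(range(14)), PERMS)
assert unpermute(permuted, PERMS) == list(range(14))
```

The zero seed is rejected because it is a fixed point of the LFSR and would select the same component forever; the maximality check catches a feedback choice whose period is shorter than q, which would likewise repeat components instead of permuting them.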
Hence, the actual key length of the proposed cryptosystem is equal to $l_1 + l_2 + l_3 + l_4 = \lceil\log_2 n\rceil + 7\lceil\log_2 n\rceil + d_v\lceil\log_2 b\rceil n_0 + v\lceil\log_2 q\rceil$ bits.
For the proposed QC-LDPC lattice with $(k, n) = (215, 258)$ and parameters $n_0 = 6$, $d_v = 3$ and $b = 43$, we can choose $q = 43$ for the permutation matrix P and $l_2 = 61$ for the vector h. Therefore, the key size of the proposed scheme is equal to 214 bits. This key size is small compared with those of the proposed code and lattice based cryptosystems.
We summarize the operation characteristics of the proposed scheme in terms of its parameters in TABLE I.

VI. SECURITY OF THE PROPOSED SCHEME

In general, security of the RN-like cryptosystems is considered against four potential attacks
reported in the literature including brute force attack, differential-style attack [16], Rao-Nam
attack [2], Struik-Tilburg attack [4] and message-resend attack [13].
TABLE I
OPERATION CHARACTERISTICS OF THE PROPOSED SCHEME.

Plaintext size (bit)   | $n\lceil\log_2(2L)\rceil$
Ciphertext size (bit)  | $(n - k)\lceil\log_2(4nL - 1)\rceil + k\lceil\log_2(2nL + 3)\rceil$
Key size (bit)         | $8\lceil\log_2 n\rceil + d_v\lceil\log_2 b\rceil n_0 + v\lceil\log_2 q\rceil$
Information rate       | $R = \log_2(2L)$
Decryption Ops.        | $O(n^2)$
Encryption Ops.        | $O(n^2)$

The last three attacks are performed based on the linearity of the encoding step in the
encryption process. They are not applicable here because the use of the nonlinear function
F in the encryption algorithm prevents such attacks from being successful.
Rao-Nam attack is applied on any RN-like cryptosystems to estimate the encryption matrix
from a large set of plaintext-ciphertext pairs [2]. The security of the RN-like schemes against
this kind of attacks depends mostly on the Hamming weight of the intentional error vectors.
This attack succeeds only if the ratio of the Hamming weight of the intentional error vector over
n is small and it does not if its average Hamming weight is approximately n/2 [2]. According
to the applied method for producing the intentional error e in our scheme, it has the Hamming
weight n/2 on average. In this method, the length of e is equal to the period of the LFSR.
Indeed, the output string (one cycle) of the LFSR is considered as the intentional error e. On
the other hand, applying the nonlinear function F on the plaintext before its encoding does not allow estimating the encryption matrix from a large set of plaintext-ciphertext pairs. Therefore, the Rao-Nam attack cannot be applied on the proposed scheme.
Struik-Tilburg attack requires enciphering an arbitrary message m until all distinct ciphertexts are obtained [4]. This attack is based on deriving the rows of the encryption matrix $G_\Lambda$ by constructing unit vectors from the chosen plaintext or by solving a set of linear equations. The proposed scheme is not vulnerable to the Struik-Tilburg attack and the message-resend attack [13], because the plaintext is transformed by means of an invertible and nonlinear function F before its encoding.
It is known that the security of nonlinear cryptosystems is determined by the intentionally random error vectors and the nonlinear function F [16]. Indeed, the encoding step and the permutation step further increase the security of the nonlinear system. The main attack against nonlinear cryptosystems is a differential-style attack that is a chosen plaintext attack [16]. In the sequel, the security of the proposed cryptosystem is analyzed against Brute-Force and Differential attacks.

A. Brute-Force Attacks

The purpose of this attack is the enumeration of all possible secret keys $\{s, h, H_{qc}, t\}$ in the proposed scheme until a meaningful message is obtained.

1) The matrix $H_{qc}$ is the parity-check matrix (free of length-4 cycles) of an RDF-QC-LDPC code with code rate $R = (n_0 - 1)/n_0$, code length $n = bn_0$ and column weight $d_v$. An attacker looks for the parity-check matrix corresponding to the used RDF-QC-LDPC code having public parameters $b, d_v, n_0$. For large enough parameters b and $n_0$, it has been demonstrated that there are a large number of different RDF-QC-LDPC codes with the same code length, dimension and row/column weight of the parity-check matrices [33]. The number of different QC-LDPC codes free of length-4 cycles with the parameters $b, d_v, n_0$ that can be designed through the RDF-based approach is lower bounded by [33, Theorem 4.12]
$$N_{RDF}(b, d_v, n_0) \;\ge\; \frac{1}{b}\binom{b}{d_v}^{n_0} \prod_{l=0}^{n_0-1} \prod_{j=1}^{d_v-1} \left( \frac{b}{b - j} - \frac{j^2 - (b \bmod 2) + (j^2 - 1)/2 + l \cdot d_v \cdot (d_v - 1)}{b - j} \right).$$
For the proposed parameters $b = 43$, $d_v = 3$ and $n_0 = 6$, there are $2^{61}$ different RDF-QC-LDPC codes with $n = 258$ and code rate $R = 5/6$.
2) We use an LFSR with an $l_1 = \lceil\log_2 n\rceil$-bit initial vector and a modular division circuit to generate the vector e. With a suitable choice of the feedback polynomial used in the circuit, the total number of choices for the random vector e is $(2^{l_1} - 1)^2 \approx (2^{\lceil\log_2 n\rceil})^2$. For our example, this number is approximately equal to $2^{18}$.
3) The $l_2$-bit vector h determines the image of the nonlinear mapping F. The total number of different vectors h is $2^{l_2}$, that is $2^{61}$ for our cryptosystem.
4) Each permutation matrix $\pi_i$, for $i = 1, \ldots, v$, of the block diagonal permutation matrix P is controlled by a different initial vector of the LFSR of size $\lceil\log_2 q\rceil$. The number of different initial vectors for this LFSR is $2^{\lceil\log_2 q\rceil}$. Therefore, there are $2^{\lceil\log_2 q\rceil}$ different candidates for each $\pi_i$, for $i = 1, \ldots, v$. Hence, the total number of different permutation matrices P is equal to $\big(2^{\lceil\log_2 q\rceil}\big)^{v}$, that is approximately $2^{36}$ for $q = 43$ and $v = 6$.

Consequently, the complexity of the brute force attack is approximately $2^{176}$, which indicates a high order of security.

B. Differential Cryptanalysis

The jth instance of the ciphertext in our cryptosystem is considered as
$$y_j = \Big(2F\big((m_j + e^{(j)}_{N_e}),\, h^{(j)}_{N_h}\big)\, G_\Lambda - 1 + 2e^{(j)}_{N_e}\Big) P^{(j)}_{N_p},$$
which varies with the number of clock cycles. Only the first round of the encryption is used in the chosen plaintext attack proposed in [16]. Indeed, the ciphertexts are computed for each message after resetting the encryption machine. Since an attacker calls $y_1$ for different chosen plaintexts, the subscripts of $m_i$ and $y_i$ are ignored for the time being, and $m^{(i)}$ and $y^{(i)}$ represent the plaintext and the corresponding ciphertext used in the ith call of $y_1$. In our scheme, $y^{(\beta)}$, for $\beta = 0, \ldots, 2^l$, is considered as the βth instance of the ciphertext corresponding to the plaintext $m^{(\beta)}$ as follows
$$y^{(\beta)} = \Big(2F\big((m^{(\beta)} + e_1), h_1\big)\, G_\Lambda - 1 + 2e_1\Big) P_1.$$
This attack has three steps: estimate the permuted generator matrix $G_\Lambda P_1$, recover the intentional vector $e_1$, and decode the ciphertext. In the first step, the attacker computes the ciphertext corresponding to the first round of the encryption for the binary plaintext $m^{(\beta)}$, for $\beta = 0, \ldots, 2^l$, in which the last $(n - k)$ bits of the message are equal to zero. Since
$$y^{(\beta)} = \big(2x'^{(\beta)} G_\Lambda - 1 + 2e_1\big) P_1 = \big(2(x^{(\beta)} - zL)\, G_\Lambda - 1 + 2e_1\big) P_1,$$
the attacker computes
$$y^{(\beta)} \pmod{L} = \big(2x^{(\beta)} G_\Lambda - 1 + 2e_1\big) P_1 = \big(2F((m^{(\beta)} + e_1), h_1)\, G_\Lambda - 1 + 2e_1\big) P_1.$$
Then, for $\beta = 0, \ldots, 2^l$, the attacker has
$$v^{(\beta)} = \frac{y^{(\beta)} \pmod{L} + 1}{2} = F((m^{(\beta)} + e_1), h_1)\, G_\Lambda P_1 + e_1 P_1.$$
Indeed, the attacker computes
$$v^{(i)} = F((m^{(i)} + e_1), h_1)\, G_\Lambda P_1 + e_1 P_1,$$
for $i = 1, \ldots, 2^l$, to obtain
$$\sum_{\beta=1}^{2^l} v^{(\beta)} = \sum_{\beta=1}^{2^l} \Big( F((m^{(\beta)} + e_1), h_1)\, G_\Lambda P_1 + e_1 P_1 \Big) = \sum_{\beta=1}^{2^l} F((m^{(\beta)} + e_1), h_1)\, G_\Lambda P_1 + \sum_{\beta=1}^{2^l} e_1 P_1.$$

On the other hand, according to Eq. (1), we have
$$F((m^{(\beta)} + e_1), h_1)\, G_\Lambda P_1 = F((m^{(\beta)} + e_1), h_1)_{[1:k]}\, G_C P_1 + F((m^{(\beta)} + e_1), h_1)_{[k+1:n]}\, \big[\, 0 \;\; 2I_{n-k} \,\big] P_1,$$
where $G_C$ is the systematic form of the generator matrix of the used QC-LDPC code (Eq. (4)) and $x_{[1:k]}$ denotes the entries 1 to k of the vector x. Therefore, recovering $G_C$ is sufficient for determining $G_\Lambda$, and the attacker has the following steps to recover $G_\Lambda P_1$:
$$\sum_{\beta=1}^{2^l} v^{(\beta)} \equiv \Big( \sum_{\beta=1}^{2^l} F'\big((m^{(\beta)} + e_1), h_1\big) \Big) G_C P_1 \pmod 2,$$
where $F'(a, b) = \{f_1(a, b) \pmod 2, \ldots, f_k(a, b) \pmod 2\}$ and the $f_i(a, b) \pmod 2$ are the Boolean functions defined in Eq. (3). The algebraic degree of each component function and of their nonzero linear combinations is $d + 1$ [38]. Therefore, the algebraic degree of the function $F'$ is equal to $d + 1$.
Let $L[u_1, \ldots, u_l]$ be the list of all $2^l$ possible linear combinations of $u_1, \ldots, u_l$, where $u_i \in \mathbb{F}_2^n$ is a vector with a 1 in the ith position and zeros in all the other positions. We recall that the lth derivative of a Boolean function $f(x)$ is defined as $\Delta^{(l)}_{u_1, \ldots, u_l} f(x) = \sum_{c \in L[u_1, \ldots, u_l]} f(x + c)$ [39]. Therefore, since the $m^{(\beta)}$ are binary vectors with zero components in the last $(n - k)$ positions,
$$\sum_{\beta=1}^{2^l} v^{(\beta)} \pmod 2 = \Big( \sum_{m^{(\beta)} \in L[u_{i_1}, \ldots, u_{i_l}]} F'\big((m^{(\beta)} + e_1), h_1\big) \Big) G_C P_1 = \Big( \Delta^{(l)}_{u_{i_1}, \ldots, u_{i_l}} F'(e_1, h_1) \Big) G_C P_1. \qquad (10)$$
When $l = \deg(F')$ and $u_{i_1}, \ldots, u_{i_l}$ are chosen such that $i_\rho \le k$ for $\rho = 1, \ldots, l$, then $\Delta^{(l)}_{u_{i_1}, \ldots, u_{i_l}} F'(e_1, h_1)$ is a constant vector independent of $e_1$. Hence, Eq. (10) returns a linear equation with respect to $G_C P_1$. If the attacker has k such linearly independent equations, then he can find $G_C P_1$. Therefore, the attacker computes Eq. (10) for other messages, at least k times, to prepare a system of k linear equations with respect to $G_C P_1$ and then solves it. The complexity of the first step of the attack is $O(k \times 2^{\deg(F')})$. Since the vector h is secret, the attacker needs $2^{d-1}$ guesses. Hence, the overall complexity of recovering $G_C P_1$ is of order $O(k \times 2^{d-1} \times 2^{\deg(F')}) = O(k \times 2^{d-1} \times 2^{d+1}) = O(k \times 2^{2d})$. For the proposed QC-LDPC lattice with $(k, n) = (215, 258)$ and $d = 61$, the complexity of the attack is $2^{129}$.
The next steps of this attack involve recovering $e_1$ and decrypting the ciphertext using $P_1$. The first instance of the ciphertext is given as
$$v^{(1)} = F((m^{(1)} + e_1), h_1)\, G_\Lambda P_1 + e_1 P_1. \qquad (11)$$
The attacker applies it to $m^{(1)} = (0, \ldots, 0)$, obtaining
$$v^{(1)} \equiv F'(e_1, h_1)\, G_C P_1 + e_1 P_1 \pmod 2. \qquad (12)$$

Since $G_C P_1$ has been estimated in the previous step, the attacker should estimate $F'(e_1, h_1)$ and $F'(e_1, h_1)\, G_C P_1$ for all possible vectors $e_1$ and $h_1$. The corresponding $e_1 P_1$ can be computed using Eq. (12), that is, $v^{(1)} \pmod 2 \oplus F'(e_1, h_1)\, G_C P_1 = e_1 P_1$. Recovering the matrix $P_1$, based on this equation, requires a search of size $vq^2$ for the different choices of $(e_1, h_1)$. Indeed, Eq. (12) constructs a linear system of equations $x = e_1 P_1$ in terms of the $P_1$ entries as its variables. With $P_1$ as a block diagonal matrix, we have $x = (e_{1[1:q]}\pi_1,\, e_{1[q+1:2q]}\pi_2,\, \ldots,\, e_{1[(v-1)q+1:vq]}\pi_v)$, where $e_{1[(i-1)q+1:iq]}$ is the ith block of q bits of $e_1$. Moreover, each sub-permutation matrix has one nonzero component in each column, so the equation $x_j = e_{1[(j-1)q+1:jq]}\pi_j$ has $q^2$ solutions. Therefore, there are $vq^2$ solutions for $P_1$ in this system. The complexity of finding $\{\tilde e_1, \tilde h_1, \tilde P_1\}$ that satisfy Eq. (12) is $O(2^{(l_1 + l_2)} \times vq^2)$. The attacker repeats the same work to find $\{e_1, h_1, P_1\}$ satisfying Eq. (11) using an arbitrary message with complexity $O(2^{(l_1 + l_2)} \times vq^2)$. Then, the attacker compares $\{\tilde e_1, \tilde h_1, \tilde P_1\}$ and $\{e_1, h_1, P_1\}$ in order to verify the suitable set for this step. Hence, the complexity of estimating $\{e_1, h_1, P_1\}$ is approximately $O(2^{(l_1 + l_2 + 1)} \times 2vq^2)$, which is almost $O(2^{84})$ for the proposed scheme. At this moment, the attacker can decrypt any $v^{(1)}$ using $\{e_1, h_1, P_1\}$ and $G_C P_1$. Hence, the overall complexity for decrypting $v^{(1)}$ is $O(k \times 2^{2d} + 2^{(l_1 + l_2 + 1 + 1)} \times 2vq^2) \approx O(2^{129})$. Since the intentional error vector and permutation matrix change with each message, the encryption matrix $G_C P_i$ and each vector $e_i P_i$ change in the ith round of encryption, while the $h_i$ are known after estimation of $h_1$. Therefore, for recovering all keys, the attacker can consider the zero vector as a message and compute the ciphertext $v^{(2)} = F(e_2, h_2)\, G_\Lambda P_2 + e_2 P_2$.
Next, $G_C P_2$ is estimated with complexity of order $O(k \times 2^{\deg(F')}) = O(k \times 2^{d+1})$, approximately $O(2^{70})$ in our case. Furthermore, $P_2$ is computed based on the above equation of $v^{(2)}$ in the same way as mentioned above. The complexity of computing the other encryption matrices $G_C P_i$, for $i = 3, \ldots$, in each round is $O(2^{70})$. Thus, the overall complexity of this attack is $O(2^{129} + N_p \times 2^{70})$, where $N_p$ is the number of possible permutations. As a consequence, the overall complexity for the proposed parameters is $O(2^{129} + 2^{36} \times 2^{70}) \approx O(2^{129})$. Therefore, with the proposed parameters, we achieve a security level of 128 bits.

VII. COMPARISON

In this section, we compare our proposed lattice based cryptosystem with [12], [17] and [19], in which [12] is a lattice based joint scheme (based on LDLC lattices) and the others are based on error correcting codes. Moreover, in TABLE II, we review a number of previous schemes that join error correction and encryption in one process to enable efficient implementations. Although the existing schemes based on lattices and error correcting codes are not in the same category, we also point out the results of the joint schemes based on error correcting codes to provide an intuition about the counterpart of lattice based schemes.
The recent work of Stuart and Deepthi [17] is an RN-like scheme based on QC-LDPC codes that strengthens the cryptosystem against differential attacks. It has the smallest key size among other RN-like schemes, and its encryption and decryption complexity is $O(n^2)$ due to the nonlinear function used in its design. Similar to other RN-like schemes, the output of this scheme is fed into a modulator to transmit through an AWGN channel.

TABLE II
COMPARISON OF THE PROPOSED SCHEME WITH OTHER SECURE CHANNEL CODING SCHEMES.

Cryptosystem | Underlying code, C(n, k) | Information rate | Key size
Rao [1] | Goppa code, C(1024, 524), coding rate = 0.51 | N/A | 2 Mbits
Rao and Nam [2] | Hamming code, C(72, 64), coding rate = 0.89 | N/A | 18 kbits
Sobhi Afshar et al. [6] | EG-QC-LDPC code, C(2044, 1024), coding rate = 0.5 | N/A | 2.5 kbits
Hooshmand et al. [7] | EDF-QC-LDPC code, C(2470, 2223), coding rate = 0.9 | N/A | 3.55 kbits
Esmaeili et al. [9] | QC-LDPC code, C(2048, 1536), coding rate = 0.75 | N/A | 2.191 kbits
Esmaeili and Gulliver [10] | QC-LDPC code, C(2048, 1536), coding rate = 0.75 | N/A | 2.22 kbits
Adamo et al. (ECBC) [15] | LDPC code, C(256, 128), coding rate = 0.5 | N/A | 82 kbits
Pisek et al. [19] | QC-LDPC code, C(128, 256), coding rate = 0.5 | N/A | 128 bits
Stuart and Deepthi [17] | EDF-QC-LDPC code, C(124, 248), coding rate = 0.5 | N/A | 182 bits
LDLC lattice based cryptosystem [12] | Latin square LDLC lattice, n = 104 symbols | N/A | 3 Mbits
The proposed lattice based cryptosystem | RDF-QC-LDPC code, C(258, 215), L = 16 | 5 | 214 bits

The most efficient joint AES-coding scheme is proposed in [19], where QC-LDPC codes are
embedded in each round of the AES encryption and decryption. This scheme consists of two
parts for encryption and channel coding, with the encryption part which is more powerful than
classical AES. The coding part of the proposed scheme outperforms other conventional joint
AES-coding schemes. It applies the same parity-check matrix for the encryption and encoding
parts. Promising ideas such as using lower triangular matrices and the quasi-cyclic structure of
the LDPC code and using the same hardware resource for both parts, reduce power consumption
compared to other joint AES-coding schemes [19]. Encryption and channel coding cannot be
applied simultaneously in [19] and the output of encryption is fed into the encoder and then the
resulting data is passed through the QPSK modulator to transmit via an AWGN channel.
Unlike the schemes in TABLE II, we have merged these three steps into a single step using efficient lattices in our cryptosystem. This provides less delay, lower implementation complexity and better overall error performance for high-SNR or bandlimited channels. Column three in TABLE II gives the average number of information bits per symbol in the transmission, which is not available for the other schemes. To compute the average information bits per symbol in the transmission of a joint scheme, the coding rate of the code used in the structure of the scheme should be multiplied by the rate of the modulation that is applied afterwards. Since after encoding the rate of the joint schemes is less than 1, they should use high order modulation to compensate for this low rate on bandlimited AWGN channels. For example, with the proposed parameters in TABLE II, the information rate of our scheme is 5. To reach the same information rate, the code based schemes like [17] and [19], which have coding rate 0.5, should use a high order modulation like 1024-QAM after the coding step (0.5 × 10 = 5). However, applying high order modulation makes the error performance weaker. Therefore, code based schemes are not appropriate for bandlimited channels without combining them with high order modulation. In contrast, lattice codes are high order modulation schemes with error correction capability and provide a high information rate. Since there is no such complete setting for the concatenation of AES-joint schemes or RN-like schemes with a high order modulation in the literature, we cannot make a fair comparison of the overall error performance of code based joint schemes and our proposed scheme. Our lattice based scheme is the first candidate introducing a scheme for secure communication on bandlimited channels.

In the sequel, we compare the key size of our cryptosystem with that of the LDLC lattice based
scheme. In [12], Latin square LDLCs are used to provide a joint encryption and encoding scheme.
The encryption and decryption complexity of the proposed LDLC based scheme are O(n²β) and
O(n²δ), respectively, where β and δ are the maximum memory required to store each entry of
its rational generator matrix and of its secret key in binary form, respectively, and n is the lattice
dimension [12]. On the other hand, the ciphertext c is transmitted through an "unconstrained"
power AWGN channel. Indeed, the shaping is removed to decrease the encryption complexity;
however, the computational complexity of the encryption/encoding still grows rapidly due to the
unbounded lattice points, and the average transmitted power becomes too large.

The Latin square LDLC lattices are introduced by the parity-check matrix H, which is an n × n
Latin square. This matrix is determined by a generating sequence set $\mathcal{H} = \{h_1, h_2, \ldots, h_d\}$,
where the $h_i$ are the nonzero values placed at the appropriate locations of the Latin square H.
The generating sequence set $\mathcal{H}$ is considered as the secret key of the LDLC based scheme,
instead of its corresponding parity-check matrix H [12]. In this way, the legitimate receiver has
to construct the same parity-check matrix H from the secret key $\mathcal{H}$ and is then able to recover
the original message in decryption. It can be shown that the generating set $\mathcal{H}$ does not determine
a unique parity-check matrix for the Latin square LDLC used in decryption, and so the qualified
receiver is not able to decrypt the ciphertexts correctly. Since there are
$$L(n) = n! \sum_{A \in B_n} (-1)^{\sigma_0(A)} \binom{\mathrm{per}(A)}{n}$$
$n \times n$ Latin squares, where $B_n$ is the set of all binary $n \times n$ matrices, $\sigma_0(A)$ is the number
of zero entries of the matrix $A$ and $\mathrm{per}(A)$ is the permanent of $A$ [36], there are at least
$L(n)/(n-d)!$ different parity-check matrices for Latin square LDLCs with the given generating
set $\mathcal{H}$. Thus, for successful decryption, the generating set $\mathcal{H}$ should be replaced with the
parity-check matrix H as the secret key in [12]. In this way, since the position of each nonzero
entry has to be saved along with its value, the memory consumption for saving H is
$nd\,(r + 2\lceil \log_2(n) \rceil)$ bits, where $r$ is the maximum number of bits required for saving
$h_i$, for $i = 1, \ldots, d$.


The secret key of the proposed LDLC based scheme is $K = \{H, P\}$, where $P = \{p_1, p_2, \ldots, p_d\}$
is the set of indices such that $1 \le p_i \le n$, for $1 \le i \le d$ [12]. Therefore, the key size
of an LDLC based cryptosystem, when the parity-check matrix H is taken as the key, is at most
$d\,\bigl(n(r + 2\lceil \log_2(n) \rceil) + \lceil \log_2(n) \rceil\bigr)$ bits. At the same security level (128 bits),
the key size of the LDLC based cryptosystem for an LDLC with parameters $n = 10^4$, $d = 7$ and
$r = 16$ is 3080098 bits, while the key size of our cryptosystem with a (258, 215)-QC-LDPC code,
$b = q = 43$, $d_v = 3$, $n_0 = 6$ and $d_c = 18$ is 214 bits, which is much smaller. As a consequence,
our proposed cryptosystem has a small key size compared to other RN-like cryptosystems, and
can also perform modulation simultaneously.
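The following Python block is an added worked example, not code from the paper or from [12]. It implements the three quantities the key-size argument above rests on: the Shao-Wei count L(n) of n × n Latin squares [36] (by brute-force enumeration of the binary matrices B_n, so only tiny n are feasible), the lower bound L(n)/(n−d)! on the number of parity-check matrices that share one generating set, and the LDLC key-size bound d(n(r + 2⌈log2 n⌉) + ⌈log2 n⌉), which reproduces the 3080098-bit figure for n = 10^4, d = 7, r = 16. Function names are the example's own.

```python
# Added worked example (not the paper's code): the quantities used in the
# key-size comparison, namely the Shao-Wei count L(n) of n x n Latin squares,
# the lower bound L(n)/(n-d)! on parity-check matrices that are consistent with
# one generating set, and the LDLC key-size bound d(n(r + 2*ceil(log2 n)) + ceil(log2 n)).
from itertools import permutations, product
from math import ceil, comb, factorial, log2


def permanent(rows):
    """Permanent of a square 0/1 matrix (tuple of row tuples) by direct
    expansion over all permutations. Exponential in n; fine for tiny n."""
    n = len(rows)
    total = 0
    for perm in permutations(range(n)):
        term = 1
        for i, j in enumerate(perm):
            term *= rows[i][j]
            if term == 0:
                break
        total += term
    return total


def latin_square_count(n):
    """L(n) = n! * sum over A in B_n of (-1)^{sigma_0(A)} * C(per(A), n),
    where B_n is the set of all binary n x n matrices and sigma_0(A) is the
    number of zero entries of A (Shao-Wei formula, as quoted in the text)."""
    acc = 0
    for bits in product((0, 1), repeat=n * n):
        rows = tuple(bits[i * n:(i + 1) * n] for i in range(n))
        per = permanent(rows)
        if per < n:  # C(per, n) = 0, so this matrix contributes nothing
            continue
        sigma0 = n * n - sum(bits)
        acc += (-1) ** sigma0 * comb(per, n)
    return factorial(n) * acc


def min_parity_check_matrices(n, d):
    """Lower bound L(n)/(n-d)! on the number of distinct Latin-square
    parity-check matrices consistent with one generating set of d values."""
    return latin_square_count(n) // factorial(n - d)


def ldlc_key_bits(n, d, r):
    """Key size when H itself is the key: each of the n*d nonzero entries costs
    r bits for its value plus two ceil(log2 n)-bit indices for its position,
    and the index set P adds d further ceil(log2 n)-bit values."""
    idx = ceil(log2(n))
    return d * (n * (r + 2 * idx) + idx)


if __name__ == "__main__":
    for n in range(1, 5):
        print(f"L({n}) = {latin_square_count(n)}")
    print("LDLC key bits for n=10^4, d=7, r=16:", ldlc_key_bits(10**4, 7, 16))
```

Enumerating B_n costs 2^(n²) permanent evaluations, so the count is only a sanity check of the formula for n ≤ 4; the key-size function is the part that scales to the paper's parameters.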

VIII. CONCLUSION

In this paper, we have proposed a new RN-like encryption scheme using QC-LDPC lattices.
Moreover, we have exploited lattice codes related to these lattices to join encryption, channel
coding and modulation in a single step that is suitable for resource limited applications. The
proposed nonlinear cryptosystem is secure against all variants of chosen plaintext attacks against
RN-like encryption schemes. The main advantages of the proposed scheme are its high
information rate, small key size and low hardware complexity. As a consequence, the joint scheme
provides high speed and efficient implementation as well as secure and reliable data transmission
for bandlimited AWGN channels.

REFERENCES

[1] T. N. R. Rao, Joint encryption and error correction schemes, Proc. 11th annual International Symp. on Computer
Architecture, ISCA’84, pp. 240–241, 1984.
[2] T. N. R. Rao and K. H. Nam, A private-key algebraic-coded cryptosystem, In: Advances in Cryptology, Crypto’86, LNCS,
263, pp. 35–48, Springer Berlin Heidelberg, 1986.
[3] T. N. R. Rao and K. H. Nam, Private-key algebraic-code encryptions, IEEE Trans. Inf. Theory, 35, pp. 829–33, 1989.
[4] R. Struik and J. Tilburg, The Rao-Nam scheme is insecure against a chosen-plaintext attack, In: Advances in Cryptology,
Crypto’87, LNCS, 293, pp. 445–457, Springer Berlin Heidelberg, 1988.
[5] A. I. Barbero and O. Ytrehus, Modifications of the Rao-Nam cryptosystem, In Proceedings of International Conf. on Coding
Theory, Crypto. and Related Areas (ICCC98), pp. 1–13.
[6] A. A. Sobhi Afshar, T. Eghlidos and M. R. Aref, Efficient secure channel coding based on quasi-cyclic low-density parity-
check codes, IET Comm., 3, pp. 279–292, 2009.
[7] R. Hooshmand, T. Eghlidos and M. Aref, Improving the Rao-Nam secret key cryptosystem using regular EDF-QC-LDPC
codes, ISeCure, 4, no. 1, pp. 3–14, 2012.
[8] M. Esmaeili, M. Dakhilalian and T.A. Gulliver, New secure channel coding scheme based on randomly punctured quasi-
cyclic low-density parity check codes, IET Comm., 8, no. 14, pp. 2556–2562, 2014.
[9] M. Esmaeili and T. A. Gulliver, Joint channel coding-cryptography based on random insertions and deletions in QC-LDPC
codes, IET Comm., 9, no. 12, pp. 1555–1560, 2015.
[10] M. Esmaeili and T. A. Gulliver, A secure code based cryptosystem via random insertions, deletions, and errors, IEEE
Comm. Letters, 20, no. 5, pp. 870–873, 2016.
[11] N. Sommer, M. Feder and O. Shalvi, Low-Density Lattice Codes, IEEE Trans. Inf. Theory, 54, pp. 1561–1586, 2008.
[12] R. Hooshmand and M. R. Aref, Efficient secure channel coding scheme based on low-density Lattice codes, IET Comm.,
10, no. 11, pp. 1365–1373, 2016.
[13] T. A. Berson, Failure of the McEliece public-key cryptosystem under message-resend and related-message attack, In:
Advances in Cryptology, CRYPTO’97, LNCS.
[14] T. Hwang and T. Rao, Secret error-correcting codes (SECC), in Proceedings of the 8th annual international Cryptology
Conf. on Advances in Cryptology, CRYPTO’88, LNCS 403, pp. 540–563, 1990.
[15] O. Adamo, F. Shengli and M. R. Varanasi, Physical Layer Error Correction Based Cipher, IEEE Global TeleComm. Conf.,
GLOBECOM’10, pp. 1–5.
[16] Q. Chai and G. Gong, Differential Cryptanalysis of Two Joint Encryption and Error Correction Schemes, IEEE Global
TeleComm. Conf., GLOBECOM’11, Houston, TX, USA, pp. 1–6.
[17] C. M. Stuart and P. P. Deepthi, Nonlinear Cryptosystem Based on QC-LDPC Codes for Enhanced Security and Reliability
with Low Hardware Complexity and Reduced Key Size, Wirel. Pers. Comm., pp. 1–21, 2017.
[18] C. N. Mathur, K. Narayan, and K. Subbalakshmi, High diffusion cipher: Encryption and error correction in a single
cryptographic primitive, in Applied Crypto. and Network Security, Springer Berlin Heidelberg, pp. 309–324, 2006.
[19] E. Pisek, S. Abu-Surra, R. Taori, J. Dunham and D. Rajan, Enhanced Cryptcoding: Joint Security and Advanced Dual-Step
Quasi-Cyclic LDPC Coding, IEEE Global Comm. Conf., GLOBECOM’15, San Diego, CA, pp. 1–7.
[20] G. Ungerboeck, Channel coding with multilevel/phase signals, IEEE Trans. Inf. Theory, 28, no. 1, pp. 55–67, 1982.
[21] G. D. Forney and G. Ungerboeck, Modulation and coding for linear Gaussian channels, IEEE Trans. Inf. Theory, 44, no.
6, pp. 2384–2415, 1998.
[22] J. H. Conway and N. J. A. Sloane, Sphere Packings, Lattices and Groups, 3rd edition, Springer-Verlag, New York, 1998.
[23] M.-R. Sadeghi and D. Panario, Low-Density Parity-Check lattices based on Construction D' and cycle-free Tanner graphs,
Algebraic Coding Theory and Info. Theory, AMS DIMACS, 28, pp. 85–95, 2005.
[24] M.-R. Sadeghi, A. H. Banihashemi and D. Panario, Low-Density Parity-Check Lattices: construction and decoding analysis,
IEEE Trans. Inf. Theory, 52, pp. 4481–4495, 2006.
[25] L. Safarnejad, M.-R. Sadeghi, FFT based sum-product algorithm for decoding LDPC lattices, IEEE Comm. Letters 16,
no. 9, pp. 1504–1507, 2012.
[26] H. Khodaiemehr, D. Kiani and M.-R. Sadeghi, One-Level LDPC Lattice Codes for the Relay Channels, Iran Workshop on
Comm. and Inf. Theory, IWCIT 2015.
[27] H. Khodaiemehr, M.-R. Sadeghi and A. Sakzad, Practical Encoder and Decoder for Power Constrained QC LDPC-lattice
Codes, IEEE Trans. Comm., 65, no. 2, pp. 486–500, 2017.
[28] H. Khodaiemehr, D. Kiani and M.-R. Sadeghi, LDPC Lattice Codes for Full-Duplex Relay Channels, IEEE Trans. Comm.,
65, no. 2, pp. 536–548, Feb. 2017.
[29] H. Khodaiemehr, M.-R. Sadeghi, and D. Panario, Construction of fulldiversity 1-level LDPC lattices for block-fading
channels, in IEEE International Symp. on Inf. Theory, ISIT’16, Barcelona, Spain, July 10-15, pp. 2714–2718.
[30] K. Bagheri, M.-R. Sadeghi, T. Eghlidos and D. Panario, A secret key encryption scheme based on 1-level QC-LDPC lattices,
In Proc. of 13th International ISC (Iranian Society of Cryptology) Conf. on Inf. Security and Cryptology (ISCISC’16), IEEE,
pp. 20–25.
[31] K. Bagheri, M.-R. Sadeghi and T. Eghlidos, An Efficient Public Key Encryption Scheme Based on QC-MDPC Lattices, in
IEEE Access, vol. 5, pp. 25527–25541, 2017.
[32] M.-R. Sadeghi and A. Sakzad, On the performance of 1-level LDPC lattices, Iran Workshop on Comm. and Inf. Theory
(IWCIT 2013), pp. 1–5, 2013.
[33] M. Baldi, QC-LDPC Code-Based Cryptography, Springer, Berlin, 2014.
[34] G. L. Mullen, and D. Panario, Handbook of Finite Fields, Chapman & Hall/CRC, 2013.
[35] M.R. Darafsheh, Order of elements in the groups related to the general linear group, Finite Fields and Their Applications,
11, no. 4, pp. 738–747, 2005.
[36] J.-Y. Shao and W.-D. Wei, A formula for the number of Latin squares, Discrete Mathematics, 110, pp. 293–296, 1992.
[37] P.-P. Deepthi and P.-S. Sathidevi, Hardware stream cipher based on LFSR and modular division circuit, International
Journal of Electronics, Circuits and Systems, 2, 224–232, 2008.
[38] D. Mukhopadhyay and D. R. Chowdhury, A parallel efficient architecture for large cryptographically robust n × k (k > n/2)
mappings, IEEE Trans. on Computers, 60, no. 3, pp. 375–385, 2011.
[39] X. Lai, Higher order derivatives and differential cryptanalysis, Proceedings of the Symp. on Comm., Coding and Crypto.,
pp. 227–233, 1994.