The CIA triad is one of the most popular and valuable model of information security (cybersecurity) ensuring in information and communication technologies (ICT). It contains three basic following characteristics: confidentiality, integrity and availability. Confidentiality and integrity provides by cryptographic methods and tools [1-3]. Particularly, integrity provides by hash-functions or EDS as well as confidentiality provides by using symmetric (secret key cryptography, SKC) [2] and assymetric (Public Key Crytpography, PKC) ciphers [3]. The encryption process by symmetric ciphers is faster approximately in 102-103 times and it needs less computational capabilities.

Moreover, all cryptographic methods’ the undeniable advantage is protection the data itself rather than access to it. The principal criterion of choosing cryptosystems is the security level against some categories of cyberattacks. But for some specifical targets, the cryptographic data processing speed (as in the case of PKC or some up-todate applications based on SKC) plays a key role [4-5].

Despite the diversity of modern cryptographic methods and tools, not all of them have required level of efficiency (security and speed) to provide guaranteed data protection. There are many threats related to security breaches and restricted access data leakage in up-to-date ICT. Also the development and cost reduction of ICT positively affects the effectiveness of cryptanalysis, one of the most effective methods of which is linear and differential cryptanalysis (LDC) [6-8].

In the paper [4] two high-performance reliable block ciphers (BC) were proposed and its speed and security against LDC was estimated in comparison with most effective modern BCs like AES, Kalyna etc. Latest research papers [7-11] are oriented on quantitative estimation of BC security against LDC.

As time goes on some algorithms become worn out and outdated (i.e. DES, GOST 28147-89). New more secure and high-speed algorithms are used in modern ICT (web-applications, IoT, blockchain, critical infrastructure). ICT development as well as cryptanalysis methods and tools enforces to cryptographic security methods improvements and creating new ciphers based on these [12-14]. From this viewpoint, the main purpose of this paper is to study the efficiency (security level and speed parameters) of the new advanced BC.

Suppose t , p , r , q are natural numbers, t = 2t , p = 2 p , r = 2r + 1 , n = tp , q = pq , w = p , k = 2n , b = 2q (parameter b defines the quantity of different substitution tables (substitutions), which can be used in the method). Then the r rounded ciphering method  with thesetof cleartext messages (messages to encrypt) Vn = 0,1n , the set of secret keys Vk and the set of round keys Vn+q+w can be described by following sequence of stages:

Stage 1 – Round keys producing

At this stage ther number of round keys Ki , Ki Vn+q+w , i = 1, r is produced from the secret key K , K Vk .

Step 1.1. Decomposing secret key K , K Vk :

K = ( B−4 , B−3 , B−2 , B−1 ) , Bj Vn 2 , j = −4, −1 . (1) Step 1.2. Producing vectors B j , Bj Vn 2 , j = 0, c −1, c = 4r (n + q + w) n :  ( S ( Bj−4 ,W1, p)  ( Bj−2  P1 )  Bj−1  Q1 )  Bj−3  , j mod 4 = 0 Bj = ( S ( Bj−3  Bj−1,W2 , p)  ( Bj−2  P2 )  Q2 )  Bj−4 , j mod 4 = 1 , (2) ( Bj−4  ( S ( Bj−3 )  P3 ,W3 , p)  Bj−1  Q3 )  Bj−2 , j mod 4 = 2   ( S ( Bj−4  P4 ,W4 , p)  Bj−3  Bj−2  Q4 )  Bj−1 , j mod 4 = 3 where  is the Boolean operation of binary vectors coordinate wise addition, X  Y is the dynamic rotate left of bit sequence X for Y times, and X  Y is the dynamic rotate right of the bit sequence X for Y times, Wi , Pi , Qi are some constants, Wi , Pi , Qi Vn 2 , i = 1, 4 .

The substitution S is defined via following formula:

S ( x, y, z ) = ( syz−1 ( xz−1 ) , ... , sy0 ( x0 )) , x = ( xz−1, ... , x0 ) , y = ( yz−1, ... , y0 ) , (3) where x j Vt , y j Vq , sy j is the substitution table for the set Vt (one substitution table is chosen among b possible variants by index y j ), j  0, z −1.

Step 1.3.

Vectors

Ci , Ci Ve , i = 1, r , e = e n 2 , e = 2 (n + q + w) n  areformed by concatenation of vectors

B j ,

Bj Vn 2 , j = 0, c −1, c = 4r (n + q + w) n in inverse order (to form one vector Ci it should be used e number of vectors B j ):

Ci = ( Bc−1−(i−1)e || Bc−1−(i−1)e−1 || ... || Bc−1−(i−1)e−e+1 ) Step 1.4. Calculaion of round keys K i , Ki Vn+q+w , i = 1, r :

Ki = (Ci  i ) mod 2n+q+w .

The obtained keys K i , Ki Vn+q+w , i = 1, r will be used for secret message encryprion and decryption.

Stage 2 – Encryption procedure

At this stage the secret message is encrypted А = ( A1, A2 , A3 ,..., Au ) , А Vnu , Аj Vn , j = 1, u , where u is a natural number.

The encryption function of each Аj Vn , j = 1, u is following:

F = fr, Kr ... f1, K1 . (4) (5) (6)  ( x  k (1) , k (2) , k (3) ) , if i  r fi, Ki ( x) =   S ( x  k (1) , k (2) , p ) , if i = r  , where k (1) , k (2) , k (3) are parts of round key K i ( k = (k (1) , k (2) , k (3) ) , k (1) Vn , k (2) Vq , k (3) Vw ).

The substution S is defined in (3) and the substitution  is defined by follow:  ( x, y, h) = S ( x, y, p ) M (h) , x Vn , y Vq , h Vw where x = ( xp−1, ... , x0 ) , y = ( yp−1, ... , y0 ) , x j Vt , y j Vq .

M (h) is the invertible matrix 2 p  2 p over Galuis field GF ( 2t ) , which depends on h , and the multiplication S ( x, y, p) = ( syp−1 ( xp−1 ) , ... , sy0 ( x0 )) on M (h) in (8) is accomplished over this field in the following way: 1. Parameter sy ( x j ) ( j  0, p −1 ) is decomposed on 2 t  -bit parts.

j ( syj ( x j ) = ( syj ( x j )(1) , syj ( x j )(2) ) , syj ( x j )(1) , syj ( x j )(2) Vt ). 2. The vector B is formed from the part syj ( x j ) ( j  0, p ): 3. Vector B

B = sy0 ( x0(1) ) | | sy0 ( x0(2) ) | | ... | | syp−1 ( xyp−1(1) ) | | syp−1 ( xyp−1(2) ) .

and M (h) multiplying is accomplished over binary vector identification B j j  0, 2 p −1 ( Bj Vt ) of the matrix M ( p) elements.

The round function fi, Ki for all x Vn , Ki Vn+q+w , i 1, r is described as follows: (7) (8) (9) (10) (11)

On the basis of paper [9], for the proposed method analytical upper bounds of the parameters that characterize its practical security against cyberattacks of LDC are obtained as following:

 rBM 2+1 EDP ()  

 rBM 2+1 ELP ()     rBM 2+1 ,

   rBM 2+1 ,  where EDP () is the average probability of differential characteristic  , ELP () is the average probability of linear characteristic  , BM is M matrix branching index,   and the parameters  ,  ,  ,  are defined via the following formulas:  = max d(sj ) ( ,  ) : ,  Vt \ 0, j  0, b −1 ,  = max l(sj ) ( ,  ) : Vt ,  Vt \ 0, j  0, b −1 ,  = max b−1  d(sj ) ( ,  ) : ,  Vt \ 0 ,  b−1 

 j=0   = max b−1 b−1 l(sj ) ( ,  ) : Vt ,  Vt \ 0 .    j=0  (14)

In (11) – (14) d(sj ) is the difference table of the substitution s j ( j  0, b −1) over the bitwise addition operation modulo 2 and l(sj ) ( ,  ) are the tables of linear approximation of the substitution s j ( j  0, b −1) over this operation.

New advanced BC is developed on the basis of proposed method. Such parameters were chosen for he purposes of this BC: t = 8 , t = 2t = 16 (substitution tables capacity), p = 4 , p = 2 p = 8 , r = 4 , r = 2r + 1 = 9 (number of rounds), n = tp = 128 (size of data block in bits), q = 3 , q = pq = 24 , b = 2q = 8 (8 substitution tables are used over the set V16 ), w = 8 , k = 2n = 256 (size of secret keys in bits).

The proposed cipher works with 128-bit data blocks and supports a 256 bits length secret key. When expanding a secret key, the required number of 160-bit round keys is generated ( n + q + w = 128 + 24 + 8 = 160 ). Data blocks and extended keys are represented as 8×2 byte matrix.

For proposed BC the producing round key sprocedure is accomplished via formulas (1) – (5).

At the first step one 256-bit round key K is divided into 4 parts: K = ( B−4, B−3, B−2, B−1 ) 64 bit lentgth for each.

Then at the second step 2 auxilliary 64-bit vectors are calculated B j , j = 0, 44 ( c = 4r (n + q + w) n =

4  9  (128 + 24 + 8) /128 = 45 ). Here with it is used 64-bit constants Wi , Pi , Qi , i = 1, 4 (see the values of these constants in the Table 1). Also in step two the substitution S uses 8 substitution tables 1616 bits.

These substitution tables are set up using the calculation of the field inverse element the GF (2) (C / X )−1  GF (216 ) with the further execution of Affine transformation over

S ( X ) = M  (C / X )−1 + V , (15) where X , C,V  GF (216 ) , and M is the invertible square matrix over GF (2) , size of which is 1616 .

The parameters C , V and M are presented in hexadecimal values in the Table 2 (each row of matrix M is presented as a single hexadecimal number).

AddKeyMod 2 ( state, SubKey(1) ) implies a bitwise modulo 2 addition of 2 corresponding bits of the round key SubKey(1) and the data block state .

MixColumns ( state) operation rempresents the linear transformation of matrix state . During this operation each 8-byte column of data block state is considered as a polynomial over a field GF ( 28 ) with 8 terms, which is multiplied by fixed polynom ( c ( x ) raised to the power of 7 over the modulo x8 + 1 . As a polynomial c ( x ) was chosen the following polinomial: c ( x ) = 3x7 + 7x6 + x5 + 3x4 + 7x3 + 4x2 + 1Dx + 1 (factors are represented in hexadecimal format). As an irreducible polynomial the following polynomial was chosen: m ( x ) = x8 + x7 + x5 + x4 + x + 1 .

Proposed BC encryption procedure Input: 128-bit datab lock state , 160-bit round keys SubKeyi = ( SubKeyi(1) , SubKeyi(2) , SubKeyi(3) ) , i = 0, r , SubKeyi(1) V128 , SubKeyi(2) V24 , SubKeyi(3) V8 .

Output: 128-bit data block state . 1. state = AddKeyMod 2 (state, SubKey0(1) ) ; 2. 2.1. 2.2. 2.3. 2.4.

For i =1, i  r, i + + do state = SubBytes ( state, SubKeyi(2) ,8) ; state = ShiftRows ( state, SubKeyi(3) ) ; state = MixColumns (state) ; state = AddKeyMod 2 (state, SubKeyi(1) ) ; 3. state = SubBytes ( state, SubKeyr(2) ,8) ; 4. state = ShiftRows ( state, SubKeyr(3) ) ; 5. state = AddKeyMod 2 (state, SubKeyr(1) ) ; 6. return state .

Fig. 1. The new BC encryprion procedure pseudocode In SubBytes ( state, SubKey(2) , 8) operation the tabular substitution of every 16 bits of the data block state is performed.

This BC uses 8 tables over the set V16 , where in the choise of the particular table in each round depends on the part of round key SubKey(2) according to the formula (3).

The substitution tables were generated according to the formula (15), the parameters C , V and M , used in generation are presented in Table 2. Substition tables datais selected so that there are no fixed points,and also that for each substitution table of BC the equality for the parameters is executed:  =  = 2−14 .

In ShiftRows ( state, SubKey(3) ) operation depending on the part of the round keys SubKey(3) a byte wise shift of elements in the rows of the matrix state is performed. The length of the round key SubKey(3) part is 8 bit, so each bit of current vector affects on the shift of corresponding row of the matrix state .

For instance, if the first bit of the vector SubKey(3) equals 1, then the values of the columns of the first matrix state row are swapped, if the first bit of the vector SubKey(3) equals 0, then the values of columns are not changed. See decryption procedure pseudocode at the Fig. 2.

Proposed BC decryption procedure Input: 128-bit data block state ,160-bit round keys SubKeyi = ( SubKeyi(1) , SubKeyi(2) , SubKeyi(3) ) , i = 0, r , SubKeyi(1) V128 , SubKeyi(2) V24 , SubKeyi(3) V8 .

Output: 128-bit data-block state . 1. state = AddKeyMod 2 (state, SubKeyr(1) ) ; 2. For i =1, i  r, i + + do 2.1. state = ShiftRows (state, SubKeyr−i+1(3) ) ; 2.2.

state = InvSubBytes ( state, SubKeyr−i+1(2) ) ; 2.3. state = AddKeyMod 2 (state, SubKeyr−i(1) ) ; 2.4. state = InvMixColumns ( state) ; 3. state = ShiftRows ( state, SubKey1(3) ) ; 4. state = InvSubBytes (state, SubKey1(2) ) ; 5. state = AddKeyMod 2 (state, SubKey0(1) ) ; 6. return state .

Fig. 2. The new BC decryption procedure pseudocode state , which is inverse to

The InvMixColumns ( state) operation is a linear transformation of the matrix MixColumns ( state) operation. In this operation every 8GF ( 28 ) byte column of a data block state is considered as a polynomial over a field with 8 terms, which is multiplied by the fixed polynomial d ( x) raised to the power of 7 modulo x8 + 1 .

The following polynomial is chosen as a polynomial d ( x ) = 7 Ax7 + A1x6 + F 8x5 + EEx4 + 29x3 + 89x2 + EBx + 51 (factors are represented in hexadecimal format).

In the InvSubBytes ( state, SubKey(2) ) operation the tabular substitution of each 16 bit of data block state . This operation is inverse to SubBytes ( state, SubKey(2) ) operation, so it uses the inverse substitution tables in comparing with SubBytes ( state, SubKey(2) ) tables. d ( x ) :

For experimental study purposes (security and speed assessment), developed BC was implemented as a console application.

The sequences statistical properties, created using this application (in the counter mode), were investigated in NIST STS statistical tests environments [15] as well as in DIEHARD technique. The statistical portraits of the proposed BC are shown in Fig. 3. For comparison purposes, the results of the sequences testing generated by proposed BC, GOST 28147-89, Kalyna, AES ciphers are given in Table 3.

Generator BBS Kalyna GOST 28147-89 AES Proposed BC As can be seen from the results, proposed BC passed a comprehensive control over the NIST STS (Fig. 3) and DIEHARD techniques and showed no worse results than the ciphers above. The speed characteristics of ciphers are also studied. It has been shown experimentally that the proposed BC is faster than the GOST 28147-89 cipher approximately in 3.11 times, and 1,27 times or the Kalyna and AES ciphers (see Table 4). The research was conducted in the same conditions on Intel (R) Core (TM) i7-2600K CPU 3.4 GHz. Also the security ratings of the proposed BC over the methods of LDC are calculated. Accorfing to (9) – (14) formulas the parameters upper bounds values, characterizing this BC practical security against LDC methods are calculated:  =  = 2−14 , r = 4 , BM = 9 – EDP()  2−294 , ELP()  2−294 and number of round keys r = 9 . This results shows that if the r  9 then the practical security of the proposed BC over the foregoing cryptoanalysis methods [18-21] is provided.

In this paper the cryptographic security method was developed, which can increase the effectiveness of cryptographic security by using new procedures sequence of operations in generating round keys and encryption (using substitution tables with increased capacity and randomized linear and non-linear operations).

On the basis of this method, symmetric BC was developed. The values of parameters upper bounds characterizing its practical resistibility to cyber attacks of LDC are calculated.

Under the same conditions, experimental studies were carried out to evaluate the speed characteristics of ciphers, which showed that proposed BC is faster than the GOST 28147-89 cipher approximately in 3.11 times, and 1,27 times for the Kalyna and AES ciphers.

Also, the statistical properties of the sequences generated by proposed BC were investigated. As a result, it was shown that this BC cipher passed a complex control of the NIST STS and DIEHARD techniques and showed no worse results than other ciphers.

Future research study can be related with practical cryptographic security assessment of proposed BC against other cryptanalysis methods [16-17].

This scientific work was financially supported as a part of Ukrainian Young Scientists Project of Ministry of Education and Science of Ukraine as well as joint project of Shota Rustaveli National Science Foundation of Georgia and Science & Technology Center in Ukraine, Project N6321 [STCU-2016-08].

2. 3.