Encryption Engine Based on Logical Entropy
A practical and didactic approach to encapsulating standard ciphers (such as AES-256-GCM) with a "logical entropy" layer that adds structural variability, configurable diffusion, and authentication of the logic itself. It is designed to integrate seamlessly without compromising compatibility or the infrastructure of any cipher where it is implemented.
Author: Roberto Aleman, ventics.com
License: GNU GPL v3
This document presents a practical, educational approach to wrapping standard ciphers (such as AES-256-GCM) with a layer of "logical entropy" that adds structural variability, configurable diffusion and authentication of the internal logic. It is designed to integrate without breaking compatibility or existing infrastructure.
- Idea central Logical entropy provides additional entropy by dynamically segmenting the plaintext, applying an unpredictable permutation, and performing a reversible mixing step (XOR or Feistel) before the AEAD stage.
- Relationship to modern cryptography The logical layer operates on top of a proven cryptographic engine (AES-GCM), adding structural complexity without weakening the underlying security.
- Purpose Compatibility and reinforcement rather than replacement. It enables an orderly migration path to post?quantum schemes while preserving the same architectural model.
- Inputs
- Seed 512 bits as the master secret.
- Logical nonce 96 bits for deterministic derivations and AEAD.
- Message arbitrary bytes.
- Derivations using HKDF and domain separation
- Kseg segmentation domain key.
- Kperm permutation domain key.
- Kmix mixing/keystream domain key.
- Kaead AEAD key for AES-256-GCM.
- Segmentation
- Deterministic cuts derived from Kseg and the logical nonce produce k segments with no empty pieces.
- Permutation
- Fisher-Yates shuffle using an HMAC-CTR PRNG (Kperm + nonce) yields a reproducible but unpredictable order.
- Mixing (lite mode)
- XOR per segment with a keystream derived from Kmix and the nonce. The operation is reversible.
- AEAD
- AES-256-GCM encrypts the concatenated C' .
- Associated Data includes version, k, hash of cuts, hash of permutation and permuted segment lengths to protect the internal logic.
| Aspect | AES-256-GCM | Logic Entropy Lite |
|---|---|---|
| Source of entropy | Key and nonce | Key, nonce, cuts and permutation |
| Diffusion | High and fixed | Configurable (XOR or Feistel) |
| Authentication scope | Data and optional AD | Data and internal logic authenticated |
| Compatibility | Standard | Wrapping, interoperable |
| Post-quantum posture | ~128 bits effective | Similar plus structural complexity |
| Migration to PQC AEAD | Requires replacement | Logical layer reusable with new AEAD |
- PHP 8+ with OpenSSL enabled.
- Standard extensions: hash, openssl.
- Quick option: copy the
logic_entropy_lite.phpfile into your project. - Distribution: publish as a Composer package if you plan to share or maintain it.
<?php
require 'logic_entropy_lite.php';
$seed512 = random_bytes(64); // 512 bits
$nonce_logic = random_bytes(12); // 96 bits
$msg = "Hola mundo";
$enc = logic_entropy_lite_encrypt($seed512, $nonce_logic, $msg);
echo "Original: {$msg}\n";
echo "Ciphertext (hex): {$enc['ciphertext_hex']}\n";
echo "Tag (hex): {$enc['tag_hex']}\n";
<?php
$rec = logic_entropy_lite_decrypt_full($seed512, $enc);
echo "Reversal (decrypted): {$rec}\n";
The "lite" version adds a layer of structural complexity on top of a proven AEAD (AES-256-GCM). Its practical robustness comes primarily from two independent layers:
- the symmetric security of the underlying AEAD engine (confidentiality and integrity), and
- the authentication of the logic (cuts, permutations, lengths) included in the AD.
- Additional workload for the attacker: it is not enough to attack the AEAD block; the authenticated segmentation and permutation must be reconstructed.
- Extended authentication: the internal logic is covered by AD, so any structural manipulation would break the AEAD verification.
- Configurable diffusion: allows you to adjust the degree of mixing (XOR vs Feistel) to increase diffusion if required.
- Operational compatibility: It integrates without replacing proven cryptographic engines, thus inheriting their basic guarantees.
- Security reduced to that of AEAD: if AES-GCM fails in practice (due to incorrect use, vulnerable implementation, or specific future attacks), the lightweight layer does not fix it; it only increases the practical cost of the attack.
- Dependence on secrecy and nonces: the determination of PRNG and HKDF requires unique secrecy/nonce; reuse of nonce or seeds compromises security.
- Lite model simplifies mixing: XOR-only mode is easily reversible (by design) and offers limited diffusion against advanced crypto analysis; it is not intended to replace strong internal rounds.
- Metadata surface: Although AD authenticates the logic, the inclusion and serialization of metadata must be flawless; errors in formatting or handling of AD can create subtle flaws.
- Not verified by formal analysis: the educational version has not undergone cryptographic auditing or formal testing; construction risks (order of operations, AD packaging) remain.
- Never reuse a nonce with the same AEAD key.
- Version HKDF domains and AD format to support future extensions.
- Optional telemetry: measure diffusion (Hamming distance) to compare modes.
- Parallelization: distribute segments to workers in XOR-only mode; use intra?round parallelism for Feistel in the full model.
- What it delivers A logical entropy layer that strengthens security by treating the message structure as entropy and protecting it via AEAD.
- Why it matters It allows evolution of cryptographic deployments without a disruptive reset of infrastructure and remains aligned with post?quantum readiness by retaining a symmetric core and being portable to future AEAD primitives.
- Real world applicability Suitable for firmware updates on chips, web services, and multi-language deployments. The code is simple, auditable and portable
- The author continues developing the concept of encryption based on logical entropy in a larger project that he is carrying out on his own. This document shows how part of the project allows an existing encryption to be wrapped and given an additional layer of security and integrity.
Legal Notice and Disclaimer:
The code and documentation are published as-is, without any express or implied warranties regarding suitability, safety, or fitness for a particular purpose. The material is offered solely for educational purposes and as a conceptual proposal for a larger project under development. The user is solely responsible for the implementation, testing, deployment, and use of the code or any derivatives. The author and collaborators assume no responsibility for damages, losses, vulnerabilities, misuse, or consequences resulting from the use of this material by third parties. By using this project, you agree to assume all associated risks and to maintain proper security and auditing practices.