Encryption performance and security of certain wide block ciphers

Abstract

In a context of enhancing the performance of block encryption algorithms there are two well-known approaches. The first one relates to the construction of block cipher modes of operation. This approach is effective, but it requires a specific proof of security. The second approach deals with the construction of a cryptographic algorithm itself. In this paper, we introduce a novel family of schemes with a block size ranging from 256 up to 1056 bits. We call these algorithms Wide Block Ciphers (WBCs). The round transformation of the considered WBCs is based on a shift register with several feedbacks (the design is similar to the generalized Feistel networks). For the encryption transformation, i.e. the composition of round transformations, we study the properties of confusion, diffusion and mixing by methods of the Matrix-Graph Approach. We present a technique for evaluating these properties, which allows us to choose the algorithm parameters (block size, number of feedbacks, feedback locations) and propose the schemes reaching rational compromise between the encryption performance and the security level. The considered algorithms show better performance than other similar algorithms implemented by the original Feistel network with the same number of rounds. Without loss of generality, we focus on 256-3 version (256-bit block and three feedbacks). Developers can use the proposed schemes as building blocks of the algorithms for ensuring information confidentiality and integrity.

Appendices

Appendix A: WBC Schemes

See Figs. 4, 5, 6, 7, 8, and 9.

Fig. 9

Round of the WBC 1056-11

Appendix B: Proofs

1.1 The Proof of Theorem 1

Proof

We prove the Theorem 1 by induction. For \(t=1\) the proposition is obvious, and for any pair (i, j) we obtain \({m_{i,j}^{(1)}=m_{i,j}}\).

Now suppose the proposition be true for \(k<t\) as \(t\ge 2\). Show that the proposition be true for \(k=t\).

Denote by E(j) the set of all vertices from which the arcs go to \(j=1,\ldots ,n\). Without loss of generality, let \(E(j)=\{1,\ldots ,r\}\) for any fixed j, then \(m_{i,j}=0\) as \(i>r\). From the equation \(M^t=M^{t-1}M\) according to the Formula (1) we have

$$\begin{aligned} m_{i,j}^{(t)}=\max \{m_{i,1}^{(t-1)}m_{1,j},\ldots , m_{i,r}^{(t-1)}m_{r,j}\}. \end{aligned}$$

By the inductive hypothesis, \(m_{i,s}^{(t-1)}\) is equal to the greatest value of labels of all the paths of length \(t-1\) from i to s. This means that the product \(m_{i,s}^{(t-1)}m_{s,j}\) is equal to the greatest value of labels of all the paths of length t from i to j, provided that the vertex j is preceded by the vertex \(s, s=1,\ldots , r\). Hence, \(m_{i,j}^{(t)}\) is the greatest value of labels of all the paths of length t from i to j. \(\square \)

1.2 The Proof of Proposition 1

Proof

Let \(\mathrm{prf\,}g=t\), \(M(g)=M\), then \(g^t \in \varPi _n^{\langle 1 \rangle }\). Hence, \(M(g^t)=(1)_n\). In accordance with (2) \(M^t=(1)_n\). Then, \(\exp M \le t\). \(\square \)

1.3 The Proof of Theorem 2

For \(0\le i,j <n\) and \(s=1,\ldots ,t\), we use the following notation:

• \(g^{(s)}\) denotes the transformation on \(P^n\);

• \(\{g_j^{(s)} (x_0,\ldots ,x_{n-1})\}\) denotes the coordinate functions of the transformation \(g^{(s)}\);

• \(\{g_j^{[s]}(x_0,\ldots ,x_{n-1})\}\) denotes the coordinate functions of the product \(g^{(1)}\ldots g^{(s)}\);

• \(g_j^{(s)} (x_0,\ldots ,x_{n-1})=g_j^{(s)}\);

• \(g_j^{[s]}(x_0,\ldots ,x_{n-1})=g_j^{[s]}\);

• \(M_\varTheta (g^{(s)})=(m_{i,j}^{(s)})\);

• \(M_\varTheta (g^{(1)}\ldots g^{(s)})=(\mu _{i,j}^{[s]})\);

• \(M_\varTheta (g^{(1)})\ldots M_\varTheta (g^{(s)})=(m_{i,j}^{[s]})\).

Proof

We prove the result by induction. For \(s=1,\dots ,t\) and \(0\le i,j <n\), in the given notation we prove that \(\mu _{i,j}^{[s]}\le m_{i,j}^{[s]}\).

For \(t=1\) the theorem is obvious. For \(t=2\) by the rule of multiplication of ternary matrices we have

$$\begin{aligned} m_{i,j}^{[2]}=\max \{m_{i,0}^{(1)}m_{0,j}^{(2)},\ldots , m_{i,n-1}^{(1)} m_{n-1,j}^{(2)}\}, \end{aligned}$$

(10)

and for \(0 \le j < n\), by the rule of multiplication of transformations we have

$$\begin{aligned} g_j^{[2]}=g_j^{(2)}(g_0^{(1)},\ldots ,g_{n-1}^{(1)}). \end{aligned}$$

(11)

Let \(g_j^{(2)}\) be a constant function, then \(g_j^{[2]}\) is a constant too, due to (11). Hence, \(\mu _{i,j}^{[2]}=0\), i.e. the theorem is correct.

Let \(g_j^{(2)}\) be a linear function, which essentially depends on arguments, for example on \(x_0,\ldots ,x_r\), where \(r<n\), and for \(r<n-1\) does not essentially depend on \(x_{r+1},\dots ,x_{n-1}\). Then for \(0 \le j < n\), it follows from (11) that

$$\begin{aligned} g_j^{[2]}=a_0g_0^{(1)}+ \ldots +a_rg_r^{(1)}, \end{aligned}$$

(12)

\(a_0,\dots ,a_r\) are non-zero coefficients from the field P.

According to the condition, for \(r<n-1\),

$$\begin{aligned} m_{0,j}^{(2)}=\ldots =m_{r,j}^{(2)}=1, m_{r+1,j}^{(2)}=\ldots =m_{n-1,j}^{(2)}=0, \end{aligned}$$

and from (10) we have

$$\begin{aligned} m_{i,j}^{[2]}=\max \{m_{i,0}^{(1)},\ldots , m_{i,r}^{(1)}\}. \end{aligned}$$

(13)

If functions \(g_0^{(1)},\dots ,g_r^{(1)}\) do not essentially depend on \(x_i\) (i.e., fictitiously depend on \(x_i\)), then from the Formula (12) it follows that \(g_j^{[2]}\) does not essentially depend on \(x_i\). So, \(\mu _{i,j}^{[2]}=0\), and the theorem is correct. If some of the functions \(g_0^{(1)},\ldots ,g_r^{(1)}\) essentially depend on \(x_i\), then there is the linear or nonlinear dependence. Let for \(l\le r\), the functions \(g_0^{(1)},\ldots ,g_l^{(1)}\) linearly depend on \(x_i\), and for \(l<r\), the functions \(g_{l+1}^{(1)},\ldots ,g_r^{(1)}\) nonlinearly depend on \(x_i\). Then for \(l<r\), \(m_{i,0}^{(1)}=\ldots =m_{i,l}^{(1)}=1\), and \(m_{i,l+1}^{(1)}=\ldots =m_{i,r}^{(1)}=2\). Hence, for \(l<r\), \(m_{i,j}^{[2]}=2\) due to (13), so the theorem is correct. For \(l=r\) due to (13) \(m_{i,j}^{[2]}=1\), and due to (12) \(g_j^{[2]}\) fictitiously or linearly depends on \(x_i\). Therefore, \(\mu _{i,j}^{[2]} \le 1\), and the theorem is correct.

Let \(g_j^{(2)}\) be a nonlinear function, such that:

• \(g_j^{(2)}\) nonlinearly depends on \(x_0,\ldots ,x_p\) as \({0< p {\le } r<n}\);

• \(g_j^{(2)}\) linearly depends on \(x_{p+1},\dots ,x_r\) as \(p<r\);

• \(g_j^{(2)}\) fictitiously depends on \(x_{r+1},\dots ,x_{n-1}\) as \(r<n-1\).

Then for \(0 \le i, j < n\) and \(p<r\) the Formula (10) transforms to

$$\begin{aligned} m_{i,j}^{[2]} = \max \{2m_{i,0}^{(1)},\ldots ,2m_{i,p}^{(1)},m_{i,p+1}^{(1)},\ldots ,m_{i,r}^{(1)}\}, \end{aligned}$$

(14)

and for \(0 \le i, j < n\) and \(p=r\), (10) transforms to

$$\begin{aligned} m_{i,j}^{[2]} = \max \{2m_{i,0}^{(1)},\ldots ,2m_{i,r}^{(1)}\}. \end{aligned}$$

(15)

Under these conditions, for \(0 \le j < n\), let us clarify the Formula (11):

$$\begin{aligned} g_j^{[2]}=g_j^{(2)}(g_0^{(1)},\ldots ,g_{r}^{(1)}). \end{aligned}$$

(16)

If \(g_0^{(1)},\dots ,g_r^{(1)}\) fictitiously depend on \(x_i\), then due to (16), \(q_j^{[2]}\) fictitiously depends on \(x_i\). Hence, \(\mu _{i,j}^{[2]}=0\), and the theorem is correct.

Let some of the functions \(g_0^{(1)},\ldots ,f_r^{(1)}\) essentially depend on \(x_i\), i.e. there is linear or nonlinear dependence. If some of the functions \(g_0^{(1)},\ldots ,g_p^{(1)}\) essentially depend on \(x_i\) or some of \(g_{p+1}^{(1)},\ldots ,g_r^{(1)}\) nonlinearly depends on \(x_i\) as \(p<r\), then from (14) and (15) it follows that \(m_{i,j}^{[2]}=2\), and the theorem is correct.

If \(g_0^{(1)},\ldots ,g_p^{(1)}\) fictitiously depend on \(x_i\) as \(p<r\), and some of \(g_{p+1}^{(1)},\ldots ,g_r^{(1)}\) linearly depends on \(x_i\), then due to (14) and (15) \(m_{i,j}^{[2]}=1\). Moreover, it follows from (16) that \(g_j^{[2]}\) fictitiously or linearly depends on \(x_i\). Then \(\mu _{i,j}^{[2]} \le 1\), and for \(t=2\) the theorem is proved.

Thus, the theorem is correct for any two transformations on \(P^n\). Suppose that the theorem is true for \(t-1\), where \(t>2\). Let we prove that the theorem is true for t.

Denote by h the product \(g^{(1)}\ldots g^{(t-1)}\). We obtain that \(g^{(1)}\ldots g^{(t)}=hg^{(t)}\), and

$$\begin{aligned} M_\varTheta (g^{(1)}\ldots g^{(t)})=M_\varTheta (hg^{(t)}). \end{aligned}$$

It is proven above that \(M_\varTheta (hg^{(t)}) \le M_\varTheta (h) M_\varTheta (g^{(t)}).\) By the induction hypothesis,

$$\begin{aligned} M_\varTheta (h)\le M_\varTheta (g^{(1)})\ldots M_\varTheta (g^{(t-1)}). \end{aligned}$$

Hence, \(M_\varTheta (hg^{(t)}) \le M_\varTheta (g^{(1)})\ldots M_\varTheta (g^{(t)}).\)\(\square \)

1.4 The Proof of Theorem 3

Proof

Necessity. Suppose the labeled digraph \(\varGamma \) is \(\langle 2\rangle \)-primitive. For \(t \in \mathbb {N}\), \(\varGamma \) contains the path of length t from i to j with the value “2” of the label. Then, \(\varGamma \) contains the arc labeled “2” for any pair (i, j) of vertices. So, \(\varGamma \) is primitive and contains the arc with the label “2”.

Sufficiency. Let \(\varGamma \) be primitive and \(\exp \varGamma =t\). Then, for any \(i,j=\{0,\ldots ,n-1\}\), there are the paths \(w_{i,j}\) of length t, \(t+1, \ldots \) from i to j in \(\varGamma \). Let us construct the path \(w_{i,j}\) from i to j with the label “2”, such that:

$$\begin{aligned} w_{i,j}=w_i^{[2]} \bullet (\xi (i),s(i)) \bullet w_{s(i),j}(l_i), \end{aligned}$$

where \(l_i=t+d^{[2]}-len\,w_i^{[2]} \ge t\). The path \(w_{i,j}\) exists, because \(d^{[2]}-\mathrm{len\,} w_i^{[2]} \ge 0\), \({\mathrm{len\,}w_{i,j}=d^{[2]}+1+t>t}\). Hence, for any i, j in \(\varGamma \) there is the path of length \(d^{[2]}+1+t\) with the value “2” of the label. Therefore, \(\langle 2 \rangle \exp \varGamma \le 1+d^{[2]}+t\). The upper bound is proven.

On the condition, for \(\tau < \exp \varGamma \), and for some \(i,j\in \{0,\ldots ,n-1\}\), there is no path of length \(\tau \) from i to j in \(\varGamma \). So, the lower bound of \(\langle 2 \rangle \exp \varGamma \) is correct. \(\square \)

1.5 The Proof of Corollary 2

Proof

If the multigraph \(\varGamma '\) is not strongly connected, then in \(\varGamma '\) there are vertices i and j such that j is not reachable from i in any number of steps. Therefore, the label of any path from i to j has the value 0. Hence, due to Corollary 1, the arc (i, j) has the label “0” in the digraph \((\varGamma ')^t\) for any \(t\ge 1\). \(\square \)

1.6 The Proof of Proposition 2

Proof

Let \(\langle 2 \rangle \exp g=t\), \(M_\varTheta (g)=M\), then \(g^t \in \varPi _n^{\langle 2 \rangle }\), hence, \(M_\varTheta (g^t)=(2)_n\). Therefore, \(M^t=(2)_n\), and \(\langle 2 \rangle \exp M \le t\). \(\square \)

1.7 The Proof of Corollary 3

Proof

The left inequality follows from Theorem 3 because \(d^{[2]} \le n-1\) in \(\langle 2\rangle \)-primitive digraph. The right inequality is correct due to the well-known Wielandt result for \(\exp \varGamma \) [25]. \(\square \)

1.8 The Proof of Theorem 4

Denote by \(\pi ^k(z)\) the loop in the vertex z passing k times, where \(0 \le z < n\) and \(k \ge 0\).

Proof

1. 1

   . The digraph \(\varGamma ^l\) is \(\langle 2 \rangle \)-primitive and contains at least l loops. Then, \(\varGamma ^l\) contains the path \(w_{z,j}\) of length no more than \(n-1\) from for any vertex z with a loop to any vertex j. Hence, \(\varGamma \) contains the path \(u_{z,j}\) of length \(l(n-1)\) from any vertex z of the circuit C to any j.

   Denote by \(v_{i,z}\) the shortest path from i to the closest vertex z of the circuit C in \(\varGamma \). We see that \(\mathrm{len\,}v_{i,z} \le n-l\), so \(\varGamma \) contains the path

   $$\begin{aligned} u_{i,z}=w_i^{[2]} \bullet (\xi (i),s(i)) \bullet w_{s(i),z}. \end{aligned}$$

   The length of the path \(u_{i,z}\) at most \(d^{[2]}+1+n-l\), and also \(u_{i,z}\) passes through the arc with the label “2”. Therefore, for any vertices i and j, the path \(u_{i,z} \bullet u_{z,j}\) passes through the arc with the label “2” and has the length at most \(d^{[2]}+1+n+l(n-2)\). Hence, the bound (3) is correct.

2. 2.

   Suppose that the circuit C passes through the arc with the label “2”. Let us attach the loop \(\pi (z)\) to the beginning of the path \(w_{z,i}\) in \(\varGamma ^l\). We see that \(\varGamma ^l\) contains the path \(\pi (z)\bullet w_{z,j}\) of length at most n with the value 2 of the label. Then, \(\varGamma \) contains the path \(u_{z,j}\) of length at most ln with the value 2 of the label. Then, for any vertices i and j, \(\varGamma \) contains the path \(v_{i,z} \bullet u_{z,j}\) of length \(n+l(n-1)\) from i to j with the value “2”of the label. Hence, the bound (4) is correct.

\(\square \)

1.9 The Proof of Theorem 5

Denote by \(\pi ^k(z)\) the loop in the vertex z passing k times, where \(0 \le z < n\) and \(k \ge 0\).

Proof

1. 1.

   Denote by \(w_{s(i),z}\) the shortest path of length \(\tau \) from s(i) to the nearest vertex z with a loop; by \(w_{z,j}\) the shortest path of length \(\theta \) from z to j. For \(p>0\) and \(i,j \in \{0,\dots ,n-1\}\) we construct the path \(w_{i,j}\) passing through the arc with the label “2” and through the vertex z with a loop:

   $$\begin{aligned} w_{i,j}=w_i^{[2]} \bullet (\xi (i),s(i)) \bullet w_{s(i),z} \bullet \pi ^k (z)\bullet w_{z,j}, \end{aligned}$$

   where \(k \ge 0\). Then \(\tau \le n-p, \theta \le n-1\), and \(\mathrm{len}\,w_{i,j} \le d^{[2]} +2n-p+k\), where \(p>0\). Since i, j may take any value in \(\{0,\ldots , n-1\}\) and \(k \ge 0\), we have that \(\langle 2\rangle \exp \varGamma \le d^{[2]}+2n-p\).

2. 2.

   Denote by \(w_{i,z}\) the path of length no more than \(n-m\) from the vertex i to the nearest vertex z with the loop and label “2”; \(w_{z,j}\)– the path of length no more than \(n-1\) from z to j (if \(z=j\) then the path \(w_{z,j}\) is empty). For \(m>0\) and \(i,j \in \{0,\dots ,n-1\}\) construct the path \(w_{i,j}\) passing through the loop with the label “2”: \(w_{i,j}=w_{i,z} \bullet \pi ^k (z) \bullet w_{z,j}\). If \(k>0\), then the path \(w_{i,j}\) passes through the loop with the label “2”, and \(len\,w_{i,j} \le 2n-m-1+k\). Since i, j are arbitrary, and \(k>0\), then \(\langle 2\rangle \exp \varGamma \le 2n-m\).

\(\square \)

1.10 The Proof of Theorem 6

Proof

1. 1.

   From the Frobenius number

   $$\begin{aligned} F(n-1,n)=n^2-3n+1 \end{aligned}$$

   it follows that if \(t=0\), then (5) is not solvable in nonnegative integers \(k_0\) and \(k_1\); however, for any \(t>0\) the equation (5) is solvable. For \(k_0,k_1 \ge 0\) and \(k_0+k_1>0\), any circuit C in \(\varGamma \) consists of the circuit of length n passing \(k_0\) times, and the circuit of length \(n-1\) passing \(k_1\) times.

2. 2.

   For \(t=2,\ldots ,n-2\) the length \(\gamma -n-1+t\) of the circuit C is equal to

   $$\begin{aligned} n^2-3n+3, n^2-3n+4, \ldots , n^2-3n+n-1 \end{aligned}$$

   respectively. This length is not divisible by n or \(n-1\). Hence for \(i=0,1\), we have \(k_i>0\).

   For \(t=2\), let us prove that the pair \((k_0,k_1)\) is unique for the circuit of length \(l_2=\gamma -n+1\). We see that

   $$\begin{aligned} n^2-3n+3=n+(n-3)(n-1), \end{aligned}$$

   so we have \((k_0,k_1)=(1,n-3)\). For the existence of another \((k_0, k_1)\) it is necessary to have the equal lengths of the k-fold passing of the circuit \(C_0\), and l-fold passing of the circuit \(C_1\) , \(k,l\in \mathbb {N}\). Hence, it is necessary to obtain the equality \(kn=l(n-1)\). Only then, in accordance with (5), we have the given length of the circuit corresponds not only to the pair \((k_0,k_1)\), but also to the pairs \((k_0-k,k_1+l)\) or \((k_0+k,k_1-l)\), where both integers are nonnegative. Since \(n-1\) and n are co-prime integers, we see that \((n-1,n)\) is the smallest numbers k and l, such that \(kn=l(n-1)\), are equal \(n-1\) and n respectively. Hence, the pairs \((1-k,n-3+l)\) and \((1+k,n-3-l)\) do not satisfy the specified conditions. For the circuits of length \(t=3,\ldots ,n-2\) the proof is similar.

3. 3.

   For the proof it is sufficient to verify the equation (5) by substituting the specified lengths of circuits and the corresponding pairs \((k_0, k_1)\).

4. 4.

   For \(i,j=0,\ldots ,n-1\), the paths \(w_{i,j} (l)\) are provided by \(l \ge \gamma \), since \(\exp \varGamma = \gamma \). The path \(w_{0,0}(l)\) consist of the circuit \(C_0\) and the circuit of length \(l-n\). Then due to Theorem 6.1, we have \(l \ne \gamma -1\).

\(\square \)

1.11 The Proof of Lemma 1

Proof

The construction of the path \(w_{i,j}(l)\) defined by (6) is correct \(\iff \)\(\varGamma \) contains the circuit C(s) of length \(l-(j-i){\,\mathrm mod\,}{n}\). For different possible pairs (i, j) the length of the path \([i,j]^0\) is equal to sum of lengths \([i,s]^0\) and \([s,j]^0\). This sum takes values \(0,1,\ldots ,n-1\). Then the length of the circuit C(s) takes values \(l,l-1,\ldots ,l-n+1\) respectively. By Theorem 6.1, for \(l \ge \gamma -1\) and \(i,j=0,\ldots ,n-1\) there are the circuits of such lengths in \(\varGamma \). \(\square \)

1.12 The Proof of Theorem 7

Proof

The idea of the proof is to determine the smallest number \(t \in \mathbb {N}\) such that for \(i,j=0,\ldots ,n-1\) each arc (i, j) is labeled with “2” in \(\varGamma ^t\) , and at least one arc is labeled with “0” or “1” in \(\varGamma ^{t-1}\). Let us consider all possible positions of the label “2” at the arcs of \(\varGamma \).

1. 1.

   Both circuits have the arcs labelled with “2”. In particular, the common arc of these circuits labeled with “2”.

   Any path of length \(\gamma \) passes through the arc with label “2”, because it contains at least one of the circuits \(C_0\) or \(C_1\). Then, for \(i,j=0,\ldots ,n-1\) the arc (i, j) in \(\varGamma \) has the label “2”, and we have that \(\langle 2 \rangle \exp \varGamma \le \gamma \). By the definition, \(\langle 2 \rangle \exp \varGamma =\gamma \).

   Due to Lemma 1, for \(i,j=0,\ldots ,n-1\), \(\varGamma \) contains the path \(w_{i,j}(\gamma +n-1)\) defined by (6), the length of the circuit C(s) takes values \(\gamma +n-1,\gamma +n-2,\ldots ,\gamma .\)

2. 2.

   The arc \((n-1,1)\) is labeled with “2”, and all the arcs in the circuit \(C_0\) are labeled with “1”.

   If \(j \ne (i+1){\,\mathrm mod \,}{n}\) then for \(l=\gamma +n-1\) due to (8), the length of C(s) is not equal to \(n^2-n\), and for \(j=i,(i+2){\,\mathrm mod\,}{n},\ldots ,(i+n-1){\,\mathrm mod\,}{n}\), this length takes values \(n^2-n+1,n^2-2n+n-1,\ldots ,n^2-2n+2\) respectively. These values are not divided by n. Therefore, for the specified j we have \(k_1>0\) in the representation (5) for the length of C(s). Hence, for \(j \ne (i+1){\,\mathrm mod\,}{n}\), the circuit C(s) and the path \(w_{i,j} (\gamma +n-1)\) have the label “2”.

   For \(j=(i+1){\,\mathrm mod\,}n\), let us construct the path \(w_{i,j} (\gamma +n-1)\) of length \(n^2-n+1\) in another way: if \(i=0\), then the path \(w_{0,1}(\gamma +n-1)\) consists of the arc (0, 1) and the circuit \(C_1\)n-fold passing from the vertex 1; if \(i \ne 0\), then the path \(w_{0,1}(\gamma +n-1)\) consists of the arc \((i,(i+1){\,\mathrm mod\,}{n})\) and the circuit \(C_1\)n-fold passing from the vertex i. Therefore, in both cases the path contains the circuit \(C_1\) and has the label “2”. Hence, for \(i,j=0,\ldots ,n-1\) the arc (i, j) is labeled with “2” in \(\varGamma ^{\gamma +n-1}\).

   However, in \(\varGamma \) there is no path \(w_{0,0}(\gamma +n-2)\) through the arc \((n-1,1)\). Otherwise, the path completely passes the circuit \(C_1\), so the path consists of the arc (0, 1), the circuit \(C_1\), the path \([1,0]^0\) of length \(n-1\) and the circuit \(C''\) of length \(\gamma -n-1\). So, we have a contradiction, because in \(\varGamma \) there is no \(C''\) due to Theorem 6.1. Hence, in \(\varGamma ^{\gamma +n-2}\) the label of the arc (0, 0) does not equal “2”. Therefore, \(\langle 2 \rangle \exp \varGamma = \gamma +n-1\).

3. 3.

   The arc \((n-1,0)\) is labeled with “2”, the arc (0, 1) and all arcs in \(C_1\) are labeled with “1”; or the arc (0, 1) is labeled with “2”, the arc \((n-1,0)\) and all arcs of \(C_1\) are labeled with “1”.

   If \(j \ne (i+1){\,\mathrm mod\,}n\), then due to (6) for \(l=\gamma +n-1\), \(\mathrm{len \,} C(s)\ne n^2-n\), and for \(j=i,(i+2){\,\mathrm mod\,}{n},\ldots ,(i+n-1){\,\mathrm mod\,}n\), \(\mathrm{len \,} C(s)\) takes values \(n(n-1)+1,(n-1)^2+n-2,\ldots ,(n-1)^2+1\) respectively. These values are not divided by \(n-1\). So, for the specified j, we have \(k_0>0\) in the representation (5) for the length of C(s). Hence, the circuit C(s) and the path \(w_{i,j}(\gamma +n-1)\) are labeled with “2”.

   For \(j=(i+1){\,\mathrm mod\,}{n}\), let us construct the path \(w_{i,j}(\gamma +n-1)\) of length \(n^2-n+1\) as the circuit \(C_0\)\((n-1)\)-fold passing from the vertex i and the arc \((i,(i+1){\,\mathrm mod\,}{n})\). This path has the label “2” because it contains the circuit \(C_0\). Hence, for \(i,j=0,\ldots ,n-1\), the arc (i, j) is labeled with “2” in \(\varGamma ^{\gamma +n-1}\). The path \(w_{0,n-1}(\gamma +n-2)\) consists of the circuit C of length \(\gamma -1\). If the arc \((n-1,0)\) is labeled with “2”, then \(w_{0,n-1} (\gamma +n-2)\) also consists of the path \([0,n-1]^0\) of length \(n-1\). Else if the arc (0, 1) is labeled with “2”, then \(w_{0,n-1}(\gamma +n-2)\) consists of the path \([1,0]^0\) of length \(n-1\). By Theorem 6.3, it follows that the circuit C is uniquely determined as the circuit \(C_1\) passing \(n-1\)-fold times. In both cases, all the arcs of the path \(w_{0,n-1} (\gamma +n-2)\) have the label “1”. Hence, the label “1’ belongs to the arc \((0,n-1)\) in the first case, and to the arc (1, 0) in the second case. Therefore, in both cases we obtain that \(\langle 2\rangle \exp \varGamma = \gamma +n-1\).

4. 4.

   The arcs (0, 1) and \((n-1,0)\) are labeled with “2”. All the arcs of the circuit \(C_1\) are labeled with “1”.

   If \(j \ne i\) and \(j \ne (i+1){\,\mathrm mod\,}{n}\) then for \(l=\gamma +n-2\) in (8) we have that the length of C(s) is not equal to \(n^2-n\) or \((n-1)^2\); for \(j=(i+1){\,\mathrm mod\,}{n}\),\(\dots \), \((i+n-2){\,\mathrm mod\,}{n}\) the length of C(s) takes the values \(n(n-1)-1,n(n-1)-2,\ldots ,(n-1)^2+1\) respectively. These values are not divisible by \(n-1\). Therefore, for \(j=(i+1){\,\mathrm mod\,}{n},\ldots ,(i+n-2){\,\mathrm mod\,}{n}\) circuit C(s) has a representation (5) for \(k_0>0\). Hence, the circuit C(s) and the path \(w_{i,j} (\gamma +n-2)\) are labeled with “2”.

   For \(j=i\) the path \(w_{i,i} (\gamma +n-2)\) of length \(n^2-n\) consists of the circuit \(C_0\) passing \(n-1\)-fold times from the vertex i. It means the path \(w_{i,i} (\gamma +n-2)\) has the label “2”. For \(i=0\) and \(j=n-1\) the path \(w_{0,n-1}(\gamma +n-2)\) of length \(n^2-n\) consists of the path \([0,n-1]^0\) of length \(n-1\) and the circuit \(C_1\) passing \(n-1\)-fold times from the vertex \(n-1\). For \(i \ne 0\) and \(j=(i-1){\,\mathrm mod\,}{n}\) the path \(w_{i,j} (\gamma +n-2)\) also consists of the path \([i,(i-1){\,\mathrm mod\,}{n}]^0\) of length \(n-1\). Hence, the path \(w_{i,j} (\gamma +n-2)\) has the label “2” in all cases. Therefore, for \(i,j=0,\ldots ,n-1\) the arc (i, j) is labeled with “2” in \(\varGamma ^{\gamma +n-2}\).

   The path \(w_{1,n-1} (\gamma +n-3)\) consists of the path \([1,n-1]^0\) of length \(n-2\) and the circuit C of length \(\gamma -1\). By Theorem 6.3, it follows that the circuit C is uniquely determined as the circuit \(C_1\) passing \((n-1)\)-fold times. Hence, this path does not pass through the arc with the label “2”. Hence, the arc \((1,n-1)\) is labeled with “1”in \(\varGamma ^{\gamma +n-3}\). Therefore, we obtain the following result: \(\langle 2\rangle \exp \varGamma = \gamma +n-2\).

\(\square \)

1.13 The Proof of Corollary 4

Proof

For the labeled Wielandt digraph \(\varGamma \), the bound is correct due to Theorem 7. It is known [15] that the set of exponent values has the “gaps”: if the digraph \(\varGamma \) is different from Wielandt, then

$$\begin{aligned} \exp \varGamma \le n^2-3n+4. \end{aligned}$$

Therefore, according to the Corollary 3, we have

$$\begin{aligned} \langle 2 \rangle \exp \varGamma \le n^2-2n+4. \end{aligned}$$

At \(n\ge 3\) this bound is not greater than \(n^2-n+1\). \(\square \)