
Let $G$ be a group of order $n$ and let $e,d$ be integers such that $ed\equiv 1 \pmod{n}$. Then the exponentiation maps $x \mapsto x^e$ and $y \mapsto y^d$ are inverse maps on $G$.

These maps give us the Pohlig-Hellman exponentiation cipher. The secret key is the two numbers $e$ and $d$. The group $G$ and its order $n$ may or may not be secret. This block cipher is not secure (i.e. not a pseudo-random permutation) and very slow. However, it seems to me that it has some interesting properties when a suitable group is used.

  1. The block cipher can be used in OFB mode: We want to encrypt a message $m = m_1m_2\dots m_k$. The first ciphertext block $c_0 = r_0$ is chosen uniformly at random from $G$, then $$r_i = r_{i-1}^e, \qquad c_i = r_i m_i, \qquad i = 1, 2, \dots, k.$$ Under the assumption that $r,r^e,r^{e^2},\dots,r^{e^k}$ is random-looking, this is secure. (Let me stress that $e$ is secret and $r$ is random.)

  2. This block cipher can be used in CBC mode: We want to encrypt a message $m = m_1m_2\dots m_k$. The first ciphertext block $c_0$ is chosen uniformly at random from $G$, then $$c_i = (c_{i-1} m_i)^e, \qquad i = 1,2,\dots,k.$$ If OFB mode is secure, then this should also be secure, since the ciphertext is the random-looking sequence $c_0,c_0^e,c_0^{e^2},\dots,c_0^{e^k}$ multiplied with some stuff that only depends on the message and $e$.

  3. The block cipher can be used in CTR mode: Let $g\in G$ be a generator, which may be secret and part of the key. We want to encrypt a message $m = m_1m_2\dots m_k$. The first ciphertext block $c_0=r$ is chosen uniformly at random from $G$, then $$c_i = (r g^i)^e m_i, \qquad i=1,2,\dots,k.$$ This is not secure. An easy attack is to observe that $c_i/c_{i-1} = g^e m_i/m_{i-1}$ when $i>1$.

I believe all of this is well-known folklore, but the question is: Has anyone written this up anywhere?

kelalaka
K.G.
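The three modes above as an added worked example (not code from the question or from any library), instantiated over the toy group $G = (\mathbb{Z}/p\mathbb{Z})^*$ with the constructed parameter $p = 2^{31}-1$ (so $n = p-1$) and $g = 7$; the last function checks the observation made in the question, that in CTR mode the ratio $c_i/c_{i-1}$ does not depend on the random $r$.

```python
# Added example: Pohlig-Hellman exponentiation cipher in OFB, CBC and CTR mode
# over G = (Z/pZ)^*, order n = p - 1.  Parameters are constructed toy values.
import secrets

P = 2_147_483_647   # constructed: the Mersenne prime 2^31 - 1
N = P - 1           # order of the multiplicative group mod P

def keygen():
    """Pick e coprime to n and d = e^-1 mod n, so x -> x^e and y -> y^d invert each other."""
    while True:
        e = secrets.randbelow(N - 2) + 2
        try:
            return e, pow(e, -1, N)   # ValueError when gcd(e, n) != 1
        except ValueError:
            continue

def ofb_encrypt(e, msg, r0):
    """OFB: c_0 = r_0, r_i = r_{i-1}^e, c_i = r_i * m_i.  Returns [c_0, ..., c_k]."""
    out, r = [r0], r0
    for m in msg:
        r = pow(r, e, P)
        out.append(r * m % P)
    return out

def ofb_decrypt(e, ct):
    """Regenerate the same r_i sequence from c_0 and divide it out (needs only e)."""
    r, msg = ct[0], []
    for c in ct[1:]:
        r = pow(r, e, P)
        msg.append(c * pow(r, -1, P) % P)
    return msg

def cbc_encrypt(e, msg, c0):
    """CBC: c_i = (c_{i-1} * m_i)^e."""
    out = [c0]
    for m in msg:
        out.append(pow(out[-1] * m % P, e, P))
    return out

def cbc_decrypt(d, ct):
    """Inverse of CBC: m_i = c_i^d / c_{i-1}, using the decryption exponent d."""
    return [pow(ct[i], d, P) * pow(ct[i - 1], -1, P) % P for i in range(1, len(ct))]

def ctr_encrypt(e, g, msg, r):
    """CTR: c_0 = r, c_i = (r * g^i)^e * m_i."""
    return [r] + [pow(r * pow(g, i, P) % P, e, P) * m % P for i, m in enumerate(msg, 1)]

def ctr_ratios(ct):
    """c_i / c_{i-1} for i > 1; equals g^e * m_i / m_{i-1}, so r cancels out entirely."""
    return [ct[i] * pow(ct[i - 1], -1, P) % P for i in range(2, len(ct))]
```

Running `ctr_ratios` on two encryptions of the same message under different random $r$ returns identical lists, which is exactly why the CTR variant leaks message ratios.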

0 Answers