Define a commutative block cipher with keyspace the finite set $K$, and data space the finite set $S$, to be an application $$\begin{align} E:K\times S&\mapsto S\\ (k,x)&\mapsto E(k,x)\text{ also noted }E_k(x)\\ \text{such that }&\forall k\in K,\forall x\in S, \forall y\in S,\text{ if }E(k,x)=E(k,y)\text{ then }x=y\\ \text{and }&\forall k\in K,\forall k'\in K, \forall x\in S,E(k',E(k,x))=E(k,E(k',x))\\ \end{align}$$ Note: the first property states that the application $E_k$ from $S$ to $S$ is injective, implying that it is a permutation of $S$ given this is a finite set, and that's standard for a cipher; the second property is what makes the cipher commutative.
Question: what commutative block cipher do we have that is
- conjectured computationally indistinguishable with effort polynomial in $\log(|K|)$ from a random permutation for unknown random fixed key $k$, assuming the attacker can obtain ciphertext for iteratively chosen plaintext;
- efficiently computable, at least in the encryption direction (and preferably for decryption as well)?
If there was none: do we have some proof this can't be achieved?
In this answer, I explored a variant of the Pohlig-Hellman Exponentiation Cipher $(k,x)\mapsto E_k(x)=x^k\pmod p$ but stalled with something that remains distinguishable from a random permutation due to a multiplicative property similar to that of naked RSA: $\forall k\in K,\forall x\in S, \forall y\in S, E_k(x\cdot y\bmod p)=E_k(x)\cdot E_k(y)\bmod p$.
Update: the question as is was perfectly answered by poncho. Here is take two.
