## Imprimitive permutation groups and trapdoors in iterated block ciphers (1999)

Venue: in Fast Software Encryption (L.R. Knudsen, ed), Lecture Notes in Computer Science 1636 (Springer–Verlag

Citations: 9 (1 self)

### BibTeX

```
@INPROCEEDINGS{Paterson99imprimitivepermutation,
    author = {Kenneth G. Paterson},
    title = {Imprimitive permutation groups and trapdoors in iterated block ciphers},
    booktitle = {in Fast Software Encryption (L.R. Knudsen, ed), Lecture Notes in Computer Science 1636 (Springer–Verlag},
    year = {1999},
    pages = {201--214}
}
```

### Abstract

Keywords: block, cipher, trapdoor, cryptanalysis, linear, differential, permutation, group

An iterated block cipher can be regarded as a means of producing a set of permutations of a message space. Some properties of the group generated by the round functions of such a cipher are known to be of cryptanalytic interest. It is shown here that if this group acts imprimitively on the message space then there is an exploitable weakness in the cipher. It is demonstrated that a weakness of this type can be used to construct a trapdoor that appears to be difficult to detect. An example of a DES-like cipher, resistant to both linear and differential cryptanalysis, that generates an imprimitive group and is easily broken, is given. Some implications for block cipher design are noted.

### Citations

584 | Differential Cryptanalysis of the DES-like Cryptosystems
- Biham, Shamir
- 1993
Citation Context: ... of the DES. Numerous attacks have been made on versions of the DES with modified S-boxes: see for example the early critique of DES in [10], the differential attacks on the DES with modified S-boxes in [2] and the attack of [15] on the proposals of [13]. Each S-box in the appendix has the following properties, similar to those given in [5] for the DES S-boxes: S1 Each S-box has six bits of input, four ...

481 | Linear cryptanalysis method for DES cipher
- Matsui
Citation Context: ...hese give only partial information about keys and require rather large S-box components to be present in the cipher. Knowledge of the trapdoor allows an efficient attack based on linear cryptanalysis [21]. Unfortunately, the work of [32] shows that these trapdoors are either easily detected or yield only attacks requiring infeasible numbers of plaintext/ciphertext pairs. In contrast, our trapdoor can ...

380 | Differential Cryptanalysis of the Data Encryption Standard
- Biham, Shamir
- 1993
Citation Context: ... security of DES. Numerous attacks have been made on versions of DES with modified S-boxes: see for example the early critique of DES in [11], the differential attacks on DES with modified S-boxes in [3] and the attack of [16] on the proposals of [14]. Each S-box in the appendix has the following properties, similar to those given in [5] for the DES S-boxes: S1 Each S-box has six bits of input, four ...

260 | A course in the theory of groups
- Robinson
- 1996
Citation Context: ...utation Groups and Trapdoors in Iterated Block Ciphers 203 SM. We can then use notions from the theory of permutation groups to study such ciphers. The necessary algebraic background can be found in [29] or [31]. The encryption functions of a particular iterated block cipher are obtained by the composition of round functions, that is, a set of keyed invertible functions on M, which we denote by {Rk :...

251 | Finite Permutation Groups
- Wielandt
- 1964
Citation Context: ...Groups and Trapdoors in Iterated Block Ciphers 203 SM. We can then use notions from the theory of permutation groups to study such ciphers. The necessary algebraic background can be found in [29] or [31]. The encryption functions of a particular iterated block cipher are obtained by the composition of round functions, that is, a set of keyed invertible functions on M, which we denote by {Rk : M → M, ...

129 | Nonlinearity Criteria for Cryptographic Functions
- Meier, Staffelbach
- 1990
Citation Context: ...made of our example. Firstly, the S-boxes are incomplete (that is, not every output bit of the S-boxes depends on every input bit). This goes against a generally accepted design principle for S-boxes [1, 15, 22] and would arouse suspicion. A close examination of the S-boxes and their interaction with the P permutation would then reveal our trapdoor. Incompleteness in the S-boxes also leads to a block cipher ...

124 | A.: Cryptanalysis of Skipjack Reduced to 31 Rounds Using Impossible Differentials
- Biham, Biryukov, et al.
- 1999
Citation Context: ...e degree of resistance to differential cryptanalysis in its basic form. We note however that our cipher is probably susceptible to more sophisticated attacks based on truncated [18] or impossible [19,2] differentials. 5 Trapdoor Design Each S-box in the appendix has the following property: By property P1, the combination of P followed by E moves two of the four outputs of the S-box (say qi and qj) s...

119 | S.: Markov ciphers and differential cryptanalysis
- Lai, Massey, et al.
- 1991

74 | The Data Encryption Standard (DES) and its strength against attacks
- Coppersmith
- 1994
Citation Context: ...on, and was performed whilst the author was visiting ETH Zurich. L. Knudsen (Ed.): FSE’99, LNCS 1636, pp. 201–214, 1999. © Springer-Verlag Berlin Heidelberg 1999 202 K.G. Paterson in the negative in [5] and a lower bound of 10^2499 was obtained in [4] for the size of this generated group. Thus the attacks of [13] are not applicable to DES. However the ability of a cipher (or its round functions) to ...

55 | Structured Design of Substitution-Permutation Encryption Networks
- Kam, Davida
- 1979
Citation Context: ...made of our example. Firstly, the S-boxes are incomplete (that is, not every output bit of the S-boxes depends on every input bit). This goes against a generally accepted design principle for S-boxes [1, 15, 22] and would arouse suspicion. A close examination of the S-boxes and their interaction with the P permutation would then reveal our trapdoor. Incompleteness in the S-boxes also leads to a block cipher ...

37 | Markov Ciphers and Differential Cryptanalysis
- Lai, Massey, et al.
- 1991
Citation Context: ...ed in [4] for the size of this generated group. Thus the attacks of [12] are not applicable to the DES. In [11], the groups generated by the round function of “mini-versions” of the block cipher IDEA [17] were calculated. However the ability of a cipher (or its round functions) to generate a large group does not alone guarantee security: an example of a weak cipher generating the symmetric group on th...

31 | Structured design of cryptographically good S-boxes
- Adams, Tavares
- 1990
Citation Context: ...made of our example. Firstly, the S-boxes are incomplete (that is, not every output bit of the S-boxes depends on every input bit). This goes against a generally accepted design principle for S-boxes [1, 15, 22] and would arouse suspicion. A close examination of the S-boxes and their interaction with the P permutation would then reveal our trapdoor. Incompleteness in the S-boxes also leads to a block cipher ...

29 | Generators for Certain Alternating Groups with Applications to Cryptography
- Coppersmith, Grossman
- 1975
Citation Context: ...or example, if either of these groups is “small” in size then the cipher may be regarded as having a weakness, since not every possible permutation of the message space can be realised by the cipher, [6,8]. Moreover, multiple encryption may offer little or no additional security if these groups are small. Attacks on ciphers whose encryptions generate small groups were given in [13]. Naturally, much att...

28 | Practically Secure Feistel Ciphers
- Knudsen
- 1993
Citation Context: ...we define an f function as follows: we divide the input r to the f function into two halves r1, r2 ∈ V16 and define f(r, k) = (f1(r1, k), f2(r2, k)) where fi : V16 × K → V16 are arbitrary. It was shown in [17] that the fi can be chosen so that the iterated block cipher with round function (l, r)Rk = (r, l ⊕ f(r, k)) is secure against linear and differential cryptanalysis. We model an attack based on two com...

27 | Results of an initial attempt to cryptanalyze the NBS data encryption standard,” Information System Lab
- Hellman, Merkle, et al.
- 1976
Citation Context: ...dule). We note that the selection of S-boxes is critical to the security of DES. Numerous attacks have been made on versions of DES with modified S-boxes: see for example the early critique of DES in [11], the differential attacks on DES with modified S-boxes in [3] and the attack of [16] on the proposals of [14]. Each S-box in the appendix has the following properties, similar to those given in [5] f...

22 | DES Is Not a Group
- Campbell, Wiener
- 1994
Citation Context: ...ing ETH Zurich. L. Knudsen (Ed.): FSE’99, LNCS 1636, pp. 201–214, 1999. © Springer-Verlag Berlin Heidelberg 1999 202 K.G. Paterson in the negative in [5] and a lower bound of 10^2499 was obtained in [4] for the size of this generated group. Thus the attacks of [13] are not applicable to DES. However the ability of a cipher (or its round functions) to generate a large group does not alone guarantee s...

20 | DES-like functions can generate the alternating group
- Even
- 1983
Citation Context: ...or example, if either of these groups is “small” in size then the cipher may be regarded as having a weakness, since not every possible permutation of the message space can be realised by the cipher, [6,8]. Moreover, multiple encryption may offer little or no additional security if these groups are small. Attacks on ciphers whose encryptions generate small groups were given in [13]. Naturally, much att...

18 | Shamir: Differential Cryptanalysis of the Full 16-round DES
- Biham, Adi
- 1991
Citation Context: ...then an output bit from S-box k cannot affect a centre bit of S-box j. 4.2 Security Against Linear and Differential Attacks Here we estimate the resistance of our example to linear [18] and differential [2, 3] cryptanalysis. We begin by estimating the complexity of a linear attack. By property S2 and Lemma 3 of [18], the best linear expression that is built up round-by-round and involves input bits to round...

14 | Is the Data Encryption Standard a Group? (Results of Cycling Experiments on DES
- Jr, Rivest, et al.
- 1988
Citation Context: ...ised by the cipher, [6,8]. Moreover, multiple encryption may offer little or no additional security if these groups are small. Attacks on ciphers whose encryptions generate small groups were given in [13]. Naturally, much attention has been devoted to groups associated with the DES algorithm. Early studies in [6] and [8] concentrated on the groups generated by a set of “DES-like functions”, of which t...

13 | Cycle Structure of the DES with Weak and Semiweak Keys
- Moore, Simmons
- 1987
Citation Context: ...n that the actual round functions of DES generate the alternating group. The question of whether the 2^56 encryptions of the full DES algorithm themselves form a group, or generate a small group (see [13,23]), was answered ⋆ This work was supported by The Royal Society through its European Science Exchange Programme and the Swiss National Science Foundation, and was performed whilst the author was visiti...

13 | The Cryptanalysis of FEAL4 with 20 Chosen Plaintexts
- Murphy
- 1990
Citation Context: ...n an output bit from S-box k cannot affect a centre bit of S-box j. 4.2 Security against Linear and Differential Attacks Here we estimate the resistance of our example to linear [21] and differential [24, 3] cryptanalysis. We begin by estimating the complexity of a linear attack. By property S2 and Lemma 3 of [21], the best linear expression that is built up round-by-round and involves input bits to roun...

10 | Linear Structures in Blockciphers
- Evertse
- 1988
Citation Context: ...possible to deduce the complete session key by another exhaustive search. We have a divide-and-conquer attack on the session key. This latter attack is then closely related to the attacks of [27] and [9] on ciphers whose round functions possess linear factors and linear structures respectively. For example, when M = Vn and the Yi consist of a linear subspace U of Vn and its cosets, we have a special ...

10 | Cryptanalysis of Iterated Block Ciphers
- Harpes
- 1996
Citation Context: ...bgroup generated by the t-round cipher itself has a block structure. Attacks exploiting a block structure holding probabilistically may also be powerful and worth examining. In this respect the thesis [10] is particularly relevant. Acknowledgements The author would like to thank Jim Massey for his encouragement during this research, and Lars Knudsen for patiently answering many questions and for his hu...

10 | Construction of DES-like S-boxes Based on Boolean Functions Satisfying the SAC
- Kim
- 1991
Citation Context: ...de on versions of DES with modified S-boxes: see for example the early critique of DES in [11], the differential attacks on DES with modified S-boxes in [3] and the attack of [16] on the proposals of [14]. Each S-box in the appendix has the following properties, similar to those given in [5] for the DES S-boxes: S1 Each S-box has six bits of input, four bits of output. S2 The best linear approximation...

10 | The One-Round Functions of the DES Generate the Alternating Group
- Wernsdorf
- 1993
Citation Context: ... which the actual round functions of DES form a subset. It was shown that these functions can generate the alternating group, a desirable property. Further work on this theme can be found in [26]. In [30] it was shown that the actual round functions of DES generate the alternating group. The question of whether the 2^56 encryptions of the full DES algorithm themselves form a group, or generate a small...

7 | A family of trapdoor ciphers
- Rijmen, Preneel
- 1997
Citation Context: ...ised, it can easily be made undetectable if the cipher design is not made public. We conclude by giving some implications of our work and ideas for future research. We mention here the recent work of [28] in which block ciphers containing partial trapdoors are constructed: these give only partial information about keys and require rather large S-box components to be present in the cipher. Knowledge of...

6 | A Weak Cipher that Generates the Symmetric Group
- Murphy, Paterson, et al.
- 1994
Citation Context: ... ability of a cipher (or its round functions) to generate a large group does not alone guarantee security: an example of a weak cipher generating the symmetric group on the message space was given in [25]. The most that can be said is that a small group may lead to an insecurity. Here we examine properties of the groups related to a block cipher more refined than simply their size. Consider the follow...

6 | DES has no per round linear factors
- Reeds, Manferdelli
- 1985
Citation Context: ... then be possible to deduce the complete session key by another exhaustive search. We have a divide-and-conquer attack on the session key. This latter attack is then closely related to the attacks of [27] and [9] on ciphers whose round functions possess linear factors and linear structures respectively. For example, when M = Vn and the Yi consist of a linear subspace U of Vn and its cosets, we have a ...

6 | Iterative Characteristics of DES and s^2-DES
- Knudsen
- 1993
Citation Context: ...attacks have been made on versions of the DES with modified S-boxes: see for example the early critique of DES in [10], the differential attacks on the DES with modified S-boxes in [2] and the attack of [15] on the proposals of [13]. Each S-box in the appendix has the following properties, similar to those given in [5] for the DES S-boxes: S1 Each S-box has six bits of input, four bits of output. S2 The ...

5 | Iterative Characteristics of DES and s^2
- Knudsen
- 1992
Citation Context: ...rous attacks have been made on versions of DES with modified S-boxes: see for example the early critique of DES in [11], the differential attacks on DES with modified S-boxes in [3] and the attack of [16] on the proposals of [14]. Each S-box in the appendix has the following properties, similar to those given in [5] for the DES S-boxes: S1 Each S-box has six bits of input, four bits of output. S2 The ...

4 | No Per Round Linear Factors
- Reeds, Manferdelli, et al.
- 1985
Citation Context: ... then be possible to deduce the complete session key by another exhaustive search. We have a divide-and-conquer attack on the session key. This latter attack is then closely related to the attacks of [23] and [9] on ciphers whose round functions possess linear factors and linear structures respectively. For example, when M = Vn and the Yi consist of a linear subspace U of Vn and its cosets, we have...

3 | Applications of higher order differentials and partial differentials
- Knudsen
- 1995
Citation Context: ...ssesses a reasonable degree of resistance to differential cryptanalysis in its basic form. We note however that our cipher is probably susceptible to more sophisticated attacks based on truncated [18] or impossible [19,2] differentials. 5 Trapdoor Design Each S-box in the appendix has the following property: By property P1, the combination of P followed by E moves two of the four outputs of the S-...

3 | Permutation generators of alternating groups
- Pieprzyk, Zhang
- 1990
Citation Context: ...ions”, of which the actual round functions of DES form a subset. It was shown that these functions can generate the alternating group, a desirable property. Further work on this theme can be found in [26]. In [30] it was shown that the actual round functions of DES generate the alternating group. The question of whether the 2^56 encryptions of the full DES algorithm themselves form a group, or generat...

2 | Cryptanalysis of Rijmen-Preneel trapdoor ciphers
- Wu, Bao, et al.
- 1998
Citation Context: ...n about keys and require rather large S-box components to be present in the cipher. Knowledge of the trapdoor allows an efficient attack based on linear cryptanalysis [21]. Unfortunately, the work of [32] shows that these trapdoors are either easily detected or yield only attacks requiring infeasible numbers of plaintext/ciphertext pairs. In contrast, our trapdoor can be inserted into a block cipher w...

1 | Markov Ciphers and Alternating Groups." Presented at Rump Session
- Hornauer, Stephan, et al.
- 1993
Citation Context: ...that G and the Gt act on the message space M. The groups Gt are hard to compute in practice, but we have the following result relating them to the group G generated by the round functions: Theorem 1 ([12]). With notation as above, Gt is a normal subgroup of G. Moreover the group generated by the t-round encryptions with round keys from a particular key-schedule is a subgroup of Gt. Example 1. DES (des...

1 | A 128-bit Block Cipher,” available online at http://www.ii.uib.no/ larsr/papers/deal.ps Revised
- Knudsen, “DEAL
- 1998
Citation Context: ...e degree of resistance to differential cryptanalysis in its basic form. We note however that our cipher is probably susceptible to more sophisticated attacks based on truncated [18] or impossible [19,2] differentials. 5 Trapdoor Design Each S-box in the appendix has the following property: By property P1, the combination of P followed by E moves two of the four outputs of the S-box (say qi and qj) s...