The Round Functions of KASUMI Generate the Alternating Group

DOI 10.1515/jmc-2013-0028 Ë J. Math. Cryptol. 2015; 9 (1):23–32

Research Article

Rüdiger Sparr and Ralph Wernsdorf The round functions of KASUMI generate the alternating group

Abstract: We show that the round functions of the KASUMI block cipher for odd and even round type generate the alternating group on the message space. Moreover, under the assumption of independent round keys, we prove that also the KASUMI two-round functions and the KASUMI encryption functions generate the alternating group.

Keywords: KASUMI, block cipher, permutation groups

MSC 2010: 94A60, 20B35

ËË Rüdiger Sparr, Ralph Wernsdorf: Rohde & Schwarz SIT GmbH, Am Studio 3, 12489 Berlin, Germany, e-mail: [email protected], [email protected] Communicated by: Robert Gilman

1 Introduction

KASUMI is a -bit block cipher with -bit key size which is used for the condentiality and integrity algorithms of the Third Generation Partnership Project ( GPP) for mobile communications [7]. KASUMI is based on the MISTY64block cipher [15] and is128 carefully designed to resist conventional dierential and linear cryptanalysis [1]. It has been shown that the four-round3 KASUMI-type permutation is pseudorandom and that the six-round1 KASUMI-type permutation is super-pseudorandom under an adaptive distinguisher model [11]. Furthermore, as shown in [6], KASUMI is susceptible to a related key attack using four related keys, which however is not a security threat for the use of KASUMI in GSM and UMTS applications. Recent further cryptanalysis results about KASUMI can be found in [12, 19]. In this paper we present several new results on group theoretic properties of the KASUMI round functions and component functions. For any block cipher, it is desirable to exclude possible structural defects for the group generated by the round functions, such as an insucient diversity of occurring permutations or imprimitivity. Because of the widespread use for GPP mobile communications, the exclusion of such structural weaknesses appears particularly relevant for the KASUMI block cipher. As shown by Paterson [17], there are DES-like block ciphers which possess a certain3 resistance to linear and dierential cryptanalysis, but can be easily broken since the round functions generate a group which acts imprimitively on the message space. A further purpose for the analysis of group theoretic properties of a block cipher stems from the fact that, if the round functions of the cipher generate the alternating group on the message space, then general security proofs for the cipher are possible with respect to the Markov cipher approach to classical dierential cryptanalysis (cf. [2, 10, 16]). For the DES [4], AES [22], and other ciphers, several results on the cyclic and group theoretic structure of their components have already been found (see [3, 5, 8, 13, 21, 23, 24]). The paper is organized as follows. In Section 2 we provide some notions and facts from the theory of permutation groups which are used in this paper. In Section 3 we give a description of the KASUMI block cipher. In Section 4 we investigate cyclic properties of the internal components of the KASUMI round functions and prove an unexpected property of the FO-functions of KASUMI. In Section 5 we show that the groups generated by the KASUMI round functions for odd and even round type are equal to the alternating group on the message space 64. In Section 6 we show that also the KASUMI two-round functions as well as the KASUMI encryption functions generate the alternating group on the set 64 under the assumption of independent round keys. In Section{0, 1} 7 we nish the paper with some concluding remarks. {0, 1} 24 Ë R. Sparr and R. Wernsdorf, The round functions of KASUMI

2 Group theoretical facts

For any nonempty nite set , the group of bijective mappings of onto itself is denoted by X. If is a natural number and , we also write n instead of X. Every subgroup of X is called a permutation group on . Let be a natural numberX with . A permutationX group X is called -transitiveS n if, for any ~ pair of -tuplesX = {1,1 . . . , n}~ , 1 ~ S with i S j i j for , thereS is a permutation with Xi i ~for .A -transitive0 < permutation~ ≤ |X| group is simply calledG ≤ Stransitive.~ If is a permutation group on~ a set (aand, . . . , a ) ,(b the, . subgroup . . , b ) ∈ X of all a ̸= witha , b ̸= b isi denoted̸= j by a. g ∈ G g(a )For= b multiplei = transitivity1, . . . , ~ 1 we have the following proposition (cf. [25]). G X a ∈ X g ∈ G g(a) = a G Proposition 2.1. Let be a transitive permutation group on a nite set , a natural number with , and . Then is -transitive on if and only if a is -transitive on . G X ~ 0 < ~ < |X| Let be a permutation group with . A subset is called a block of if or a ∈ XX G (~ + 1) X G ~ X \ {a} for every . A block is said to be trivial if or where .A complete nontrivial blockG ≤ systemS for is a partition 1 |X|t =ofn into disjointB ⊆ X subsets i of equalG sizeg(B)with= B g(B)∩,B such= that for everyg ∈ G permutationB ⊆ X and every block i thereB ∈ {X, is a} blockB = j{x}with ix ∈ Xj for . Let X be transitive.G is called{Ximprimitive,...,X } if thereX is a nontrivial blockX of . Otherwise,s 1 < s

Proposition 2.2. A permutation on a nite set with even cardinality is even if and only if its cycle representation contains an even number of cycles (including the cycles of length ).

The degree of a permutation group on a nite set is dened as the number of elements of that are 1 moved by at least one permutation of . The degree of a permutation is dened as the degree of the cyclic group generated by this permutation.G X X We need the subsequent results whichG provide sucient conditions for a permutation group to be the alternating or symmetric group.

Theorem 2.3 (cf. [25, Theorem 13.10]). Let be a prime and a primitive permutation group of degree , which contains an element of order and degree , but which is neither the alternating nor symmetric group. p G n = (a)qp +Ifk and , then . p qp (b) If and , then . q ≤ 7 p ≥ 11 k ≤ 8 Proposition 2.4. Let be a primitive permutation group on the set 2n with . Suppose there is an q ≥ 8 p ≥ 2q − 1 k ≤ 4q − 4 element which contains in its cycle representation a cycle with a prime factor n+1 and for 2n we have G {0, 1} n > 2 g ∈ G 2n p > 2 r = Then2 modisp the alternating or the symmetric group on 2n. r > max8, 4 ⋅ (2 − r)/p − 4. Proof. Suppose is neither the alternating nor symmetric group. Using an appropriate exponentiation of , G {0, 1} we obtain a permutation with cycles of length , where n−1. Hence contains an element of order and degree ,G where 2n . Then , but g 2n q p 2n 1 ≤ q < 2 G p pq pq ≤ 2 − r p ≥ max(11, 2q − 1) which is a contradiction to Theorem 2.3. 2 − pq ≥ r > max8, 4 ⋅ (2 − r)/p − 4 ≥ max(8, 4q − 4) R. Sparr and R. Wernsdorf, The round functions of KASUMI Ë 25

Remark 2.5. As an alternative to Theorem 2.3 and Proposition 2.4, it is also possible to use the theorems [18, Theorem A] or [14, Theorem 1.1] to derive similar sucient conditions for a permutation group to be the alternating or symmetric group.

Theorem 2.6 (cf. [20, Corollary 10.2.2]). Let be a transitive permutation group on a nite set with . If there is an element which contains in its cycle representation a cycle of prime number length with , then is the alternating orG the symmetric group on . X |X| > 7 g ∈ G p |X|/2 < p < |X| − 2 G X 3 Description of KASUMI

2n For every 1 2n we write L for 1 n and R for n+1 2n . The all-zero bit- vector in the set n is denoted by n and elements of m n are identied with elements in mn by concatenation.x = (x We, .write . . , x ) k∈for{0, the 1} left rotationx of (x-bit, . words . . , x ) by bitx positions(x , . and . . , x )for the projection of -bit words {0,to 1} the seven right-most0 bits of . Let ({0,and 1} ) denote the S-boxes of KASUMI,{0, which 1} are nonlinear permutations onrot 7 and 9, respectively16 [7]. Furthermore,k let pr 9 w w S7 S9 2 {0, 1} {0, 1} 7 9 16 16 16 for every ì(v,and w) k= S7(v) ⊕ v for⊕ pr every(S9(w)), (0 , v) ⊕ andS9(w) . For every , the mapping z is dened as (v, w) ∈ {0, 1} × {0, 1} ò (x) = xz⊕ k z k ∈9{0, 1} x ∈ {0, 1} z ∈ {0, 1} FI 16 16 ὔ 16 Obviously, 9, , z, and z are permutations on for every . For all and 32 FI = ì ∘ ò ∘ ì ∘ rot . 96 16 , let z,zὔ R zὔ L R . For every 1 6 with 1 6 , the 32 nonlinear permutationrot ì ò kFIon is dened as {0, 1} z ∈ {0, 1} z, z ∈ {0, 1} x ∈ {0, 1} f (x) = (x , FI (x ⊕ z) ⊕ x ) k = (z , . . . , z ) ∈ {0, 1} z , . . . , z ∈ {0, 1}

FO {0, 1} k z3,z6 z2,z5 z1,z4 16 Let and and or denote the Boolean AND-functionFO = f and∘ f the Boolean∘ f . OR-function on , respectively. For 32 32 every , the linear mixing permutation l on is dened as f f {0, 1} l ∈ {0, 1} l FLL {0,1 1}or R 32 96 32 for every , where R FL1 (x)and = LxL ⊕.rot For(f every(a, l )), a , let (1) and (2) x ∈ {0, 1} a = x ⊕k,lrot (f k (x ,l l )) k,l (k, l)l ∈ {0,k 1} × {0, 1}

The round functions of KASUMI forF odd= FO resp.∘ evenFL round typeF = areFL dened∘ FO . as (t) (t) k,l R k,l L L

64 96 32 for every , R (x), and= x ⊕ resp.F (x ), x . Finally, the KASUMI encryption function enc is dened as x ∈ {0, 1} (k, l) ∈ {0, 1} × {0, 1} (2) (1)t = 1 t =(2)2 (1) enc k8,l8 k7,l7 k2,l2 k1,l1 f for 96 32. 1 1 8 8 f = R ∘ R ∘ ⋅ ⋅ ⋅ ∘ R ∘ R The key schedule of KASUMI is dened as follows. Firstly, the -bit key is divided into eight consecutive ὔ -bit(k values, l ), . . . , (kj, , l ) ∈ {0, 1}. Secondly,× {0, 1} an array of eight -bit values j, , is dened by 128 ὔ 16 K j = 0, . . . , 7 j j j 16 K j = 0, . . . , 7 where K = K ⊕ c , j = 0, . . . , 7,

0 1 2 3

4 5 6 7 c = 0x0123, c = 0x4567, c = 0x89ab, c = 0xcdef, c = 0xfedc, c = 0xba98, c = 0x7654, c = 0x3210. 26 Ë R. Sparr and R. Wernsdorf, The round functions of KASUMI

For , let

ὔ i = 1, . . .i,1 , 8 5 i mod 8 i,2 8 (i+4) mod 8 i,3 13 (i+5) mod 8 i,4 (i+3) mod 8 ὔ ὔ ὔ i,5 (i+2) mod 8 i,6 (i+6) mod 8 i,1 1 i−1 i,2 (i+1) mod 8 z = rot (K ), z = rot (K ), z = rot (K ), z = K , Finally, the round key 96 32 for round is dened as and for z = K i i, z = K , l = rot (K ),i i,1 l =i,6K i . i,1 i,2 .

(k , l ) ∈ {0, 1}96 × {0, 1}32 i k = (z , . . . , z ) l = (l , l ) Remark 3.1. For every and every there is a KASUMI round key i i i = 1,96 . . . , 8 32 such that i i . (k, l) ∈ {0, 1} × {0, 1} i ∈ {1, . . . , 8} (k , l ) ∈ {0, 1} × {0, 1} (k, l) = (k , l ) 4 Properties of the round function components

For , let (t) denote the group generated by the set of permutations

(t) 96 32 t ∈ {1, 2} H k,l In this section we rst prove several cyclic properties for the component functions of KASUMI and show F : k ∈ {0, 1} , l ∈ {0, 1} . that the groups (1) and (2) are equal to the alternating group on the set 32. Furthermore, we prove an unexpected property for the family of FO-permutations.

H H 16 16 {0, 1} Lemma 4.1. (a) For every there is an element with z . 32 96 (b) For every there is an element with k . 16x, y ∈ {0, 1} 16 z ∈ {0, 1}−1 FI (x) = y Proof. (a) For , dene as 9 . x, y ∈ {0,32 1} 16 k ∈ {0, 1} FO (x) =ὔ y ὔ 16 (b) Let and . We can choose elements such that ὔ 1 2 1 2 z1 L 1 and x,ὔ y ∈ {0, 1} . Thenz ∈ {0, 1} ὔ z = ì(rotὔ (x)) ⊕ ì (y) , hence R L z2 R 2 L R z1,z1 R z1 L 1 R R L a, b ∈ {0, 1} z , z ∈ {0, 1} z , z ∈ {0, 1} FI (a ⊕ z ) = z ,zὔ z ,zὔ z ,zὔ R L L zὔ R 2 L a ⊕ b FI (a ⊕ z ) = b2 ⊕2 b 1 1 f 2(a)2 = (a , FI (a ⊕ 2z ) ⊕ a ) = (a , b ) Thus, for any 32 and ὔ 16, there are ὔ ὔ 16 such that f (f1 2(a))3 =3f (a , b ) = b , FI 1(a 2 ⊕ z ) ⊕ b = b.

z ,zὔ z ,zὔ z ,zὔ x, y ∈ {0, 1} z , z , z , z ∈3 {0,3 1}2 2 1 1 z , z ∈ {0, 1} (1) (2) Corollary 4.2. The groups and aref transitive.f (f (x)) = y. 96 Lemma 4.3. (a) k is an even permutation for every . H H 32 (b) l is an even permutation for every . FO k ∈ {0, 1} Proof. (a) Every FO-function is a three-fold composition of permutations of the form FL l ∈ {0, 1}

z,zὔ R zὔ L R where 32 and ὔ 16. For every ὔ 16 we have f (x) = x , FI (x ⊕ z) ⊕ x ,

x ∈ {0, 1} z, z ∈ {0, 1} z,zὔz, z 4∈ {0,3 1} 2 1 32 where , , ὔ , and for all . 1 R L 2 L R f 3 = ÷ ∘ L÷ ∘ z÷ ∘R÷ , 4 L L R Then 1 is an even permutation by [8, Lemma 1], and 2 and 4 are even by [8, Lemma 2]. Finally, 3 is an 16 even permutation÷ (x) = (x , by x ) Proposition÷ (x) = (x 2.2, x because⊕ z) ÷ the(x) number= (x , FI of(x cycles)) of ÷3 (x)is a= multiple(x , x ⊕ ofx ) . x ∈ {0, 1} 32 (b)÷ Every function l, , is a composition÷ l ÷l l, where ÷ ÷ 2 and l FL Ll =R{0, 1} 1 and L L FL =l ℎ ∘ g L 1 or R R R for all 32. If 32 with 16, then . Otherwise, has 32−wt(lL) xed points and g (x) = x , x ⊕ rot (f L (x , l )) l ℎ (x) = x ⊕ rot (fl (x , l )), x 32 32−wt(lL) 32 16 cycles of length , where L denotes the Hamming weight of L. If with R , 31 16 32 16 the mappingx ∈ {0,l 1}has lcycles∈ {0, of 1} length l. Otherwise,= 0 l hasg = idxed points andg 2 cycles of length . 32 (2Thus,− 2 l and )/2l are even permutations2 for everywt(l ) by Proposition 2.2. l l ∈ {0, 1} l ̸= 0 ℎ 2 2 ℎ 2 (2 − 2 )/2 2 g ℎ l ∈ {0, 1} R. Sparr and R. Wernsdorf, The round functions of KASUMI Ë 27

Proposition 4.4. (1) and (2) are equal to the alternating group on the set 32.

Proof. By Corollary 4.2, (1) and (2) are transitive groups. For H H {0, 1}

H H and

(1) the k,l -cycle startingk = (0xbbb0 at , 0x12de, 0xe1b1is of length, 0x84cd, 0x6e33, 0xbd61(here,) the roundl = (0x2e2e key and, 0x8fd1 the), cycle have been (2) found by a random search). By denition, the cycle representation of k,l must contain a cycle with the same length.F Since is a prime0x5ac292d0 number with c = 3 669 513 383 31 32 F c and the groups (1) (2) contain only even permutations, the result follows by Theorem 2.6. 2 < c < 2 − 2 For any subset n, let denote the linear hull of in the vector space n. H ,H 2 In the following section we will prove that the groups generated by the KASUMI round functions of odd and even roundM type⊆ {0, are 1}-transitive.⟨M⟩ For the proof we need theM following result that wasF veried by a computer search with for and for .

2 96 32 (t) 32 32 Lemma 4.5. Let . There are , 1 m , and 1 m such that m = 64 t = 1 m = 62 t = 2 ki,li (t) 32 32 32 for , and k ,l 2 for every . t ∈ {1, 2}i i m ≥ 32 k , . . . , k ∈ {0, 1} l , . . . , l ∈ {0, 1} F (0 ) = 0 96 Contraryi = 1, . to . . ,the m preceding⟨F (x) result, : i = 1, the . . mappings. , m⟩ = F k, x ∈ {0,, 1} have\ {0the} following unexpected property. Proposition 4.6. Let 32. For all and 96 with 32 for , we FO k1 ∈ {0, 1}m ki have 32 for every 25 7. ki 2 ὔ a96∈ {0, 1} 32 m ≥ 32 32 k , . . .25 , k ∈ {0, 1}7 FO (0 ) = a i = 1, . . . , m Proof. Let with ὔ , , and ὔ . We will show ⟨FO (x) : i = 1, . . . , m⟩ ̸= F k xk ∈ {0 } × {0, 1} k k that 7 2 7 k, k ∈ {0, 1} FO (0 ) =LFO R(0 ) x ∈ {0 } × {0, 1} î = FO (x) ⊕ FO (x) Let with 16, and , where 1 6 1 6 î ⊕ î ∈ {0, 1}z2,z×5 {0z1},z×4 {0, 1} . and k = (z , . . . , z ) z , . .L . , z ∈z{0,4 1}L 1 yR= f (f R (x))z5 R 2 L

Let further , where and . Then z3,z6 yk = FI (x ⊕ zL ) ⊕ Rx R y z6= FIL (x3 ⊕ zR) ⊕ y .

u = f (y) = FO (x) L uR = y z6 z4u L= FI1 (y ⊕3 z )R⊕ y

ὔ ὔ ὔ ὔ ὔ 16 ὔ Similarly, for 1 6 with u1 ⊕ u 6= FI FI, and(x ⊕ z ) ⊕ zkὔ ⊕ x, we. obtain

ὔ ὔ ὔ ὔ ὔ ὔ k = (z , . . . , z ) z ,L . . . , zR ∈ {0,z6 1} z4 L u 1= FO3 (x)R

By assumption we have u ⊕ u = FI FI (x ⊕ z ) ⊕ z ⊕ x . ὔ ὔ ὔ ὔ z6 z4 L 1 3 z6 z4 L 1 3 Then, by Proposition A.3 in the Appendix, it follows that FI FI (x ⊕ z ) ⊕ z = FI FI (x ⊕ z ) ⊕ z . ὔ ὔ 7 2 7 L R L R L R

î ⊕ î = u ⊕ u ⊕ u ⊕ u ∈ {0, 1} × {0 } × {0, 1} . 5 Group theoretic properties of the KASUMI round functions

In this section we show that the KASUMI round functions for odd and even rounds generate the alternating group on 64.

Proposition 5.1. Let . For every 64 there are ὔ 96 and ὔ 32 such that {0, 1} (t) (s) . kὔ,lὔ k,l s, t ∈ {1, 2} x, y ∈ {0, 1} k, k ∈ {0, 1} l, l ∈ {0, 1} (R ∘ R )(x) = y 28 Ë R. Sparr and R. Wernsdorf, The round functions of KASUMI

Proof. Let 64. By Lemma 4.1 there are ὔ 96 and ὔ 32 such that

(s) (t) x, y ∈ {0, 1} k,l L R Rk, kand∈ {0, 1}kὔ,lὔ R l, l L∈ {0,L 1}

Then F (x ) = x ⊕ y F (y ) = x ⊕ y .

(t) (s) (t) (s) (s) (t) kὔ,lὔ k,l L R L kὔ,lὔ R k,l L R k,l L L kὔ,lὔ R R L R

For R , letR (t)(xdenote, x ) = thex group⊕ F generatedx ⊕ F (x by) the, x set⊕ F of functions(x ) = x ⊕ F (y ), y = (y , y ).

(t) 96 32 t ∈ {1, 2} G k,l

(1) (2) Proposition 5.2. and are -transitiveR : kpermutation∈ {0, 1} , l groups.∈ {0, 1} . Proof. By Proposition 5.1, (1) and (2) are transitive permutation groups. Let and 64. We have G G 2 (t) −1 (t) (t) −1 (t) (t) (t) (t) (t) ὔ ὔ G G ὔ ὔ ὔ ὔ t ∈ {1, 2} z = 0 ὔ ὔ kn,ln kn,ln k1,l1 k1,l1 k1,l1 k1,l1 kn,ln kn,ln (t) (t) −1 (t) (t) −1 (t) (t) (t) (t) k ,l ὔ ὔ k ,l ὔ ὔ k ,l ὔ ὔ k ,l ὔ ὔ Rn n ∘knR,ln ∘ ⋅ ⋅ ⋅ ∘ R1 1 ∘k1R,l1 (a, b) = a, b ⊕ F1 1 (a) ⊕k1F,l1 (a) ⊕ ⋅ ⋅ ⋅ ⊕ nFn (a) ⊕knF,ln (a),

ὔ ὔ ὔ ὔ 96 32 32 for allR ∘, R1 1 1∘ ⋅1 ⋅ ⋅ ∘ R n ∘nR n n (a, b) = a ⊕ F (b), and⊕ F (b) ⊕ ⋅ ⋅ ⋅ ⊕.F Hence,(b) ⊕ byF Lemma(b), b 4.5, for ὔ ὔ 32 (1) every there are functions z with n ≥ 1 (k , l ), (k , l ), . . . , (k , l ), (k , l ) ∈ {0, 1} × {0, 1} a, b ∈ {0, 1} ὔ ὔ ὔ ὔ c, d, c , d ∈ {0, 1} f,g ∈ Gand

(1) 64 (2) 64 Thus, z is transitive on f(c,and, d) = by(c, the d ) same arguments,g(c, d ) = also(c , d ).z is transitive on . Then (1) and (2) are -transitive permutation groups by Proposition 2.1. G {0, 1} \ {z} G {0, 1} \ {z} A permutation 2n 2n, , is said to be of Feistel-type if there is a mapping n n G G 2 with for all n n. The averageF cycle : {0, 1} length→ {0, of 1} a randomn > 0 permutation on the set 2n is approximatelyf equal : {0, 1} to →2n {0, 1}2n (see [9,F(x, pp. y) 257–258]).= (y, x ⊕ f(y)) It can be shown(x, y) that∈ {0, for 1} every× {0, 1} Feistel-type permutation on 2n, , the cycle representation of contains at least n−1 cycles (see [5, Lemma 3]).{0, 1} Since the KASUMI round functions2 / ln are2 inverse Feistel-type permutations, the average cycle length for every KASUMIF round{0, function 1} n ≥ is4 not greater than 33. Thus, it isF feasible to use Proposition2 2.4 for the proof of the following result.

Theorem 5.3. The groups generated by the KASUMI round functions of odd and even round type are equal to 2 the alternating group on the set 64.

Proof. (1) and (2) are primitive by Proposition 5.2 and contain only even permutations by [8, Corollary 2]. {0, 1} The following two large cycles for the rst resp. second KASUMI round function have been obtained by a randomG search.G For the rst KASUMI round function dened by the cipher key

the cycle starting at k = 0xe18d9e90077d5b59c9c9f1d3e22403is of length . , For the second KASUMI round function dened by the cipher key 0x0211f74b7527ce8b c = 18 375 676 469 ὔ

ὔ ὔ ὔ the cycle starting at k = 0x294635be4374a0fe1b3ae978e199ee18is of length . Since, and are primes with 33 satisfying the condition of Proposition 2.4, the groups (1) and (2) are both equal to the alternating group on the set 64. 0x85346017c65edd91 c = 13 535 443 601 c c c, c > 2 G G Remark 5.4. Since the KASUMI key scheduling maps the set of possible keys onto the set of round keys, the {0, 1} actual KASUMI round functions both for odd and even rounds generate the alternating group on 64.

{0, 1} R. Sparr and R. Wernsdorf, The round functions of KASUMI Ë 29

6 The KASUMI two-round functions generate the alternating group

Let ∗ denote the group generated by the set of KASUMI two-round functions

(2) (1) ὔ 96 ὔ 32 G kὔ,lὔ k,l

∗ where independent round keys areR assumed.∘ R In: k, this k ∈ section,{0, 1} , we l, l show∈ {0, that 1} , is equal to the alternating group on the set 64. Then it follows that also the KASUMI encryption functions with independent round keys generate the alternating group on the message space (cf. Theorem 6.7). G {0, 1} Proposition 6.1. The group ∗ is -transitive, hence primitive.

Proof. The group ∗ is transitive by Proposition 5.1, and we have G 2 (1) −1 (1) (2) (1) −1 (2) (1) G k1,l1 k2,l2 k3,l3 k1,l1 k3,l3 k2,l2 (2) (2) −1 (2) (1) (2) (1) −1 Rk1,l1 ∘k2R,l2 = Rk1,l1 ∘ Rk3,l3 ∘ kR2,l2 ∘kR3,l3 , 96 32 ∗ for all 1 1 2 2 3 3 R ∘ R .= Then,R similar∘ R to∘ theR proof∘ R of Proposition 5.2, it follows that is a -transitive group. (k , l ), (k , l ), (k , l ) ∈ {0, 1} × {0, 1} G Remark 6.2. Similar to the preceding proof we can show that the group generated by the KASUMI en- 2 enc cryption functions enc with independent round keys is -transitive. Thus enc acts primitively on the message space. G f 2 G We say a Feistel-type permutation with for all n n is proper if −1 n . We rst provide a useful lower bound for the number of cycles of compositions consisting of a proper Feistel-type permutation onF 2nF(x,and y) a= more(y, x general⊕ f(y)) type of permutation,(x, y) ∈ {0, 1} which× {0, shows1} that the averagef (0 ) cycle̸= length of such compositions is not greater than n+1. Since ∗ is primitive, this opens up the possibility to use Proposition 2.4 for the{0, 1} proof that ∗ equals the alternating group on the message space (cf. Theorem 6.6). 2 G G Theorem 6.3. Let and for all n n. Let further 2n 2n be a permutation with −1. Then for every proper Feistel-type permutation 2n 2n the cycle representation of n ≥ 1containsè(x, at y) least= (y, x)n−1 cycles.(x, y) ∈ {0, 1} × {0, 1} ÿ : {0, 1} → {0, 1} ÿ ∘ è = è ∘ ÿ F : {0, 1} → {0, 1} Proof. Let n n be a mapping with −1 n and for all ÿ ∘ F 2 n n. We show that every cycle of contains no more than two elements from the set f : {0, 1} → {0, 1} f (0 ) ̸= F(x, y) = (y, x ⊕ f(y)) (x, y) ∈ n n n {0, 1} × {0, 1} ÿ ∘ F

−1 −1 Let . Then Sand= (x, y) ∈ {0, 1} × {0, 1} : f(y) = 0 . . Induction yields

i −i (a, b) ∈ S F(a, b) = è(a, b) ÿ(F(a, b)) = è(ÿ (a, b)) = è(F((ÿ ∘ F) (a, b)))

i0 −i0 for every integer . Let 0 be the(ÿ smallest∘ F) (a, b)integer= èF((ÿ such∘ thatF) (a, b)) or . In the rst case i > 0 i > 0 i0 i0 (ÿ ∘ F) (a,−i0 b) ∈ S (ÿ ∘ F) (a, b) ∈ S

In the second case we have F(ÿ ∘ F) (a, b) = è(ÿ ∘ F) (a, b) = F(ÿ ∘ F) (a, b). −i0 −i0 hence −i0 −i0 i0 . Thus, and i0 are the only elements F(ÿ ∘ F) (a, b) = è(ÿ ∘ F) (a, b), of occurring in the cycle starting from . Since n, the cycle representation of contains at least n−1 cycles.(ÿ ∘ F) (a, b) = è(F((ÿ ∘ F) (a, b))) = (ÿ ∘ F) (a, b) (a, b) (ÿ ∘ F) (a, b) S (a, b) |S| ≥ 2 ÿ ∘ F Corollary 6.4. Let ὔ 2n 2n be two Feistel-type permutations, where is proper. Then the cycle 2 representation of ὔ contains at least n−1 cycles. F, F : {0, 1} → {0, 1} F F ∘ F 2 30 Ë R. Sparr and R. Wernsdorf, The round functions of KASUMI

The average cycle length of a random permutation on the set 64 is a number greater than 58 (see [9, pp. 257–258]). Since the KASUMI round functions are the inverses of proper Feistel-type permutations, we have the following result. {0, 1} 2

Corollary 6.5. The average cycle length for every KASUMI two-round function is not greater than 33.

Theorem 6.6. The group ∗ generated by the KASUMI two-round functions with independent round keys is 2 equal to the alternating group on the message space. G Proof. The group ∗ is primitive by Proposition 6.1 and contains only even permutations by [8, Corollary 2]. The KASUMI cipher key G with the following property has been obtained by random search. The composition of the rst two KASUMI k = 0x6205b5d9ee63edf11f1acea14477d5a9 round functions dened by the cipher key has the cycle

33 of length , where(0x445b1b948ce25f49is a prime with ⋅ ⋅ ⋅ 0x3e72cc3296b66829satisfying the condition) of Proposition 2.4. Hence ∗ is equal to the alternating group on the set 64. c = 28 737 645 371 c c > 2 Theorem 6.7. The group generated by the KASUMI encryption functions with independent round keys is equal G {0, 1} to the alternating group on the message space.

Proof. The group generated by the KASUMI encryption functions with independent round keys is a normal subgroup of ∗ (see [10]). Since the alternating group on 64 is simple, the result follows from Theorem 6.6.

G {0, 1}

7 Conclusions

Possible structural defects of the groups generated by the KASUMI round functions and two-round functions, such as imprimitivity or an insucient diversity of occurring permutations, can be excluded by the results provided in the paper. Furthermore, by Theorem 6.6, for all Markov ciphers corresponding to KASUMI two-round functions, the Markov chains of dierences are irreducible and aperiodic [10]. If the hypothesis of stochastic equivalence holds for the Markov ciphers corresponding to KASUMI two-round functions, then these ciphers are secure against classical dierential cryptanalysis after the application of suciently many two-round functions [10]. Finally, it appears that the methods used here to prove the main results cannot be employed to show that the KASUMI round functions without the linear mixing permutations generate the alternating group on the message space (cf. Proposition 4.6).

A Properties of the FI-permutations

We provide here some properties of the permutations 2 for 7 9 16 and z z 9 for . These properties are used for the proof of Proposition 4.6, but might also be of interest on their own.ì(v, w) = (S7(v) ⊕ v ⊕ pr(S9(w)), (0 , v) ⊕ S9(w)) n n n n n (v, w)For∈ every{0, 1} mapping× {0, 1} FI = ì ∘ ò ∘ ìand∘ rot z ∈, let{0, 1}a denote the derivative of with respect to dened by

f : {0, 1} → {0, 1} a a ∈ {0, 1} D f : {0, 1} → {0, 1} f a for all n. For the derivatives of the permutation with respect to elements of the form 7 9 D f(x) = f(x) ⊕ f(x ⊕ a) we have the following two properties. x ∈ {0, 1} ì a ∈ {0, 1} ×{0 } R. Sparr and R. Wernsdorf, The round functions of KASUMI Ë 31

7 2 7 7 9 7 9 Proposition A.1. a for all and . Proposition A.2. ὔ ὔ 7 9 for every , ὔ ὔ 7 9 and D aì(v, w) ∈ {0,a 1} × {0 } × {0, 1} (v, w) ∈ {0, 1} × {0, 1} a ∈ {0, 1} × {0 } 7 9 . D ì(v, w) ⊕ D ì(v , w ) ∈ {0, 1} × {0 } (v, w) (v , w ) ∈ {0, 1} × {0, 1} a ∈ Proof. Let , ὔ ὔ 7 9 and 9 7 9 . Then {0, 1} × {0 } ὔ ὔ ὔ ὔ ὔ ὔ 2 9 (v, w) (v , w ) ∈ {0, 1} × {0, 1} a = (b, 0 ) ∈ {0, 1} × {0 } ὔ ὔ with ì(v ⊕ b, w ) ⊕ ì(v , w ) = S7(v ⊕. b) ⊕ S7(v ) ⊕ b, 0 , b = ì(v ⊕ b, w) ⊕ ì(v, w) ⊕ (c, 0 ) ὔ ὔ 16 ὔ ὔ 7 2 7 Proposition A.3. Let with ὔ . Then ὔ c = S7(v ⊕ b) ⊕ S7(v ) ⊕ S7(v ⊕ b) ⊕ S7(v) z z z z for every 9 7. y, y , z, z ∈ {0, 1} FI (y) = FI (y ) FI (y⊕x)⊕FI (y ⊕x) ∈ {0, 1} ×{0 }×{0, 1} Proof. Let , ὔ ὔ ὔ with ὔ 7, ὔ 9 and 9 with 7. If ὔ x ∈16{0 } × {0, 1} ὔ ὔ ὔ ὔ 9 with z zὔ , we have z zὔ . Let . By the preceding result we havey = (w, v) y = (w , v ) v, v ∈ {0, 1} w, w ∈ {0, 1} x = (0 , b) b ∈ {0, 1} ὔ ὔ 9 z, z ∈ {0, 1} FI (w, v) = FI (w , v )a ò a(ì(v, w)) = ò (ì(v , w )) a = (b, 0 ) with 7. Then D ì(v, w) ⊕ D ì(v , w ) = (c, 0 ) ὔ ὔ ὔ ὔ 9 9 c ∈ {0, 1} z zὔ z zὔ

Thus, ò ì(v ⊕ b, w) ⊕ ò ì(v ⊕ b, w ) = ò ì(v, w) ⊕ ò ì(v , w ) ⊕ (c, 0 ) = (c, 0 ). ὔ ὔ ὔ 7 2 7 z zὔ z zὔ

Acknowledgement:FI (y ⊕ x) ⊕WeFI would(y ⊕ x) like= toì thankò ì(v Harry⊕ b, w) Reimann ⊕ ìò forì(v valuable⊕ b, w ) comments ∈ {0, 1} and× {0 discussions.} × {0, 1} .

References

[1] 3GPP TR 33.908 V4.0.0 (2001-09), 3rd Generation Partnership Project; Technical Specication Group Services and System Aspects; 3G Security; General Report on the Design, Specication and Evaluation of 3GPP Standard Condentiality and Integrity Algorithms (Release 4), www.3gpp.org. [2] T. Baignères and S. Vaudenay, Proving the security of AES substitution-permutation network, in: Selected Areas in Cryp- tography (SAC 2005), Lecture Notes in Comput. Sci. 3897, Springer, Berlin (2006), 65–81. [3] A. Caranti, F. Dalla Volta and M. Sala, An application of the O’Nan-Scott theorem to the group generated by the round functions of an AES-like cipher, Des. Codes Cryptography 52 (2009), 293–301. [4] Data Encryption Standard (DES), National Institute of Standards and Technology, FIPS Publication 46 (3), 1999. [5] R. Dittmar, G. Hornauer and R. Wernsdorf, SAFER, DES and FEAL: Algebraic properties of the round functions, in: Proceed- ings of PRAGOCRYPT’96, part I, CTU Publishing House, Prague (1996), 55–66. [6] O. Dunkelman, N. Keller and A. Shamir, A practical-time related-key attack on the KASUMI cryptosystem used in GSM and 3G telephony, in: Advances in Cryptology (CRYPTO 2010), Lecture Notes in Comput. Sci. 6223, Springer, Berlin (2010), 393–410. [7] ETSI TS 135 202 V7.0.0 (2007-06), Universal Mobile Telecommunications System (UMTS); Specication of the 3GPP condentiality and integrity algorithms; Document 2: KASUMI specication (3GPP TS 35.202 version 7.0.0 Release 7), www.etsi.org. [8] S. Even and O. Goldreich, DES-like functions can generate the alternating group, IEEE Trans. Inform. Theory 29 (1983), 863–865. [9] W. Feller, An Introduction to Probability Theory and Its Applications, vol. 1, 3rd ed., John Wiley & Sons, New York, 1968. [10] G. Hornauer, W. Stephan and R. Wernsdorf, Markov ciphers and alternating groups, in: Advances in Cryptology (EURO- CRYPT’93), Lecture Notes in Comput. Sci. 765, Springer, Berlin (1994), 453–460. [11] T. Iwata, T. Yagi and K. Kurosawa, On the pseudorandomness of KASUMI type permutations, in: Information Security and Privacy (ACISP 2003), Lecture Notes in Comput. Sci. 2727, Springer, Berlin (2003), 130–141. [12] K. Jia, L. Li, C. Rechberger, J. Chen and X. Wang, Improved cryptanalysis of the block cipher KASUMI, in: Selected Areas in Cryptography (SAC 2012), Lecture Notes in Comput. Sci. 7707, Springer, Berlin (2013), 222–233. [13] T. V. Le, R. Sparr, R. Wernsdorf and Y. Desmedt, Complementation-like and cyclic properties of AES round functions, in: Advanced Encryption Standard (AES 2004), Lecture Notes in Comput. Sci. 3373, Springer, Berlin (2005), 128–141. 32 Ë R. Sparr and R. Wernsdorf, The round functions of KASUMI

[14] M. W. Liebeck and J. Saxl, Primitive permutation groups containing an element of large prime order, J. London Math. Soc. (2) 31 (1985), 237–249. [15] M. Matsui, New block encryption algorithm MISTY, in: Fast Software Encryption (FSE’97), Lecture Notes in Comput. Sci. 1267, Springer, Berlin (1997), 54–68. [16] L. O’Connor and J. Golic, A unied Markov approach to dierential and linear cryptanalysis, in: Advances in Cryptology (ASIACRYPT’94), Lecture Notes in Comput. Sci. 917, Springer, Berlin (1995), 387–397. [17] K. G. Paterson, Imprimitive permutation groups and trapdoors in iterated block ciphers, in: Fast Software Encryption (FSE’99), Lecture Notes in Comput. Sci. 1636, Springer, Berlin (1999), 201–214. [18] C. E. Praeger, On elements of prime order in primitive permutation groups, J. Algebra 60 (1979), 126–157. [19] T. Saito, A single-key attack on 6-round KASUMI, preprint (2011), http://eprint.iacr.org/2011/584. [20] A. Seress, Permutation Group Algorithms, Cambridge University Press, Cambridge, 2002. [21] R. Sparr and R. Wernsdorf, Group theoretic properties of Rijndael-like ciphers, Discr. Appl. Math. 156 (2008), 3139–3149. [22] Specication for the Advanced Encryption Standard (AES), National Institute of Standards and Technology, FIPS Publica- tion 197, 2001. [23] R. Wernsdorf, The one-round functions of the DES generate the alternating group, in: Advances in Cryptology (EURO- CRYPT’92), Lecture Notes in Comput. Sci. 658, Springer, Berlin (1993), 99–112. [24] R. Wernsdorf, The round functions of Rijndael generate the alternating group, in: Fast Software Encryption (FSE 2002), Lecture Notes in Comput. Sci. 2365, Springer, Berlin (2002), 143–148. [25] H. Wielandt, Finite Permutation Groups, Academic Press, New York, 1964.

Received August 6, 2013; revised July 28, 2014; accepted August 7, 2014.