
DOI 10.1515/jmc-2013-0028   J. Math. Cryptol. 2015; 9 (1):23–32

Research Article

Rüdiger Sparr and Ralph Wernsdorf

The round functions of KASUMI generate the alternating group

Abstract: We show that the round functions of the KASUMI block cipher for odd and even round type generate the alternating group on the message space. Moreover, under the assumption of independent round keys, we prove that also the KASUMI two-round functions and the KASUMI encryption functions generate the alternating group.

Keywords: KASUMI, block cipher, permutation groups

MSC 2010: 94A60, 20B35

Rüdiger Sparr, Ralph Wernsdorf: Rohde & Schwarz SIT GmbH, Am Studio 3, 12489 Berlin, Germany, e-mail: [email protected], [email protected]

Communicated by: Robert Gilman

1 Introduction

KASUMI is a 64-bit block cipher with 128-bit key size which is used for the confidentiality and integrity algorithms of the Third Generation Partnership Project (3GPP) for mobile communications [7]. KASUMI is based on the MISTY1 block cipher [15] and is carefully designed to resist conventional differential and linear cryptanalysis [1]. It has been shown that the four-round KASUMI-type permutation is pseudorandom and that the six-round KASUMI-type permutation is super-pseudorandom under an adaptive distinguisher model [11]. Furthermore, as shown in [6], KASUMI is susceptible to a related key attack using four related keys, which however is not a security threat for the use of KASUMI in GSM and UMTS applications. Recent further cryptanalysis results about KASUMI can be found in [12, 19].

In this paper we present several new results on group theoretic properties of the KASUMI round functions and component functions. For any block cipher, it is desirable to exclude possible structural defects for the group generated by the round functions, such as an insufficient diversity of occurring permutations or imprimitivity. Because of the widespread use for 3GPP mobile communications, the exclusion of such structural weaknesses appears particularly relevant for the KASUMI block cipher. As shown by Paterson [17], there are DES-like block ciphers which possess a certain resistance to linear and differential cryptanalysis, but can be easily broken since the round functions generate a group which acts imprimitively on the message space. A further purpose for the analysis of group theoretic properties of a block cipher stems from the fact that, if the round functions of the cipher generate the alternating group on the message space, then general security proofs for the cipher are possible with respect to the Markov cipher approach to classical differential cryptanalysis (cf. [2, 10, 16]). For the DES [4], AES [22], and other ciphers, several results on the cyclic and group theoretic structure of their components have already been found (see [3, 5, 8, 13, 21, 23, 24]).

The paper is organized as follows. In Section 2 we provide some notions and facts from the theory of permutation groups which are used in this paper. In Section 3 we give a description of the KASUMI block cipher. In Section 4 we investigate cyclic properties of the internal components of the KASUMI round functions and prove an unexpected property of the FO-functions of KASUMI. In Section 5 we show that the groups generated by the KASUMI round functions for odd and even round type are equal to the alternating group on the message space $\{0,1\}^{64}$. In Section 6 we show that also the KASUMI two-round functions as well as the KASUMI encryption functions generate the alternating group on the set $\{0,1\}^{64}$ under the assumption of independent round keys. In Section 7 we finish the paper with some concluding remarks.

2 Group theoretical facts

For any nonempty finite set $X$, the group of bijective mappings of $X$ onto itself is denoted by $S_X$. If $n$ is a natural number and $X = \{1, \dots, n\}$, we also write $S_n$ instead of $S_X$. Every subgroup of $S_X$ is called a permutation group on $X$. Let $\ell$ be a natural number with $0 < \ell \le |X|$. A permutation group $G \le S_X$ is called $\ell$-transitive if, for any pair of $\ell$-tuples $(a_1, \dots, a_\ell), (b_1, \dots, b_\ell) \in X^\ell$ with $a_i \ne a_j$, $b_i \ne b_j$ for $i \ne j$, there is a permutation $g \in G$ with $g(a_i) = b_i$ for $i = 1, \dots, \ell$. A $1$-transitive permutation group is simply called transitive. If $G$ is a permutation group on a set $X$ and $a \in X$, the subgroup of all $g \in G$ with $g(a) = a$ is denoted by $G_a$. For multiple transitivity we have the following proposition (cf. [25]).

Proposition 2.1. Let $G$ be a transitive permutation group on a finite set $X$, $\ell$ a natural number with $0 < \ell < |X|$, and $a \in X$. Then $G$ is $(\ell + 1)$-transitive on $X$ if and only if $G_a$ is $\ell$-transitive on $X \setminus \{a\}$.

Let $G \le S_X$ be a permutation group with $|X| = n$. A subset $B \subseteq X$ is called a block of $G$ if $g(B) = B$ or $g(B) \cap B = \emptyset$ for every $g \in G$. A block $B$ is said to be trivial if $B \in \{X, \emptyset\}$ or $B = \{x\}$ where $x \in X$. A complete nontrivial block system for $G$ is a partition $\{X_1, \dots, X_t\}$ of $X$ into disjoint subsets $X_i$ of equal size $s$ with $1 < s < n$, such that for every permutation $g \in G$ and every block $X_i$ there is a block $X_j$ with $g(X_i) = X_j$ for $i, j \in \{1, \dots, t\}$. Let $G \le S_X$ be transitive. $G$ is called imprimitive if there is a nontrivial block $B \subset X$ of $G$. Otherwise, $G$ is said to be primitive. Every $2$-transitive permutation group is primitive, but not conversely.

A permutation $g \in S_n$ is a transposition if $g$ interchanges two elements $x, y \in X$ and fixes all the other elements of $X$. A permutation $g \in S_n$ is called even (odd) if $g$ can be represented as a product of an even (odd) number of transpositions. The set of all even permutations on $\{1, \dots, n\}$ forms a group, which is called the alternating group on the set $\{1, \dots, n\}$ and which is denoted by $A_n$. For any permutation on a finite set of even cardinality, the number of cycles of odd length in its disjoint cycle decomposition must be even. Since the cycles of even length are odd permutations, we have the following result.

Proposition 2.2. A permutation on a finite set with even cardinality is even if and only if its cycle representation contains an even number of cycles (including the cycles of length $1$).

The degree of a permutation group $G$ on a finite set $X$ is defined as the number of elements of $X$ that are moved by at least one permutation of $G$. The degree of a permutation is defined as the degree of the cyclic group generated by this permutation.

We need the subsequent results which provide sufficient conditions for a permutation group to be the alternating or symmetric group.

Theorem 2.3 (cf. [25, Theorem 13.10]). Let $p$ be a prime and $G$ a primitive permutation group of degree $n = qp + k$, which contains an element of order $p$ and degree $qp$, but which is neither the alternating nor symmetric group.
(a) If $q \le 7$ and $p \ge 11$, then $k \le 8$.
(b) If $q \ge 8$ and $p \ge 2q - 1$, then $k \le 4q - 4$.

Proposition 2.4. Let $G$ be a primitive permutation group on the set $\{0,1\}^{2n}$ with $n > 2$. Suppose there is an element $g \in G$ which contains in its cycle representation a cycle with a prime factor $p > 2^{n+1}$ and for $r = 2^{2n} \bmod p$ we have
$$r > \max\bigl(8,\ 4 \cdot (2^{2n} - r)/p - 4\bigr).$$
Then $G$ is the alternating or the symmetric group on $\{0,1\}^{2n}$.

Proof. Suppose $G$ is neither the alternating nor symmetric group. Using an appropriate exponentiation of $g$, we obtain a permutation with $q$ cycles of length $p$, where $1 \le q < 2^{n-1}$. Hence $G$ contains an element of order $p$ and degree $pq$, where $pq \le 2^{2n} - r$. Then $p \ge \max(11, 2q - 1)$, but
$$2^{2n} - pq \ge r > \max\bigl(8,\ 4 \cdot (2^{2n} - r)/p - 4\bigr) \ge \max(8, 4q - 4),$$
which is a contradiction to Theorem 2.3.

Remark 2.5. As an alternative to Theorem 2.3 and Proposition 2.4, it is also possible to use the theorems [18, Theorem A] or [14, Theorem 1.1] to derive similar sufficient conditions for a permutation group to be the alternating or symmetric group.

Theorem 2.6 (cf. [20, Corollary 10.2.2]). Let $G$ be a transitive permutation group on a finite set $X$ with $|X| > 7$. If there is an element $g \in G$ which contains in its cycle representation a cycle of prime number length $p$ with $|X|/2 < p < |X| - 2$, then $G$ is the alternating or the symmetric group on $X$.

3 Description of KASUMI

For every $x = (x_1, \dots, x_{2n}) \in \{0,1\}^{2n}$ we write $x_L$ for $(x_1, \dots, x_n)$ and $x_R$ for $(x_{n+1}, \dots, x_{2n})$. The all-zero bit-vector in the set $\{0,1\}^n$ is denoted by $0^n$ and elements of $\{0,1\}^m \times \{0,1\}^n$ are identified with elements in $\{0,1\}^{m+n}$ by concatenation. We write $\mathrm{rot}_k$ for the left rotation of $16$-bit words by $k$ bit positions and $\mathrm{pr}$ for the projection of $9$-bit words $w$ to the seven right-most bits of $w$. Let $S7$ and $S9$ denote the S-boxes of KASUMI, which are nonlinear permutations on $\{0,1\}^7$ and $\{0,1\}^9$, respectively [7]. Furthermore, let
$$\text{ì}(v, w) = \bigl(S7(v) \oplus v \oplus \mathrm{pr}(S9(w)),\ (0^2, v) \oplus S9(w)\bigr)$$
for every $v \in \{0,1\}^7$ and $w \in \{0,1\}^9$.
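The cycle-structure criteria of Section 2 (Proposition 2.2, Proposition 2.4 and Theorem 2.6) can be applied mechanically to a concrete permutation. The following Python is an added example, not code from the paper; it runs on a constructed permutation of $\{0,1\}^6$ (i.e. $n = 3$, 64 points) and assumes that the transitivity or primitivity hypothesis of the respective result has been established separately.

```python
# Added example (not the paper's code): cycle-structure side of Propositions 2.2,
# 2.4 and Theorem 2.6; transitivity/primitivity hypotheses are NOT checked here.
def cycle_lengths(perm):
    """Cycle lengths of perm (perm[i] = image of i), fixed points included."""
    seen, lengths = [False] * len(perm), []
    for start in range(len(perm)):
        length, i = 0, start
        while not seen[i]:
            seen[i], i, length = True, perm[i], length + 1
        if length:
            lengths.append(length)
    return lengths

def is_even_permutation(perm):
    """Parity from the cycle count; for even |X| this is exactly Proposition 2.2."""
    return (len(perm) - len(cycle_lengths(perm))) % 2 == 0

def prime_factors(m):
    fs, d = set(), 2
    while d * d <= m:
        while m % d == 0:
            fs.add(d)
            m //= d
        d += 1
    if m > 1:
        fs.add(m)
    return fs

def theorem_2_6_witness(perm):
    """A prime cycle length p with |X|/2 < p < |X| - 2, or None."""
    size = len(perm)
    for p in cycle_lengths(perm):
        if prime_factors(p) == {p} and 2 * p > size and p < size - 2:
            return p
    return None

def proposition_2_4_primes(perm, n):
    """Primes p > 2^(n+1) dividing a cycle length of perm on {0,1}^(2n)
    with r = 2^(2n) mod p and r > max(8, 4*(2^(2n) - r)/p - 4)."""
    size = 2 ** (2 * n)
    assert n > 2 and len(perm) == size
    good = set()
    for p in set().union(*map(prime_factors, cycle_lengths(perm))):
        r = size % p
        if p > 2 ** (n + 1) and r > max(8, 4 * (size - r) / p - 4):
            good.add(p)
    return sorted(good)

# Constructed sample on {0,1}^6 (n = 3): a 37-cycle on 0..36 and a 27-cycle on 37..63.
SAMPLE = [(i + 1) % 37 for i in range(37)] + [37 + (i + 1) % 27 for i in range(27)]
```

For KASUMI's own message space $\{0,1\}^{64}$ a full cycle decomposition is out of reach; the checks are meant for cycle lengths established by other means, as the paper does for the component functions.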