Group Theoretic Properties of Rijndael-Like Ciphers

Discrete Applied Mathematics 156 (2008) 3139–3149
www.elsevier.com/locate/dam

Group theoretic properties of Rijndael-like ciphers

Rüdiger Sparr*, Ralph Wernsdorf
Rohde & Schwarz SIT GmbH, 12489 Berlin, Germany

Received 27 February 2007; received in revised form 24 October 2007; accepted 19 December 2007
Available online 10 March 2008

Abstract

We provide conditions for which the round functions of an $\ell$-bit Rijndael-like block cipher generate the alternating group on the set $\{0,1\}^\ell$. These conditions show that the class of Rijndael-like ciphers whose round functions generate the alternating group on their message space is large, and includes both the actual Rijndael and the block cipher used by the compression function of the WHIRLPOOL hash function. The result indicates that there is no trapdoor design for a Rijndael-like cipher based on the imprimitivity of the group action of its proper round functions which is difficult to detect.

© 2008 Elsevier B.V. All rights reserved.

Keywords: Cryptography; Permutation groups; Block ciphers; Rijndael; Hash functions

* Corresponding author. Fax: +49 30 65884 180.
E-mail addresses: [email protected] (R. Sparr), [email protected] (R. Wernsdorf).
0166-218X/$ - see front matter © 2008 Elsevier B.V. All rights reserved.
doi:10.1016/j.dam.2007.12.011

1. Introduction

An SP network is an iterated block cipher in which each round realizes Shannon's principle of confusion and diffusion [29] by the use of substitutions and permutations, respectively. A widely-used class of SP networks is defined by invertible confusion and diffusion layers, followed by the XOR-operation of the round key with the state. Here the confusion layer is a parallel application of nonlinear substitutions to the subblocks of the state, while the diffusion layer is a linear transformation of the entire state. An important example of such an SP network is the Rijndael block cipher [8,9], which is defined for various block bit sizes $\ell_b$ and key bit lengths $\ell_k$, where $\ell_b, \ell_k \in \{128, 160, 192, 224, 256\}$. The versions for the block size of 128 bits and key lengths of 128, 192, and 256 bits were adopted by the NIST as the Advanced Encryption Standard (AES) [24]. Rijndael is designed to have the maximum known immunity against differential cryptanalysis [3] and linear cryptanalysis [18] (see [26]). Since the end of the AES selection process much research has focused on the structural and algebraic aspects of Rijndael, which includes the analysis of several alternative representations of the AES as well as some group theoretic investigations of the AES components (see, e.g., [2,6,11,17,21,32]). The exploration of the structural properties of a block cipher can yield new insights, which may provide the foundation for a further cryptanalysis of the cipher. In the case of the AES, algebraic relations and simple algebraic representations of the cipher have been found [11,21] which might provide useful starting points for further cryptanalytic work.

In this paper we provide several new results on group theoretic properties of Rijndael-like ciphers with applications to some important block ciphers. For several block ciphers, including the DES [22] and AES, results on the group theoretic properties of their components have already been found (see, e.g., [10,17,30–32]). A first motivation for the investigation of the group theoretic structure of a block cipher is to exclude undesirable properties, such as short cycles or non-trivial factor groups for the group generated by the round functions of the cipher. For example, it was shown in [27] that if the group generated by the round functions of a block cipher acts imprimitively on the state space, then there is an exploitable weakness in the cipher. Moreover, it is possible to give examples of DES-like block ciphers which have a trapdoor with respect to this property, but nevertheless possess a certain resistance against classical linear and differential cryptanalysis (see [27]).

A further motivation to study the group theoretic properties of a block cipher stems from a connection to the Markov cipher approach to classical differential cryptanalysis [16,25]. If it can be shown that the round functions of a block cipher generate the alternating group on the message space, then for all corresponding Markov ciphers the chain of differences is irreducible and aperiodic, which means that after sufficiently many rounds of the cipher all differences become equally probable [12]. As the AES round functions generate the alternating group on the state space [32], after sufficiently many AES rounds all differences will roughly be equally probable with respect to the Markov cipher theory approach (see also [1, Section 3.2]). However, as shown in [20], a large group generated by the round functions of a cipher is not sufficient for the block cipher to be practically strong. This corresponds to our results found in this paper for the class of Rijndael-like SP networks (cf. Remark 2 and Theorems 3 and 4). Furthermore, as pointed out in [7], for a given set of round functions which generates a large permutation group on the message space, it might be possible to approximate this set by another set of round functions which generates only a small permutation group on the message space.

Our results show that the class of Rijndael-like ciphers whose round functions generate the alternating group on their message space is large and includes both the actual Rijndael and the block cipher used by the compression function of the WHIRLPOOL hash function [13]. This indicates that for Rijndael-like ciphers there is no trapdoor design based on the imprimitivity of the group action of its proper round functions which is difficult to detect.

The paper is organized as follows. In Section 2 we provide some notions and facts from the theory of permutation groups which are used in this paper. In Section 3 we prove some properties of groups generated by the round functions of a Rijndael-like SP network, which we call SP functions in this paper. Furthermore, we provide conditions for the substitution and the linear diffusion layer of SP functions such that the group generated by those functions is equal to the alternating group on the state space. In Section 4 we first define our model for a Rijndael-like block cipher, which is intended to have sufficient generality to comprise most ciphers being similar to the actual Rijndael. Then we derive conditions for Rijndael-like round functions such that the group generated by these functions is equal to the alternating group on the state space. In Section 5 we apply the results obtained in the preceding sections to the actual Rijndael block cipher [9] and show that the round functions of Rijndael for every block size of $32 \cdot n$ bits, $n \in \{4, 5, 6, 7, 8\}$, generate the alternating group on the set $\{0,1\}^{32n}$. Here we also study some consequences of this result for the security of Rijndael. In Section 6 we show that the round functions of the block cipher used by the compression function of the WHIRLPOOL hash function [13] generate the alternating group on the set $\{0,1\}^{512}$. Furthermore, we study the impact of this result on the security goals of WHIRLPOOL, like preimage resistance, second preimage resistance, and collision resistance. In Section 7 we conclude the paper.

2. Preliminaries

2.1. Notation

The finite field of cardinality $q$ is denoted by $\mathrm{GF}(q)$ and the set of all $m \times n$-matrices over $\mathrm{GF}(q)$ is denoted by $M_{m,n}(\mathrm{GF}(q))$, where we write $M_n(\mathrm{GF}(q))$ instead of $M_{n,n}(\mathrm{GF}(q))$. Elements of $\mathrm{GF}(q)^{mn}$ are identified with matrices $b \in M_{m,n}(\mathrm{GF}(q))$ via the mapping $\iota: \mathrm{GF}(q)^{mn} \to M_{m,n}(\mathrm{GF}(q))$, $a \mapsto b$, defined by $b_{ij} = a_{ni+j}$ for all $0 \le i < m$, $0 \le j < n$. For any $b \in M_{m,n}(\mathrm{GF}(q))$, we write $w_H(b)$ for the Hamming weight of $b$, which is defined as the number of non-zero entries of $b$. We write $(f \circ g)(x) = f(g(x))$ for compositions of functions $f, g$. The cardinality of a set $X$ is denoted by $|X|$.

2.2. Group theoretical background

In this section we present some background from the theory of permutation groups which is used in this paper. For any nonempty finite set $X$, the group of all bijective mappings of $X$ to itself is denoted by $S_X$ and is called the symmetric group on $X$. If $n > 0$ is a natural number and $X = \{1, \dots, n\}$, we write $S_n$ instead of $S_X$. Any subgroup of $S_X$ is called a permutation group on $X$. Let $\ell, n$ denote natural numbers such that $0 < \ell \le n$. A permutation group $G \le S_n$ is called $\ell$-transitive if, for any pair of $\ell$-tuples $(a_1, \dots, a_\ell)$ and $(b_1, \dots, b_\ell)$ with $a_i \ne a_j$, $b_i \ne b_j$ for $i \ne j$, there is a permutation $g \in G$ with $g(a_i) = b_i$ for $i = 1, \dots, \ell$. A 1-transitive permutation group is said to be transitive. If $G$ is a permutation group on a set $X$ and $a \in X$, the subgroup of all $g \in G$ such that $g(a) = a$ is denoted by $G_a$. For multiple transitivity the following proposition holds (cf.
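As an added, constructed example (not code from the paper or from its authors), the following Python script builds a toy 6-bit Rijndael-like SP network with two 3-bit subblocks and checks it for exactly the properties the abstract and introduction are about: whether every round function is an even permutation (so the group generated by the round functions lies inside the alternating group), whether that group acts primitively on the state space (the property whose failure [27] turns into an exploitable weakness), and whether it contains a 3-cycle, which for a primitive group yields the whole alternating group by Jordan's theorem. The 3-bit S-box, the 6x6 diffusion matrix over GF(2), the sizes, and all function names (`sp_round`, `round_functions`, `generators`, `minimal_block_size`, `is_primitive`, `find_three_cycle`, `contains_alternating`, `analyse`) are my own choices; Atkinson's minimal-block algorithm and Jordan's theorem are standard results and are not taken from this page.

```python
# Added, constructed example (not the paper's code): a toy 6-bit Rijndael-like SP network.
import random
from math import gcd

ELL, SUB = 6, 3                   # toy state width and subblock width in bits (assumed)
N = 1 << ELL                      # the message space {0,1}^6 has 64 points
SBOX = (0, 1, 3, 6, 7, 4, 5, 2)   # constructed 3-bit bijection, not Rijndael's S-box
# constructed invertible 6x6 GF(2) matrix; LIN_ROWS[i] = input bits XORed into output bit i
LIN_ROWS = (0b100000, 0b000011, 0b000110, 0b001100, 0b011000, 0b110000)

def sp_round(x, key):
    """One round: parallel S-boxes, linear diffusion layer, round-key XOR."""
    lo, hi = x & ((1 << SUB) - 1), x >> SUB
    y = (SBOX[hi] << SUB) | SBOX[lo]
    z = sum((bin(LIN_ROWS[i] & y).count("1") & 1) << i for i in range(ELL))
    return z ^ key

def round_functions():                # all round functions R_k as permutations of {0..N-1}
    return [tuple(sp_round(x, k) for x in range(N)) for k in range(N)]

def compose(p, q):                    # (p o q)(x) = p(q(x)), the paper's convention
    return tuple([p[i] for i in q])

def power(p, e):                      # p^e by repeated squaring
    r = tuple(range(len(p)))
    while e:
        r, p, e = (compose(r, p) if e & 1 else r), compose(p, p), e >> 1
    return r

def cycle_lengths(p):
    seen, out = [False] * len(p), []
    for i in range(len(p)):
        n = 0
        while not seen[i]:
            seen[i], i, n = True, p[i], n + 1
        if n: out.append(n)
    return out

def is_even(p):                       # even iff (points - cycles) is even
    return (len(p) - len(cycle_lengths(p))) % 2 == 0

def generators():
    """<R_k : all k> = <R_0, t_{e_i}>: R_k o R_0^{-1} is x -> x ^ k, a product of basis translations."""
    rf = round_functions()
    r0_inv = tuple(sorted(range(N), key=rf[0].__getitem__))   # inverse permutation of R_0
    return [rf[0]] + [compose(rf[1 << i], r0_inv) for i in range(ELL)]

def minimal_block_size(gens, n, a, b):
    """Smallest block of <gens> containing a and b (Atkinson); n means no proper block."""
    parent = list(range(n))
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    todo = [(a, b)]
    while todo:
        x, y = todo.pop()
        rx, ry = find(x), find(y)
        if rx != ry:                  # merge the classes and propagate under every generator
            parent[rx] = ry
            todo.extend((g[x], g[y]) for g in gens)
    return sum(1 for x in range(n) if find(x) == find(a))

def is_primitive(gens, n):            # transitive and without non-trivial blocks
    orbit, stack = {0}, [0]
    while stack:
        x = stack.pop()
        for g in gens:
            if g[x] not in orbit:
                orbit.add(g[x])
                stack.append(g[x])
    return len(orbit) == n and all(minimal_block_size(gens, n, 0, b) == n for b in range(1, n))

def find_three_cycle(gens, n, tries=400, seed=0):
    """Random walk in <gens>: one 3-cycle, no other length divisible by 3, power (order/3) is a 3-cycle."""
    rng, g = random.Random(seed), tuple(range(n))
    for _ in range(tries):
        g = compose(rng.choice(gens), g)
        ls = cycle_lengths(g)
        if ls.count(3) == 1 and all(l == 3 or l % 3 for l in ls):
            order = 1
            for l in ls:
                order = order * l // gcd(order, l)
            return power(g, order // 3)
    return None

def contains_alternating(gens, n):    # Jordan: primitive + a 3-cycle => contains A_n
    return is_primitive(gens, n) and find_three_cycle(gens, n) is not None

def analyse():
    rf, gens = round_functions(), generators()
    even = all(is_even(p) for p in rf)       # even generators put <R_k> inside A_N
    return {"all_round_functions_even": even, "primitive": is_primitive(gens, N),
            "generates_alternating_group": even and contains_alternating(gens, N)}

if __name__ == "__main__":
    print(analyse())
```

Running `python3 toy_sp.py` prints a dictionary with the three checks. Whatever the toy reports says nothing about Rijndael itself: with a $2^{128}$-point state space neither the orbit nor the block computations are feasible, which is why the paper derives the alternating-group property from conditions on the substitution and diffusion layers instead of computing it. The reduction to seven generators in `generators()` is what makes the toy cheap: since $R_k = t_k \circ R_0$ with $t_k$ the XOR-with-$k$ translation, the 64 round functions generate the same group as $R_0$ together with the six basis translations, and the same reduction applies to any Rijndael-like cipher in the paper's sense.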
