Technion - Computer Science Department - Technical Report CS0207 - 1981

DES-LIKE FUNCTIONS CAN GENERATE THE ALTERNATING GROUP

by S. Even* and O. Goldreich

Technical Report #207, May 1981

* The research was supported by the Fund for the Promotion of Research at the Technion.
ABSTRACT

A set of transformations on binary vectors of length n is defined. These transformations are similar to those of the DES and therefore are called DES-functions. It is proved that the group of permutations generated by DES-functions is exactly the Alternating Group of the set of binary n-vectors.
Introduction

In the design of block ciphers*, it is considered a virtue if the encipherment can perform all the $(2^n)!$ permutations on the n-vectors. However, this is an impractical target, since such a system would require a key of length $\log_2 (2^n)! \approx n \cdot 2^n$. Thus, one is inclined to weaken the requirement and seek a cryptosystem in which one can perform every permutation by repeated encipherments. Coppersmith and Grossman [1] defined k-functions and explored the group of all permutations generated by them. It was mentioned that such functions are similar to some block ciphers and thus the use of such functions in cryptography should be studied. The DES is a well-known and used [2] block cipher. We define DES-functions, which operate on blocks of a restricted, constant length and are similar to the structure used in the DES. We show that such functions can generate the Alternating Group and thus have the same strength as k-functions.

* Ciphers in which the messages and the cryptograms are binary vectors of a fixed length n are called block ciphers.

Definitions

(1) $V_n$ is the vector space of dimension n over GF(2).

(2) $S_X$ is the group of all permutations on a set X, and is called the Symmetric Group of X.

(3) $A_X$ is the group of all even permutations on a set X, called the Alternating Group of X. A permutation is called even iff it can be expressed by an even number of transpositions (i.e. cycles of length two).
(4) Let $1 \le k < n$. Define a k-function on $V_n$ to be a transformation on $V_n$ determined by a subset $\{i_j\}_{j=1}^{k+1} \subseteq \{1, \ldots, n\}$ of k+1 distinct indices and a function $f: V_k \to V_1$ as follows:

$$(a_1, \ldots, a_{i_{k+1}}, \ldots, a_n)\,\sigma = (a_1, \ldots, a_{i_{k+1}} \oplus f(a_{i_1}, \ldots, a_{i_k}), \ldots, a_n),$$

where the symbol $\oplus$ denotes addition modulo 2. Notice that for any k-function $\sigma$, $\sigma^2 = $ identity, proving that $\sigma$ is a permutation on $V_n$. We denote by $G_{k,n}$ the subgroup of $S_{V_n}$ generated by the k-functions.

(5) By a DES-function on $V_{2n}$ we mean a transformation on $V_{2n}$ determined by a function $f: V_n \to V_n$ as follows:

$$(x, y)\,\sigma_f = (y,\ x \oplus f(y)),$$

where $x, y \in V_n$ and the symbol $\oplus$ denotes bit-by-bit addition modulo 2. (Throughout, a permutation is written to the right of its argument, so in a product $\sigma\tau$ the permutation $\sigma$ is applied first.) Notice that we can write $\sigma_f = \alpha_f \theta$, where $(x, y)\,\theta = (y, x)$ and $(x, y)\,\alpha_f = (x \oplus f(y),\ y)$. Also, $\theta^2$ and $\alpha_f^2$ are the identity transformation and therefore both are permutations. Thus, all DES-functions are permutations. Since $\sigma_f = \alpha_f \theta$ and $\theta = \sigma_{f_0}$, where $f_0(z) = 0^n$ for all z, it follows that the group of permutations generated by $\theta$ and the set of all $\alpha_f$'s is identical with the group of permutations generated by the DES-functions, denoted $D_{2n}$.
Theorem 1: For any $n > 1$, $D_{2n} = A_{V_{2n}}$.

Proof: The proof will be based on a theorem of Coppersmith and Grossman [1] (hereafter referred to as the CG-Theorem) stating that:

(i) If $n \ge 4$ and $2 \le k \le n-2$, then $G_{k,n} = A_{V_n}$.

(ii) For any $n > 1$, $G_{n-1,n} = S_{V_n}$.

(iii) For any $n > 1$, $G_{1,n}$ is a group of affine transformations on $V_n$.

(Fact (ii) can be proved directly.)

Lemma 1: For any $n > 1$, $D_{2n} \subseteq A_{V_{2n}}$.

Lemma 2: For every $n > 1$, $D_{2n} \supseteq G_{2,2n}$.

Since $n > 1$ gives $2n \ge 4$ and $2 \le 2n - 2$, CG-Theorem (i) implies that $G_{2,2n} = A_{V_{2n}}$. Thus

$$A_{V_{2n}} \supseteq D_{2n} \supseteq G_{2,2n} = A_{V_{2n}}.$$

Q.E.D.
Remark: Theorem 1 can be strengthened to yield the same result for DES-functions determined by functions whose value depends on only two entries out of the n entries of the vector. To make this statement precise we shall define a 2-restricted DES-function on $V_{2n}$ to be a DES-function $\sigma_f$ on $V_{2n}$ determined by a function $f: V_n \to V_n$ such that

$$f(z) = 0^{i-1}\, g(z_{j_1}, z_{j_2})\, 0^{n-i}, \qquad g: V_2 \to V_1 .$$

By considering the details of the proof of Theorem 1, we notice that the proof is actually valid when we restrict the DES-functions to be 2-restricted DES-functions.
Proof of Lemma 1: By definition (5) and the discussion following it, it is sufficient to show that $\alpha_f$ and $\theta$ are even permutations.

Sublemma 1.1: For any $n > 1$, $\theta$ is an even permutation.

Proof: $\theta$ exchanges, in pairs, a vector $(x, y)$ with the vector $(y, x)$ if $x \ne y$, and leaves the $2^n$ vectors with $x = y$ fixed; therefore it can be expressed by

$$\tfrac{1}{2}\,(2^{2n} - 2^n) = 2^{n-1}\,(2^n - 1)$$

transpositions. Since $n > 1$, this number is even. Thus $\theta$ is even.

Sublemma 1.2: If $n > 1$, then for every $f: V_n \to V_n$, $\alpha_f$ is an even permutation.

Proof: Let $\bar 0$ denote the all-zero vector and $\#(f, a) = |\{z : f(z) = a\}|$. If $\#(f, \bar 0) = 2^n$ then $\alpha_f$ is the identity permutation, which is an even permutation. Otherwise $\alpha_f$ exchanges, in pairs, the vector $(x, y)$ with the vector $(x \oplus f(y),\ y)$, where $f(y) \ne \bar 0$, and therefore can be expressed by

$$\tfrac{1}{2}\,(2^n - \#(f, \bar 0)) \cdot 2^n = 2^{n-1}\,(2^n - \#(f, \bar 0))$$

transpositions. Since $n > 1$, this number is even.

Combining the sublemmas, we see that every permutation in $D_{2n}$ can be expressed by an even number of transpositions, hence $D_{2n} \subseteq A_{V_{2n}}$. Q.E.D.
Proof of Lemma 2: We will show that every 2-function can be expressed by a sequence of DES-functions.

Denotation: Let $\alpha_{i,j}$ denote the permutation on $V_{2n}$ that exchanges, in pairs, the vector $(a_1, \ldots, a_{i-1}, a_i, a_{i+1}, \ldots, a_{j-1}, a_j, a_{j+1}, \ldots, a_{2n})$ with the vector $(a_1, \ldots, a_{i-1}, a_j, a_{i+1}, \ldots, a_{j-1}, a_i, a_{j+1}, \ldots, a_{2n})$; that is, $\alpha_{i,j}$ swaps the i-th and the j-th coordinates.

Sublemma 2.1: For any $1 \le i \le n$ and $n < j \le 2n$, $\alpha_{i,j}$ can be expressed as a sequential application of DES-functions.

Proof: Express $\alpha_{i,j}$ as

$$\alpha_{i,j} = \sigma_{f_1^{(i)}}\; \sigma_{f_2^{(i)}}\; \sigma_{f_1^{(i)}}\; \sigma_{f_0},$$

where

$$f_1^{(i)}(z) = 0^{i-1}\, z_{j-n}\, 0^{n-i}, \qquad f_2^{(i)}(z) = 0^{(j-n)-1}\, z_i\, 0^{n-(j-n)}, \qquad f_0(z) = 0^n .$$

(The first three rounds perform the three additions $a_i \leftarrow a_i \oplus a_j$, $a_j \leftarrow a_j \oplus a_i$, $a_i \leftarrow a_i \oplus a_j$, which exchange $a_i$ and $a_j$; each round also swaps the two halves, and the final $\sigma_{f_0} = \theta$ cancels the odd number of half-swaps.)

With no loss of generality we consider only three cases in the proof of Lemma 2.

Denotation: Let $C[f : \{j_1, j_2\} \to i]$ denote the 2-function on $V_{2n}$ determined by the Boolean function f and the integers $j_1, j_2, i$ as follows:

$$(a_1, \ldots, a_i, \ldots, a_{2n})\; C[f : \{j_1, j_2\} \to i] = (a_1, \ldots, a_i \oplus f(a_{j_1}, a_{j_2}), \ldots, a_{2n}).$$

Case 1: $i \le n$, $j_1, j_2 > n$. Express $C[f : \{j_1, j_2\} \to i]$ by the sequence $\sigma_{f'}\, \sigma_{f_0}$ (this is $\alpha_{f'} = \sigma_{f'}\theta$), where

$$f'(z) = 0^{i-1}\, f(z_{j_1 - n}, z_{j_2 - n})\, 0^{n-i} \qquad\text{and}\qquad f_0(z) = 0^n .$$

Case 2: $i, j_1 \le n$, $j_2 > n$. Express $C[f : \{j_1, j_2\} \to i]$ by the sequence

$$\alpha_{j_1, t}\; C[f : \{t, j_2\} \to i]\; \alpha_{j_1, t},$$

where t is chosen to be some integer such that $t \ne j_2$ and $n < t \le 2n$. According to Sublemma 2.1 and Case 1, this sequence can be expressed by DES-functions.

Case 3: $i, j_1, j_2 \le n$ (the remaining case). Express $C[f : \{j_1, j_2\} \to i]$ by the sequence

$$\alpha_{j_1, t_1}\; \alpha_{j_2, t_2}\; C[f : \{t_1, t_2\} \to i]\; \alpha_{j_2, t_2}\; \alpha_{j_1, t_1},$$

where $t_1 \ne t_2$ are integers with $n < t_1, t_2 \le 2n$ (two such integers exist since $n > 1$). Again, according to Sublemma 2.1 and Case 1, this sequence can be expressed by DES-functions. Q.E.D.
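As an added worked example (not part of the original report), the Python script below makes Lemmas 1 and 2 concrete for small n: it represents $\theta$, $\alpha_f$ and $\sigma_f$ as explicit permutations of $V_{2n}$, computes their parity, checks that the four-round sequence of Sublemma 2.1 really is the coordinate swap $\alpha_{i,j}$, and checks the three case reductions of Lemma 2 against a directly computed 2-function. It also exhibits the n = 1 edge case excluded by the lemmas, where $\theta$ and some $\alpha_f$ are odd permutations. The function names are the script's own, and the sample Boolean function g(a, b) = a AND NOT b is chosen here only because it is neither symmetric nor affine.

```python
from itertools import product

# Vectors of V_k are bit tuples; a 2n-vector (x, y) is the concatenation x + y.
# Permutations are dicts acting on the right, as in the report: (v)(p q) = ((v)p)q.

def vectors(k):
    return list(product((0, 1), repeat=k))

def xor(u, v):
    return tuple(a ^ b for a, b in zip(u, v))

def unit(n, i, bit):
    """The n-vector 0^{i-1} bit 0^{n-i}; positions are 1-based as in the report."""
    return tuple(bit if k == i - 1 else 0 for k in range(n))

def compose(*perms):
    """Left-to-right product of permutations given as dicts."""
    out = {}
    for v in perms[0]:
        w = v
        for p in perms:
            w = p[w]
        out[v] = w
    return out

def parity(perm):
    """0 if perm is even, 1 if odd: a cycle of length L costs L - 1 transpositions."""
    seen, transpositions = set(), 0
    for start in perm:
        if start not in seen:
            cur, length = start, 0
            while cur not in seen:
                seen.add(cur)
                cur, length = perm[cur], length + 1
            transpositions += length - 1
    return transpositions % 2

def sigma(f, n):   # DES-function: (x, y) -> (y, x xor f(y))
    return {x + y: y + xor(x, f(y)) for x in vectors(n) for y in vectors(n)}

def alpha(f, n):   # alpha_f: (x, y) -> (x xor f(y), y)
    return {x + y: xor(x, f(y)) + y for x in vectors(n) for y in vectors(n)}

def theta(n):      # theta: (x, y) -> (y, x), i.e. sigma_{f_0} with f_0 = 0^n
    return {x + y: y + x for x in vectors(n) for y in vectors(n)}

def swap_perm(n, i, j):
    """alpha_{i,j} computed directly: exchange coordinates i and j of a 2n-vector."""
    def sw(v):
        v = list(v)
        v[i - 1], v[j - 1] = v[j - 1], v[i - 1]
        return tuple(v)
    return {v: sw(v) for v in vectors(2 * n)}

def swap_by_des(n, i, j):
    """Sublemma 2.1: alpha_{i,j} = sigma_{f1} sigma_{f2} sigma_{f1} sigma_{f0}, for i <= n < j."""
    f1 = lambda z: unit(n, i, z[j - n - 1])    # 0^{i-1} z_{j-n} 0^{n-i}
    f2 = lambda z: unit(n, j - n, z[i - 1])    # 0^{j-n-1} z_i 0^{n-(j-n)}
    f0 = lambda z: (0,) * n
    return compose(sigma(f1, n), sigma(f2, n), sigma(f1, n), sigma(f0, n))

def two_function(n, g, j1, j2, i):
    """C[g:{j1,j2}->i] computed directly: a_i <- a_i xor g(a_{j1}, a_{j2})."""
    def step(v):
        v = list(v)
        v[i - 1] ^= g(v[j1 - 1], v[j2 - 1])
        return tuple(v)
    return {v: step(v) for v in vectors(2 * n)}

def two_function_by_des(n, g, j1, j2, i):
    """The same 2-function built only from DES-functions, following Cases 1-3 of Lemma 2 (i <= n)."""
    assert i <= n and len({i, j1, j2}) == 3
    if j1 > n and j2 > n:                      # Case 1: alpha_{f'} = sigma_{f'} theta
        fp = lambda z: unit(n, i, g(z[j1 - n - 1], z[j2 - n - 1]))
        return compose(sigma(fp, n), sigma(lambda z: (0,) * n, n))
    if j2 <= n < j1:                           # Case 2 with the roles of j1, j2 exchanged
        return two_function_by_des(n, lambda a, b: g(b, a), j2, j1, i)
    if j1 <= n < j2:                           # Case 2: conjugate Case 1 by the swap alpha_{j1,t}
        t = next(t for t in range(n + 1, 2 * n + 1) if t != j2)
        s = swap_by_des(n, j1, t)
        return compose(s, two_function_by_des(n, g, t, j2, i), s)
    t1, t2 = n + 1, n + 2                      # Case 3: both inputs in the left half; needs n > 1
    s1, s2 = swap_by_des(n, j1, t1), swap_by_des(n, j2, t2)
    return compose(s1, s2, two_function_by_des(n, g, t1, t2, i), s2, s1)

def theta_is_even(n):
    return parity(theta(n)) == 0

def alpha_is_even(n, f):
    return parity(alpha(f, n)) == 0

def sublemma_2_1_holds(n):
    return all(swap_by_des(n, i, j) == swap_perm(n, i, j)
               for i in range(1, n + 1) for j in range(n + 1, 2 * n + 1))

def lemma_2_cases_hold(n):
    g = lambda a, b: a & (b ^ 1)               # sample g: neither symmetric nor affine
    return all(two_function_by_des(n, g, j1, j2, i) == two_function(n, g, j1, j2, i)
               for i in range(1, n + 1) for j1 in range(1, 2 * n + 1)
               for j2 in range(1, 2 * n + 1) if len({i, j1, j2}) == 3)

if __name__ == "__main__":
    for n in (1, 2, 3):   # n = 1 is the odd case the lemmas exclude
        print(n, theta_is_even(n), alpha_is_even(n, lambda z: z), sublemma_2_1_holds(n))
    print(lemma_2_cases_hold(2), lemma_2_cases_hold(3))
```

The group $D_{2n}$ itself is deliberately not enumerated: already for n = 2 it has $16!/2$ elements, which is exactly why the report argues through generators and parity rather than by exhaustion. Note that the swap of Sublemma 2.1 also works for n = 1, whereas the parity claims of Lemma 1 fail there.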
We now generalize Theorem 1 to a partition of the vector into m parts which can be permuted and operated on only in a restricted manner.

Definition: A Generalized Block Processor of m blocks of length n each (denoted GBP(n,m)) is the permutation group on $V_{m \cdot n}$ generated by the set

$$\{\sigma_f^{n,m} : f \text{ is a } V_n \to V_n \text{ function}\} \cup \{\theta_p^{n,m} : p \text{ is a permutation of } \{1, 2, \ldots, m\}\},$$

where

$$(x_1, x_2, \ldots, x_m)\, \sigma_f^{n,m} = (x_1 \oplus f(x_2),\ x_2, \ldots, x_m), \qquad (x_1, x_2, \ldots, x_m)\, \theta_p^{n,m} = (x_{p(1)}, x_{p(2)}, \ldots, x_{p(m)}),$$

$x = (x_1, x_2, \ldots, x_m)$ and $x_i \in V_n$. Notice that GBP(n,2) = $D_{2n}$.
Definition: Let A be an N × N non-singular matrix and B be a vector of length N. We define the affine transformation of A and B to be the transformation $\Lambda_{A,B}$ on $V_N$ determined by

$$x\, \Lambda_{A,B} = Ax + B,$$

where the arithmetic is in the field GF(2). Note that every affine transformation is a permutation.

Theorem 2:

(i) For any $n > 1$ and $m \ge 2$, GBP(n,m) = $A_{V_{n \cdot m}}$.

(ii) For any $m > 2$, GBP(1,m) is the group of affine transformations on $V_m$.

Proof:

(i) Clearly, Lemma 1 can be extended to yield GBP(n,m) $\subseteq A_{V_{n \cdot m}}$. In the proof of the extension of Lemma 2 additional cases may occur. Without loss of generality we will consider the case $i \le n$, $n < j_1 \le 2n$, $2n < j_2 \le 3n$. Here $\alpha_{t, j_2}$ (a swap between the second and the third block, obtained from Sublemma 2.1 by conjugating with a suitable $\theta_p^{n,m}$) can be applied to reduce this case to Case 1 of the proof of Lemma 2, where t is chosen such that $t \ne j_1$ and $n < t \le 2n$.

(ii) Clearly, all $\sigma_f^{1,m}$ and all $\theta_p^{1,m}$ are affine transformations. To show that every affine transformation can be expressed by GBP(1,m) we express the matrix A of the transformation as a product of elementary matrices. Given an affine transformation $\Lambda_{A,B}$ we can express it by the following sequence of affine transformations:

$$\Lambda_{A_1, \bar 0}\; \Lambda_{A_2, \bar 0} \cdots \Lambda_{A_q, \bar 0}\; \Lambda_{I, B_1}\; \Lambda_{I, B_2} \cdots \Lambda_{I, B_r},$$

where each $A_i$ is an elementary matrix, each $B_j$ is a vector with one non-zero component, $\bar 0$ is the all-zero vector, I is the identity matrix, $A = A_q \cdot A_{q-1} \cdots A_1$ and $B = B_1 + B_2 + \cdots + B_r$. It is easy to see that each of the transformations in the sequence can be expressed by permutations in GBP(1,m). Q.E.D.

Note that the type of generalization made in the Remark following Theorem 1 can be made here too. It can be shown that every affine transformation on $V_m$, where $m > 2$, is an even permutation on $V_m$. Thus, (ii) implies that GBP(1,m) $\subset A_{V_m}$ for $m > 2$. This inclusion is proper.
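Theorem 2(ii) and the closing remark can be checked by exhaustion for m = 2 and m = 3. The Python script below is an added example, not part of the original report: it generates GBP(1,m) from the $\sigma_f^{1,m}$ and $\theta_p^{1,m}$ by closure under composition, enumerates the affine group of $V_m$ directly from its definition, and compares orders and parities. The function names are the script's own.

```python
import math
from itertools import product, permutations

# Points of V_m are bit tuples listed by vecs(); a permutation of V_m is a tuple p
# with p[k] = index of the image of the k-th vector.

def vecs(m):
    return list(product((0, 1), repeat=m))

def perm_from_map(m, fn):
    V = vecs(m)
    idx = {v: k for k, v in enumerate(V)}
    return tuple(idx[fn(v)] for v in V)

def gbp1_generators(m):
    """sigma_f^{1,m} for all four V_1 -> V_1 functions f, and theta_p^{1,m} for all p."""
    gens = []
    for f in (lambda b: 0, lambda b: 1, lambda b: b, lambda b: 1 - b):
        gens.append(perm_from_map(m, lambda v, f=f: (v[0] ^ f(v[1]),) + v[1:]))
    for p in permutations(range(m)):
        gens.append(perm_from_map(m, lambda v, p=p: tuple(v[p[k]] for k in range(m))))
    return gens

def closure(gens):
    """Group generated by gens: breadth-first closure under right-multiplication by generators."""
    size = len(gens[0])
    ident = tuple(range(size))
    group, frontier = {ident}, [ident]
    while frontier:
        new = []
        for g in frontier:
            for h in gens:
                gh = tuple(h[g[k]] for k in range(size))   # apply g, then h
                if gh not in group:
                    group.add(gh)
                    new.append(gh)
        frontier = new
    return group

def is_even(p):
    seen, transpositions = set(), 0
    for s in range(len(p)):
        if s not in seen:
            c, length = s, 0
            while c not in seen:
                seen.add(c)
                c, length = p[c], length + 1
            transpositions += length - 1
    return transpositions % 2 == 0

def affine_group(m):
    """All x -> Ax + B over GF(2) with A non-singular, as permutations of V_m."""
    V = vecs(m)
    idx = {v: k for k, v in enumerate(V)}
    out = set()
    for rows in product(V, repeat=m):                       # rows of a candidate matrix A
        Ax = [tuple(sum(r[k] & x[k] for k in range(m)) & 1 for r in rows) for x in V]
        if len(set(Ax)) < len(V):                           # singular A: not a permutation
            continue
        for B in V:
            out.add(tuple(idx[tuple(a ^ b for a, b in zip(y, B))] for y in Ax))
    return out

def summarize(m):
    """Compare GBP(1,m) with the affine group of V_m and with the alternating group of V_m."""
    G = closure(gbp1_generators(m))
    return {
        "order": len(G),
        "equals_affine": G == affine_group(m),
        "all_even": all(is_even(p) for p in G),
        "alternating_order": math.factorial(2 ** m) // 2,
    }

if __name__ == "__main__":
    for m in (2, 3):
        print(m, summarize(m))
```

For m = 2, GBP(1,2) = $D_2$ has 24 elements, i.e. all of $S_{V_2}$, and contains odd permutations; this is the case that Lemma 1 (n > 1) and the remark above (m > 2) exclude. For m = 3 the closure has 1344 = $2^3 \cdot |GL(3,2)|$ elements, coincides with the affine group, consists of even permutations only, and is a proper subgroup of $A_{V_3}$, which has 20160 elements.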
REFERENCES

[1] Coppersmith, D., and Grossman, E., "Generators for Certain Alternating Groups with Applications to Cryptography", SIAM J. Appl. Math., Vol. 29, No. 4, December 1975, pp. 624-627.

[2] Data Encryption Standard, National Bureau of Standards, Federal Information Processing Standard Publication No. 46, January 1977.