A note on an infeasible linearization of some block ciphers
arXiv preprint [math.GR]
Riccardo Aragona, Anna Rimoldi, and Massimiliano Sala
Department of Mathematics, University of Trento, Italy
Abstract
A block cipher can be easily broken if its encryption functions can be seen as linear maps on a small vector space. Even more so if its round functions can be seen as linear maps on a small vector space. We show that this cannot happen for the AES. More precisely, we prove that if the AES round transformations can be embedded into a linear cipher acting on a vector space, then this space is huge-dimensional and so this embedding is infeasible in practice. We present two elementary proofs.
Keywords:
AES, block cipher, group theory.
1 Introduction

The Advanced Encryption Standard (AES) [10] is nowadays the most widespread block cipher in commercial applications. It represents the state of the art in block cipher design, and the only known attack on its full version is the biclique attack [4], which still requires an amount of cryptanalytic effort only slightly less than brute-force key search. Practical attacks on reduced versions of the AES only tackle up to 6 rounds, with the Partial Sum attack being the most dangerous [8, 1]. The best that a designer can hope for a block cipher is that all its encryption functions behave in an unpredictable way (close to random); in particular, the designer aims at a cipher behaviour totally different from linear or affine maps.

An indication of the cryptographic strength of the AES is that nobody has been able to show that its encryption functions are any closer to linear maps than arbitrary random functions. However, it might be possible to extend the AES to act on larger spaces, in such a way that the possible non-random behaviour of the AES becomes easier to spot. Generally speaking, the worst scenario for a designer consists of a space large enough to make the AES linear but small enough to allow practical computations.

In this note we prove in two elementary ways, respectively using counting arguments (Section 3) and number-theoretic arguments (Section 4), that the round functions of the AES cipher cannot be embedded into a linear group acting on a vector space $W$, unless the dimension of $W$ is huge, making this embedding useless in practice. Both proofs show that the smallest degree of a (faithful) representation of the group generated by the round functions of the AES, that is $\mathrm{Alt}((\mathbb{F}_2)^{128})$ [12], is at least $2^{67}$.
Since computing a $2^{67} \times 2^{67}$ matrix is infeasible in practice, our result shows that this attack cannot be mounted in practice.

In 1976 Wagner [14] studied the (faithful) linear representations of $\mathrm{Alt}((\mathbb{F}_2)^{128})$ and was already able to determine their minimal degree exactly, a value of the order of $2^{128}$ and thus far larger than our bound. Therefore, we do not claim any new algebraic result in this note. The interest of our note lies in three facts. First, we provide elementary proofs of our degree estimate, not requiring a deep algebraic background, while Wagner's proof follows an involved argument relying on representation theory. Second, we show the link between a purely group-theoretic result and a possible practical application in cryptanalysis, thus providing more assurance in the cipher itself (since the attack cannot be practically mounted). Third, our two proofs are based on utterly different arguments, one counting the number of group elements and the other estimating the maximal element order, but they lead to the same numerical estimate, which we find unexpected and worth noting.

This note is part of the PhD thesis of the second author [11], which was never before published in a peer-reviewed journal.

2 Preliminaries

Let $n \ge 1$ and let $F = \mathbb{F}_2$ be the field with two elements. Let $V = F^n$ be the vector space over $F$ of dimension $n$. We denote by $\mathrm{Sym}(V)$ and $\mathrm{Alt}(V)$, respectively, the symmetric and the alternating group on $V$. We denote by $\mathrm{GL}(V)$ the group of all linear permutations of $V$.

Let $C$ be any block cipher such that the plaintext space $M$ coincides with the ciphertext space. Let $K$ be the key space. Any key $k \in K$ induces a permutation $\tau_k$ on $M$. Since $M$ is usually $V = F^n$ for some $n \in \mathbb{N}$, we can view $\tau_k$ as an element of $\mathrm{Sym}(V)$. We denote by $\Gamma = \Gamma(C)$ the subgroup of $\mathrm{Sym}(V)$ generated by all the $\tau_k$'s. Unfortunately, the knowledge of $\Gamma(C)$ is out of reach for the most important block ciphers, such as the AES [10] and the DES [9]. However, researchers have been able to compute another related group.
Suppose that $C$ is the composition of $l$ rounds (the division into rounds is provided in the document describing the cipher). Then any key $k$ induces $l$ permutations $\tau_{k,1}, \dots, \tau_{k,l}$, whose composition is $\tau_k$. For any round $h$, we can consider $\Gamma_h(C)$ as the subgroup of $\mathrm{Sym}(V)$ generated by the $\tau_{k,h}$'s (with $k$ varying in $K$). We can thus define the group $\Gamma_\infty = \Gamma_\infty(C)$ as the subgroup of $\mathrm{Sym}(V)$ generated by all the $\Gamma_h$'s. Obviously, $\Gamma \le \Gamma_\infty$. The group $\Gamma_\infty$ is traditionally called the group generated by the round functions with independent sub-keys. This group is known for some important ciphers; for the AES we have

Proposition 1 ([12]). $\Gamma_\infty(\mathrm{AES}) = \mathrm{Alt}(\mathbb{F}_2^{128})$.

Remark 1.
The fact that $\Gamma_\infty$ is the alternating group is not an exception holding only for the AES. Indeed, any block cipher built by choosing its components (S-boxes and linear mixing layer) accurately will have $\Gamma_\infty$ equal to either the alternating group or the symmetric group, even if the cipher is defined over an arbitrary finite field (see [5, 2]).

Given a finite group $G$, we say that $G$ can be linearized if there is an injective morphism $\pi : G \to \mathrm{GL}(W)$, for some vector space $W$ (this is called a "faithful representation" in representation theory). If $G$ can be linearized, then, for any element $g \in G$, an attacker can compute a matrix $M_g$ corresponding to the action of $g$ on $W$ (via $\pi$). If the dimension of $W$ is sufficiently small, the matrix computation is straightforward, since it is enough to evaluate $g$ on a basis of $W$. In cryptanalysis this would be called a chosen-plaintext attack, and it can easily be translated into a known-plaintext attack by collecting enough random plaintext-ciphertext pairs.

In this note we show that it is impossible to view $\Gamma_\infty(\mathrm{AES})$ as a subgroup of $\mathrm{GL}(W)$ with $W$ of small dimension. In cryptography it is customary to present estimates as powers of two, so our problem becomes to find the smallest $m$ such that $\Gamma_\infty(\mathrm{AES})$ can be linearized in $\mathrm{GL}(\mathbb{F}_2^m)$. There are two elementary ways to show that a finite group $H$ cannot be contained (as an isomorphic image) in a finite group $G$. The first is to show that $|H| > |G|$; the second is to show that there is $\eta \in H$ whose order is strictly larger than the maximum element order in $G$. In Section 3 we present our result using the first approach and we show that $m \ge 2^{67}$. In Section 4 we present our result using the second approach and we show again that $m \ge 2^{67}$.

3 Counting the number of group elements

In this section we show that the order of $\mathrm{Alt}(\mathbb{F}_2^{128})$ is strictly larger than the order of $\mathrm{GL}(\mathbb{F}_2^m)$ whenever $m < 2^{67}$, so that if $\mathrm{Alt}(\mathbb{F}_2^{128}) < \mathrm{GL}(\mathbb{F}_2^m)$ then $m \ge 2^{67}$. Recall that, for $V = \mathbb{F}_2^n$,
$$|\mathrm{Sym}(V)| = (2^n)!, \qquad |\mathrm{Alt}(V)| = \frac{(2^n)!}{2}, \qquad |\mathrm{GL}(V)| = \prod_{h=0}^{n-1} (2^n - 2^h) < 2^{n^2}.$$
We begin with showing a lemma.
Lemma 1.
The following inequality holds:
$$\big(2^{2^{128}}\big)^{2^6} < (2^{128})! < \big(2^{2^{128}}\big)^{2^7}.$$
Proof.
Let $n = 2^7$; we have to show $2^{n 2^{n-1}} < (2^n)! < 2^{n 2^n}$.

We first show that $2^{n 2^{n-1}} < (2^n)!$. Note that the inequality
$$2^{n-i+1} - h \;\ge\; 2^{n-i} \qquad (1)$$
holds for $1 \le i \le n-1$ and $1 \le h \le 2^{n-i}$. Clearly
$$(2^n)! > 2^{n 2^{n-1}} \iff 2^n \,(2^n - 1)! > 2^n \cdot 2^{n 2^{n-1} - n} \iff (2^n - 1)\,(2^n - 2)! > 2^{n 2^{n-1} - n}.$$
We apply (1) with $i = 1$ and $h = 1$, so that $2^n - 1 \ge 2^{n-1}$, and it is enough to prove $2^{n-1}(2^n - 2)! > 2^{n 2^{n-1} - n}$, i.e.
$$(2^n - 2)! > 2^{n 2^{n-1} - n - (n-1)}. \qquad (2)$$
In a similar way, for $i = 1$ and $h = 2$, from (2) it is enough to prove $(2^n - 3)! > 2^{n 2^{n-1} - n - 2(n-1)}$, and so on for all $3 \le h \le 2^{n-1}$, so that it is enough to verify
$$(2^n - 2^{n-1} - 1)! > 2^{n 2^{n-1} - n - 2^{n-1}(n-1)}.$$
Then we proceed by applying (1) for all $2 \le i \le n-1$ and $1 \le h \le 2^{n-i}$, so that we need only to prove
$$\Big(2^n - \sum_{i=1}^{n-1} 2^{n-i} - 1\Big)! \;=\; 1 \;\ge\; 2^{\,n 2^{n-1} - n - \sum_{i=1}^{n-1} 2^{n-i}(n-i)}.$$
In other words, we have to prove $1 > 2^{\,n 2^{n-1} - n - \sum_{i=1}^{n-1} 2^{n-i}(n-i)}$, that is,
$$0 > n 2^{n-1} - n - \sum_{i=1}^{n-1} 2^{n-i}(n-i). \qquad (3)$$
A direct check shows that (3) holds when $n = 2^7$.

We are left with proving $(2^n)! < 2^{n 2^n}$. We proceed by induction on $n$ for $2 \le n \le 2^7$. In this range a direct computation (or simply the remark that it reduces to $(2n+1)2^n < (2n+2)2^n$) shows that
$$n 2^n + (n+1) 2^n < (n+1) 2^{n+1}. \qquad (4)$$
When $n = 2$, we have $(2^2)! = 24 < 2^{8}$. Suppose that $(2^n)! < 2^{n 2^n}$ and $n < 2^7$. We have to prove that $(2^{n+1})! < 2^{(n+1) 2^{n+1}}$. Since $(2^{n+1})! = (2^n)! \,(2^n + 1) \cdots (2^n + 2^n)$ and since $2^n + j \le 2^{n+1}$ for all $1 \le j \le 2^n$, we have
$$(2^n)! \,(2^n + 1) \cdots (2^n + 2^n) < 2^{n 2^n} \cdot (2^n + 1) \cdots (2^n + 2^n) \le 2^{n 2^n} \cdot \big(2^{n+1}\big)^{2^n} = 2^{n 2^n + (n+1) 2^n},$$
and, applying (4), we get $2^{n 2^n + (n+1) 2^n} < 2^{(n+1) 2^{n+1}}$. Then the claimed inequality $(2^{n+1})! < 2^{(n+1) 2^{n+1}}$ follows.

Our result is contained in the following proposition.
Let $W = \mathbb{F}_2^m$ with $m \ge 1$. If $G < \mathrm{GL}(W)$, with $G$ isomorphic to $\mathrm{Alt}(\mathbb{F}_2^{128})$, then $m \ge 2^{67}$.
Proof. If $G < \mathrm{GL}(W)$, then $|G| \le |\mathrm{GL}(W)|$. But $|\mathrm{Sym}(\mathbb{F}_2^{128})| = (2^{128})! > 2^{2^{134}}$ thanks to Lemma 1, and so
$$|G| = |\mathrm{Alt}(\mathbb{F}_2^{128})| = \frac{(2^{128})!}{2} > 2^{2^{134} - 1} > 2^{2^{134} - 2^{68} + 1} = 2^{(2^{67} - 1)^2} > \big|\mathrm{GL}\big(\mathbb{F}_2^{2^{67} - 1}\big)\big|.$$
Since $|\mathrm{GL}(\mathbb{F}_2^m)|$ increases with $m$, this forces $m \ge 2^{67}$.

Remark 2.
We could slightly improve the previous bound by using the finite version of Stirling's formula
$$n \log_2(n) - n \log_2(e) \;\le\; \log_2(n!) \;\le\; n \log_2(n) - n \log_2(e) + \log_2(n),$$
or equivalently
$$\Big(\frac{n}{e}\Big)^n \le n! \le n \Big(\frac{n}{e}\Big)^n. \qquad (5)$$
However, our proof involves only elementary combinatorial arguments, which are not enough to prove (5), since the latter requires some non-algebraic tools, such as mathematical analysis.

4 Computing the maximum order of elements
In this section we compare the maximum order of elements in the two groups $\mathrm{Alt}(\mathbb{F}_2^{128})$ and $\mathrm{GL}(\mathbb{F}_2^m)$. We use permutations of even order. We denote by $o(\sigma)$ the order of any permutation $\sigma$. We need the following two theorems.

Theorem 1 ([6]). Let $\sigma \in \mathrm{GL}(\mathbb{F}_2^N)$, with $o(\sigma)$ even and $N$ in the range of Theorem 1 of [6]. Then
$$o(\sigma) \le 2\,(2^{N-2} - 1) = 2^{N-1} - 2.$$
Moreover, there is $\sigma \in \mathrm{GL}(\mathbb{F}_2^N)$ whose order attains the upper bound.
Proof. It follows directly from Theorem 1 in [6], with $p = q = 2$.

Theorem 2 (Theorem 5.1.A at p. 145 in [7]). Let $\nu \ge 7$ and $n = 2^\nu$. Then $\mathrm{Alt}(\mathbb{F}_2^\nu)$ contains an element $\eta$ of order (strictly) greater than $e^{\sqrt{(1/4)\, n \ln n}}$.

In order to be able to compare the estimates coming from Theorem 1 and Theorem 2, we rewrite Theorem 2 as follows, so as to have $o(\eta)$ even. Our proof is an easy adaptation of the proof contained in [7].

Theorem 3.
Let $\nu \ge 7$ and $n = 2^\nu$. Then $\mathrm{Alt}(\mathbb{F}_2^\nu)$ contains an element $\eta$ with $o(\eta) > e^{\sqrt{(1/4)\, n \ln n}}$ and $o(\eta)$ even.
Proof. Let $z$ be a prime number such that $4 + \sum_{3 \le p \le z} p \le n$, where the sum runs over the distinct primes from 3 to $z$. Then $\mathrm{Alt}(\mathbb{F}_2^\nu)$ contains an element $\eta_z$ whose non-trivial cycles are two transpositions and one cycle of length $p$ for each prime $3 \le p \le z$. Hence $o(\eta_z) = 2 \prod_{3 \le p \le z} p$. If we show that there is a prime number $z$ such that
$$4 + \sum_{3 \le p \le z} p \le n \qquad \text{and} \qquad \ln(o(\eta_z)) > \tfrac{1}{2}\sqrt{n \ln n},$$
we are done.

Let $\theta(z) = \ln(o(\eta_z)) = \ln 2 + \sum_{3 \le p \le z} \ln p$, and let us denote $\theta^*(z) = \theta(z) - \ln 2 = \sum_{3 \le p \le z} \ln p$. Let $f(z) = z / \ln z$. Since $f$ is an increasing function for real $z > e$, when $z$ is a real number with $z \ge 19$ (for $z = 19$ note that $4 + \sum_{3 \le p \le 19} p = 79 < 128 = 2^7 \le n$) we have
$$f(4)\ln 4 + f(3)\ln 3 = 7 < f(19)\ln 3 \le f(z)\ln 3.$$
So, if $z \ge 19$ and $z \in \mathbb{R}$, writing $p = f(p)\ln p$ for each prime $p \ge 5$ and using $f(p) \le f(z)$, we can write
$$4 + \sum_{3 \le p \le z} p \;\le\; f(z)\ln 3 + \sum_{5 \le p \le z} f(z)\ln p \;=\; f(z)\,\theta^*(z).$$
Choose a real $\bar z \ge 19$ such that $f(\bar z)\,\theta^*(\bar z) = n$. Such a $\bar z$ exists because $f(19)\,\theta^*(19) < 2^7 \le n$ and $f(z)\theta^*(z)$ is an increasing function assuming all values. Since $\theta^*(\bar z) > \bar z / 2$ for $\bar z \ge 19$, we have
$$n = f(\bar z)\,\theta^*(\bar z) = \frac{\bar z\,\theta^*(\bar z)}{\ln \bar z} < \frac{2\theta^*(\bar z)\,\theta^*(\bar z)}{\ln(2\theta^*(\bar z))} = \frac{4(\theta^*(\bar z))^2}{\ln(4(\theta^*(\bar z))^2)} = f\big(4(\theta^*(\bar z))^2\big).$$
However, we also have $f(n \ln n) < n$. Since $f$ is an increasing function, this shows that $n \ln n < 4(\theta^*(\bar z))^2$, that is
$$\tfrac{1}{2}\sqrt{n \ln n} < \theta^*(\bar z) < \theta(\bar z).$$
It is now enough to take $\tilde z$ as the largest prime not exceeding $\bar z$: then $\theta(\tilde z) = \theta(\bar z)$ and $4 + \sum_{3 \le p \le \tilde z} p \le f(\tilde z)\theta^*(\tilde z) \le n$.

Now we compare the estimates from Theorem 1 and Theorem 3. Take $n = 2^{128}$ and $\eta \in \mathrm{Alt}(\mathbb{F}_2^{128})$ such that $o(\eta) > e^t$ ($o(\eta)$ even), where
$$t = \sqrt{\tfrac{1}{4}\, n \ln n} = \sqrt{\tfrac{1}{4}\, 2^{128} \ln(2^{128})}.$$
Since
$$e^t = e^{\sqrt{\frac{1}{4}\, 2^{128} \cdot 128 \ln 2}} = e^{2^{66}\sqrt{2 \ln 2}} = \big(e^{\sqrt{2 \ln 2}}\big)^{2^{66}},$$
by replacing $e$ with $2^{\log_2(e)}$ we obtain
$$e^t = \big(2^{\log_2(e)\sqrt{2 \ln 2}}\big)^{2^{66}} = 2^{\log_2(e)\sqrt{2 \ln 2}\; 2^{66}} = 2^{\epsilon\, 2^{66}},$$
where $\epsilon = \log_2(e)\sqrt{2\ln 2} \in \mathbb{R}$ is about $1.7$. According to Theorem 3, $o(\eta) > 2^{\epsilon\, 2^{66}}$. If $\mathrm{Alt}(\mathbb{F}_2^{128}) \subset \mathrm{GL}(\mathbb{F}_2^N)$, we then need the smallest $N$ such that $o(\eta) \le 2(2^{N-2} - 1)$ (Theorem 1). In other words, we have to see when the following inequality holds:
$$2^{\epsilon\, 2^{66}} \le 2\,(2^{N-2} - 1) = 2^{N-1} - 2. \qquad (6)$$
We observe that
• if $N = 2^{66}$, then (6) is false, since $2^{\epsilon\, 2^{66}} > 2^{2^{66}} > 2^{2^{66} - 1} - 2$;
• if $N = 2^{67}$, then (6) is true, since $\epsilon < 2$ gives $2^{\epsilon\, 2^{66}} < 2^{2^{67} - 1} - 2$.
Hence, in terms of powers of two, we need $m \ge 2^{67}$ to embed $\mathrm{Alt}(\mathbb{F}_2^{128}) \subset \mathrm{GL}(\mathbb{F}_2^m)$, which is exactly the same value as in Proposition 2.

5 Conclusions

In this note we provided two elementary proofs, not requiring a deep algebraic background, that the round functions of the AES cipher cannot be embedded into a linear group acting on a vector space $W$, unless the dimension of $W$ is at least $2^{67}$. Since computing a $2^{67} \times 2^{67}$ matrix is infeasible in practice, our result shows that this attack cannot be mounted in practice. Moreover, since we do not use the specific structure of the AES in our proof of Proposition 2, we note that such a result could be used also for any other block cipher $C$ acting on 128-bit messages such that the group generated by its round functions is $\mathrm{Alt}(\mathbb{F}_2^{128})$, e.g. SERPENT [15], or $\mathrm{Sym}(\mathbb{F}_2^{128})$.

Moreover, we observe that for any block cipher $C$ acting on 64-bit messages such that $\Gamma_\infty(C) = \mathrm{Alt}(\mathbb{F}_2^{64})$ (e.g. KASUMI [13] and a special extension of GOST [3]), with an argument similar to that of Lemma 1 we obtain
$$\big(2^{2^{64}}\big)^{2^5} < (2^{64})! < \big(2^{2^{64}}\big)^{2^6}.$$
Hence
$$|\mathrm{Alt}(\mathbb{F}_2^{64})| = \frac{(2^{64})!}{2} > 2^{2^{69} - 1} > 2^{(2^{33} - 1)^2} > \big|\mathrm{GL}\big(\mathbb{F}_2^{2^{33} - 1}\big)\big|,$$
and so if $\mathrm{Alt}(\mathbb{F}_2^{64}) < \mathrm{GL}(\mathbb{F}_2^m)$, then $m \ge 2^{33}$. Also in this case, we can conclude that the embedding of GOST and KASUMI in a linear cipher is infeasible in practice.

Finally, we note that the infeasibility of this type of linearization of a block cipher provides an additional motivation to check the size of the group generated by the round functions of a block cipher. In particular, it is important to check the optimal case, when this group is the alternating or the symmetric group.

Acknowledgment
The authors would like to thank Rüdiger Sparr and Ralph Wernsdorf for their helpful suggestions and interesting comments.
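The linearization attack sketched after Remark 1 (evaluate $g$ on a basis of $W$, read off the matrix $M_g$, then invert it) can be made concrete on a toy. The Python below is an added example and is not code from the note or from any real cipher: the first "cipher" is a hypothetical 16-bit affine map $x \mapsto Mx + k$ (a shift-and-XOR mixing layer followed by key addition), and the second hypothetical variant inserts a nibble-wise S-box (the PRESENT S-box, used only as a convenient non-linear component). With $n + 1$ chosen plaintexts ($0$ and the $n$ basis vectors) the attacker recovers $M$ and $k$, decrypts arbitrary ciphertexts by Gaussian elimination over $\mathbb{F}_2$, and, for the S-box variant, sees the recovered model fail on plaintexts it was not fitted to, which is the practical check that a map is not affine. All function names and the sample plaintexts are this example's own constructions.

```python
"""Linearization attack on a toy 'cipher' that is affine over F_2 (added example, not from the note).

A state is an n-bit integer; bit i is coordinate i of F_2^n. If the encryption map is
g(x) = M x + c, then c = g(0) and column i of M is g(e_i) + c, so n + 1 chosen plaintexts
give the whole matrix and decryption is a linear solve. The same queries also detect
non-affine behaviour: the recovered model then fails on plaintexts it was not fitted to.
"""

# PRESENT 4-bit S-box, used here only as a convenient non-linear component for the second toy.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def parity(v: int) -> int:
    return bin(v).count("1") & 1


def mix(x: int, n: int) -> int:
    """Hypothetical linear layer x -> x + (x << 1) on n bits (unit triangular, hence invertible)."""
    return (x ^ (x << 1)) & ((1 << n) - 1)


def toy_affine_encrypt(x: int, key: int, n: int) -> int:
    """Affine toy cipher E_k(x) = mix(x) + k: every E_k lives in an affine group of dimension n."""
    return mix(x, n) ^ key


def toy_nonlinear_encrypt(x: int, key: int, n: int) -> int:
    """Same toy with a nibble-wise S-box layer first (n must be a multiple of 4)."""
    y = 0
    for i in range(0, n, 4):
        y |= SBOX[(x >> i) & 0xF] << i
    return mix(y, n) ^ key


def apply_affine(columns, c: int, x: int) -> int:
    """Evaluate M x + c, where columns[i] is the image of the basis vector e_i."""
    y = c
    for i, col in enumerate(columns):
        if (x >> i) & 1:
            y ^= col
    return y


def recover_affine_model(oracle, n: int):
    """Chosen-plaintext step of the attack: query 0 and the n basis vectors e_i."""
    c = oracle(0)
    columns = [oracle(1 << i) ^ c for i in range(n)]
    return columns, c


def model_holds(oracle, columns, c: int, plaintexts) -> bool:
    """Consistency check on plaintexts not used for the recovery (False => g is not affine)."""
    return all(oracle(x) == apply_affine(columns, c, x) for x in plaintexts)


def invert_columns(columns, n: int):
    """Gauss-Jordan over F_2 on [M | I]; returns the rows of M^{-1} (raises StopIteration if M is singular)."""
    rows = []
    for r in range(n):
        row = sum(((col >> r) & 1) << i for i, col in enumerate(columns))   # row r of M
        rows.append(row | (1 << (n + r)))                                  # augmented with row r of I
    for col_idx in range(n):
        piv = next(r for r in range(col_idx, n) if (rows[r] >> col_idx) & 1)
        rows[col_idx], rows[piv] = rows[piv], rows[col_idx]
        for r in range(n):
            if r != col_idx and (rows[r] >> col_idx) & 1:
                rows[r] ^= rows[col_idx]
    return [row >> n for row in rows]


def affine_decrypt(columns, c: int, y: int, n: int) -> int:
    """Solve M x + c = y, i.e. x = M^{-1}(y + c), using only the recovered model."""
    inv_rows = invert_columns(columns, n)
    target = y ^ c
    return sum(parity(inv_rows[r] & target) << r for r in range(n))


def demo(n: int = 16, key: int = 0xBEEF):
    """Attack both toys; returns (model fits affine toy, decryptions correct, model fits S-box toy)."""
    fresh = [0x1234, 0xFFFF, 0x0F0F, 0xA5A5, 0x8001]          # constructed plaintexts, none used in recovery
    aff = lambda x: toy_affine_encrypt(x, key, n)
    cols, c = recover_affine_model(aff, n)
    fits = model_holds(aff, cols, c, fresh)
    dec_ok = all(affine_decrypt(cols, c, aff(x), n) == x for x in fresh)
    nonlin = lambda x: toy_nonlinear_encrypt(x, key, n)
    cols2, c2 = recover_affine_model(nonlin, n)
    return fits, dec_ok, model_holds(nonlin, cols2, c2, fresh)


if __name__ == "__main__":
    print(demo())   # affine toy: model fits and decrypts; S-box toy: the affine model fails
```

The cost of the attack is $n + 1$ queries and one $n \times n$ elimination over $\mathbb{F}_2$, which is exactly why the note's bound on the dimension of $W$ matters: the same procedure against a linearized AES would need $2^{67}$ chosen plaintexts and the inversion of a $2^{67} \times 2^{67}$ matrix.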
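As an added numerical companion to Sections 3 and 4 (not part of the note), the Python below reproduces with exact integer arithmetic the three checks the note delegates to a "direct check" or a "computer computation": the sign of (3) for $n = 2^7$, the exponent inequality (4) for $2 \le n \le 2^7$, and Lemma 1 itself for the small $n$ for which $(2^n)!$ can be computed. It then turns the counting argument (Lemma 1, and for comparison Stirling's formula (5)) and the element-order argument (Theorems 1 and 3) into the minimal dimension for a block size of $k$ bits. For $k = 128$ both arguments give $2^{67}$, as in the note; for $k = 64$ the same functions give $2^{35}$, so the $2^{33}$ stated in the conclusions is a weaker (still correct) consequence of the same lemma. Function names and the float approximations (`lgamma`, natural logarithms) are this example's own choices.

```python
"""Numerical companion to the two dimension estimates (added example, not from the note).

Counting argument (Section 3): |Alt(2^k)| = (2^k)!/2 must be <= |GL(m, F_2)| < 2^(m^2).
Order argument (Section 4): Alt(2^k) has an even-order element of order
> exp(0.5*sqrt(n ln n)), n = 2^k, which must not exceed the maximum even order
2^(N-1) - 2 in GL(N, F_2).
"""
import math


def lower_bound_gap(n: int) -> int:
    """Right-hand side of (3): n*2^(n-1) - n - sum_{i=1}^{n-1} 2^(n-i)*(n-i).

    Lemma 1's lower bound 2^(n 2^(n-1)) < (2^n)! holds when this is negative.
    Exact integers, so n = 128 costs nothing.
    """
    return n * 2 ** (n - 1) - n - sum(2 ** (n - i) * (n - i) for i in range(1, n))


def induction_step_ok(n: int) -> bool:
    """Exponent form of (4): n*2^n + (n+1)*2^n < (n+1)*2^(n+1)."""
    return n * 2 ** n + (n + 1) * 2 ** n < (n + 1) * 2 ** (n + 1)


def lemma1_exact(n: int) -> bool:
    """2^(n 2^(n-1)) < (2^n)! < 2^(n 2^n), checked exactly (practical for n <= 10)."""
    fact = math.factorial(2 ** n)
    return 2 ** (n * 2 ** (n - 1)) < fact < 2 ** (n * 2 ** n)


def counting_min_dim(k: int) -> int:
    """Smallest m with 2^(m^2) > 2^(k 2^(k-1) - 1), the size bound Lemma 1 gives for Alt(F_2^k).

    |Alt(2^k)| > 2^E with E = k*2^(k-1) - 1 (Lemma 1 plus the factor 1/2), and
    |GL(m, F_2)| < 2^(m^2), so an embedding needs m^2 > E.
    """
    e = k * 2 ** (k - 1) - 1
    return math.isqrt(e) + 1


def stirling_min_dim_log2(k: int) -> float:
    """log2 of the smallest m allowed when log2((2^k)!) is taken from Stirling's formula (5)."""
    log2_alt = math.lgamma(2 ** k + 1) / math.log(2) - 1   # log2|Alt| = log2((2^k)!) - 1
    return 0.5 * math.log2(log2_alt)                        # m^2 > log2|Alt|


def order_min_dim_log2(k: int) -> float:
    """log2 of the N needed so that 2^(N-1) - 2 >= exp(0.5*sqrt(n ln n)), n = 2^k.

    log2 of the element-order lower bound is 0.5*sqrt(n ln n)*log2(e); N - 1 must exceed it.
    The '+1' and '-2' are invisible at this scale, so log2 of that quantity is reported.
    """
    n = 2 ** k
    log2_order = 0.5 * math.sqrt(n * math.log(n)) * math.log2(math.e)
    return math.log2(log2_order)


def min_dim_power_of_two(k: int) -> tuple:
    """(counting, order): exponent e of the smallest power-of-two dimension 2^e each argument
    does not exclude, i.e. the note's 'm >= 2^e' for a k-bit block."""
    return (math.ceil(math.log2(counting_min_dim(k))), math.ceil(order_min_dim_log2(k)))


if __name__ == "__main__":
    print("(3) holds for n = 128:", lower_bound_gap(128) < 0)
    print("(4) holds for 2 <= n <= 128:", all(induction_step_ok(n) for n in range(2, 129)))
    print("Lemma 1 exact for n = 2..8:", all(lemma1_exact(n) for n in range(2, 9)))
    for k in (64, 128):
        cnt, ordr = min_dim_power_of_two(k)
        print(f"k={k}: counting -> 2^{cnt}, order -> 2^{ordr}, Stirling -> 2^{stirling_min_dim_log2(k):.2f}")
```

The Stirling figure for $k = 128$ is about $2^{67.49}$, which is the "slight improvement" mentioned in Remark 2: still $2^{67}$ once rounded down to a power of two, and far beyond any matrix that can be stored.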
References

[1] F. Aldà, R. Aragona, L. Nicolodi, and M. Sala. Implementation and Improvement of the Partial Sum Attack on 6-Round AES. In Physical and Data-Link Security Techniques for Future Communication Systems, volume 358 of LNEE, pages 181–195. Springer, 2015.
[2] R. Aragona, A. Caranti, F. Dalla Volta, and M. Sala. On the group generated by the round functions of translation based ciphers over arbitrary finite fields. Finite Fields and Their Applications, 25:293–305, 2014.
[3] R. Aragona, A. Caranti, and M. Sala. The group generated by the round functions of a GOST-like cipher. Annali di Matematica Pura e Applicata, Online First, pages 1–17, 2016.
[4] A. Bogdanov, D. Khovratovich, and C. Rechberger. Biclique cryptanalysis of the full AES. In Advances in Cryptology – ASIACRYPT 2011, volume 7073 of LNCS, pages 344–371. Springer, 2011.
[5] A. Caranti, F. Dalla Volta, and M. Sala. An application of the O'Nan-Scott theorem to the group generated by the round functions of an AES-like cipher. Designs, Codes and Cryptography, 52(3):293–301, 2009.
[6] M. R. Darafsheh. The maximum element order in the groups related to the linear groups which is a multiple of the defining characteristic. Finite Fields and Their Applications, 14(4):992–1001, 2008.
[7] J. D. Dixon and B. Mortimer. Permutation Groups, volume 163 of Graduate Texts in Mathematics. Springer, 1996.
[8] N. Ferguson, J. Kelsey, S. Lucks, B. Schneier, M. Stay, D. Wagner, and D. Whiting. Improved cryptanalysis of Rijndael. In Fast Software Encryption, volume 1978 of LNCS, pages 213–230. Springer, 2001.
[9] National Bureau of Standards. The Data Encryption Standard. Federal Information Processing Standards Publication (FIPS) 46, 1977.
[10] National Institute of Standards and Technology. The Advanced Encryption Standard. Federal Information Processing Standards Publication (FIPS) 197, 2001.
[11] A. Rimoldi. On algebraic and statistical properties of AES-like ciphers. PhD thesis, University of Trento, Department of Mathematics, 2005. http://eprints-phd.biblio.unitn.it/151/1/Provatemplate.pdf
[12] R. Sparr and R. Wernsdorf. Group theoretic properties of Rijndael-like ciphers. Discrete Appl. Math., 156(16):3139–3149, 2008.
[13] R. Sparr and R. Wernsdorf. The round functions of KASUMI generate the alternating group. Journal of Mathematical Cryptology, 9(1):23–32, 2015.
[14] A. Wagner. The faithful linear representation of least degree of $S_n$ and $A_n$ over a field of characteristic 2. Mathematische Zeitschrift, 151(2):127–137, 1976.
[15] R. Wernsdorf. The round functions of SERPENT generate the alternating group. Preprint, 2000. http://csrc.nist.gov/archive/aes/round2/comments/20000512-rwernsdorf.pdf