Rolf Blom
INTERNAL REPORT LiTH-ISY-I-0451
ABSTRACT
It is possible to formulate several properties of a cipher that can be said to make the cipher homogeneous with respect to the key, i.e. whatever key is used, different aspects of the enciphering, deciphering and decrypting processes will be independent of the key choice. We investigate such properties and define a property called key homogeneity. The class of key homogeneous ciphers is shown to include the class of pure ciphers. The algebraic properties of pure ciphers are analyzed in detail. Finally the connection between pure ciphers and key homogeneous ciphers is investigated.
I. INTRODUCTION 1
II. NOTATION 3
III. MODEL AND PRELIMINARIES 4
IV. MAP DECRYPTION 10
V. KEY HOMOGENEITY AND PURE CIPHERS 14
VI. PURE CIPHERS 17
VII. KEY HOMOGENEITY AND SEMI-PERFECTNESS 26
VIII. FINAL REMARKS 31
APPENDIX A 32
I. INTRODUCTION
Shannon's classical paper [1] presents a model of ciphers and how they are used. This model was developed to facilitate statistical and information theoretic analysis of ciphers. Such analysis showed that ciphers belonging to a certain class, which Shannon called the class of pure ciphers and which we shall call the class of pure secrecy systems, possess a homogeneity with respect to the key used for enciphering. By this we mean that whatever key is used, different aspects of the enciphering, deciphering and decrypting processes will be independent of the key choice. The class of pure secrecy systems is important because it includes for example the well known Caesar cipher, Vigenère and Beaufort ciphers, matrix systems and transposition ciphers.

In this paper we wish to analyze and discuss the fundamental properties which lie behind the definition of the class of pure ciphers. We also want to display how these properties can be reflected in an algebraic characterization of the set of enciphering transformations of the cipher.

Furthermore we give a simple characterization of a pure cipher's set of enciphering transformations. We use this characterization to analyze properties of products of pure ciphers.

In Section II we explain the notation used in this paper. Section III gives the model and some basic definitions. Section IV is concerned with the cryptanalytic problem of a "ciphertext only attack" and a property which exhibits a certain kind of key homogeneity is defined. A key homogeneity condition that leads to the class of pure ciphers is investigated in Section V. In Section VI we analyze, from a group theoretic point of view, the algebraic structure of the set of enciphering transformations of a pure cipher. This analysis completely reveals the structure of the set of transformations. We also give necessary and sufficient conditions for the product of two pure ciphers to be pure, which by the way corrects an error in Theorem 2 of [1]. Most of the results in this section are fetched from [2]. Section VII is concerned with the relation between pure ciphers and the class of key homogeneous
II. NOTATION
Sets of elements will be denoted by upper case italic letters. The number of elements in a set $U$ will be denoted $|U|$. The empty set will be denoted $\emptyset$. Elements of a set are denoted by (possibly indexed) lower case letters corresponding to the letter denoting the set, e.g. $u \in U$. If the sets are indexed themselves we sometimes use a double index on their elements, e.g. $u_{1,i} \in U_1$, $u_{2,k} \in U_2$.

Let $U$ be an arbitrary set of elements. A sequence of length $L$ of symbols in $U$ will simply be written $\underline{u}$. If it's not clear from context what $L$ is we specify this with $\underline{u} \in U^L$ where $U^L$ denotes the set of all sequences of length $L$.

The device of juxtaposing two letters $u, v$ is so efficient that we will use it in two different senses, according to the meaning previously announced for the letters. Thus, if $v$ is a transformation and $u$ an element of its domain, $vu$ denotes the value of $v$ for the assignment $u$. If $v$ and $u$ both are functions, $vu$ will denote the composite function. Using the same convention as above we shall write $UV$ to denote the set $\{uv \mid u \in U, v \in V\}$. If $U$ is a set of transformations, $U^{-1}$ denotes $\{u^{-1} \mid u \in U\}$. If $v$ is a transformation and $\underline{u} \in U^L$ then, with a slight abuse of notation, we shall denote by $v\underline{u}$ the sequence obtained by letting $v$ transform each element in $\underline{u}$.

Let $v$ be a transformation; then we define a function $\nu(\cdot)$ such that $\nu(v)$ will denote the range of values of $v$.
III. MODEL AND PRELIMINARIES
By the word cipher we understand a description of how a set of messages $M$ can be enciphered into a set of cryptograms $E$ and how the enciphering transformation depends on the key. The following is a very simple formal definition.

Definition 1: A cipher is a triplet $\langle M,E,T\rangle$ in which $T$ is a set of distinct injective transformations from $M$ to $E$; $T \ni t : M \to E$.

The definition is valid for finite as well as infinite sets $M$ and $T$. In this paper, however, we only consider the case when all three sets $M$, $E$ and $T$ are finite. The fact that $T$ is finite allows us to simply model the key as the index of the corresponding transformation in $T$. That the transformations in $T$ are injective guarantees that a cryptogram always has a unique inverse. It also implies that $|E| \ge |M|$. Observe that we don't exclude ciphers which have $|E| > |M|$.
To fully specify the cipher and how it is used we also need to describe how the key is chosen. Shannon proposed that the key should be modelled as a stochastic variable, i.e. the key is chosen from the set of possible keys according to some probability distribution. He called the cipher together with the probability distribution of the keys a secrecy system [1]. As the key uniquely determines a transformation in $T$ we may just as well define a secrecy system as:

Definition 2: A secrecy system is a pair $\langle C,P\rangle$ in which $C = \langle M,E,T\rangle$ is a cipher and $P$ is a probability distribution on $T$.

With $T$ finite we may interpret $P$ as the set of probabilities of the keys, i.e. the probability of using a certain transformation in $T$. We will use the convention that if $T = \{t_j\}$ and $P = \{p_j\}$ then $p_j$ is the probability of key $j$, or equivalently of the transformation $t_j$.

A block diagram showing the components and operation of a secrecy system is given in Fig. 1. The symbols from the message source are transformed by the encipherer into cryptogram symbols before they are transmitted over the channel. To recover the cleartext message at the receiving end the inverse transformation is performed by the decipherer. The transformation (and its inverse) used are specified by the output from the random key source.

The wiretapper, who wants to know the cleartext message hidden in the cryptogram, is always assumed to know the secrecy system used and the statistics of the message source. If the wiretapper doesn't have any other a priori information he performs what is known as a "ciphertext only attack". It is the only type of attack we will treat in this paper.

Figure 1. Block diagram of a secrecy system: message source, encipherer ($e = t_j(m)$), channel with wiretapper, decipherer ($m = t_j^{-1}(e)$), destination, and key source (key $j$).
If two ciphers only differ in their respective cryptogram alphabets they will have the same cryptographic strength. We say that such ciphers are similar. More generally we define two ciphers to be similar if they can be transformed into each other. This notion is made precise by:

Definition 3: Two ciphers $C_1 = \langle M_1,E_1,T_1\rangle$ and $C_2 = \langle M_2,E_2,T_2\rangle$ are similar if there exist bijective mappings $f_1: M_1 \to M_2$ and $f_2: E_1 \to E_2$ such that $T_1 = f_2^{-1} T_2 f_1$.

The significance of two ciphers being similar is that they at least in principle give rise to the same decryption problem. This is obvious because by appropriate application of $f_1$ and $f_2$ we will be able to transform a problem regarding the first cipher into a problem regarding the second cipher and vice versa.
Now we define sums and products of ciphers and secrecy systems. The product $C_2 * C_1$ of two ciphers $C_1$ and $C_2$ is the cipher which is obtained by first applying a transformation from $C_1$ to a message and then applying a transformation from $C_2$ to the cryptogram from $C_1$. This process is often called a super encryption. Formally we define such a product by:

Definition 4: The product $C_2 * C_1$ of two ciphers $C_1 = \langle M_1,E_1,T_1\rangle$ and $C_2 = \langle M_2,E_2,T_2\rangle$ with $E_1 \subseteq M_2$ is a new cipher $C_0 = C_2 * C_1 = \langle M_1,E_2,T_2T_1\rangle$.

Similarly we define the product of two secrecy systems. Figure 2 illustrates this situation.

Figure 2. Block diagram of a system with super encryption, i.e. a product cipher: message source, product encipherer, channel with wiretapper, product decipherer, destination, and key sources #1 and #2.
Definition 5: The product $S_2 * S_1$ of two secrecy systems $S_1 = \langle\langle M_1,E_1,T_1\rangle,P_1\rangle$ and $S_2 = \langle\langle M_2,E_2,T_2\rangle,P_2\rangle$ with $E_1 \subseteq M_2$ is a secrecy system $S_0 = \langle\langle M_1,E_2,T_0\rangle,P_0\rangle$ which has $T_0 = T_2T_1$ and $p_{0,j} \in P_0$ is given by

The weighted sum of two secrecy systems $S_1$ and $S_2$ models the secrecy system which arises when a first probabilistic choice is made regarding which system $S_1$ or $S_2$ to use and then the chosen system is used. Two probabilities $w_1, w_2$ are associated with $S_1$ and $S_2$ respectively and they govern the choice between $S_1$ and $S_2$. Then the sum is weighted in the sense that system $S_1$ will be used with weight $w_1$ and $S_2$ with weight $w_2$.

Definition 6: The weighted sum $w_1S_1 + w_2S_2$, $w_1 + w_2 = 1$, of two secrecy systems $S_1 = \langle\langle M,E_1,T_1\rangle,P_1\rangle$ and $S_2 = \langle\langle M,E_2,T_2\rangle,P_2\rangle$ is a new secrecy system $S_0 = \langle\langle M, E_1 \cup E_2, T_0\rangle, P_0\rangle$ which has $T_0 = T_1 \cup T_2$ and $p_{0,j} \in P_0$ is given by

$$p_{0,j} = \sum_{i=1}^{2} w_i \sum_{\ell:\ t_{i,\ell} = t_{0,j}} p_{i,\ell}$$

We also have the following definition of the sum of two ciphers.

Definition 7: The sum $C_1 + C_2$ of two ciphers $C_1 = \langle M,E_1,T_1\rangle$ and $C_2 = \langle M,E_2,T_2\rangle$ is a new cipher $C_0 = \langle M, E_1 \cup E_2, T_1 \cup T_2\rangle$.

Of course the definitions given above can be extended to sums and products of an arbitrary but finite number of ciphers or secrecy systems.

From Definitions 6 and 7 it is obvious that we may represent a cipher or secrecy system as a sum of ciphers or secrecy systems in a lot of different ways. A very useful representation is obtained by dividing a cipher into subciphers in which all transformations have the same range of values.
Definition 8: The basic representation of a cipher $C_0 = \langle M,E_0,T_0\rangle$ is as a sum of subciphers $C_i = \langle M,E_i,T_i\rangle$ such that $T_i \cap T_j = \emptyset$ and if $t', t'', t''' \in T_0$; $t' \in T_i$ and $\nu(t') = \nu(t'') \ne \nu(t''')$ then $t'' \in T_i$, $t''' \notin T_i$.

In an analogous way we define the basic representation of a

Definition 9: The basic representation of a secrecy system $S_0 = \langle C_0,P_0\rangle$ is a weighted sum of subsystems $S_i = \langle C_i,P_i\rangle$ such that $C_0 = \sum C_i$. With $C_i = \langle M,E_i,T_i\rangle$ the probability (weight) $w_i$ of subsystem $S_i$ is given by

and if $t_{i,j} = t_{0,\ell}$ then $p_{i,j} = p_{0,\ell}/w_i$.

Finally we define the two concepts originating the interest resulting in this paper, namely the concepts of pure ciphers and pure secrecy systems.

Definition 10: A cipher $\langle M,E,T\rangle$ is called a pure cipher if $|M| = |E|$ and $TT^{-1}T \subseteq T$.

Definition 11: A secrecy system $\langle C,P\rangle$ is called a pure secrecy system if $C$ is a pure cipher and $P$ denotes a uniform probability distribution, i.e. the keys are equiprobable.

Observe that the definition of a pure cipher in [1] corresponds to our definition of a pure secrecy system.
IV. MAP DECRYPTION

The assumption made in the preceding section about the wiretapper's knowledge clearly shows that his only means for decryption are different statistical measures. The two most useful measures are the a posteriori probability of the message $P_{M|E}(\underline m|\underline e)$ and the key $P_K(k|\underline e)$. From these probabilities the wiretapper can obtain MAP (maximum a posteriori) estimates of the message and key respectively by choosing as estimates the message $\underline m$ and key $k$ that maximize their corresponding a posteriori probability. These estimates are the best possible because MAP estimates minimize the probability of error. An introduction to MAP decoding can be found in [3] or [4].

In order to use only one type of notation in this section we will write the probability $p_j$ of key $j$ as $P_K(j)$.

The wiretapper will always be able to obtain some information out of the measure $P_{M|E}(\underline m|\underline e)$ unless it is independent of $\underline e$, i.e.

(1)

Definition 12: A secrecy system $\langle\langle M,E,T\rangle,P\rangle$ is perfect for encryption of $M^L$ if for all $\underline m \in M^L$ eq. (1) is true.

Obviously a cryptogram cannot correspond to more messages than the number of keys in the system. Hence for arbitrary $L > 0$, (1) cannot be satisfied. A condition similar to (1) and which could be said to be the second best property is given in the following definition.
Definition 13: A secrecy system $\langle\langle M,E,T\rangle,P\rangle$ is semi-perfect if for all $L > 0$, $\underline m \in M^L$, $\underline e \in E^L$

$$P_{M|E}(\underline m|\underline e) = \begin{cases} c_1(\underline e) & \text{if } T_{\underline e,\underline m} \ne \emptyset \\ 0 & \text{otherwise} \end{cases} \qquad (2)$$

where $T_{\underline e,\underline m} = \{t \in T \mid t\underline m = \underline e\}$ and $c_1(\underline e)$ is a function of $\underline e$ only.

We see that if a secrecy system is semi-perfect then the wiretapper doesn't learn anything more than the set $M^L_{\underline e}$ of possible messages,

(3)
The following theorem states a rather obvious sufficient condition for a cipher to be semi-perfect.

Theorem 1: A secrecy system $\langle\langle M,E,T\rangle,P\rangle$ is semi-perfect if the keys are equiprobable and

(4)

where $c_2(\underline e)$ is a function of $\underline e$ only. Eq. (4) states that if $\underline m$ can be enciphered into $\underline e$ then the number of keys that map $\underline m$ into $\underline e$ is a function of $\underline e$ only.

Proof: By Bayes' rule the a posteriori probability of the message can be written as

Comparison of (5) with the condition (2) implies that $P_{E|M}(\underline e|\underline m)$ has to satisfy a corresponding condition. We have

$$P_{E|M}(\underline e|\underline m) = \sum_k P_{E|KM}(\underline e|k,\underline m)\,P_K(k) \qquad (6)$$

and

$$P_{E|KM}(\underline e|k,\underline m) = \begin{cases} 1 & \text{if } t_k \in T_{\underline e,\underline m} \\ 0 & \text{otherwise} \end{cases} \qquad (7)$$

Hence, if we observe that (7) implies

$$|T_{\underline e,\underline m}| = \sum_k P_{E|KM}(\underline e|k,\underline m) \qquad (8)$$

and use the assumptions of the theorem, we find that

(9)

Substitution of (9) into (5) shows that condition (2) is satisfied which completes the proof.
Theorem 2: If a secrecy system $\langle\langle M,E,T\rangle,P\rangle$ has $|M| = |E|$ then the conditions in Theorem 1 are necessary and sufficient for a cipher to be semi-perfect.

Proof: That the conditions are sufficient is stated in Theorem 1. Here we prove the necessity. If $|M| = |E|$ then all transformations in $T$ are bijective. This means that a message $\underline m$ in which all symbols in $M$ are represented will be enciphered into a cryptogram $\underline e$ which contains all symbols in $E$. Hence if $\underline e$ is the cryptogram of $\underline m$, the pair $\underline m$ and $\underline e$ uniquely defines the enciphering transformation $t_k$, which

$$|T_{\underline e,\underline m}| = 1 \qquad (10)$$

Then if (10), (6), (7) and (8) are combined we obtain

(11)

and the necessity of the equiprobability of the keys follows by substitution of (11) into (5) and the fact that condition (2) has to be satisfied for arbitrary messages and cryptograms.

To establish the necessity of (4) we now assume that the keys are equiprobable; then

$$P_{E|M}(\underline e|\underline m) = \Big(\sum_k P_{E|KM}(\underline e|k,\underline m)\Big)/|T| = |T_{\underline e,\underline m}|/|T| \qquad (12)$$

and the necessity follows by inspection. This completes the
V. KEY HOMOGENEITY AND PURE CIPHERS

It is certainly possible to formulate several different properties of a cipher that could be said to reveal a homogeneity with respect to the key used for enciphering. One example of ciphers with such a property is the class of ciphers that gives semi-perfect secrecy systems. In this section we will discuss another property which leads directly to the class of pure ciphers.

The basic idea behind this condition is that cryptanalysis of intercepted cryptograms should give a set of possible messages that is independent of the specific key used in the enciphering of the message. The formal definition of this property, which we will call key homogeneity, is:

Definition 14: A cipher $\langle M,E,T\rangle$ is key homogeneous (KH) if for arbitrary $\underline m \in M^L$ and $t_1, t_2 \in T$ the sets of messages that $\underline e_1 = t_1\underline m$ and $\underline e_2 = t_2\underline m$ can be deciphered into are the same.

The condition in the definition can be visualized as

(13)

where $T_{\underline e_i}$ contains all transformations that have an inverse for $\underline e_i$. Eq. (13) should be satisfied for messages of arbitrary length. For a message $\underline m$ which contains all symbols in $M$ this means that (13) transforms into an equality between
Corollary 1: Let the basic representation of $C_0 = \langle M,E_0,T_0\rangle$ consist of subciphers $C_i = \langle M,E_i,T_i\rangle$. Then a necessary condition for $C_0$ to be KH is that for arbitrary $i, j, k, \ell$

$$T_i^{-1} t_{i,k} = T_j^{-1} t_{j,\ell} \qquad (14)$$

is valid.

In Section VII we will discuss sufficient conditions. Fig. 3 shows the set of enciphering transformations of a very simple KH cipher with $|E| > |M|$.

Figure 3. Line diagrams representing the enciphering transformations of a KH cipher with $|E| > |M|$.
Let us in correspondence with $M^L_{\underline e}$ define $E^L_{\underline m}$ as

$$E^L_{\underline m} = \{\underline e \in E^L \mid T_{\underline e,\underline m} \ne \emptyset\} \qquad (15)$$

Then another way to state (13) is that if $\underline e, \underline e' \in E^L_{\underline m}$ then $M^L_{\underline e} = M^L_{\underline e'}$. Furthermore if $\underline m, \underline m' \in M^L_{\underline e}$ then there exist $t, t' \in T$ such that $t\underline m = t'\underline m'$ and $M^L_{t\underline m} = M^L_{t'\underline m'}$. But (13) implies that $M^L_{t\underline m}$ is independent of $t$. By this we have

Theorem 3: If a cipher $\langle M,E,T\rangle$ is KH and $\underline m, \underline m' \in M^L_{\underline e}$, $t, t' \in T$ then

(16)

This means that if we encipher a message in $M^L_{\underline e}$, the set of messages that a wiretapper possibly could decrypt it into is independent of the specific message.
We shall now derive a necessary condition for a cipher to be KH. This condition shows that the subciphers in the basic representation have to be pure ciphers.

Theorem 4: If $\langle M,E_0,T_0\rangle$ is KH and $\langle M,E_i,T_i\rangle$ is one of the subciphers of its basic representation then

$$T_i T_i^{-1} T_i = T_i \qquad (17)$$

Proof: Let $t_{i,\ell}, t_{i,k} \in T_i$. Then Corollary 1 gives

$$T_i^{-1} t_{i,k} = T_i^{-1} t_{i,\ell} \qquad (18)$$

After inversion of both sides in (18) we obtain

$$t_{i,k}^{-1} T_i = t_{i,\ell}^{-1} T_i \qquad (19)$$

which after multiplication from the left with $t_{i,\ell}$ gives

$$t_{i,\ell}\, t_{i,k}^{-1} T_i = T_i \qquad (20)$$

But as (20) is valid for arbitrary $t_{i,\ell}, t_{i,k} \in T_i$ it implies that (17) is true.
VI. PURE CIPHERS
In this section we discuss properties of pure ciphers with
a starting point in group theory.
The transformations in a group of transformations have to have the same domain of definition which also has to be the range of values. This implies that group theoretic results are directly applicable to endomorphic ciphers, i.e. ciphers with $M = E$. But as will be seen below we will have use for group theory in other cases also. One important observation is that if $C = \langle M,E,T\rangle$ and $C' = \langle M,M,T'\rangle$ with $T' = fT$, $f: E \to M$, are similar and $C$ is a pure cipher then so is $C'$, as can be easily checked. It is also evident that the properties of $T'$ will reflect all interesting properties of $T$. This motivates our choice to first study endomorphic ciphers to obtain some basic results and then to consider arbitrary pure ciphers.

Before we start our analysis we have to define some additional concepts. We shall also collect some useful group theoretic results. An introduction to the properties of groups can for example be found in [5] and [6].

The basic group that we work in is the multiplicative group $G$ of all bijective transformations of $M$ on $M$. $G$ is finite and can be identified with the group of all permutations of $|M|$ objects. $R$ and $S$ will denote subgroups of $G$. An arbitrary set of elements in $G$ is called a complex and is denoted by $T$. Elements of a group or complex are denoted in the usual way by possibly indexed lower case letters corresponding to the one denoting the group or complex. The order of a group $R$, i.e. the number of elements in $R$, is denoted $|R|$. A left coset of a subgroup $R$ of $G$ is denoted as $gR$ and a right coset is denoted as $Rg$. Observe that the subgroup $R$ itself is a coset which is generated by the identity element.
Figure 4. Block diagram depicting the relation between the cipher $\langle M,E,T\rangle$ and the endomorphic cipher $\langle M,M,T'\rangle$ for which $f: E \to M$ and $T' = fT$. In the figure $m \in M$, $e \in E$ and $e' \in M$.
Property 1: If $T$ is a complex in $G$ and $TT \subseteq T$ then $T$ is a subgroup of $G$.

Property 2: For any two complexes $T', T''$ in $G$ the following relations are valid: $|T'| \le |T'T''| \le |T'|\,|T''|$.

Property 3: The product $RS$ of two subgroups $R$ and $S$ of $G$

Property 4: If $R$ and $S$ are subgroups of $G$ then the number of elements in the product set $RS$ is

$|RS| =$ (21)

and every element in $RS$ can be represented in $|R \cap S|$ ways as a product $rs$, where $r \in R$, $s \in S$.

Proofs of Properties 1, 3 and 4 can be found in [6], Theorems 2.4, 2.8 and 2.13 respectively. Property 2 is an immediate consequence of the properties of a group.
We have now collected the necessary background material to proceed with our main task. Let $\langle M,M,T\rangle$ be a pure cipher; then the definition states that $TT^{-1}T \subseteq T$. Because $TT^{-1}T$ is a subset of $T$ we have $|TT^{-1}T| \le |T|$. But according to Property 2, $|T| \le |TT^{-1}T|$, and we see that

(22)

Multiplication of (22) with $T^{-1}$ from the left gives

(23)

which according to Property 1 shows that $T^{-1}T$ is a subgroup of $G$. Property 2 applied on (22) shows that $|T^{-1}T| \le |T|$. But also according to Property 2: $|T^{-1}T| \ge |T|$. Hence the order of $T^{-1}T$ is equal to $|T|$. Similarly it can be proved that $TT^{-1}$ is a subgroup of order $|T|$. We have now proved a result corresponding to Theorem 1 in [1]:

Theorem 5: If $\langle M,M,T\rangle$ is a pure cipher then $T^{-1}T$ and $TT^{-1}$
As a direct consequence of Theorem 5 we have:

Corollary 2: If $\langle M,M,T\rangle$ is a pure cipher then $T$ is a left coset.

Proof: Let $T^{-1}T = R$; then $R$ is a group and $|T| = |R|$ according to Theorem 5. For $t \in T$ we have $t^{-1}T \subseteq R$, but $|t^{-1}T| = |R|$. Hence $t^{-1}T = R$ and $tR = T$ which shows that $T$ is a left coset.

It is easy to verify that a cipher $\langle M,M,T\rangle$, where $T$ is a left coset, is pure. Let $T = gR$; then $TT^{-1}T = (gR)(gR)^{-1}(gR) = gRR^{-1}g^{-1}gR = gRR^{-1}R = gR = T$. We also observe that any right coset of a subgroup $S$ is a left coset of another subgroup. To verify this, write $Sg = g(g^{-1}Sg)$ and observe that $g^{-1}Sg$ is a group according to Property 1. Together with Corollary 2 this proves the following theorem:

Theorem 6: A cipher $\langle M,M,T\rangle$ is pure if and only if $T$ is a coset (left or right) in $G$.
The following result for pure ciphers with $E \ne M$ is also readily derived.

Corollary 3: A cipher $C = \langle M,E,T\rangle$ is pure if and only if $T = tR$ where $R$ is a group of transformations from $M$ to $M$ and $T \ni t: M \to E$.

Proof: First we observe that this corollary is equivalent to Corollary 2 when $M = E$. The "if" part is proved by direct verification: $TT^{-1}T = tR(tR)^{-1}(tR) = tR = T$. To prove the "only if" part assume that $C$ is pure and that $C' = \langle M,M,T'\rangle$ where $T' = fT$ is similar to $C$. Then $C'$ is pure so according to Theorem 6, $T'$ is a left coset $T' = t'R$; $t' = ft$, $t \in T$ and $R$ is a group. Hence $T = f^{-1}T' = f^{-1}t'R =$

This result also shows that Theorem 5 is applicable for arbitrary pure ciphers.
The characteristics of a pure cipher are stated in Theorem 3 in [1]. The theorem is quoted below. All the properties stated in the theorem can be identified with general properties of permutation groups (see for example [7, Ch. X]). However, as it is these properties that make pure ciphers interesting we will give a proof of the theorem.

Theorem 7: In a pure cipher $\langle M,E,T\rangle$ the messages can be divided into a set of residue classes $C_1, C_2, \ldots, C_s$ and the cryptograms into a corresponding set of residue classes $C'_1, C'_2, \ldots, C'_s$ with the following properties:

1) The message residue classes are mutually exclusive and collectively contain all possible messages. Similarly for the cryptogram residue classes.

2) Enciphering any message in $C_i$ with any key produces a cryptogram in $C'_i$. Deciphering any cryptogram in $C'_i$ with any key leads to a message in $C_i$.

3) The number of messages in $C_i$, say $w_i$, is equal to the number of cryptograms in $C'_i$ and is a divisor of $J$, the number of keys.

4) Each message in $C_i$ can be enciphered into each cryptogram in $C'_i$ by exactly $J/w_i$ different keys.
Proof: From Corollary 3 (and Theorem 5) we have that $R = T^{-1}T$ is a group and that $T = tR$ for $t \in T$. The order of $R$ is $J = |T|$. First we prove that $C_1 = Rm_1$ and $C'_1 = tC_1 = tRm_1$ are two corresponding residue classes. As $t$ is injective $C_1$ and $C'_1$ will have the same number of elements. Then assume that $m \in C_1$. This implies that $m = rm_1$ for some $r \in R$ and that $m$ can be enciphered into $Tm = (tR)rm_1 = tRm_1$. This proves that each message in $C_1$ can be enciphered into each cryptogram in $C'_1$ and only into these cryptograms. Similarly if $e \in C'_1$ then $e = tr'm_1$ for some $r' \in R$ and $e$ can be deciphered into $T^{-1}e = (tR)^{-1}tr'm_1 = Rm_1 = C_1$. Furthermore two residue classes $C_1 = Rm_1$ and $C_2 = Rm_2$ are either identical or disjoint. To prove this assume that $m$ belongs both to $C_1$ and $C_2$; but then $m = r_1m_1 = r_2m_2$ for some $r_1, r_2 \in R$. This implies that $m_2 = r_2^{-1}r_1m_1$ so $C_2 = Rm_2 = Rr_2^{-1}r_1m_1 = Rm_1 = C_1$ and $C_1 = C_2$. We also observe that $Rm = Rr_1m_1 = Rm_1 = C_1$ which proves that if $m$ belongs to $C_1$ then $C_1 = Rm$.

At last we prove that the same number of transformations maps each message in $C_1$ into each cryptogram in $C'_1$. As $T = tR$ we observe that to prove this it is sufficient to prove that each message in $C_1$ is mapped into each message in $C_1$ by the same number of transformations in $R$. Define $S$ to be the set of transformations in $R$ which keep $m_1$ fixed, i.e. $Sm_1 = m_1$. $S$ is a subgroup of $R$ and we note that $|S|$ must divide $|R| = J$. Let $m_2, m_3 \in C_1$ and define $Q$ as the set of transformations in $R$ that map $m_2$ into $m_3$, i.e. $Qm_2 = m_3$. But as $m_2, m_3 \in C_1$ then $m_2 = r_2m_1$ and $m_3 = r_3m_1$ for some $r_2, r_3 \in R$. Then $r_3m_1 = m_3 = Qm_2 = Qr_2m_1$ and $m_1 = r_3^{-1}Qr_2m_1$ which implies that $r_3^{-1}Qr_2 \subseteq S$ and $|Q| \le |S|$. On the other hand, if $q \in Q$ then $m_3 = qm_2 = qr_2m_1 = qr_2sm_1 = qr_2sr_2^{-1}m_2$ so $qr_2Sr_2^{-1} \subseteq Q$ which gives $|S| \le |Q|$. Hence $|S| = |Q|$ and we have proved our point. As the transformations in $T$ are bijective the results proved above also imply that each cryptogram in $C'_1$ can be deciphered into each message in $C_1$ by the same

the total number of keys is $J$ and $|S|$ keys take a given message into each cryptogram, the number of cryptograms and hence messages in a residue class must be $J/|S|$ which is a factor in $J$. This completes the proof of the theorem.
Remark 1: A pure cipher is KH.

Remark 2: The properties of a pure cipher stated above show that a pure secrecy system $\langle C,P\rangle$ is semi-perfect.

Remark 3: The properties of Theorem 7 remain true if we consider sequences of messages $\underline m \in M^L$ instead of single symbols. To cover this case the only modifications necessary in the proof are to consider sequences instead of single symbols.

Remark 4: One way to look upon the residue classes is as equivalence classes; two messages in the same residue class are equivalent. A natural way to define this equivalence relation would be to say that $\underline m_1$ is equivalent to $\underline m_2$, viz. $\underline m_1 \sim \underline m_2$, if there exist $t_1, t_2 \in T$ such that $t_1\underline m_1 = t_2\underline m_2$, i.e. if $\underline m_1$ and $\underline m_2$ can be enciphered into the same cryptogram. It is readily verified that this definition of an equivalence relation satisfies the reflexivity and symmetry conditions that an equivalence relation has to satisfy. However, the transitivity condition demands that $\underline m_1 \sim \underline m_2$ and $\underline m_2 \sim \underline m_3$ implies $\underline m_1 \sim \underline m_3$. This infers conditions on $T$ because assume $t_1\underline m_1 = t_2\underline m_2$ and $t_3\underline m_2 = t_4\underline m_3$; then $\underline m_1 = t_1^{-1}t_2t_3^{-1}t_4\underline m_3$. We see that if we have a pure cipher the transitivity is guaranteed, but we don't need such a strong condition to obtain the transitivity. The last expression above can be rewritten as $\underline m_1 = (t_1^{-1}t_2)(t_3^{-1}t_4)\underline m_3$ and a sufficient condition would be that $T^{-1}T$ is a group. This can also be shown to be a necessary condition. The proof is left as an exercise. Observe that there exist sets $T$
To follow the path of Shannon in [1] we now answer the question when the product of two pure ciphers is a pure cipher.

Theorem 8: Let $C_1 = \langle M_1,E,t_1R\rangle$ and $C_2 = \langle M,M_1,t_2S\rangle$ be two pure ciphers ($R$ and $S$ are groups). The product cipher $C_1 * C_2 = \langle M,E,T\rangle$; $T = t_1Rt_2S$ is pure if and only if

(26)

Proof: The "if" part: $t_2^{-1}Rt_2$ is a group of transformations. Then according to Property 3, eq. (26) implies that $t_2^{-1}Rt_2S$ is a group. But $T = t_1t_2(t_2^{-1}Rt_2S)$ which according to Corollary 3 shows that $C_1 * C_2$ is a pure cipher.

The "only if" part: For the product cipher to be pure it is necessary according to Corollary 3 that $T$ can be written as $T = tQ$ where $Q$ is a group and $t \in T$. But $T = t_1t_2(t_2^{-1}Rt_2S)$ and $t_1t_2 \in T$. Then $t_2^{-1}Rt_2S$ has to be a group. So with both $S$ and $t_2^{-1}Rt_2$ being groups Property 3 gives (26) as a necessary condition.

The question of when the product of two pure ciphers that commute is a pure cipher is treated in Theorem 2 in [1]. The theorem states that if the two pure ciphers have enciphering transformations $T'$ and $T''$ respectively and $T'T'' = T''T'$ then the product cipher $T'T''$ is pure. This is true when both $T'$ and $T''$ are subgroups (Theorem 8). But in the general case this is not so. A simple counterexample is given in Appendix A. (The error in the proof of the theorem depends on the false assumption that $T'T'' = T''T'$ implies
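The set algebra of Section II together with the checks of Definition 10, Theorem 5, Theorem 7 and Theorem 8, as an added Python example that is not part of the report: it verifies purity, the group $T^{-1}T$, the residue classes with their $J/w_i$ key counts, and products $t_1Rt_2S$ on constructed ciphers (a shift cipher, a coset $t_0R$ with $E \ne M$, and subgroups of $S_3$). The function names, the sample ciphers and the `commute` check (the standard criterion that a product of two subgroups is a subgroup exactly when $RS = SR$, used here where the page's Property 3 and eq. (26) are truncated) are the example's own assumptions, not notation from the report.

```python
"""Finite ciphers as sets of injective maps (Definition 1), with checks for
purity (Definition 10), the group T^-1 T (Theorem 5), residue classes and key
counts (Theorem 7) and products of pure ciphers (Theorem 8).
Added example, not the report's own code; all sample ciphers are constructed.
A transformation t: M -> E is a dict {m: e}.  A set of transformations is a
frozenset of "frozen" dicts (sorted item tuples) so that set algebra works.
"""
from itertools import permutations

def freeze(t):
    """Hashable form of a transformation dict."""
    return tuple(sorted(t.items()))

def compose(a, b):
    """Juxtaposition ab of Section II: (ab)(x) = a(b(x)), b applied first."""
    return {x: a[b[x]] for x in b}

def inverse(t):
    """Inverse of an injective map, defined on its range of values."""
    return {e: m for m, e in t.items()}

def product(U, V):
    """UV = {uv | u in U, v in V}; also the set T2 T1 of a product cipher."""
    return frozenset(freeze(compose(dict(u), dict(v))) for u in U for v in V)

def inverse_set(U):
    """U^-1 = {u^-1 | u in U}."""
    return frozenset(freeze(inverse(dict(u))) for u in U)

def is_pure(T):
    """Definition 10: every t has the same range E (so |M| = |E|) and T T^-1 T is in T."""
    if len({frozenset(dict(t).values()) for t in T}) != 1:
        return False
    return product(product(T, inverse_set(T)), T) <= T

def is_group(R):
    """Property 1: a non-empty finite complex R with RR contained in R is a subgroup."""
    return len(R) > 0 and product(R, R) <= R

def commute(U, V):
    """UV == VU; for two subgroups this is the standard criterion for UV to be a subgroup."""
    return product(U, V) == product(V, U)

def keys_mapping(T, m, e):
    """|T_{e,m}|: number of transformations in T taking message m into cryptogram e."""
    return sum(1 for t in T if dict(t)[m] == e)

def residue_classes(T):
    """Theorem 7: message classes C_i = R m with R = T^-1 T, and C'_i = t C_i for any t in T."""
    R = product(inverse_set(T), T)
    assert is_group(R) and len(R) == len(T), "T^-1 T must be a group of order |T| (Theorem 5)"
    t = dict(next(iter(T)))
    classes, seen = [], set()
    for m in t:                                   # iterate over M
        if m in seen:
            continue
        C = frozenset(dict(r)[m] for r in R)      # the orbit R m
        seen |= C
        classes.append((C, frozenset(t[x] for x in C)))
    return classes

def keys_per_pair(T):
    """Property 4 of Theorem 7: each m in C_i goes to each e in C'_i by exactly J / w_i keys.
    Returns the list of (w_i, J / w_i) after checking that count on every (m, e) pair."""
    J = len(T)
    result = []
    for C, Cp in residue_classes(T):
        counts = {keys_mapping(T, m, e) for m in C for e in Cp}
        assert counts == {J // len(C)}, (C, counts)
        result.append((len(C), J // len(C)))
    return result

# ---- constructed sample ciphers (not from the report) ----------------------
def caesar(n):
    """Shift cipher on Z_n: T is the cyclic group of rotations, hence a coset (Theorem 6)."""
    return frozenset(freeze({m: (m + k) % n for m in range(n)}) for k in range(n))

def coset_cipher():
    """T = t0 R with R = all permutations of {0,1,2} fixing 3 and t0: M -> {a,b,c,d};
    a pure cipher with |M| = |E| but E != M (Corollary 3)."""
    t0 = {0: "b", 1: "c", 2: "a", 3: "d"}
    R = [{**dict(zip(range(3), p)), 3: 3} for p in permutations(range(3))]
    return frozenset(freeze(compose(t0, r)) for r in R)

def perm(*pairs):
    """A map on {0,1,2} given by its moved points, e.g. perm((0, 1), (1, 0)) is (0 1)."""
    return freeze({**{0: 0, 1: 1, 2: 2}, **dict(pairs)})

IDENT = perm()
R_01 = frozenset({IDENT, perm((0, 1), (1, 0))})            # subgroup {id, (0 1)}
S_12 = frozenset({IDENT, perm((1, 2), (2, 1))})            # subgroup {id, (1 2)}
A_3 = frozenset({IDENT, perm((0, 1), (1, 2), (2, 0)), perm((0, 2), (2, 1), (1, 0))})
T_02 = frozenset({perm((0, 2), (2, 0))})                   # the single map t2 = (0 2)
NOT_PURE = frozenset({IDENT, perm((0, 1), (1, 0)), perm((0, 2), (2, 0))})  # 3 maps: no coset of S_3
```

`product(R_01, S_12)` is the set $RS$ of two pure (subgroup) ciphers that is not pure, while `product(product(R_01, T_02), S_12)` is $Rt_2S$ with $t_2^{-1}Rt_2 = S$, which is again a coset.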
Theorem 9: The product of two pure secrecy systems is a secrecy system with equiprobable keys.

Proof: Let $S_1 = \langle\langle M_1,E,t_1R\rangle,P_1\rangle$ and $S_2 = \langle\langle M,M_1,t_2S\rangle,P_2\rangle$ be two pure secrecy systems ($R$ and $S$ are groups). The cipher of the product system $S_1 * S_2$ is $C = \langle M,E,T\rangle$ where $T = t_1Rt_2S = t_1t_2(t_2^{-1}Rt_2)S$. Both $S$ and $t_2^{-1}Rt_2$ are groups. Then Property 4 gives that each transformation in $(t_2^{-1}Rt_2)S$ can be represented as $|(t_2^{-1}Rt_2) \cap S|$ products $(t_2^{-1}rt_2)s$. As the transformations in $S_1$ and $S_2$ are equiprobable this shows that the transformations in $S_1 * S_2$ also will be equiprobable.

VII. KEY HOMOGENEITY AND SEMI-PERFECTNESS
We have shown that a pure cipher is KH and if used with equiprobable keys it gives a semi-perfect secrecy system. However, a KH semi-perfect secrecy system is not always a pure secrecy system. In this section we derive some conditions for ciphers to be KH. We also give conditions for secrecy systems to be KH and semi-perfect.
Theorem 10: If $C_0 = \langle M,E_0,T_0\rangle$ is KH then the subciphers $C_i = \langle M,E_i,T_i\rangle$ of its basic representation are pure and similar and have $t_{i,j}^{-1}T_i = R$.

Proof: Corollary 1, eq. (14) states that

$$T_i^{-1} t_{i,k} = T_j^{-1} t_{j,\ell} \qquad (27)$$

which after inversion and multiplication from the left with $t_{i,k}$ gives

$$T_i = t_{i,k}\, t_{j,\ell}^{-1} T_j \qquad (28)$$

But as $t_{i,k}t_{j,\ell}^{-1}: E_j \to E_i$ is bijective, (28) proves that $C_j$ is similar to $C_i$. As the subciphers $C_i$ all have $|M| = |E_i|$, Theorem 4 states that $T_iT_i^{-1}T_i = T_i$ which implies that all subciphers are pure ciphers. Then $T_i = t_{i,j}R_i$ for some group $R_i$. Substitution of this relation into (27) shows that $R_i = R_j$ for all $i, j$. Hence $t_{i,j}^{-1}T_i = R$ where $R$ is independent of $i$. This completes the proof.
We have not succeeded in finding a necessary and sufficient condition for a cipher to be KH. However, we have some sufficient conditions. Assume that $C_0 = \langle M,E_0,T_0\rangle$ has a basic representation as in Theorem 10. Then all subciphers $C_i = \langle M,E_i,T_i\rangle$ are pure and similar and $T_i = t_{i,j}R$ for some

follows that all subciphers will generate the same set of message residue classes (as the residue class that $m$ belongs to is given by $Rm$).

Now consider the message set $M^L_{\underline e}$ that a cryptogram $\underline e \in E^L_0$ can be deciphered into. Obviously, it can be written as the union of the message residue classes that $\underline e$ can be deciphered into by each subcipher $C_i$, i.e.

$$M^L_{\underline e} = \bigcup_{i:\ \underline e \in E^L_i} \left(T_i^{-1}\underline e\right) \qquad (29)$$

Now recall that for a cipher to be KH we demand that $M^L_{t\underline m}$ is independent of the transformation $t$. A sufficient condition for this to be true would be that each cryptogram only can be obtained as a transformation of messages from a single message residue class. Another, equivalent statement is that if $\underline e \in E^L_i \cap E^L_j$ then $T_i^{-1}\underline e = T_j^{-1}\underline e$. To see that this makes $M^L_{t\underline m}$ independent of $t$ let $\underline e_{i,j} = t_{i,j}\underline m$ for an arbitrary $\underline m$ and use $T_i = t_{i,j}R$ to get

$$M^L_{\underline e_{i,j}} = \bigcup_{\ell:\ \underline e_{i,j} \in E^L_\ell} \left(T_\ell^{-1}\underline e_{i,j}\right) = T_i^{-1}\underline e_{i,j} = (t_{i,j}R)^{-1}t_{i,j}\underline m = R\underline m \qquad (30)$$

The form of the sufficient condition above does not too clearly reveal the structural constraints it imposes on the sets $T_i$. To reveal these constraints assume that $B = E_i \cap E_j$, that $\underline e \in B^L$ and that each symbol in $B$ is represented in $\underline e$. Then $T_i^{-1}\underline e = T_j^{-1}\underline e$ implies that the following relation is valid

$$t_{i,k}^{-1}\underline e \in (t_{j,\ell}R)^{-1}\underline e \qquad (31)$$

The right hand side of (31) gives the message residue class and the left hand side an element in the class. But then $t_{i,k}^{-1}\underline e = (t_{j,\ell}r)^{-1}\underline e$. Let $t_{j,n} = t_{j,\ell}r \in T_j$; then $t_{i,k}^{-1}$ and $t_{j,n}^{-1}$ perform identical transformations of $B$ to $M$. This proves the following theorem:
Theorem 11: A sufficient condition for a cipher to be KH is that
1) the ciphers $C_i = \langle M, E_i, T_i\rangle$ of its basic representation are pure and similar with $T_i = t_i R$;
2) the transformations $t_i$ above can be chosen in such a way that if $B = E_i \cap E_j$ then $t_i^{-1}: B \to M$ and $t_j^{-1}: B \to M$ are identical.

Remark: The second part of the theorem implies that if $m_1 \neq m_2$ then $t_i m_1 \neq t_j m_2$, which is a useful form when construction of KH ciphers is considered.
It would have been nice to be able to say, as we thought at first, that Theorem 11 gives the necessary and sufficient condition for a cipher to be KH. But this is not so, as is shown by a counterexample in Figure 5. The additional result we have relates to the case when $R$ in $T_i = t_{i,j} R$ is transitive. That $R$ is transitive means that for arbitrary $m_1, m_2 \in M$ there exists an $r \in R$ such that $r m_1 = m_2$.
Theorem 12: Let $C_0 = \langle M, E_0, T_0\rangle$ have subciphers $C_i = \langle M, E_i, T_i\rangle$; $T_i = t_{i,j} R$ in its basic representation. If $R$ is transitive and there exists at least one $i$ such that
$$E_i \setminus \bigcup_{j \neq i} E_j \neq \emptyset \qquad (32)$$
is valid then Theorem 11 also gives the necessary conditions for $C_0$ to be KH.

Eq. (32) states that there exists at least one cryptogram symbol in $E_0$ which can only be generated by subcipher $C_i$.
Proof: Assume that $i$ is such that (32) holds and that $e_0 \in E_i \setminus \bigcup_{j \neq i} E_j$. Let $\bar e \in E_k \cap E_\ell$ be such that
$$m_1 = t_{k,n}^{-1}\, \bar e \quad \text{and} \quad m_2 = t_{\ell,n}^{-1}\, \bar e \qquad (33)$$
belong to different message residue classes. Now, if $C_0$ is KH it must be possible to decipher each cryptogram $e = t_{i,j}\, m_1$ into a message in the residue class $R m_2$. But if $t_{i,j}$ is such that one element in $R m_1$ is enciphered into $e_0$ then only transformations in $T_i$ can decipher $e_0$. Hence it can only be deciphered into the residue class $R m_1$ and the cipher can't be KH. That such a transformation $t_{i,j}$ exists follows from the fact that $R$ is transitive. By this we have proved that a cryptogram cannot be deciphered into two different message residue classes if the cipher is to be KH. This is exactly the condition stated in Theorem 11.
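As an added worked example (not from the report), the constructions of this section can be checked mechanically on a small cipher. The code below builds two pure, similar subciphers $T_i = t_i R$ over a constructed message set $M = \{0,1,2,3\}$ with a constructed, non-transitive group $R$ (so $Rm$ splits $M$ into the two residue classes $\{0,1\}$ and $\{2,3\}$), computes $M_{L,e}$ as in eq. (29), tests the KH definition directly (that $M_{L,tm}$ is the same set for every $t$ that can encipher $m$), tests condition 2 of Theorem 11 on $B = E_i \cap E_j$, and checks purity via $T_i T_i^{-1} T_i = T_i$. The letter cryptogram alphabet and the representatives $t_1$, $t_2$ are constructed for the example; a second choice of $t_2$ that breaks the agreement on $B$ shows the cipher ceasing to be KH. Because $R$ is not transitive, Theorem 12 is not invoked here; condition (32) is only reported.

```python
"""Key-homogeneity (KH) checks on a cipher given in its basic representation.

Constructed example (not the report's Figure 5): two pure, similar subciphers
C_i = <M, E_i, T_i> with T_i = t_i R for a single group R, as in Theorem 10.
"""
from itertools import product

M = (0, 1, 2, 3)
# Constructed non-transitive group R on M; permutations are tuples, r[m] = r(m).
# Its orbits (message residue classes Rm) are {0, 1} and {2, 3}.
R = [(0, 1, 2, 3), (1, 0, 3, 2)]


def compose(t, r):
    """(t o r)(m) = t(r(m)); t is a dict M -> E_i, r a permutation of M."""
    return {m: t[r[m]] for m in M}


def inverse(t):
    """t^{-1} as a dict E_i -> M (t is a bijection, so this is well defined)."""
    return {e: m for m, e in t.items()}


def coset(t, group):
    """T = t R, the enciphering transformations of a pure subcipher."""
    return [compose(t, r) for r in group]


def is_pure(T):
    """Algebraic purity criterion used in the proof of Theorem 10: T T^{-1} T = T."""
    trips = set()
    for a, b, c in product(T, T, T):
        binv = inverse(b)
        trips.add(tuple(sorted((m, a[binv[c[m]]]) for m in M)))
    return trips == {tuple(sorted(t.items())) for t in T}


def decipher_set(subciphers, e):
    """M_{L,e}: union over the subciphers with e in E_i of T_i^{-1} e, eq. (29)."""
    out = set()
    for T in subciphers:
        for t in T:
            inv = inverse(t)
            if e in inv:
                out.add(inv[e])
    return frozenset(out)


def is_kh(subciphers):
    """KH: M_{L,tm} does not depend on which t in T_0 = union T_i enciphered m."""
    for m in M:
        classes = {decipher_set(subciphers, t[m]) for T in subciphers for t in T}
        if len(classes) != 1:
            return False
    return True


def theorem11_condition2(ts):
    """t_i^{-1} and t_j^{-1} agree on B = E_i ∩ E_j for every pair (i, j)."""
    invs = [inverse(t) for t in ts]
    for a, b in product(invs, invs):
        if any(a[e] != b[e] for e in a.keys() & b.keys()):
            return False
    return True


def has_private_symbol(ts):
    """Condition (32): some E_i contains a symbol that no other E_j contains."""
    Es = [set(t.values()) for t in ts]
    return any(Ei - set().union(*(Ej for j, Ej in enumerate(Es) if j != i))
               for i, Ei in enumerate(Es))


# Constructed representatives t_i : M -> E_i (E_1 = {a,b,c,d}, E_2 = {c,d,e,f}).
t1 = {0: 'a', 1: 'b', 2: 'c', 3: 'd'}
t2_good = {0: 'e', 1: 'f', 2: 'c', 3: 'd'}  # t2^{-1} agrees with t1^{-1} on B = {c, d}
t2_bad = {0: 'c', 1: 'd', 2: 'e', 3: 'f'}   # c, d now decipher into the other class


def analyse(ts):
    """Run every check on the cipher whose subciphers are t_i R for t_i in ts."""
    subs = [coset(t, R) for t in ts]
    return {
        "pure": all(is_pure(T) for T in subs),
        "thm11_cond2": theorem11_condition2(ts),
        "kh": is_kh(subs),
        "eq32": has_private_symbol(ts),
        "M_L_c": decipher_set(subs, 'c'),
    }


if __name__ == "__main__":
    for name, t2 in (("good", t2_good), ("bad", t2_bad)):
        print(name, analyse([t1, t2]))
```

With `t2_good` the cryptogram `c` deciphers only into the class $\{2,3\}$ and the cipher is KH, exactly as eq. (30) predicts; with `t2_bad` the same cryptogram deciphers into all of $M$, while `a` (another image of the message 0) still deciphers into $\{0,1\}$, so $M_{L,tm}$ depends on $t$ and KH fails even though both subciphers remain pure and similar.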
To conclude this section we state a theorem regarding the basic representation of a KH semi-perfect secrecy system.

Theorem 13: A KH semi-perfect secrecy system is a weighted sum of similar pure subsystems.
[Figure 5: mapping tables for $t_{1,1}, t_{2,1}, t_{3,1}, t_{4,1}$ and $r_1, r_2, r_3$ omitted.]

Figure 5. A KH cipher $C_0 = \langle M, E_0, T\rangle$, $M = \{1,2,3\}$, $E_0 = \{1,2,3,4\}$, with subciphers $C_i = \langle M, E_0 \setminus \{i\}, t_{i,1} R\rangle$, $i = 1,2,3,4$, which does not satisfy the condition of Theorem 11.
VIII. FINAL REMARKS
The results in the preceding sections show that the property of key homogeneity is the natural generalization of the properties held by pure ciphers. For the important case when the message and cryptogram alphabets are of equal size, the statement that a cipher is KH is equivalent to the statement that it is a pure cipher.

From Section VII we may conclude that if a cipher can be represented as in Theorem 10, KH or not, and it enciphers a message containing all symbols in the message alphabet, then the cryptanalytic problem is that of solving a pure cipher. As this situation ought to be the most common in cryptanalysis, it emphasises the importance of the concept of pure ciphers. It also gives us reason not to be too disappointed about the fact that we did not succeed in finding a simple necessary and sufficient condition for a cipher to be KH.

We also note that the concept of semi-perfectness is not of the kind to generate a class of ciphers that has a simple description. However, it is useful when discussing MAP decryption of KH ciphers.
APPENDIX A

We wish to exhibit a simple example which shows that the product of two commuting cosets is not necessarily a coset. Let $G$ be the set of all invertible transformations of $M = \{1,2,3,4\}$ onto $M$. Let $R$ be a subgroup having the four elements defined in Table I a) and let the two cosets be generated by $t'$ and $t''$. The cosets are given in Table I b) and c). Table I d) contains the elements of the complex
$$t' R\, t'' R = t'' R\, t' R.$$
The number of elements in the complex is 16, not a divisor of $|G| = 24$. But the order of a subgroup of $G$ must divide the order of $G$. Thus the complex is not a coset of a subgroup.

Table I

a) $r_j(m)$

         m:  1  2  3  4
     j = 1:  1  2  3  4
     j = 2:  4  1  2  3
     j = 3:  3  4  1  2
     j = 4:  2  3  4  1

b) $t'_j(m) = t'\, r_j(m)$

         m:  1  2  3  4
     j = 1:  2  1  3  4
     j = 2:  4  2  1  3
     j = 3:  3  4  2  1
     j = 4:  1  3  4  2

c) $t''_j(m) = t''\, r_j(m)$

         m:  1  2  3  4
     j = 1:  3  1  2  4
     j = 2:  4  3  1  2
     j = 3:  2  4  3  1
     j = 4:  1  2  4  3

d) $t'_i\, t''_j(m) = t''_k\, t'_\ell(m)$

     (i,j)  (k,l)   m:  1  2  3  4
     (1,1)  (4,2)       3  2  1  4
     (1,2)  (4,3)       4  3  2  1
     (1,3)  (4,4)       1  4  3  2
     (1,4)  (4,1)       2  1  4  3
     (2,1)  (3,2)       1  4  2  3
     (2,2)  (3,3)       3  1  4  2
     (2,3)  (3,4)       2  3  1  4
     (2,4)  (3,1)       4  2  3  1
     (3,1)  (2,2)       2  3  4  1
     (3,2)  (2,3)       1  2  3  4
     (3,3)  (2,4)       4  1  2  3
     (3,4)  (2,1)       3  4  1  2
     (4,1)  (1,2)       4  1  3  2
     (4,2)  (1,3)       2  4  1  3
     (4,3)  (1,4)       3  2  4  1
     (4,4)  (1,1)       1  3  2  4
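The appendix example, recomputed as an added Python example (not part of the report): the permutations of Table I are entered as tuples, the cosets $t'R$ and $t''R$ are generated, their complex is formed in both orders to confirm that the cosets commute, and, besides the order argument ($16 \nmid 24$), the coset criterion $X X^{-1} X \subseteq X$ is applied to the complex directly. The function names are the example's own.

```python
"""Appendix A worked out: the complex t'R t''R of two commuting cosets is not a coset."""
from itertools import product

DOMAIN = (1, 2, 3, 4)


def compose(p, q):
    """(p o q)(m) = p(q(m)); permutations are tuples with p[m - 1] = p(m)."""
    return tuple(p[q[m - 1] - 1] for m in DOMAIN)


def invert(p):
    """p^{-1}: the m with p(m) = k is placed at position k."""
    inv = [0] * len(DOMAIN)
    for m in DOMAIN:
        inv[p[m - 1] - 1] = m
    return tuple(inv)


# Table I a): the cyclic subgroup R = {r_1, r_2, r_3, r_4}.
R = [(1, 2, 3, 4), (4, 1, 2, 3), (3, 4, 1, 2), (2, 3, 4, 1)]
t_prime = (2, 1, 3, 4)     # t'  (row j = 1 of Table I b))
t_dprime = (3, 1, 2, 4)    # t'' (row j = 1 of Table I c))


def coset(t, group):
    """t R = {t o r : r in R}."""
    return {compose(t, r) for r in group}


def complex_product(A, B):
    """The complex A B = {a o b : a in A, b in B}."""
    return {compose(a, b) for a, b in product(A, B)}


def is_coset(X):
    """X is a coset of some subgroup iff X X^{-1} X ⊆ X (then X = x (x^{-1} X))."""
    X_inv = {invert(x) for x in X}
    return {compose(compose(a, b), c) for a in X for b in X_inv for c in X} <= X


def appendix_a():
    """Reproduce the appendix: sizes, commutation, and the (non-)coset verdict."""
    tR = coset(t_prime, R)
    uR = coset(t_dprime, R)
    cx = complex_product(tR, uR)
    return {
        "coset_sizes": (len(tR), len(uR)),
        "cosets_commute": cx == complex_product(uR, tR),
        "complex_size": len(cx),
        "size_divides_24": 24 % len(cx) == 0,
        "complex_is_coset": is_coset(cx),
        "R_is_coset": is_coset(set(R)),  # sanity check: a subgroup is its own coset
    }


if __name__ == "__main__":
    print(appendix_a())
```

The `is_coset` test does not depend on the order argument: it would also reject a 12-element complex, which the divisibility test alone could not.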
REFERENCES

[1] Shannon, C., "Communication Theory of Secrecy Systems", Bell System Technical Journal, Vol. 28, pp. 656-715.
[2] Blom, R., "On Pure Ciphers", Internal Publication LiTH-ISY-I-0286, Linköping University, 1979.
[3] Wozencraft, J. and Jacobs, I., Principles of Communication Engineering, Wiley, New York, 1967, pp. 212-214.
[4] van Trees, H.L., Detection, Estimation and Modulation Theory, Wiley, New York, 1968, pp. 54-63.
[5] van der Waerden, B.L., Modern Algebra, Frederick Ungar Publishing Co., New York, 1966.
[6] Herstein, I.N., Topics in Algebra, Xerox College Publishing, Waltham, Mass., 1969.
[7] Burnside,