On Pure and Related Ciphers

Academic year: 2021

Rolf Blom

INTERNAL REPORT LiTH-ISY-I-0451

ABSTRACT

It is possible to formulate several properties of a cipher that can be said to make the cipher homogeneous with respect to the key, i.e. whatever key is used, different aspects of the enciphering, deciphering and decrypting processes will be independent of the key choice. We investigate such properties and define a property called key homogeneity. The class of key homogeneous ciphers is shown to include the class of pure ciphers. The algebraic properties of pure ciphers are analyzed in detail. Finally the connection between pure ciphers and key homogeneous ciphers is investigated.

I. INTRODUCTION 1
II. NOTATION 3
III. MODEL AND PRELIMINARIES 4
IV. MAP DECRYPTION 10
V. KEY HOMOGENEITY AND PURE CIPHERS 14
VI. PURE CIPHERS 17
VII. KEY HOMOGENEITY AND SEMI-PERFECTNESS 26
VIII. FINAL REMARKS 31
APPENDIX A 32

I. INTRODUCTION

Shannon's classical paper [1] presents a model of ciphers and how they are used. This model was developed to facilitate statistical and information theoretic analysis of ciphers. Such analysis showed that ciphers belonging to a certain class, which Shannon called the class of pure ciphers and which we shall call the class of pure secrecy systems, possess a homogeneity with respect to the key used for enciphering. By this we mean that whatever key is used, different aspects of the enciphering, deciphering and decrypting processes will be independent of the key choice. The class of pure secrecy systems is important because it includes for example the well known Caesar cipher, Vigenère and Beaufort ciphers, matrix systems and transposition ciphers.

In this paper we wish to analyze and discuss the fundamental properties which lie behind the definition of the class of pure ciphers. We also want to display how these properties can be reflected in an algebraic characterization of the set of enciphering transformations of the cipher.

Furthermore we give a simple characterization of a pure cipher's set of enciphering transformations. We use this characterization to analyze properties of products of pure ciphers.

In Section II we explain the notation used in this paper. Section III gives the model and some basic definitions.

Section IV is concerned with the cryptanalytic problem of a "ciphertext only attack" and a property which exhibits a certain kind of key homogeneity is defined. A key homogeneity condition that leads to the class of pure ciphers is investigated in Section V. In Section VI we analyze, from a group theoretic point of view, the algebraic structure of the set of enciphering transformations of a pure cipher. This analysis completely reveals the structure of the set of transformations. We also give necessary and sufficient conditions for the product of two pure ciphers to be pure, which by the way corrects an error in Theorem 2 of [1]. Most of the results in this section are fetched from [2]. Section VII is concerned with the relation between pure ciphers and the class of key homogeneous

II. NOTATION

Sets of elements will be denoted by upper case italic letters. The number of elements in a set $U$ will be denoted $|U|$. The empty set will be denoted $\emptyset$. Elements of a set are denoted by (possibly indexed) lower case letters corresponding to the letter denoting the set, e.g. $u_i \in U$. If the sets are indexed themselves we sometimes use a double index on their elements, e.g. $u_{1,i} \in U_1$, $u_{2,k} \in U_2$.

Let $U$ be an arbitrary set of elements. A sequence of length $L$ of symbols in $U$ will simply be written $\underline{u}$. If it is not clear from context what $L$ is we specify this with $\underline{u} \in U^L$, where $U^L$ denotes the set of all sequences of length $L$.

The device of juxtaposing two letters $u, v$ is so efficient that we will use it in two different senses, according to the meaning previously announced for the letters. Thus, if $v$ is a transformation and $u$ an element of its domain, $vu$ denotes the value of $v$ for the assignment $u$. If $v$ and $u$ both are functions, $vu$ will denote the composite function. Using the same convention as above we shall write $UV$ to denote the set $\{uv \mid u \in U, v \in V\}$. If $U$ is a set of transformations, $U^{-1}$ denotes $\{u^{-1} \mid u \in U\}$.

If $v$ is a transformation and $\underline{u} \in U^L$ then, with a slight abuse of notation, we shall denote by $v\underline{u}$ the sequence obtained by letting $v$ transform each element in $\underline{u}$.

Let $v$ be a transformation; then we define a function $\nu(\cdot)$ such that $\nu(v)$ denotes the range of values of $v$.

III. MODEL AND PRELIMINARIES

By the word cipher we understand a description of how a set of messages $M$ can be enciphered into a set of cryptograms $E$ and how the enciphering transformation depends on the key. The following is a very simple formal definition.

Definition 1: A cipher is a triplet $\langle M,E,T\rangle$ in which $T$ is a set of distinct injective transformations from $M$ to $E$; $t \in T: M \to E$.

The definition is valid for finite as well as infinite sets $M$ and $T$. In this paper, however, we only consider the case when all three sets $M$, $E$ and $T$ are finite. The fact that $T$ is finite allows us to simply model the key as the index of the corresponding transformation in $T$. That the transformations in $T$ are injective guarantees that a cryptogram always has a unique inverse. It also implies that $|E| \geq |M|$. Observe that we don't exclude ciphers which have $|E| > |M|$.

To fully specify the cipher and how it is used we also need to describe how the key is chosen. Shannon proposed that the key should be modelled as a stochastic variable, i.e. the key is chosen from the set of possible keys according to some probability distribution. He called the cipher together with the probability distribution of the keys a secrecy system [1]. As the key uniquely determines a transformation in $T$ we may just as well define a secrecy system as:

Definition 2: A secrecy system is a pair $\langle C,P\rangle$ in which $C = \langle M,E,T\rangle$ is a cipher and $P$ is a probability distribution on $T$.

With $T$ finite we may interpret $P$ as the set of probabilities of the keys, i.e. the probability of using a certain transformation in $T$. We will use the convention that if $T = \{t_j\}_{j=1}^{J}$ and $P = \{p_j\}_{j=1}^{J}$ then $p_j$ is the probability of key $j$, or equivalently of the transformation $t_j$.

A block diagram showing the components and operation of a secrecy system is given in Fig. 1. The symbols from the message source are transformed by the encipherer into cryptogram symbols before they are transmitted over the channel. To recover the cleartext message at the receiving end the inverse transformation is performed by the decipherer. The transformation (and its inverse) used are specified by the output from the random key source.

The wiretapper, who wants to know the cleartext message hidden in the cryptogram, is always assumed to know the secrecy system used and the statistics of the message source. If the wiretapper doesn't have any other a priori information he performs what is known as a "ciphertext only attack". It is the only type of attack we will treat in this paper.

[Figure 1: block diagram of a secrecy system. Message source ($m$), encipherer ($e = t_j(m)$), wiretapper on the channel, decipherer ($m = t_j^{-1}(e)$), destination, and key source (key $j$).]

If two ciphers only differ in their respective cryptogram alphabets they will have the same cryptographic strength. We say that such ciphers are similar. More generally we define two ciphers to be similar if they can be transformed into each other. This notion is made precise by:

Definition 3: Two ciphers $C_1 = \langle M_1,E_1,T_1\rangle$ and $C_2 = \langle M_2,E_2,T_2\rangle$ are similar if there exist bijective mappings $f_1: M_1 \to M_2$ and $f_2: E_1 \to E_2$ such that $T_1 = f_2^{-1} T_2 f_1$.

The significance of two ciphers being similar is that they at least in principle give rise to the same decryption problem. This is obvious because by appropriate application of $f_1$ and $f_2$ we will be able to transform a problem regarding the first cipher into a problem regarding the second cipher and vice versa.

Now we define sums and products of ciphers and secrecy systems. The product $C_2 * C_1$ of two ciphers $C_1$ and $C_2$ is the cipher which is obtained by first applying a transformation from $C_1$ to a message and then applying a transformation from $C_2$ to the cryptogram from $C_1$. This process is often called a super encryption. Formally we define such a product by:

Definition 4: The product $C_2 * C_1$ of two ciphers $C_1 = \langle M_1,E_1,T_1\rangle$ and $C_2 = \langle M_2,E_2,T_2\rangle$ with $E_1 \subset M_2$ is a new cipher $C_0 = C_2 * C_1 = \langle M_1,E_2,T_2T_1\rangle$.

Similarly we define the product of two secrecy systems. Figure 2 illustrates this situation.

[Figure 2. Block diagram of a system with super encryption, i.e. a product cipher: message source ($m$), product encipherer ($x = t_j(m)$, $e = t_k(x)$), wiretapper on the channel, product decipherer ($x = t_k^{-1}(e)$, $m = t_j^{-1}(x)$), destination, and key sources #1 (key $j$) and #2 (key $k$).]

Definition 5: The product $S_2 * S_1$ of two secrecy systems $S_1 = \langle\langle M_1,E_1,T_1\rangle,P_1\rangle$ and $S_2 = \langle\langle M_2,E_2,T_2\rangle,P_2\rangle$ with $E_1 \subset M_2$ is a secrecy system $S_0 = \langle\langle M_1,E_2,T_0\rangle,P_0\rangle$ which has $T_0 = T_2T_1$ and $p_{0,j} \in P_0$ is given by

The weighted sum of two secrecy systems $S_1$ and $S_2$ models the secrecy system which arises when a first probabilistic choice is made regarding which system, $S_1$ or $S_2$, to use, and the chosen system is then used. Two probabilities $w_1, w_2$ are associated with $S_1$ and $S_2$ respectively and they govern the choice between $S_1$ and $S_2$. Then the sum is weighted in the sense that system $S_1$ will be used with weight $w_1$ and $S_2$ with weight $w_2$.

Definition 6: The weighted sum $w_1S_1 + w_2S_2$, $w_1 + w_2 = 1$, of two secrecy systems $S_1 = \langle\langle M,E_1,T_1\rangle,P_1\rangle$ and $S_2 = \langle\langle M,E_2,T_2\rangle,P_2\rangle$ is a new secrecy system $S_0 = \langle\langle M,E_1 \cup E_2,T_0\rangle,P_0\rangle$ which has $T_0 = T_1 \cup T_2$ and $p_{0,j} \in P_0$ is given by

$$p_{0,j} = \sum_{i=1}^{2} w_i \sum_{l:\ t_{0,j} = t_{i,l}} p_{i,l}$$

We also have the following definition of the sum of two ciphers.

Definition 7: The sum $C_1 + C_2$ of two ciphers $C_1 = \langle M,E_1,T_1\rangle$ and $C_2 = \langle M,E_2,T_2\rangle$ is a new cipher $C_0 = \langle M,E_1 \cup E_2,T_1 \cup T_2\rangle$.

Of course the definitions given above can be extended to sums and products of an arbitrary but finite number of ciphers or secrecy systems.

From Definitions 6 and 7 it is obvious that we may represent a cipher or secrecy system as a sum of ciphers or secrecy systems in a lot of different ways. A very useful representation is obtained by dividing a cipher into subciphers in which all transformations have the same range of values.

Definition 8: The basic representation of a cipher $C_0 = \langle M,E_0,T_0\rangle$ is as a sum of subciphers $C_i = \langle M,E_i,T_i\rangle$ such that $T_i \cap T_j = \emptyset$ and if $t', t'', t''' \in T_0$; $t' \in T_i$ and $\nu(t') = \nu(t'') \neq \nu(t''')$ then $t'' \in T_i$, $t''' \notin T_i$.

In an analogous way we define the basic representation of a secrecy system.

Definition 9: The basic representation of a secrecy system $S_0 = \langle C_0,P_0\rangle$ is a weighted sum of subsystems $S_i = \langle C_i,P_i\rangle$ such that $C_0 = \sum_i C_i$. With $C_i = \langle M,E_i,T_i\rangle$ the probability (weight) $w_i$ of subsystem $S_i$ is given by

and if $t_{i,j} = t_{0,l}$ then $p_{i,j} = p_{0,l}/w_i$.

Finally we define the two concepts originating the interest resulting in this paper, namely the concepts of pure ciphers and pure secrecy systems.

Definition 10: A cipher $\langle M,E,T\rangle$ is called a pure cipher if $|M| = |E|$ and $TT^{-1}T \subset T$.

Definition 11: A secrecy system $\langle C,P\rangle$ is called a pure secrecy system if $C$ is a pure cipher and $P$ denotes a uniform probability distribution, i.e. the keys are equiprobable.

Observe that the definition of a pure cipher in [1] corresponds to our definition of a pure secrecy system.

IV. MAP DECRYPTION

The assumption made in the preceding section about the wiretapper's knowledge clearly shows that his only means for decryption are different statistical measures. The two most useful measures are the a posteriori probability of the message, $P_{M|E}(\underline{m}|\underline{e})$, and of the key, $P_K(k|\underline{e})$. From these probabilities the wiretapper can obtain MAP (maximum a posteriori) estimates of the message and key respectively by choosing as estimates the message $\underline{m}$ and key $k$ that maximize the corresponding a posteriori probability. These estimates are the best possible because MAP estimates minimize the probability of error. An introduction to MAP decoding can be found in [3] or [4].

In order to use only one type of notation in this section we will write the probability $p_j$ of key $j$ as $P_K(j)$.

The wiretapper will always be able to obtain some information out of the measure $P_{M|E}(\underline{m}|\underline{e})$ unless it is independent of $\underline{e}$, i.e.

(1)

Definition 12: A secrecy system $\langle\langle M,E,T\rangle,P\rangle$ is perfect for encryption of $M^L$ if for all $\underline{m} \in M^L$ eq. (1) is true.

Obviously a cryptogram cannot correspond to more messages than the number of keys in the system. Hence for arbitrary $L > 0$, (1) cannot be satisfied. A condition similar to (1), which could be said to be the second best property, is given in the following definition.

Definition 13: A secrecy system $\langle\langle M,E,T\rangle,P\rangle$ is semi-perfect if for all $L > 0$, $\underline{m} \in M^L$, $\underline{e} \in E^L$

$$P_{M|E}(\underline{m}|\underline{e}) = \begin{cases} P_M(\underline{m})\, c_1(\underline{e}) & \text{if } T_{\underline{e},\underline{m}} \neq \emptyset \\ 0 & \text{otherwise} \end{cases} \qquad (2)$$

where $T_{\underline{e},\underline{m}} = \{t \in T \mid t\underline{m} = \underline{e}\}$ and $c_1(\underline{e})$ is a function of $\underline{e}$ only.

We see that if a secrecy system is semi-perfect then the wiretapper doesn't learn anything more than the set $M^L_{\underline{e}}$ of possible messages,

(3)

The following theorem states a rather obvious sufficient condition for a cipher to be semi-perfect.

Theorem 1: A secrecy system $\langle\langle M,E,T\rangle,P\rangle$ is semi-perfect if the keys are equiprobable and

$$|T_{\underline{e},\underline{m}}| = \begin{cases} c_2(\underline{e}) & \text{if } T_{\underline{e},\underline{m}} \neq \emptyset \\ 0 & \text{otherwise} \end{cases} \qquad (4)$$

where $c_2(\underline{e})$ is a function of $\underline{e}$ only. Eq. (4) states that if $\underline{m}$ can be enciphered into $\underline{e}$ then the number of keys that map $\underline{m}$ into $\underline{e}$ is a function of $\underline{e}$ only.

Proof: By Bayes' rule the a posteriori probability of the message can be written as

Comparison of (5) with the condition (2) implies that $P_{E|M}(\underline{e}|\underline{m})$ has to satisfy a corresponding condition. We have

$$P_{E|M}(\underline{e}|\underline{m}) = \sum_k P_{E|KM}(\underline{e}|k,\underline{m})\, P_K(k) \qquad (6)$$

and

$$P_{E|KM}(\underline{e}|k,\underline{m}) = \begin{cases} 1 & \text{if } t_k \in T_{\underline{e},\underline{m}} \\ 0 & \text{otherwise} \end{cases} \qquad (7)$$

Hence, if we observe that (7) implies

$$|T_{\underline{e},\underline{m}}| = \sum_k P_{E|KM}(\underline{e}|k,\underline{m}), \qquad (8)$$

and use the assumptions of the theorem, we find that

(9)

Substitution of (9) into (5) shows that condition (2) is satisfied, which completes the proof.

Theorem 2: If a secrecy system $\langle\langle M,E,T\rangle,P\rangle$ has $|M| = |E|$ then the conditions in Theorem 1 are necessary and sufficient for a cipher to be semi-perfect.

Proof: That the conditions are sufficient is stated in Theorem 1. Here we prove the necessity. If $|M| = |E|$ then all transformations in $T$ are bijective. This means that a message $\underline{m}$ in which all symbols in $M$ are represented will be enciphered into a cryptogram $\underline{e}$ which contains all symbols in $E$. Hence if $\underline{e}$ is the cryptogram of $\underline{m}$, the pair $\underline{m}$ and $\underline{e}$ uniquely defines the enciphering transformation $t_k$, which

$$|T_{\underline{e},\underline{m}}| = 1 \qquad (10)$$

Then if (10), (6), (7) and (8) are combined we obtain

(11)

and the necessity of the equiprobability of the keys follows by substitution of (11) into (5) and the fact that condition (2) has to be satisfied for arbitrary messages and cryptograms.

To establish the necessity of (4) we now assume that the keys are equiprobable; then

$$P_{E|M}(\underline{e}|\underline{m}) = \Big(\sum_k P_{E|KM}(\underline{e}|k,\underline{m})\Big)\Big/|T| = |T_{\underline{e},\underline{m}}|\,/\,|T| \qquad (12)$$

and the necessity follows by inspection. This completes the
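Definition 13 and Theorems 1 and 2 can be checked mechanically on a small cipher. The following Python is an added example, not code from the report: it computes $|T_{\underline{e},\underline{m}}|$ and the Bayes posterior of eqs (6)-(7) for a constructed three-symbol shift cipher (message symbols assumed i.i.d. with a chosen distribution, and all key probabilities assumed positive), then tests condition (4) and the semi-perfectness condition (2) under equiprobable and under skewed keys, and on a constructed non-pure cipher.

```python
from fractions import Fraction
from itertools import product

# Added example (not from the paper). Transformations on M = E = {0, ..., n-1} are tuples t
# with t[x] the cryptogram symbol for message symbol x; the key is the index of t in T.


def encipher(t, m):
    """t applied symbol by symbol to the sequence m (the paper's 'v u' convention)."""
    return tuple(t[x] for x in m)


def key_set_sizes(T, L):
    """|T_{e,m}| = number of keys with t m = e, for every (e, m) with T_{e,m} non-empty."""
    n = len(T[0])
    sizes = {}
    for m in product(range(n), repeat=L):
        for t in T:
            e = encipher(t, m)
            sizes[(e, m)] = sizes.get((e, m), 0) + 1
    return sizes


def satisfies_eq4(T, L):
    """Condition (4) of Theorem 1: |T_{e,m}| is a function of e only (over m with T_{e,m} non-empty)."""
    by_e = {}
    for (e, m), cnt in key_set_sizes(T, L).items():
        by_e.setdefault(e, set()).add(cnt)
    return all(len(c) == 1 for c in by_e.values())


def posterior(T, p_key, p_sym, L):
    """P_{M|E}(m|e) by Bayes' rule with P_{E|M}(e|m) = sum_k P_{E|KM}(e|k,m) p_k, eqs (6)-(7).
    Assumption: message symbols are i.i.d. with distribution p_sym; p_key and p_sym positive."""
    n = len(T[0])
    joint = {}  # (e, m) -> P_M(m) * P_{E|M}(e|m)
    for m in product(range(n), repeat=L):
        pm = Fraction(1)
        for x in m:
            pm *= p_sym[x]
        for k, t in enumerate(T):
            e = encipher(t, m)
            joint[(e, m)] = joint.get((e, m), Fraction(0)) + pm * p_key[k]
    pe = {}
    for (e, m), v in joint.items():
        pe[e] = pe.get(e, Fraction(0)) + v
    return {(e, m): v / pe[e] for (e, m), v in joint.items()}


def is_semi_perfect(T, p_key, p_sym, L):
    """Definition 13: P_{M|E}(m|e) = P_M(m) c_1(e) whenever T_{e,m} is non-empty, i.e. the
    ratio P_{M|E}(m|e) / P_M(m) takes a single value for each cryptogram e."""
    ratios = {}
    for (e, m), v in posterior(T, p_key, p_sym, L).items():
        pm = Fraction(1)
        for x in m:
            pm *= p_sym[x]
        ratios.setdefault(e, set()).add(v / pm)
    return all(len(r) == 1 for r in ratios.values())


# Constructed data: a cyclic-shift (Caesar) cipher on three symbols, which is pure, and a
# non-pure set of transformations on the same alphabet (identity, a transposition, a 3-cycle).
SHIFT = [tuple((x + k) % 3 for x in range(3)) for k in range(3)]
NONPURE = [(0, 1, 2), (1, 0, 2), (1, 2, 0)]
P_SYM = (Fraction(1, 2), Fraction(1, 4), Fraction(1, 4))
UNIFORM = (Fraction(1, 3),) * 3
SKEWED = (Fraction(1, 2), Fraction(1, 4), Fraction(1, 4))

if __name__ == "__main__":
    print(is_semi_perfect(SHIFT, UNIFORM, P_SYM, 2))  # True: pure cipher, equiprobable keys
    print(is_semi_perfect(SHIFT, SKEWED, P_SYM, 2))   # False: Theorem 2, since |M| = |E|
    print(satisfies_eq4(NONPURE, 1), is_semi_perfect(NONPURE, UNIFORM, P_SYM, 1))  # False False
```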

V. KEY HOMOGENEITY AND PURE CIPHERS

It is certainly possible to formulate several different properties of a cipher that could be said to reveal a homogeneity with respect to the key used for enciphering. One example of ciphers with such a property is the class of ciphers that gives semi-perfect secrecy systems. In this section we will discuss another property which leads directly to the class of pure ciphers.

The basic idea behind this condition is that cryptanalysis of intercepted cryptograms should give a set of possible messages that is independent of the specific key used in the enciphering of the message. The formal definition of this property, which we will call key homogeneity, is:

Definition 14: A cipher $\langle M,E,T\rangle$ is key homogeneous (KH) if for arbitrary $\underline{m} \in M^L$ and $t_1, t_2 \in T$ the sets of messages that $\underline{e}_1 = t_1\underline{m}$ and $\underline{e}_2 = t_2\underline{m}$ can be deciphered into are the same.

The condition in the definition can be visualized as

(13)

where $T_{\underline{e}_i}$ contains all transformations that have an inverse for $\underline{e}_i$. Eq. (13) should be satisfied for messages of arbitrary length. For a message $\underline{m}$ which contains all symbols in $M$ this means that (13) transforms into an equality between

Corollary 1: Let the basic representation of $C_0 = \langle M,E_0,T_0\rangle$ consist of subciphers $C_i = \langle M,E_i,T_i\rangle$. Then a necessary condition for $C_0$ to be KH is that for arbitrary $i, j, k, l$

$$T_i^{-1} t_{i,k} = T_j^{-1} t_{j,l} \qquad (14)$$

is valid.

In Section VII we will discuss sufficient conditions. Fig. 3 shows the set of enciphering transformations of a very simple KH cipher with $|E| > |M|$.

Figure 3. Line diagrams representing the enciphering transformations of a KH cipher with $|E| > |M|$.

Let us in correspondence with $M^L_{\underline{e}}$ define $E^L_{\underline{m}}$ as

$$E^L_{\underline{m}} = \{\underline{e} \in E^L \mid T_{\underline{m},\underline{e}} \neq \emptyset\}. \qquad (15)$$

Then another way to state (13) is that if $\underline{e}, \underline{e}' \in E^L_{\underline{m}}$ then $M^L_{\underline{e}} = M^L_{\underline{e}'}$. Furthermore if $\underline{m}, \underline{m}' \in M^L_{\underline{e}}$ then there exist $t, t' \in T$ such that $t\underline{m} = t'\underline{m}'$ and $M^L_{t\underline{m}} = M^L_{t'\underline{m}'}$. But (13) implies that $M^L_{t\underline{m}}$ is independent of $t$. By this we have

Theorem 3: If a cipher $\langle M,E,T\rangle$ is KH and $\underline{m}, \underline{m}' \in M^L_{\underline{e}}$, $t, t' \in T$ then

(16)

This means that if we encipher a message in $M^L_{\underline{e}}$, the set of messages that a wiretapper possibly could decrypt it into is independent of the specific message.

We shall now derive a necessary condition for a cipher to be KH. This condition shows that the subciphers in the basic representation have to be pure ciphers.

Theorem 4: If $\langle M,E_0,T_0\rangle$ is KH and $\langle M,E_i,T_i\rangle$ is one of the subciphers of its basic representation then

$$T_i (T_i)^{-1} T_i = T_i \qquad (17)$$

Proof: Let $t_{i,k}, t_{i,l} \in T_i$. Then Corollary 1 gives

$$T_i^{-1} t_{i,k} = T_i^{-1} t_{i,l} \qquad (18)$$

After inversion of both sides in (18) we obtain

$$t_{i,k}^{-1} T_i = t_{i,l}^{-1} T_i \qquad (19)$$

which after multiplication from the left with $t_{i,l}$ gives

$$t_{i,l}\, t_{i,k}^{-1} T_i = T_i \qquad (20)$$

But as (20) is valid for arbitrary $t_{i,k}, t_{i,l} \in T_i$ it implies that (17) is true.

VI. PURE CIPHERS

In this section we discuss properties of pure ciphers with a starting point in group theory.

The transformations in a group of transformations have to have the same domain of definition, which also has to be the range of values. This implies that group theoretic results are directly applicable to endomorphic ciphers, i.e. ciphers with $M = E$. But as will be seen below we will have use for group theory in other cases also. One important observation is that if $C = \langle M,E,T\rangle$ and $C' = \langle M,M,T'\rangle$ with $T' = fT$, $f: E \to M$, are similar and $C$ is a pure cipher then so is $C'$, as can be easily checked. It is also evident that the properties of $T'$ will reflect all interesting properties of $T$. This motivates our choice to first study endomorphic ciphers to obtain some basic results and then to consider arbitrary pure ciphers.

Before we start our analysis we have to define some additional concepts. We shall also collect some useful group theoretic results. An introduction to the properties of groups can for example be found in [5] and [6].

The basic group that we work in is the multiplicative group $G$ of all bijective transformations of $M$ on $M$. $G$ is finite and can be identified with the group of all permutations of $|M|$ objects. $R$ and $S$ will denote subgroups of $G$. An arbitrary set of elements in $G$ is called a complex and is denoted by $T$. Elements of a group or complex are denoted in the usual way by possibly indexed lower case letters corresponding to the one denoting the group or complex. The order of a group $R$, i.e. the number of elements in $R$, is denoted $|R|$. We also

a subgroup $R$ of $G$ is denoted as $gR$ and a right coset is denoted as $Rg$. Observe that the subgroup $R$ itself is a coset, which is generated by the identity element.

Figure 4. Block diagram depicting the relation between the cipher $\langle M,E,T\rangle$ and the endomorphic cipher $\langle M,M,T'\rangle$ for which $f: E \to M$ and $T' = fT$. In the figure $m \in M$, $e \in E$ and $e' \in M$.

Property 1: If $T$ is a complex in $G$ and $TT \subset T$ then $T$ is a subgroup of $G$.

Property 2: For any two complexes $T', T''$ in $G$ the following relations are valid: $|T'| \leq |T'T''| \leq |T'|\,|T''|$.

Property 3: The product $RS$ of two subgroups $R$ and $S$ of $G$

Property 4: If $R$ and $S$ are subgroups of $G$ then the number of elements in the product set $RS$ is

$$|RS| \qquad (21)$$

and every element in $RS$ can be represented in $|R \cap S|$ ways as a product $rs$, where $r \in R$, $s \in S$.

Proofs of Properties 1, 3 and 4 can be found in [6], Theorems 2.4, 2.8 and 2.13 respectively. Property 2 is an immediate consequence of the properties of a group.

We have now collected the necessary background material to proceed with our main task. Let $\langle M,M,T\rangle$ be a pure cipher; then the definition states that $TT^{-1}T \subset T$. Because $TT^{-1}T$ is a subset of $T$ we have $|TT^{-1}T| \leq |T|$. But according to Property 2, $|T| \leq |TT^{-1}T|$, and we see that

$$TT^{-1}T = T \qquad (22)$$

Multiplication of (22) with $T^{-1}$ from the left gives

$$T^{-1}TT^{-1}T = T^{-1}T \qquad (23)$$

which according to Property 1 shows that $T^{-1}T$ is a subgroup of $G$. Property 2 applied on (22) shows that $|T^{-1}T| \leq |T|$. But also according to Property 2: $|T^{-1}T| \geq |T|$. Hence the order of $T^{-1}T$ is equal to $|T|$. Similarly it can be proved that $TT^{-1}$ is a subgroup of order $|T|$. We have now proved a result corresponding to Theorem 1 in [1]:

Theorem 5: If $\langle M,M,T\rangle$ is a pure cipher then $T^{-1}T$ and $TT^{-1}$

As a direct consequence of Theorem 5 we have:

Corollary 2: If $\langle M,M,T\rangle$ is a pure cipher then $T$ is a left coset.

Proof: Let $T^{-1}T = R$; then $R$ is a group and $|T| = |R|$ according to Theorem 5. For $t \in T$ we have $t^{-1}T \subset R$, but $|t^{-1}T| = |R|$. Hence $t^{-1}T = R$ and $tR = T$, which shows that $T$ is a left coset.

It is easy to verify that a cipher $T$, where $T$ is a left coset, is pure. Let $T = gR$; then $TT^{-1}T = (gR)(gR)^{-1}(gR) = gRR^{-1}g^{-1}gR = gRR^{-1}R = gR = T$. We also observe that any right coset of a subgroup $S$ is a left coset of another subgroup. To verify this, write $Sg = g(g^{-1}Sg)$ and observe that $g^{-1}Sg$ is a group according to Property 1. Together with Corollary 2 this proves the following theorem.

Theorem 6: A cipher $\langle M,M,T\rangle$ is pure if and only if $T$ is a coset (left or right) in $G$.

The following result for pure ciphers with $E \neq M$ is also readily derived.

Corollary 3: A cipher $C = \langle M,E,T\rangle$ is pure if and only if $T = tR$ where $R$ is a group of transformations from $M$ to $M$ and $t \in T: M \to E$.

Proof: First we observe that this corollary is equivalent to Corollary 2 when $M = E$. The "if" part is proved by direct verification: $TT^{-1}T = tR(tR)^{-1}(tR) = tR = T$. To prove the "only if" part assume that $C$ is pure and that $C' = \langle M,M,T'\rangle$ where $T' = fT$ is similar to $C$. Then $C'$ is pure, so according to Theorem 6, $T'$ is a left coset $T' = t'R$; $t' = ft$, $t \in T$ and $R$ is a group. Hence $T = f^{-1}T' = f^{-1}t'R =$

This result also shows that Theorem 5 is applicable for arbitrary pure ciphers.

The characteristics of a pure cipher are stated in Theorem 3 in [1]. The theorem is quoted below. All the properties stated in the theorem can be identified with general properties of permutation groups (see for example [7, Ch. X]). However, as it is these properties that make pure ciphers interesting we will give a proof of the theorem.

Theorem 7: In a pure cipher $\langle M,E,T\rangle$ the messages can be divided into a set of residue classes $C_1, C_2, \ldots, C_s$ and the cryptograms into a corresponding set of residue classes $C'_1, C'_2, \ldots, C'_s$ with the following properties:

1) The message residue classes are mutually exclusive and collectively contain all possible messages. Similarly for the cryptogram residue classes.

2) Enciphering any message in $C_i$ with any key produces a cryptogram in $C'_i$. Deciphering any cryptogram in $C'_i$ with any key leads to a message in $C_i$.

3) The number of messages in $C_i$, say $w_i$, is equal to the number of cryptograms in $C'_i$ and is a divisor of $J$, the number of keys.

4) Each message in $C_i$ can be enciphered into each cryptogram in $C'_i$ by exactly $J/w_i$ different keys.

Proof: From Corollary 3 (and Theorem 5) we have that $R = T^{-1}T$ is a group and that $T = tR$ for $t \in T$. The order of $R$ is $J = |T|$.

First we prove that $C_1 = Rm_1$ and $C'_1 = tC_1 = tRm_1$ are two corresponding residue classes. As $t$ is injective, $C_1$ and $C'_1$ will have the same number of elements. Then assume that $m \in C_1$. This implies that $m = rm_1$ for some $r \in R$ and that $m$ can be enciphered into $Tm = (tR)rm_1 = tRm_1$. This proves that each message in $C_1$ can be enciphered into each cryptogram in $C'_1$ and only into these cryptograms. Similarly if $e \in C'_1$ then $e = tr'm_1$ for some $r' \in R$ and $e$ can be deciphered into $T^{-1}e = (tR)^{-1}tr'm_1 = Rm_1 = C_1$. Furthermore two residue classes $C_1 = Rm_1$ and $C_2 = Rm_2$ are either identical or disjoint. To prove this assume that $m$ belongs both to $C_1$ and $C_2$; but then $m = r_1m_1 = r_2m_2$ for some $r_1, r_2 \in R$. This implies that $m_2 = r_2^{-1}r_1m_1$, so $C_2 = Rm_2 = Rr_2^{-1}r_1m_1 = Rm_1 = C_1$ and $C_1 = C_2$. We also observe that $Rm = Rr_1m_1 = Rm_1 = C_1$, which proves that if $m$ belongs to $C_1$ then $C_1 = Rm$.

At last we prove that the same number of transformations maps each message in $C_1$ into each cryptogram in $C'_1$. As $T = tR$ we observe that to prove this it is sufficient to prove that each message in $C_1$ is mapped into each message in $C_1$ by the same number of transformations in $R$. Define $S$ to be the set of transformations in $R$ which keep $m_1$ fixed, i.e. $Sm_1 = m_1$. $S$ is a subgroup of $R$ and we note that $|S|$ must divide $|R| = J$. Let $m_2, m_3 \in C_1$ and define $Q$ as the set of transformations in $R$ that map $m_2$ into $m_3$, i.e. $Qm_2 = m_3$. But as $m_2, m_3 \in C_1$ then $m_2 = r_2m_1$ and $m_3 = r_3m_1$ for some $r_2, r_3 \in R$. Then $r_3m_1 = m_3 = Qm_2 = Qr_2m_1$ and $m_1 = r_3^{-1}Qr_2m_1$, which implies that $r_3^{-1}Qr_2 \subset S$ and $|Q| \leq |S|$. On the other hand if $q \in Q$ then $m_3 = qm_2 = qr_2m_1 = qr_2sm_1 = qr_2sr_2^{-1}m_2$, so $qr_2Sr_2^{-1} \subset Q$, which gives $|S| \leq |Q|$. Hence $|S| = |Q|$ and we have proved our point. As the transformations in $T$ are bijective the results proved above also imply that each cryptogram in $C'_1$ can be deciphered into each message in $C_1$ by the same

the total number of keys is $J$ and $|S|$ keys take a given message into each cryptogram, the number of cryptograms and hence messages in a residue class must be $J/|S|$, which is a factor in $J$. This completes the proof of the theorem.
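Definition 10, the coset characterization of Theorem 6 and properties 3) and 4) of Theorem 7 can all be verified by finite computation for an endomorphic cipher $\langle M,M,T\rangle$. The following Python is an added example, not code from the report: it represents transformations as permutation tuples over a small alphabet, tests $TT^{-1}T \subset T$, checks that $T = tR$ with $R = T^{-1}T$ a group, and computes the residue classes $Rm$ and $Tm$; the constructed ciphers (cyclic shifts, a single transposition, and a non-pure set of my own) are illustrative and are not the counterexample of the paper's Appendix A.

```python
from itertools import product

# Added example (not from the paper). A transformation on M = {0, ..., n-1} is a tuple t with
# t[x] the image of x; the endomorphic cipher <M,M,T> is given as a list of such tuples.


def compose(p, q):
    """pq in the paper's juxtaposition convention: apply q first, then p."""
    return tuple(p[q[x]] for x in range(len(q)))


def inverse(p):
    inv = [0] * len(p)
    for x, y in enumerate(p):
        inv[y] = x
    return tuple(inv)


def product_set(A, B):
    """The complex AB = {ab | a in A, b in B}."""
    return {compose(a, b) for a in A for b in B}


def inverse_set(A):
    """A^-1 = {a^-1 | a in A}."""
    return {inverse(a) for a in A}


def is_bijection(t):
    return sorted(t) == list(range(len(t)))


def is_pure(T):
    """Definition 10 for <M,M,T>: every t bijective (so |M| = |E|) and T T^-1 T is a subset of T."""
    T = set(T)
    if not all(is_bijection(t) for t in T):
        return False
    return product_set(product_set(T, inverse_set(T)), T) <= T


def is_subgroup(R):
    """Property 1: a finite complex closed under products is a subgroup of G."""
    return product_set(R, R) <= set(R)


def is_left_coset(T):
    """Corollary 2 / Theorem 6 checked directly: R = T^-1 T is a group and T = t R."""
    R = product_set(inverse_set(T), T)
    t = next(iter(T))
    return is_subgroup(R) and product_set({t}, R) == set(T)


def residue_classes(T):
    """Theorem 7: message classes C_i = R m and cryptogram classes C'_i = T m, with R = T^-1 T."""
    if not is_pure(T):
        raise ValueError("residue classes are only defined for a pure cipher")
    R = product_set(inverse_set(T), T)
    n = len(next(iter(T)))
    classes, seen = [], set()
    for m in range(n):
        if m in seen:
            continue
        C = frozenset(r[m] for r in R)
        Cp = frozenset(t[m] for t in T)
        seen |= C
        classes.append((C, Cp))
    return classes


def check_theorem7(T):
    """Properties 3) and 4): |C_i| = |C'_i| divides J = |T|, and every message of C_i is taken
    to every cryptogram of C'_i by exactly J / |C_i| keys."""
    J = len(T)
    for C, Cp in residue_classes(T):
        w = len(C)
        if len(Cp) != w or J % w:
            return False
        for m, e in product(C, Cp):
            if sum(1 for t in T if t[m] == e) != J // w:
                return False
    return True


# Constructed data (not from the paper).
SHIFTS = [tuple((x + k) % 5 for x in range(5)) for k in range(5)]  # Caesar cipher on 5 symbols: a group, hence pure
SWAP = [(0, 1, 2), (1, 0, 2)]                                      # identity and one transposition: a group, two residue classes
NONPURE = [(0, 1, 2), (1, 0, 2), (1, 2, 0)]                        # identity, a transposition and a 3-cycle: not a coset

if __name__ == "__main__":
    print(is_pure(SHIFTS), is_left_coset(SHIFTS), check_theorem7(SHIFTS))  # True True True
    print(residue_classes(SWAP))  # [({0, 1}, {0, 1}), ({2}, {2})]: key count J/w is 1 and 2
    print(is_pure(NONPURE), is_left_coset(NONPURE))                         # False False
```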

Remark 1: A pure cipher is KH.

Remark 2: The properties of a pure cipher stated above show that a pure secrecy system $\langle C,P\rangle$ is semi-perfect.

Remark 3: The properties of Theorem 7 remain true if we consider sequences of messages $\underline{m} \in M^L$ instead of single symbols. To cover this case the only modification necessary in the proof is to consider sequences instead of single symbols.

Remark 4: One way to look upon the residue classes is as equivalence classes: two messages in the same residue class are equivalent. A natural way to define this equivalence relation would be to say that $\underline{m}_1$ is equivalent to $\underline{m}_2$, viz. $\underline{m}_1 \sim \underline{m}_2$, if there exist $t_1, t_2 \in T$ such that $t_1\underline{m}_1 = t_2\underline{m}_2$, i.e. if $\underline{m}_1$ and $\underline{m}_2$ can be enciphered into the same cryptogram. It is readily verified that this definition of an equivalence relation satisfies the reflexivity and symmetry conditions that an equivalence relation has to satisfy. However, the transitivity condition demands that $\underline{m}_1 \sim \underline{m}_2$ and $\underline{m}_2 \sim \underline{m}_3$ implies $\underline{m}_1 \sim \underline{m}_3$. This infers conditions, because assume $t_1\underline{m}_1 = t_2\underline{m}_2$ and $t_3\underline{m}_2 = t_4\underline{m}_3$; then $\underline{m}_1 = t_1^{-1}t_2t_3^{-1}t_4\underline{m}_3$. We see that if we have a pure cipher the transitivity is guaranteed, but we don't need such a strong condition to obtain the transitivity. The last expression above can be rewritten as $\underline{m}_1 = (t_1^{-1}t_2)(t_3^{-1}t_4)\underline{m}_3$ and a sufficient condition would be that $T^{-1}T$ is a group. This can also be shown to be a necessary condition. The proof is left as an exercise. Observe that there exist sets $T$

To follow the path of Shannon in [1] we now answer the question when the product of two pure ciphers is a pure cipher.

Theorem 8: Let $C_1 = \langle M_1,E,t_1R\rangle$ and $C_2 = \langle M,M_1,t_2S\rangle$ be two pure ciphers ($R$ and $S$ are groups). The product cipher $C_1 * C_2 = \langle M,E,T\rangle$; $T = t_1Rt_2S$ is pure if and only if

(26)

Proof: The "if" part: $t_2^{-1}Rt_2$ is a group of transformations. Then according to Property 3, eq. (26) implies that $(t_2^{-1}Rt_2)S$ is a group. But $T = t_1t_2(t_2^{-1}Rt_2S)$, which according to Corollary 3 shows that $C_1 * C_2$ is a pure cipher.

The "only if" part: For the product cipher to be pure it is necessary according to Corollary 3 that $T$ can be written as $T = tQ$ where $Q$ is a group and $t \in T$. But $T = t_1t_2(t_2^{-1}Rt_2S)$ and $t_1t_2 \in T$. Then $t_2^{-1}Rt_2S$ has to be a group. So with both $S$ and $t_2^{-1}Rt_2$ being groups, Property 3 gives (26) as a necessary condition.

The question of when the product of two pure ciphers that commute is a pure cipher is treated in Theorem 2 in [1]. The theorem states that if the two pure ciphers have enciphering transformations $T'$ and $T''$ respectively and $T'T'' = T''T'$ then the product cipher $T'T''$ is pure. This is true when both $T'$ and $T''$ are subgroups (Theorem 8). But in the general case this is not so. A simple counterexample is given in Appendix A. (The error in the proof of the theorem depends on the false assumption that $T'T'' = T''T'$ implies

Theorem 9: The product of two pure secrecy systems is a secrecy system with equiprobable keys.

Proof: Let $S_1 = \langle\langle M_1,E,t_1R\rangle,P_1\rangle$ and $S_2 = \langle\langle M,M_1,t_2S\rangle,P_2\rangle$ be two pure secrecy systems ($R$ and $S$ are groups). The cipher of the product system $S_1 * S_2$ is $C = \langle M,E,T\rangle$ where $T = t_1Rt_2S = t_1t_2(t_2^{-1}Rt_2)S$. Both $S$ and $t_2^{-1}Rt_2$ are groups. Then Property 4 gives that each transformation in $(t_2^{-1}Rt_2)S$ can be represented as $|(t_2^{-1}Rt_2) \cap S|$ products $(t_2^{-1}rt_2)s$. As the transformations in $S_1$ and $S_2$ are equiprobable this shows that the transformations in $S_1 * S_2$ also will be equiprobable.

(29)

VII. KEY HOMOGENEITY AND SEMI-PERFECTNESS

We have shown that a pure cipher is KH and if used with equiprobable keys it gives a semi-perfect secrecy system. However, a KH semi-perfect secrecy system is not always a pure secrecy system. In this section we derive some conditions for ciphers to be KH. We also give conditions for secrecy systems to be KH and semi-perfect.

Theorem 10: If $C_0 = \langle M, E_0, T_0\rangle$ is KH then the subciphers $C_i = \langle M, E_i, T_i\rangle$ of its basic representation are pure and similar and have $t_{i,j}^{-1} T_i = R$.

Proof: Corollary 1, eq. (14) states that

$T_i^{-1} t_{i,k} = T_j^{-1} t_{j,\ell}$   (27)

which after inversion and multiplication from the left with $t_{i,k}$ gives

$T_i = t_{i,k} t_{j,\ell}^{-1} T_j$   (28)

But as $t_{i,k} t_{j,\ell}^{-1}: E_j \to E_i$ is bijective, (28) proves that $C_j$ is similar to $C_i$. As the subciphers $C_j$ all have $|M| = |E_j|$, Theorem 4 states that $T_i T_i^{-1} T_i = T_i$, which implies that all subciphers are pure ciphers. Then $T_i = t_{i,j} R_i$ for some group $R_i$. Substitution of this relation into (27) shows that $R_i = R_j$ for all $i, j$. Hence $t_{i,j}^{-1} T_i = R$ where $R$ is independent of $i$. This completes the proof.

We have not succeeded in finding a necessary and sufficient condition for a cipher to be KH. However, we have some sufficient conditions. Assume that $C_0 = \langle M, E_0, T_0\rangle$ has a basic representation as in Theorem 10. Then all subciphers $C_i = \langle M, E_i, T_i\rangle$ are pure and similar and $T_i = t_{i,j} R$ for some

follows that all subciphers will generate the same set of message residue classes (as the residue class that $m$ belongs to is given by $Rm$).

Now consider the message set $M_e$ that a cryptogram $e \in E_0$ can be deciphered into. Obviously, it can be written as the union of the message residue classes that $e$ can be deciphered into by each subcipher $C_i$, i.e.

$M_e = \bigcup_{i:\, e \in E_i} (T_i^{-1} e)$   (29)

Now recall that for a cipher to be KH we demand that $M_{tm}$ is independent of the transformation $t$. A sufficient condition for this to be true would be that each cryptogram can only be obtained as a transformation of messages from a single message residue class. Another, equivalent statement is that if $e \in E_i \cap E_j$ then $T_i^{-1} e = T_j^{-1} e$. To see that this makes $M_{tm}$ independent of $t$, let $e_{i,j} = t_{i,j} m$ for an arbitrary $m$ and use $T_i = t_{i,j} R$ to get

$M_{e_{i,j}} = \bigcup_{\ell:\, e_{i,j} \in E_\ell} (T_\ell^{-1} e_{i,j}) = T_i^{-1} e_{i,j} = (t_{i,j} R)^{-1} t_{i,j} m = Rm$   (30)

The form of the sufficient condition above does not too clearly reveal the structural constraints it imposes on the sets $T_i$. To reveal these constraints assume that $B = E_i \cap E_j$ and that each symbol in $B$ is represented in $e$. Then $T_i^{-1} e = T_j^{-1} e$ implies that the following relation is valid

$t_{i,k}^{-1} e \in (t_{j,\ell} R)^{-1} e$   (31)

The right hand side of (31) gives the message residue class and the left hand side an element in the class. But then (31) gives $t_{i,k}^{-1} e = (t_{j,\ell} r)^{-1} e$ for some $r \in R$. Let $t_{j,n} = t_{j,\ell} r \in T_j$; then $t_{i,k}^{-1}$ and $t_{j,n}^{-1}$ perform identical transformations of $B$ to $M$. This proves the following theorem:

Theorem 11: A sufficient condition for a cipher to be KH is that

1) the ciphers $C_i = \langle M, E_i, T_i\rangle$ of its basic representation are pure and similar with $T_i = t_i R$.

2) the transformations $t_i$ above can be chosen in such a way that if $B = E_i \cap E_j$ then $t_i^{-1}: B \to M$ and $t_j^{-1}: B \to M$ are identical.

Remark: The second part of the theorem implies that if $m_1 \neq m_2$ then $t_i m_1 \neq t_j m_2$, which is a useful form when construction of KH ciphers is considered.

It would have been nice to be able to say, as we thought at first, that Theorem 11 gives the necessary and sufficient condition for a cipher to be KH. But this is not so, as is shown by a counterexample in Figure 5. The additional result we have relates to the case when $R$ in $T_i = t_{i,j} R$ is transitive. That $R$ is transitive means that for arbitrary $m_1, m_2 \in M$ there exists an $r \in R$ such that $r m_1 = m_2$.

Theorem 12: Let $C_0 = \langle M, E_0, T_0\rangle$ have subciphers $C_i = \langle M, E_i, T_i\rangle$; $T_i = t_{i,j} R$ in its basic representation. If $R$ is transitive and there exists at least one $i$ such that

$E_i \setminus \bigcup_{j \neq i} E_j \neq \emptyset$   (32)

is valid then Theorem 11 also gives the necessary conditions for $C_0$.

Eq. (32) states that there exists at least one cryptogram symbol in $E_0$ which only can be generated by subcipher $C_i$.

Proof: Assume that $i$ is such that (32) holds, and that $e \in E_k \cap E_\ell$ is such that $m_1 \in T_k^{-1} e$ and $m_2 \in T_\ell^{-1} e$ belong to different message residue classes.   (33)

Now, if $C_0$ is KH it must be possible to decipher each cryptogram $e = t_{i,j} m_1$ into a message in the residue class $R m_2$. But if $t_{i,j}$ is such that one element in $m_1$ is enciphered into $e_0$ then only transformations in $T_i$ can decipher $e$. Hence it can only be deciphered into the residue class $R m_1$ and the cipher can't be KH. That such a transformation $t_{i,j}$ exists follows from the fact that $R$ is transitive. By this we have proved that a cryptogram cannot be deciphered into two different message residue classes if the cipher should be KH. This is exactly the condition stated in Theorem 11.

To conclude this section we state a theorem regarding the basic representation of a KH semi-perfect secrecy system.

Theorem 13: A KH semi-perfect secrecy system is a weighted sum of similar pure subsystems.

[Figure 5. A KH cipher $C_0 = \langle M, E_0, T\rangle$ with subciphers $C_i = \langle M, E_0 \setminus \{i\}, t_{i,1} R\rangle$, $i = 1, 2, 3, 4$, which does not satisfy ...; $M = \{1,2,3\}$, $E_0 = \{1,2,3,4\}$. The diagram of the transformations $t_{1,1}, \dots, t_{4,1}$ and $r_1, r_2, r_3$ is not reproduced.]

VIII. FINAL REMARKS

The results in the preceding sections show that the property of key homogeneity is the natural generalization of the properties held by pure ciphers. For the important case when the message and cryptogram alphabets are of equal size, the statement that a cipher is KH is equivalent to the statement that it is a pure cipher.

From Section VII we may conclude that if a cipher can be represented as in Theorem 10, KH or not, and it enciphers a message containing all symbols in the message alphabet, then the cryptanalytic problem is that of solving a pure cipher. As this situation ought to be the most common in cryptanalysis, it emphasises the importance of the concept of pure ciphers. It also gives us reason not to be too disappointed about the fact that we did not succeed in finding a simple necessary and sufficient condition for a cipher to be KH.

We also note that the concept of semi-perfectness is not of the kind to generate a class of ciphers that has a simple description. However, it is useful when discussing MAP decryption of KH ciphers.


APPENDIX A

We wish to exhibit a simple example which shows that the product of two commuting cosets is not necessarily a coset. Let $G$ be the set of all invertible transformations of $M = \{1,2,3,4\}$ onto $M$. Let $R$ be a subgroup having the four elements defined in Table I a) and let the two cosets be generated by $t'$ and $t''$. The cosets are given in Table I b) and c). Table I d) contains the elements of the complex $t'Rt''R = t''Rt'R$. The number of elements in the complex is 16, not a divisor of $|G| = 24$. But the order of a subgroup of $G$ must divide the order of $G$. Thus the complex is not a coset of a subgroup.

Table I

a) The subgroup R: r_j(m)

       m:  1 2 3 4
   j = 1:  1 2 3 4
   j = 2:  4 1 2 3
   j = 3:  3 4 1 2
   j = 4:  2 3 4 1

b) The coset t'R: t'_j(m) = t' r_j(m)

       m:  1 2 3 4
   j = 1:  2 1 3 4
   j = 2:  4 2 1 3
   j = 3:  3 4 2 1
   j = 4:  1 3 4 2

c) The coset t''R: t''_j(m) = t'' r_j(m)

       m:  1 2 3 4
   j = 1:  3 1 2 4
   j = 2:  4 3 1 2
   j = 3:  2 4 3 1
   j = 4:  1 2 4 3

d) The complex t'Rt''R = t''Rt'R: t'_i t''_j(m) = t''_k t'_l(m)

   (i,j)  (k,l)    m:  1 2 3 4
   (1,1)  (4,2)        3 2 1 4
   (1,2)  (4,3)        4 3 2 1
   (1,3)  (4,4)        1 4 3 2
   (1,4)  (4,1)        2 1 4 3
   (2,1)  (3,2)        1 4 2 3
   (2,2)  (3,3)        3 1 4 2
   (2,3)  (3,4)        2 3 1 4
   (2,4)  (3,1)        4 2 3 1
   (3,1)  (2,2)        2 3 4 1
   (3,2)  (2,3)        1 2 3 4
   (3,3)  (2,4)        4 1 2 3
   (3,4)  (2,1)        3 4 1 2
   (4,1)  (1,2)        4 1 3 2
   (4,2)  (1,3)        2 4 1 3
   (4,3)  (1,4)        3 2 4 1
   (4,4)  (1,1)        1 3 2 4
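The pure-cipher criterion used in the proofs above ($T$ is pure iff $T T^{-1} T = T$, equivalently $T = tQ$ with $Q$ a group), applied to the Appendix A counterexample, as an added Python example that is not part of the report. The permutations are those of Table I; the function names are my own, and the representation count checks Property 4 as it is used in the proof of Theorem 9.

```python
from collections import Counter

# Permutations of M = {1,2,3,4} written as tuples of images: p[m-1] is the image of m.
M = (1, 2, 3, 4)

def compose(f, g):
    """(fg)(m) = f(g(m)): g acts first, as in the report's product T = t1 R t2 S."""
    return tuple(f[g[m - 1] - 1] for m in M)

def inverse(f):
    inv = [0] * len(f)
    for m, image in zip(M, f):
        inv[image - 1] = m
    return tuple(inv)

def complex_product(A, B):
    """Complex AB = {ab : a in A, b in B} of two sets of transformations."""
    return {compose(a, b) for a in A for b in B}

def is_pure(T):
    """Theorem 4 / Corollary 3 criterion: T is pure iff T T^{-1} T = T,
    i.e. iff T = tQ for t in T with Q = t^{-1} T a group."""
    return all(compose(compose(a, inverse(b)), c) in T for a in T for b in T for c in T)

# Table I a): R = <(1 2 3 4)>, r_1 = identity.  Table I b), c): coset generators t', t''.
R = {(1, 2, 3, 4), (4, 1, 2, 3), (3, 4, 1, 2), (2, 3, 4, 1)}
t_prime = (2, 1, 3, 4)
t_dprime = (3, 1, 2, 4)

def appendix_a():
    coset1, coset2 = complex_product({t_prime}, R), complex_product({t_dprime}, R)
    X = complex_product(coset1, coset2)          # t' R t'' R   (Table I d)
    Y = complex_product(coset2, coset1)          # t'' R t' R
    # Theorem 9 / Property 4: T = t' t'' (t''^-1 R t'') R, and every element of
    # (t''^-1 R t'') R has exactly |t''^-1 R t'' ∩ R| representations h r.
    H = complex_product(complex_product({inverse(t_dprime)}, R), {t_dprime})
    reps = Counter(compose(h, r) for h in H for r in R)
    return {
        "cosets_pure": is_pure(coset1) and is_pure(coset2),
        "commute": X == Y,
        "size": len(X),                    # 16 does not divide |G| = 24 ...
        "product_pure": is_pure(X),        # ... so the complex is not a coset
        "representations": set(reps.values()),
        "intersection": len(H & R),
    }

if __name__ == "__main__":
    for name, value in appendix_a().items():
        print(f"{name}: {value}")
```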


REFERENCES

[1] Shannon, C., "Communication Theory of Secrecy Systems", Bell System Technical Journal, Vol. 28, pp. 656-715.

[2] Blom, R., "On Pure Ciphers", Internal Publication, LiTH-ISY-I-0286, Linköping University, 1979.

[3] Wozencraft, J. and Jacobs, I., Principles of Communication Engineering, Wiley, New York, 1967, pp. 212-214.

[4] van Trees, H.L., Detection, Estimation and Modulation Theory, Wiley, New York, 1968, pp. 54-63.

[5] van der Waerden, B.L., Modern Algebra, Friedrich Ungar Publishing Co., New York, 1966.

[6] Herstein, I.N., Topics in Algebra, Xerox College Publishing, Waltham, Mass., 1969.

[7] Burnside, W., Theory of Groups of Finite Order, Dover
