Rolf Blom
INTERNAL REPORT LiTH-ISY-I-0286
ON PURE CIPHERS
1979-04-17
formations of a pure cipher is analysed. An alternative definition of pure ciphers is given, and necessary and sufficient conditions for the product of two pure ciphers to be pure are found.
CONTENTS
I   Introduction
II  Model and Preliminaries
III Pure Ciphers
Appendix A
Appendix B
Figures
I. INTRODUCTION
In [1] Shannon gave the definition of a secrecy system which serves as a basis for the information theoretic analysis of ciphers. Within the concept of secrecy systems he defined a special class called pure ciphers. The class of pure ciphers includes for example the well-known Caesar cipher, Vigenere and Beaufort ciphers, Matrix System ciphers and Transposition ciphers of fixed period, when they are used with equiprobable keys.
Section II contains a brief introduction to the concepts of secrecy systems and pure ciphers. It also contains the specific assumptions we make within the model of secrecy systems. Section III elaborates on the concept of a pure cipher from a group theoretical point of view. An alternative definition of pure ciphers is given which completely reveals the structure behind a pure cipher. Using this definition it is possible to derive necessary and sufficient conditions for the product of two pure ciphers to be pure.
II. MODEL AND PRELIMINARIES
Shannon gave the following definition of a secrecy system in [1].
Definition 1: A secrecy system (or cipher) is a set of $J$ uniquely reversible transformations $T = \{t_j(\cdot)\}_{j=1}^{J}$ of a set of possible messages $M = \{m_n\}_{n=1}^{N}$ into a set of cryptograms $E = \{e_n\}_{n=1}^{N}$, the transformations having associated probabilities $\{p_j\}$.
A block diagram depicting the behaviour of a secrecy system is given in figure 1. The message source symbols are transformed by the encipherer into cryptogram symbols before transmission over the channel. To recover the message at the receiving end the inverse transformation is performed by the decipherer. The transformation and inverse transformation used are specified by the output from the key source. The wiretapper, who tries to find out what the transmitted message really is, is assumed to know the set of enciphering transformations $T$ and the statistics of the message and key sources. Given this information the wiretapper tries to estimate the message and/or the key from intercepted cryptograms.
A word about notation. A short form for reference to a transformation $t_j(\cdot)$ will be simply $t_j$. This will be used in writing out products of transformations. Hence $t_i(t_j(\cdot))$ will be written as $t_i t_j(\cdot)$ and when the argument of the transformation is irrelevant we also omit the parenthesis and simply write $t_i t_j$.
The class of pure ciphers was defined by Shannon [1] in the following way:
Definition 2: A cipher $T$ is pure if for arbitrary $t_j, t_k, t_l \in T$ there always exists a $t_i \in T$ such that
$$t_j t_k^{-1} t_l = t_i \qquad (1)$$
and the keys are equiprobable. $T$ is the set of enciphering transformations of the cipher.
Theorem 3 in [1] gives the characteristic properties of a pure cipher. The theorem is quoted below.
Theorem 1: In a pure system the messages can be divided into a set of residue classes $C_1, C_2, \ldots, C_s$ and the cryptograms into a corresponding set of residue classes $C'_1, C'_2, \ldots, C'_s$ with the following properties:
1) The message residue classes are mutually exclusive and collectively contain all possible messages. Similarly for the cryptogram residue classes.
2) Enciphering any message in $C_i$ with any key produces a cryptogram in $C'_i$. Deciphering any cryptogram in $C'_i$ with any key leads to a message in $C_i$.
3) The number of messages in $C_i$, say $\varphi_i$, is equal to the number of cryptograms in $C'_i$ and is a divisor of $J$, the number of keys.
4) Each message in $C_i$ can be enciphered into each cryptogram in $C'_i$ by exactly $J/\varphi_i$ different keys. Similarly for decipherment.
A proof somewhat different from that in [1] is given in Appendix A. Our proof relies on results derived in section III.
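As an added illustration (this code is not part of the report), the following Python checks Definition 2's condition (1) by brute force and computes the residue classes of theorem 1 for a constructed six-message cipher: $R$ is the subgroup of all permutations of $\{0,1,2\}$ that fix $3, 4, 5$, and $T = gR$ with $g = (0\,3)(1\,4)$, so $T$ is a left coset. The tuple encoding of transformations, the function names and the sample cipher are choices made for this example only.

```python
from itertools import permutations, product
from collections import Counter

# Transformations of M = {0, ..., n-1} are stored as tuples: p[m] is the image of m.
def compose(p, q):
    """p q (.) in the report's notation: apply q first, then p."""
    return tuple(p[q[m]] for m in range(len(q)))

def inverse(p):
    inv = [0] * len(p)
    for m, image in enumerate(p):
        inv[image] = m
    return tuple(inv)

def is_pure(T):
    """Definition 2, condition (1): every t_j t_k^{-1} t_l lies in T (keys taken as equiprobable)."""
    T = set(T)
    return all(compose(compose(tj, inverse(tk)), tl) in T
               for tj, tk, tl in product(T, repeat=3))

def residue_classes(T):
    """Theorem 1 classes: message classes are the orbits of M under the group T^{-1} T;
    the cryptogram class paired with C is t(C) for any t in T (the same set for every t)."""
    T = list(T)
    n = len(T[0])
    R = {compose(inverse(a), b) for a in T for b in T}   # the complex T^{-1} T
    seen, classes = set(), []
    for m in range(n):
        if m in seen:
            continue
        C = frozenset(r[m] for r in R)
        seen |= C
        classes.append((C, frozenset(T[0][x] for x in C)))
    return classes

def key_counts(T, C):
    """How many keys t in T carry each message m in C to each cryptogram e = t(m)."""
    return Counter((m, t[m]) for m in C for t in T)

# Constructed sample (assumption of this example): R = all permutations of {0,1,2} fixing
# 3, 4, 5 (a subgroup of order 6) and T = g R with g = (0 3)(1 4), a left coset of R.
R = [tuple(p) + (3, 4, 5) for p in permutations(range(3))]
G_SHIFT = (3, 4, 2, 0, 1, 5)
T = [compose(G_SHIFT, r) for r in R]
IDENTITY = (0, 1, 2, 3, 4, 5)

def theorem1_report(T):
    """For every class pair (C, C'): |C| = |C'| divides J, and each (m, e) in C x C' is
    produced by exactly J/|C| keys (items 3 and 4 of theorem 1)."""
    J = len(T)
    out = []
    for C, Cp in residue_classes(T):
        counts = key_counts(T, C)
        uniform = (set(counts.values()) == {J // len(C)}
                   and {e for _, e in counts} == set(Cp))
        out.append((sorted(C), sorted(Cp), J % len(C) == 0 and len(C) == len(Cp), uniform))
    return out

if __name__ == "__main__":
    print("pure:", is_pure(T), " pure after adding the identity:", is_pure(T + [IDENTITY]))
    for row in theorem1_report(T):
        print(row)
```

For the sample, the message classes come out as $\{0,1,2\}$, $\{3\}$, $\{4\}$, $\{5\}$ with cryptogram classes $\{2,3,4\}$, $\{0\}$, $\{1\}$, $\{5\}$; the three-element class is hit by $6/3 = 2$ keys per (message, cryptogram) pair and each singleton class by all 6 keys. Adding the identity to $T$ breaks condition (1), as a coset with $g \notin R$ cannot contain the identity.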
The importance of the class of pure ciphers is due to the fact that in a pure cipher all keys give the same cryptanalytic problem. Whatever key is used to encipher a message, a wiretapper will calculate the same a posteriori probabilities of the messages. Also, the a posteriori probabilities of the keys will be the same in value, but the values will be associated with different keys when the encryption key varies.
Two ciphers are said to be similar if their sets of enciphering transformations $T'$ and $T''$ are related via a transformation $g$, that is, when $t'' \in T''$ then $g t'' = t' \in T'$. The mapping between $T''$ and $T'$ induced by $g$ should be injective and surjective. The cryptanalytic significance of two ciphers being similar is that, because enciphering with $t'$ is equivalent to encrypting with $t''$ first and then transforming the resulting cryptogram with $g$, the cryptanalytic work needed to break two similar ciphers is, at least in theory, the same.
The product of two ciphers $T'$ and $T''$ is a new cipher with $T = \{t' t'' \mid t' \in T',\ t'' \in T''\}$ as its set of enciphering transformations. The probability of a transformation $t = t' t'' \in T$ is the product of the probabilities of $t'$ and $t''$.
III. PURE CIPHERS
In this section we discuss the properties of pure ciphers from a group theoretical point of view. An introduction to the properties of groups can be found in for example [2] and [3].
To start with we explain the notation. The underlying group that we work in is the multiplicative group $G$ of all invertible transformations of $M$ onto $M$. $G$ is finite and can be identified with the group of all permutations of $N$ objects. $R$ and $S$ will denote subgroups of $G$. An arbitrary set of elements in $G$ is called a complex and is denoted by $T$. Elements of a group or complex are denoted by possibly indexed lower case letters corresponding to the one denoting the group or complex. $T^{-1}$ denotes the set of elements that are the inverses of the elements in $T$. For a subgroup, $R^{-1} = R$. The number of elements in a complex $T$ is denoted by $|T|$. In the same way the number of elements in a group $R$, the order of the group, is written $|R|$. The complex $T = T'T''$ denotes the set of elements $\{t' t'' \mid t' \in T',\ t'' \in T''\}$.
A left coset of a subgroup $R$ of $G$ is denoted as $gR$ and a right coset is denoted as $Rg$. Observe that the subgroup $R$ itself is a coset which is generated by the identity element.
In the following four lemmas we state some useful results.
Lemma 1: If $T$ is a complex in $G$ and $TT \subset T$ then $T$ is a subgroup of $G$.
Proof: see lemma 2.4 in [3].
Lemma 2: For any two complexes $T', T''$ in $G$ the following holds: $|T'| \le |T'T''| \le |T'|\,|T''|$.
Proof: This is obvious from the properties of groups.
Lemma 3: The product $RS$ of two subgroups $R$ and $S$ of $G$ is a group if and only if $RS = SR$.
Proof: See lemma 2.8 in [3].
Lemma 4: If $R$ and $S$ are subgroups of $G$ then the number of elements in the product set $RS$ is
$$|RS| = \frac{|R|\,|S|}{|R \cap S|} \qquad (2)$$
and every element in $RS$ can be represented in $|R \cap S|$ ways as products $rs$, where $r \in R$, $s \in S$.
Proof: See theorem 2.B in [3].
We have now collected the necessary background material to proceed with our main task. Let $T$ be a pure cipher. Then (1) may be written $T T^{-1} T \subset T$. Because $T T^{-1} T$ is a subset of $T$ we have $|T T^{-1} T| \le |T|$. But according to lemma 2, $|T| \le |T T^{-1} T|$, and we see that (1) is equivalent to (3). Multiply (3) with $T^{-1}$ from the left and we get (4), which according to lemma 1 shows that $T^{-1} T$ is a subgroup of $G$. Lemma 2 applied on (3) shows that $|T^{-1} T| \le |T|$. But also according to lemma 2: $|T^{-1} T| \ge |T|$. Hence the order of $T^{-1} T$ is equal to $|T|$. Similarly it can be proved that $T T^{-1}$ is a subgroup of order $|T|$. We have now proved a result corresponding to theorem 1 in [1] which says:
Theorem 2: If $T$ is a pure cipher then $T^{-1} T$ and $T T^{-1}$ are groups of order $|T|$.
As a direct consequence of theorem 2 we have:
Corollary 1: If $T$ is the set of enciphering transformations of a pure cipher then $T$ is a left coset.
Proof: Let $T^{-1} T = R$, then $R$ is a group and $|T| = |R|$ according to theorem 2. For $t \in T$ we have $t^{-1} T \subset R$, but $|t^{-1} T| = |R|$. Hence $t^{-1} T = R$ and $tR = T$, which shows that $T$ is a left coset.
An immediate observation is that every pure cipher is always similar to a subgroup of $G$.
It is easy to verify that a cipher $T$, where $T$ is a left coset, is pure. Let $T = gR$, then
$$T T^{-1} T = (gR)(gR)^{-1}(gR) = g R R^{-1} g^{-1} g R = g R R^{-1} R = gR.$$
We also observe that any right coset of a subgroup $S$ is a left coset of another subgroup. To verify this, write $Sg = g(g^{-1} S g)$ and observe that $g^{-1} S g$ is a group according to lemma 1. Together with corollary 1 this proves the following theorem.
Theorem 3: A cipher is pure if and only if its set of enciphering transformations $T$ is a coset (left or right) in $G$ and the keys are equiprobable.
To follow the path of Shannon in [1] we now answer the question when the product of two pure ciphers is a pure cipher.
Theorem 4: Let $g_1 R$ and $g_2 S$ denote two pure ciphers. The product cipher $T = g_1 R g_2 S$ is pure if and only if (5).
Proof: We start with the if part: $g_2^{-1} R g_2$ is a group. Then according to lemma 3, (5) implies that $g_2^{-1} R g_2 S$ is a group. But $T = g_1 R g_2 S = g_1 g_2 ((g_2^{-1} R g_2) S)$, which shows that $T$ is a left coset. What remains to be shown is that all keys are equiprobable. The mapping $x \mapsto g_2^{-1} x g_2$ is an inner automorphism of $G$ onto $G$. Hence $|g_2^{-1} R g_2| = |R|$. Then lemma 4 shows that each element in $(g_2^{-1} R g_2) S$ is represented by the same number of products $(g_2^{-1} r g_2) s$ and the keys will be equiprobable.
The only if part. For the product to be a pure cipher it is necessary that $T$ is a left coset. But $T = g_1 g_2 (g_2^{-1} R g_2) S$ and $g_1 g_2 \in T$. Then $(g_1 g_2)^{-1} T$ should be a group, that is, $(g_2^{-1} R g_2) S$ has to be a group. But $g_2^{-1} R g_2$ and $S$ are subgroups in $G$ and according to lemma 3 the product of two subgroups is a group if and only if they commute, which gives (5).
As a corollary to the if part and as a direct consequence of lemma 4 we have
Corollary 2: The product $(g_1 R)(g_2 S)$ of two pure ciphers $g_1 R$ and $g_2 S$ is a cipher with equiprobable keys.
The question of when the product of two pure ciphers that commute is a pure cipher is treated in theorem 2 in [1]. The theorem states that if the two pure ciphers have enciphering transformations $T'$ and $T''$ respectively and $T'T'' = T''T'$ then the product cipher $T'T''$ is pure. This is obviously true when both $T'$ and $T''$ are subgroups, according to theorem 4. But in the general case this is not so. A simple counterexample is given in appendix B. The error in the proof of the theorem depends on the false assumption that $T'T'' = T''T'$ implies that $(T')^{-1} T'' = T'' (T')^{-1}$. We state a modified version of theorem 2 of [1] as a corollary to theorem 4.
Corollary 3: If two pure ciphers $R$ and $S$ both are subgroups in $G$ and $RS = SR$ then the product ciphers $RS$ and $SR$ are pure.
APPENDIX A
Proof of theorem 1: Let $R = T^{-1} T = t_0^{-1} T$, then $T = t_0 R$. With $m_0$ an arbitrary element of $M$ define $S = \{r \mid r(m_0) = m_0\}$. $S$ is a subgroup of $R$, hence $|S|$ is a divisor of $J = |T| = |R|$. Define $\varphi = J/|S|$. $S$ gives a coset partitioning of $R$ and we may define a set $V = \{v_i\}_{i=1}^{\varphi}$ that contains exactly one element from each coset. Now define (18) and
$$C' = \{t(m) \mid t \in T,\ m \in C\} \qquad (19)$$
Let $m_i = v_i(m_0)$ and order the elements of $R$ in such a way that $t_j = t_0 r_j$; then $t_j(m_i) = t_0 r_j v_i(m_0)$. But for each $i$, $\{r_j v_i\}_j = R$. Hence (20), where, to get the last equality, we used the fact that all $r_j$ belonging to the same coset transform $m_0$ into the same $m_i$. This shows that $|C| = |C'|$.
To show that there are exactly $J/\varphi$ transformations taking $m$ into $e$ for arbitrary $m \in C$ and $e \in C'$, assume that $m = m_k = v_k(m_0)$ and $e = t_0 v_j(m_0)$. Then the transformations $t_l = t_0 v_j s_l v_k^{-1}$, $l = 1, 2, \ldots, |S|$, will have this property because
$$t_l(m_k) = t_0 v_j s_l v_k^{-1} v_k(m_0) = t_0 v_j s_l(m_0) = t_0 v_j(m_0) = e.$$
This proves at the same time that all messages in $C$ are transformed into cryptograms belonging to $C'$, because for a fixed $m$ each of the $\varphi$ cryptograms can be obtained by $J/\varphi$ different keys and this accounts for all the keys. A similar argument shows that all cryptograms in $C'$ are deciphered as messages in $C$.
Repeating the process described above for a new $m \in M$, $m \notin C$, shows that we obtain mutually exclusive residue classes of messages and cryptograms. This process can
APPENDIX B
We wish to exhibit a simple example which shows that the product of two commuting cosets is not necessarily a coset. Let $G$ be the set of all invertible transformations of $M = \{1,2,3,4\}$ onto $M$. Let $R$ be a subgroup having the four elements defined in table Ia and let the two cosets be generated by $t'_1$ and $t''_1$. The cosets are given in tables Ib and Ic. Table II contains the elements of the complex $t'_1 R\, t''_1 R = t''_1 R\, t'_1 R$.

Table I

a) $r_j(m)$                b) $t'_j(m) = t'_1 r_j(m)$     c) $t''_j(m) = t''_1 r_j(m)$
      m:  1 2 3 4               m:  1 2 3 4                   m:  1 2 3 4
 j = 1    1 2 3 4          j = 1    2 1 3 4              j = 1    3 1 2 4
 j = 2    4 1 2 3          j = 2    4 2 1 3              j = 2    4 3 1 2
 j = 3    3 4 1 2          j = 3    3 4 2 1              j = 3    2 4 3 1
 j = 4    2 3 4 1          j = 4    1 3 4 2              j = 4    1 2 4 3

The number of elements in the complex is 16, not a divisor of $|G| = 24$. But the order of a subgroup of $G$ must divide the order of $G$. Thus the complex is not a coset of a subgroup in $G$.

Table II   $t'_i t''_j(m) = t''_k t'_l(m)$

 (i, j)   (k, l)    m:  1 2 3 4
 (1, 1)   (4, 2)        3 2 1 4
 (1, 2)   (4, 3)        4 3 2 1
 (1, 3)   (4, 4)        1 4 3 2
 (1, 4)   (4, 1)        2 1 4 3
 (2, 1)   (3, 2)        1 4 2 3
 (2, 2)   (3, 3)        3 1 4 2
 (2, 3)   (3, 4)        2 3 1 4
 (2, 4)   (3, 1)        4 2 3 1
 (3, 1)   (2, 2)        2 3 4 1
 (3, 2)   (2, 3)        1 2 3 4
 (3, 3)   (2, 4)        4 1 2 3
 (3, 4)   (2, 1)        3 4 1 2
 (4, 1)   (1, 2)        4 1 3 2
 (4, 2)   (1, 3)        2 4 1 3
 (4, 3)   (1, 4)        3 2 4 1
 (4, 4)   (1, 1)        1 3 2 4
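The following Python code is added here as an illustration and is not part of the report. It reproduces the appendix B counterexample from Table I (the cosets $t'_1 R$ and $t''_1 R$ commute, their product has 16 elements and is not a coset) and also tests the commuting condition that the proof of theorem 4 identifies, namely that $g_2^{-1} R g_2$ and $S$ commute: it fails for the counterexample and holds for a constructed positive case with $g_2 = r_3 \in R$. The permutation encoding, the helper names and the positive case are assumptions of this example.

```python
# Permutations of M = {1, 2, 3, 4} are stored as tuples (p(1), p(2), p(3), p(4)).
def compose(p, q):
    """p q (.) in the report's notation: apply q first, then p."""
    return tuple(p[q[m] - 1] for m in range(4))

def inverse(p):
    inv = [0] * 4
    for m, image in enumerate(p, start=1):
        inv[image - 1] = m
    return tuple(inv)

def complex_product(A, B):
    """The complex A B = {a b | a in A, b in B}."""
    return {compose(a, b) for a in A for b in B}

def is_subgroup(H):
    """Lemma 1: a complex of the finite group G closed under products (H H in H) is a subgroup."""
    return complex_product(H, H) <= set(H)

def is_coset(T):
    """Theorem 3 / corollary 1: T is pure (a coset) iff t^{-1} T is a subgroup for t in T."""
    t = next(iter(T))
    return is_subgroup({compose(inverse(t), u) for u in T})

def conjugate(H, g):
    """g^{-1} H g, the image of H under the inner automorphism x -> g^{-1} x g."""
    gi = inverse(g)
    return {compose(compose(gi, h), g) for h in H}

def theorem4_condition(R, g2, S):
    """The condition the proof of theorem 4 states: g2^{-1} R g2 and S commute (lemma 3)."""
    Rc = conjugate(R, g2)
    return complex_product(Rc, S) == complex_product(S, Rc)

def left_coset(g, H):
    return {compose(g, h) for h in H}

# Values copied from Table I of the report: the cyclic subgroup R and the two coset generators.
R = {(1, 2, 3, 4), (4, 1, 2, 3), (3, 4, 1, 2), (2, 3, 4, 1)}
T1 = (2, 1, 3, 4)   # t'_1
T2 = (3, 1, 2, 4)   # t''_1
TABLE_IB = {(2, 1, 3, 4), (4, 2, 1, 3), (3, 4, 2, 1), (1, 3, 4, 2)}   # t'_1 R
TABLE_IC = {(3, 1, 2, 4), (4, 3, 1, 2), (2, 4, 3, 1), (1, 2, 4, 3)}   # t''_1 R

def appendix_b():
    """Reproduce the appendix B counterexample: T' T'' = T'' T', 16 elements, not a coset."""
    Tp, Tpp = left_coset(T1, R), left_coset(T2, R)
    P = complex_product(Tp, Tpp)
    return {
        "tables_match": Tp == TABLE_IB and Tpp == TABLE_IC,
        "both_pure": is_coset(Tp) and is_coset(Tpp),
        "commute": P == complex_product(Tpp, Tp),
        "size": len(P),
        "size_divides_24": 24 % len(P) == 0,
        "product_is_pure": is_coset(P),
        "theorem4_condition": theorem4_condition(R, T2, R),   # g1 = t'_1, g2 = t''_1, S = R
    }

def theorem4_positive_case():
    """Constructed case: same R but g2 = r_3 in R, so g2^{-1} R g2 = R commutes with R and
    theorem 4 says the product t'_1 R r_3 R must be pure (it collapses to t'_1 R)."""
    g2 = (3, 4, 1, 2)
    P = complex_product(left_coset(T1, R), left_coset(g2, R))
    return theorem4_condition(R, g2, R), is_coset(P), len(P)

if __name__ == "__main__":
    print(appendix_b())
    print(theorem4_positive_case())
```

Both directions of theorem 4 are visible in the two results: in the counterexample the conjugated subgroup and $R$ do not commute and the 16-element product is not a coset, while in the positive case they commute and the product is the 4-element coset $t'_1 R$.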
Figure 1. Block diagram of a secrecy system. [Figure not reproduced; its labelled blocks are the message source (m), the encipherer producing the cryptogram (e), the key source (k), the wiretapper on the channel, the decipherer recovering m from e, and the destination.]
REFERENCES
[1] C. Shannon, "Communication Theory of Secrecy Systems", Bell System Technical Journal, Vol. 28, pp. 656-715, Oct. 1949.
[2] B.L. Van der Waerden, "Modern Algebra", Friedrich Ungar Publishing Co., New York, 1966.
[3] I.N. Herstein, "Topics in Algebra", Xerox College