
ON PURE CIPHERS

Rolf Blom

1979-04-17

INTERNAL REPORT LiTH-ISY-I-0286

formations of a pure cipher is analysed. An alternative definition of pure ciphers is given, and necessary and sufficient conditions for the product of two pure ciphers to be pure are found.

CONTENTS

I Introduction 1

II Model and Preliminaries 2

III Pure Ciphers 5

Appendix A 10

Appendix B 12

Figures 14

I. INTRODUCTION

In [1] Shannon gave the definition of a secrecy system which serves as a basis for the information theoretic analysis of ciphers. Within the concept of secrecy systems he defined a special class called pure ciphers. The class of pure ciphers includes for example the well-known Caesar cipher, Vigenère and Beaufort ciphers, Matrix System ciphers and Transposition ciphers of fixed period, when they are used with equiprobable keys.

Section II contains a brief introduction to the concepts of secrecy systems and pure ciphers. It also contains the specific assumptions we make within the model of secrecy systems. Section III elaborates on the concept of a pure cipher from a group theoretical point of view. An alternative definition of pure ciphers is given which completely reveals the structure behind a pure cipher. Using this definition it is possible to derive necessary and sufficient conditions for the product of two pure ciphers to be pure.

II. MODEL AND PRELIMINARIES

Shannon gave the following definition of a secrecy system in [1].

Definition 1: A secrecy system (or cipher) is a set of J uniquely reversible transformations $T = \{t_j(\cdot)\}_{j=1}^{J}$ of a set of possible messages $M = \{m_n\}_{n=1}^{N}$ into a set of cryptograms $E = \{e_n\}_{n=1}^{N}$, the transformations having associated probabilities $\{p_j\}$.

A block diagram depicting the behaviour of a secrecy system is given in figure 1. The message source symbols are transformed by the encipherer into cryptogram symbols before transmission over the channel. To recover the message at the receiving end the inverse transformation is performed by the decipherer. The transformation and inverse transformation used are specified by the output from the key source. The wiretapper, who tries to find out what the transmitted message really is, is assumed to know the set of enciphering transformations T and the statistics of the message and key sources. Given this information the wiretapper tries to estimate the message and/or the key from intercepted cryptograms.

A word about notation. A short form for reference to a transformation $t_j(\cdot)$ will be simply $t_j$. This will be used in writing out products of transformations. Hence $t_i(t_j(\cdot))$ will be written as $t_it_j(\cdot)$, and when the argument of the transformation is irrelevant we also omit the parenthesis and simply write $t_it_j$.

The class of pure ciphers was defined by Shannon [1] in the following way:

Definition 2: A cipher T is pure if for arbitrary $t_j, t_k, t_\ell \in T$ there always exists a $t_i \in T$ such that

$t_j t_k^{-1} t_\ell = t_i$ (1)

and the keys are equiprobable. T is the set of enciphering transformations of the cipher.

Theorem 3 in [1] gives the characteristic properties of a pure cipher. The theorem is quoted below.

Theorem 1: In a pure system the messages can be divided into a set of residue classes $C_1, C_2, \ldots, C_s$ and the cryptograms into a corresponding set of residue classes $C_1', C_2', \ldots, C_s'$ with the following properties:

1) The message residue classes are mutually exclusive and collectively contain all possible messages. Similarly for the cryptogram residue classes.

2) Enciphering any message in $C_i$ with any key produces a cryptogram in $C_i'$. Deciphering any cryptogram in $C_i'$ with any key leads to a message in $C_i$.

3) The number of messages in $C_i$, say $\varphi_i$, is equal to the number of cryptograms in $C_i'$ and is a divisor of J, the number of keys.

4) Each message in $C_i$ can be enciphered into each cryptogram in $C_i'$ by exactly $J/\varphi_i$ different keys. Similarly for decipherment.

A proof somewhat different from that in [1] is given in Appendix A. Our proof relies on results derived in section III.

The importance of the class of pure ciphers is due to the fact that in a pure cipher all keys give the same cryptanalytic problem. Whatever key is used to encipher a message, a wiretapper will calculate the same a posteriori probabilities of the messages. Also, the a posteriori probabilities of the keys will be the same in value, but the values will be associated with different keys when the encryption key varies.

Two ciphers are said to be similar if their sets of enciphering transformations $T'$ and $T''$ are related via a transformation g, that is, when $t'' \in T''$ then $gt'' = t' \in T'$. The mapping between $T''$ and $T'$ induced by g should be injective and surjective. The cryptanalytic significance of two ciphers being similar is that, because enciphering with $t'$ is equivalent to encrypting with $t''$ first and then transforming the resulting cryptogram with g, the cryptanalytic work needed to break two similar ciphers is, at least in theory, the same.

The product of two ciphers $T'$ and $T''$ is a new cipher with $T = \{t't'' \mid t' \in T', t'' \in T''\}$ as its set of enciphering transformations. The probability of a transformation $t = t't'' \in T$ is the product of the probabilities of $t'$ and $t''$.

III. PURE CIPHERS

In this section we discuss the properties of pure ciphers from a group theoretical point of view. An introduction to the properties of groups can be found in for example [2] and [3].

To start with we explain the notation. The underlying group that we work in is the multiplicative group G of all invertible transformations of M onto M. G is finite and can be identified with the group of all permutations of N objects. R and S will denote subgroups of G. An arbitrary set of elements in G is called a complex and is denoted by T. Elements of a group or complex are denoted by possibly indexed lower case letters corresponding to the one denoting the group or complex. $T^{-1}$ denotes the set of elements that are the inverses of the elements in T. For a subgroup, $R^{-1} = R$. The number of elements in a complex T is denoted by $|T|$. In the same way the number of elements in a group R, the order of the group, is written $|R|$. The complex $T = T'T''$ denotes the set of elements $\{t't'' \mid t' \in T', t'' \in T''\}$.

A left coset of a subgroup R of G is denoted as gR and a right coset is denoted as Rg. Observe that the subgroup R itself is a coset which is generated by the identity element.

In the following four lemmas we state some useful results.

Lemma 1: If T is a complex in G and $TT \subset T$ then T is a subgroup of G.

Proof: See lemma 2.4 in [3].

Lemma 2: For any two complexes $T', T''$ in G the following holds: $|T'| \le |T'T''| \le |T'||T''|$.

Proof: This is obvious from the properties of groups.

Lemma 3: The product RS of two subgroups R and S of G is a group if and only if $RS = SR$.

Proof: See lemma 2.8 in [3].

Lemma 4: If R and S are subgroups of G then the number of elements in the product set RS is

$|RS| = \dfrac{|R||S|}{|R \cap S|}$ (2)

and every element in RS can be represented in $|R \cap S|$ ways as products rs, where $r \in R$, $s \in S$.

Proof: See theorem 2.8 in [3].

We have now collected the necessary background material to proceed with our main task. Let T be a pure cipher. Then (1) may be written

$TT^{-1}T \subset T.$

Because $TT^{-1}T$ is a subset of T we have $|TT^{-1}T| \le |T|$. But according to lemma 2, $|T| \le |TT^{-1}T|$, and we see that (1) is equivalent to

(3)

Multiply (3) with $T^{-1}$ from the left and we get

(4)

which according to lemma 1 shows that $T^{-1}T$ is a subgroup of G. Lemma 2 applied on (3) shows that $|T^{-1}T| \le |T|$. But also according to lemma 2: $|T^{-1}T| \ge |T|$. Hence the order of $T^{-1}T$ is equal to $|T|$. Similarly it can be proved that $TT^{-1}$ is a subgroup of order $|T|$. We have now proved a result corresponding to theorem 1 in [1] which says:

Theorem 2: If T is a pure cipher then $T^{-1}T$ and $TT^{-1}$ are groups of order $|T|$.

As a direct consequence of theorem 2 we have:

Corollary 1: If T is the set of enciphering transformations of a pure cipher then T is a left coset.

Proof: Let $T^{-1}T = R$, then R is a group and $|T| = |R|$ according to theorem 2. For $t \in T$ we have $t^{-1}T \subset R$, but $|t^{-1}T| = |R|$. Hence $t^{-1}T = R$ and $tR = T$, which shows that T is a left coset.

An immediate observation is that every pure cipher is always similar to a subgroup of G.

It is easy to verify that a cipher T, where T is a left coset, is pure. Let $T = gR$, then $TT^{-1}T = (gR)(gR)^{-1}(gR) = gRR^{-1}g^{-1}gR = gRR^{-1}R = gR$. We also observe that any right coset of a subgroup S is a left coset of another subgroup. To verify this, write $Sg = g(g^{-1}Sg)$ and observe that $g^{-1}Sg$ is a group according to lemma 1. Together with corollary 1 this proves the following theorem.

Theorem 3: A cipher is pure if and only if its set of enciphering transformations T is a coset (left or right) in G and the keys are equiprobable.
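The purity test of Definition 2, the group $T^{-1}T$ of Theorem 2, the coset form of Corollary 1 and Theorem 3, and the residue classes of Theorem 1 can all be checked mechanically for a small cipher. The Python below is an added worked example written for this edition, not code from the report. It represents the transformations in G as permutations of $\{0, \ldots, N-1\}$ stored as tuples, with the product $pq$ meaning $p(q(\cdot))$ as in the report; its sample cipher, the coset $gR$ where R is all permutations of three of four symbols and g swaps the fourth symbol in, and the non-pure three-element set are both constructed here.

```python
from itertools import permutations

# Transformations of M = {0, ..., N-1} are tuples p with p[m] = p(m).
# Products follow the report's convention: (pq)(m) = p(q(m)).

def compose(p, q):
    return tuple(p[q[m]] for m in range(len(q)))

def inverse(p):
    inv = [0] * len(p)
    for m, image in enumerate(p):
        inv[image] = m
    return tuple(inv)

def product_set(A, B):
    """The complex AB = {ab | a in A, b in B}."""
    return {compose(a, b) for a in A for b in B}

def inverse_set(T):
    """T^-1, the set of inverses of the elements of T."""
    return {inverse(t) for t in T}

def is_pure(T):
    """Definition 2 with equiprobable keys taken for granted: T T^-1 T is a subset of T."""
    T = set(T)
    return product_set(product_set(T, inverse_set(T)), T) <= T

def is_subgroup(H):
    """Lemma 1: a non-empty finite complex closed under products is a subgroup."""
    H = set(H)
    return bool(H) and product_set(H, H) <= H

def is_left_coset(T):
    """Theorem 2 / Corollary 1: R = T^-1 T is a group of order |T| and T = tR for any t in T."""
    T = set(T)
    R = product_set(inverse_set(T), T)
    t = next(iter(T))
    return is_subgroup(R) and len(R) == len(T) and product_set({t}, R) == T

def residue_classes(T, M):
    """Theorem 1: the message classes C_i are the orbits of R = T^-1 T on M (deciphering
    t_j(m) with key t_k gives t_k^-1 t_j (m)), and C_i' = {t(m) | t in T, m in C_i}.
    Returns a list of (C_i, C_i') pairs."""
    T = set(T)
    R = product_set(inverse_set(T), T)
    seen, classes = set(), []
    for m in M:
        if m in seen:
            continue
        C = frozenset(r[m] for r in R)
        C_prime = frozenset(t[x] for t in T for x in C)
        seen |= C
        classes.append((C, C_prime))
    return classes

def keys_taking(T, m, e):
    """Number of keys (transformations in T) that encipher message m into cryptogram e."""
    return sum(1 for t in T if t[m] == e)

def satisfies_theorem_1(T, M):
    """Properties 3 and 4 of Theorem 1: |C_i| = |C_i'| divides J = |T|, and every pair
    (m, e) in C_i x C_i' is connected by exactly J / |C_i| keys."""
    J = len(T)
    for C, C_prime in residue_classes(T, M):
        phi = len(C)
        if len(C_prime) != phi or J % phi:
            return False
        if any(keys_taking(T, m, e) != J // phi for m in C for e in C_prime):
            return False
    return True

# Constructed sample: R is the group of all permutations of {0, 1, 2} that fix 3,
# g swaps 0 and 3, and T = gR is a pure cipher with J = 6 keys on M = {0, 1, 2, 3}.
R_SAMPLE = {p + (3,) for p in permutations(range(3))}
G_SAMPLE = (3, 1, 2, 0)
PURE_T = {compose(G_SAMPLE, r) for r in R_SAMPLE}
M_SAMPLE = range(4)

# Constructed counterexample on three symbols: {identity, (0 1), (0 1 2)} is not a coset.
NOT_PURE_T = {(0, 1, 2), (1, 0, 2), (1, 2, 0)}

if __name__ == "__main__":
    print("pure:", is_pure(PURE_T), "left coset:", is_left_coset(PURE_T))
    for C, C_prime in residue_classes(PURE_T, M_SAMPLE):
        print("C =", sorted(C), "C' =", sorted(C_prime), "keys per pair:", len(PURE_T) // len(C))
    print("theorem 1 holds:", satisfies_theorem_1(PURE_T, M_SAMPLE))
    print("not pure:", is_pure(NOT_PURE_T))
```

For the sample cipher the message classes come out as $\{0, 1, 2\}$ and $\{3\}$ with cryptogram classes $\{1, 2, 3\}$ and $\{0\}$, so the first class has $\varphi = 3$ and each of its message/cryptogram pairs is connected by $J/\varphi = 2$ keys, while the singleton class is connected by all 6 keys.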

To follow the path of Shannon in [1] we now answer the question when the product of two pure ciphers is a pure cipher.

Theorem 4: Let $g_1R$ and $g_2S$ denote two pure ciphers. The product cipher $T = g_1Rg_2S$ is pure if and only if

(5)

Proof: We start with the if part: $g_2^{-1}Rg_2$ is a group. Then according to lemma 3, (5) implies that $g_2^{-1}Rg_2S$ is a group. But $T = g_1Rg_2S = g_1g_2((g_2^{-1}Rg_2)S)$, which shows that T is a left coset. What remains to be shown is that all keys are equiprobable. The mapping $x \mapsto g_2^{-1}xg_2$ is an inner automorphism of G onto G. Hence $|g_2^{-1}Rg_2| = |R|$. Then lemma 4 shows that each element in $(g_2^{-1}Rg_2)S$ is represented by the same number of products $(g_2^{-1}rg_2)s$ and the keys will be equiprobable.

The only if part. For the product to be a pure cipher it is necessary that T is a left coset. But $T = g_1g_2(g_2^{-1}Rg_2)S$ and $g_1g_2 \in T$. Then $(g_1g_2)^{-1}T$ should be a group, that is, $(g_2^{-1}Rg_2)S$ has to be a group. But $g_2^{-1}Rg_2$ and S are subgroups in G and according to lemma 3 the product of two subgroups is a group if and only if they commute, which gives (5).

As a corollary to the if part and as a direct consequence of lemma 4 we have

Corollary 2: The product $(g_1R)(g_2S)$ of two pure ciphers $g_1R$ and $g_2S$ is a cipher with equiprobable keys.

The question of when the product of two pure ciphers that commute is a pure cipher is treated in theorem 2 in [1]. The theorem states that if the two pure ciphers have enciphering transformations $T'$ and $T''$ respectively and $T'T'' = T''T'$ then the product cipher $T'T''$ is pure. This is obviously true when both $T'$ and $T''$ are subgroups, according to theorem 4. But in the general case this is not so. A simple counterexample is given in appendix B. The error in the proof of the theorem depends on the false assumption that $T'T'' = T''T'$ implies that $(T')^{-1}T'' = T''(T')^{-1}$. We state a modified version of theorem 2 of [1] as a corollary to theorem 4.

Corollary 3: If two pure ciphers R and S both are subgroups in G and $RS = SR$ then the product ciphers RS and SR are pure.

APPENDIX A

Proof of theorem 1: Let $R = T^{-1}T = t_0^{-1}T$, then $T = t_0R$. With $m_0$ an arbitrary element of M define $S = \{r \mid r(m_0) = m_0\}$. S is a subgroup of R, hence $|S|$ is a divisor of $J = |T| = |R|$. Define $\varphi = J/|S|$. S gives a coset partitioning of R and we may define a set $V = \{v_i\}_i$ that contains exactly one element from each coset. Now define

(18)

and

$C' = \{t(m) \mid t \in T, m \in C\}$ (19)

Let $m_i = v_i(m_0)$ and order the elements of R in such a way that $t_j = t_0r_j$; then $t_j(m_i) = t_0r_jv_i(m_0)$. But for each i, $\{r_jv_i\}_{j=1}^{J} = R$. Hence

(20)

where, to get the last equality, we used the fact that all $r_j$ belonging to the same coset transform $m_0$ into the same $m_i$. This shows that $|C| = |C'|$.

To show that there are exactly $J/\varphi$ transformations taking m into e for arbitrary $m \in C$ and $e \in C'$, assume that $m = m_k = v_k(m_0)$ and $e = t_0v_j(m_0)$. Then the transformations $t_i = t_0v_js_iv_k^{-1}$, $i = 1, 2, \ldots, |S|$, will have this property because $t_i(m_k) = t_0v_js_iv_k^{-1}v_k(m_0) = t_0v_js_i(m_0) = t_0v_j(m_0) = e$. This proves at the same time that all messages in C are transformed into cryptograms belonging to C' because for a fixed m each of the $\varphi$ cryptograms can be obtained by $J/\varphi$ different keys and this accounts for all the keys. A similar argument shows that all cryptograms in C' are deciphered as messages in C.

Repeating the process described above for a new $m \in M$, $m \notin C$, shows that we obtain mutually exclusive residue classes of messages and cryptograms. This process can

APPENDIX B

We wish to exhibit a simple example which shows that the product of two commuting cosets is not necessarily a coset. Let G be the set of all invertible transformations of $M = \{1, 2, 3, 4\}$ onto M. Let R be a subgroup having the four elements defined in table Ia and let the two cosets be generated by $t'$ and $t''$. The cosets are given in table Ib and c. Table II contains the elements of the complex $t'Rt''R = t''Rt'R$.

Table I

a) $r_j(m)$, the elements of R

           m:   1   2   3   4
  j = 1         1   2   3   4
  j = 2         4   1   2   3
  j = 3         3   4   1   2
  j = 4         2   3   4   1

b) $t'_j(m) = t'r_j(m)$, the coset $t'R$

           m:   1   2   3   4
  j = 1         2   1   3   4
  j = 2         4   2   1   3
  j = 3         3   4   2   1
  j = 4         1   3   4   2

c) $t''_j(m) = t''r_j(m)$, the coset $t''R$

           m:   1   2   3   4
  j = 1         3   1   2   4
  j = 2         4   3   1   2
  j = 3         2   4   3   1
  j = 4         1   2   4   3

The number of elements in the complex is 16, not a divisor of $|G| = 24$. But the order of a subgroup of G must divide the order of G. Thus the complex is not a coset of a subgroup in G.

Table II

$t'_it''_j(m) = t''_kt'_\ell(m)$

   (i, j)   (k, l)     m = 1   2   3   4
   (1, 1)   (4, 2)         3   2   1   4
   (1, 2)   (4, 3)         4   3   2   1
   (1, 3)   (4, 4)         1   4   3   2
   (1, 4)   (4, 1)         2   1   4   3
   (2, 1)   (3, 2)         1   4   2   3
   (2, 2)   (3, 3)         3   1   4   2
   (2, 3)   (3, 4)         2   3   1   4
   (2, 4)   (3, 1)         4   2   3   1
   (3, 1)   (2, 2)         2   3   4   1
   (3, 2)   (2, 3)         1   2   3   4
   (3, 3)   (2, 4)         4   1   2   3
   (3, 4)   (2, 1)         3   4   1   2
   (4, 1)   (1, 2)         4   1   3   2
   (4, 2)   (1, 3)         2   4   1   3
   (4, 3)   (1, 4)         3   2   4   1
   (4, 4)   (1, 1)         1   3   2   4
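The counterexample of Appendix B, the size formula (2) of Lemma 4, and the commutation condition used in the proof of Theorem 4 can all be recomputed directly. The Python below is an added example, not the report's own code. It rebuilds R, $t'$ and $t''$ from the first rows of Tables Ia, Ib and Ic (symbols 1..4 stored as 0..3), forms the complex $t'Rt''R$ of Table II, and, as a constructed positive case of Corollary 3, pairs R with the subgroup generated by the transposition of 1 and 3, which commutes with R because the product is the symmetry group of the square 1-2-3-4.

```python
# Permutations of {0, ..., n-1} as tuples; (pq)(m) = p(q(m)) as in the report.
def compose(p, q):
    return tuple(p[q[m]] for m in range(len(q)))

def inverse(p):
    inv = [0] * len(p)
    for m, image in enumerate(p):
        inv[image] = m
    return tuple(inv)

def product_set(A, B):
    """The complex AB = {ab | a in A, b in B}."""
    return {compose(a, b) for a in A for b in B}

def generate(gens):
    """Closure of a list of permutations under products: the subgroup they generate."""
    n = len(gens[0])
    group = {tuple(range(n))}
    frontier = list(group)
    while frontier:
        x = frontier.pop()
        for g in gens:
            y = compose(g, x)
            if y not in group:
                group.add(y)
                frontier.append(y)
    return group

def is_coset(T):
    """Theorem 3: T is a (left) coset iff T^-1 T is a group of order |T|."""
    T = set(T)
    R = product_set({inverse(t) for t in T}, T)
    return product_set(R, R) <= R and len(R) == len(T)

def lemma4_size(R, S):
    """Equation (2): |RS| = |R||S| / |R ∩ S| for subgroups R and S."""
    return len(R) * len(S) // len(set(R) & set(S))

def theorem4_condition(R, g2, S):
    """The condition (5) as the proof of Theorem 4 states it:
    (g2^-1 R g2) S == S (g2^-1 R g2)."""
    conj = product_set(product_set({inverse(g2)}, R), {g2})
    return product_set(conj, S) == product_set(S, conj)

def product_cipher(g1, R, g2, S):
    """Enciphering transformations of the product cipher (g1 R)(g2 S)."""
    return product_set(product_set({g1}, R), product_set({g2}, S))

def table_row(p):
    """Print form used in the report's tables: the images of 1, 2, 3, 4."""
    return tuple(m + 1 for m in p)

# Appendix B data: R = <r_4> with r_4: m -> m+1 (Table Ia, row j = 4),
# t' = row j = 1 of Table Ib (swaps 1 and 2), t'' = row j = 1 of Table Ic (1->3, 2->1, 3->2).
R_B = generate([(1, 2, 3, 0)])
T1 = (1, 0, 2, 3)
T2 = (2, 0, 1, 3)
COSET_1 = product_set({T1}, R_B)            # t'R, Table Ib
COSET_2 = product_set({T2}, R_B)            # t''R, Table Ic
COMPLEX = product_cipher(T1, R_B, T2, R_B)  # t'R t''R, Table II
ORDER_G = 24                                # |G| for M = {1, 2, 3, 4}

# Constructed positive case for Corollary 3: S = <(1 3)> and R generate the
# dihedral group of the square, so RS = SR and the product cipher RS is pure.
S_POS = generate([(2, 1, 0, 3)])
IDENTITY = (0, 1, 2, 3)

if __name__ == "__main__":
    print("t'R t''R == t''R t'R:", COMPLEX == product_set(COSET_2, COSET_1))
    print("|complex| =", len(COMPLEX), "divides |G|:", ORDER_G % len(COMPLEX) == 0)
    print("complex is a coset:", is_coset(COMPLEX))
    print("condition (5) for t'R, t''R:", theorem4_condition(R_B, T2, R_B))
    for p in sorted(COMPLEX):
        print(table_row(p))
    RS = product_set(R_B, S_POS)
    print("RS == SR:", RS == product_set(S_POS, R_B), "|RS| =", lemma4_size(R_B, S_POS),
          "RS pure:", is_coset(RS), "condition (5):", theorem4_condition(R_B, IDENTITY, S_POS))
```

Running the block reproduces the report's finding: the two cosets commute as sets, their product has 16 elements, 16 does not divide 24, and `is_coset` rejects the product, in agreement with condition (5) failing for $g_2 = t''$ and $S = R$. For the constructed subgroups R and S the product has $4 \cdot 2 / 1 = 8$ elements by (2), the two products agree, and the product cipher is pure.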

Figure 1. Blockdiagram of a secrecy system. (The scanned figure is not reproduced; its labels read: message source, message m, encipherer, cryptogram $e = t_k(m)$, key k supplied by the key source to the encipherer and the decipherer, wiretapper on the channel, decipherer $m = t_k^{-1}(e)$, destination.)

REFERENCES

[1] C. Shannon, "Communication Theory of Secrecy Systems", Bell System Technical Journal, Vol 28, pp. 656-715, Oct. 1949.

[2] B.L. Van der Waerden, "Modern Algebra", Frederick Ungar Publishing Co., New York, 1966.

[3] I.N. Herstein, "Topics in Algebra", Xerox College
