Groups generated by round functions
Caranti, Dalla Volta, Sala & Villani
Sections: Motivation (Is DES a group?; Trapdoors via imprimitivity) · Groups at work (Imprimitivity; Inversion; Hua and AES) · Primitivity (O’Nan-Scott; Radical Rings)

Permutation groups generated by round functions of symmetric cryptosystems
A. Caranti (1), F. Dalla Volta (2), M. Sala (3, 1), F. Villani
(1) Dipartimento di Matematica, Università degli Studi di Trento
(2) Dipartimento di Matematica e Applicazioni, Università degli Studi di Milano Bicocca
(3) Boole Centre, University College Cork
Nottingham, 16 May 2007
Outline
1 Motivation: Is DES a group? Trapdoors via imprimitivity
2 Group theory at work: Imprimitivity of groups generated by round functions; Inverse-closed subsets of (finite) fields; Hua and AES
3 Primitive groups: O’Nan-Scott; Abelian regular subgroups and radical rings
Keys and transformations
A secrecy system is defined abstractly as a set of transformations of one space (the set of possible messages) into a second space (the set of possible cryptograms). Each particular transformation of the set corresponds to enciphering with a particular key. The transformations are supposed reversible (non-singular) so that unique deciphering is possible when the key is known.
C. E. Shannon, Communication theory of secrecy systems. Bell System Tech. J. 28 (1949), 656–715.
In the One-Time Pad, given a key a, the corresponding transformation is the translation v ↦ v + a, where v ∈ V(d, 2) is a message.
Claude E. Shannon (1916–2001)
Is DES a group?
B. S. Kaliski, Jr, R. L. Rivest, Alan T. Sherman, Is the Data Encryption Standard a group? (Results of cycling experiments on DES). J. Cryptology 1, no. 1 (1988), 3–36.
• Let T_a be a DES transformation, corresponding to the key a. The T_a are permutations of the message space, that is, elements of Sym(2^d).
• Suppose {T_a : a} is a group, that is, for all keys a, b there is a key c such that T_a T_b = T_c. Then Triple DES would make no sense, and DES would be exposed to a meet-in-the-middle attack. (Birthday paradox.)
• They perform experiments that suggest that DES is not a group.
Further work on DES
K. W. Campbell and M. J. Wiener, DES is not a group. Crypto ’92, LNCS 740, Springer, 1993, 512–520.
Ralph Wernsdorf, The one-round functions of the DES generate the alternating group. Eurocrypt ’92, LNCS 658, Springer, 1993, 99–112.
• Considers the transformations R_a induced by the round functions of DES. These are even permutations.
• Not only are they not a group, but they generate the largest possible group Alt(n), of order n!/2: { R_{a_1} R_{a_2} · · · R_{a_k} } = Alt(n).
• Since Alt(n) is a simple group, it is also generated by the full DES transformations with independent subkeys.
AES
Ralph Wernsdorf, The round functions of RIJNDAEL generate the alternating group. FSE ’02, LNCS 2365, Springer, 2002, 143–148.
• Ditto for AES.
• Wernsdorf’s proof requires some (computer) calculations. He has a recent approach which is more conceptual.
• We tried another such approach suggested by . . .
Paterson’s imprimitivity trapdoor
Kenneth G. Paterson, Imprimitive Permutation Groups and Trapdoors in Iterated Block Ciphers. FSE ’99, LNCS 1636, Springer, 1999, 201–214.
• Paterson builds a DES-like cryptosystem in which the group generated by the round functions is imprimitive.
• The (not immediately apparent) imprimitivity system acts as a trapdoor.
Imprimitivity and trapdoors
• You have a ciphertext c, and you are looking for a plaintext p such that c = T_a(p).
• Here a is the unknown key, and T_a the known corresponding transformation of the cryptosystem.
• The message space V ∋ p, c is of size n, which is assumed to be too big to allow for an exhaustive search.
• Suppose you know that the group spanned by all T_b has an imprimitivity system V_1, . . . , V_m, where m ≈ √n ≈ |V_i|.
• Then a search over m ≈ √n gives us V_i such that c ∈ T_a(V_i). We could have calculated in advance a set of representatives of the V_i. We need a fast membership test for the V_i.
• Then we find p through another search over V_i, again of size ≈ √n. So we search 2√n elements instead of n.
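The structural checks behind the "Is DES a group?" slides and the imprimitivity slide above, run on a toy 3-bit cipher with round function x ↦ S(x ⊕ k), as an added example that is not from the talk: is the set of transformations closed under composition, what is the order of the group generated by the round functions (8!/2 = 20160 means Alt(8)), are its elements even, and does it preserve a nontrivial block system? The S-boxes S_GOOD and S_TRAP, the one-time-pad case S = identity, and the union-find block search are constructed assumptions of this example.

```python
"""Toy 3-bit block cipher: do its transformations form a group, what group do
the round functions generate, and is that group imprimitive?  Added example,
not code from the talk; the S-boxes and helper names are constructed here."""
from collections import deque

N = 8              # message space V(3, 2), written as the integers 0..7
KEYS = range(N)    # one 3-bit key per transformation

def round_function(sbox, k):
    """Permutation x -> S(x XOR k), stored as a tuple t with t[x] = image of x.
    With S = identity this is the one-time-pad translation v -> v + k."""
    return tuple(sbox[x ^ k] for x in range(N))

def compose(f, g):
    """Apply f first, then g (the product f g in the talk's notation)."""
    return tuple(g[f[x]] for x in range(N))

def is_closed(perms):
    """The DES question: is every product T_a T_b again some T_c?"""
    s = set(perms)
    return all(compose(f, g) in s for f in perms for g in perms)

def generated_group(generators):
    """Breadth-first closure under the generators (finite, so inverses come free)."""
    identity = tuple(range(N))
    seen, queue = {identity}, deque([identity])
    while queue:
        f = queue.popleft()
        for g in generators:
            h = compose(f, g)
            if h not in seen:
                seen.add(h)
                queue.append(h)
    return seen

def is_even(perm):
    """Parity from the cycle structure: a cycle of length L is L-1 transpositions."""
    seen, transpositions = [False] * N, 0
    for start in range(N):
        if seen[start]:
            continue
        x, length = start, 0
        while not seen[x]:
            seen[x] = True
            x, length = perm[x], length + 1
        transpositions += length - 1
    return transpositions % 2 == 0

def minimal_block_system(generators, a, b):
    """Finest partition that the generated group maps block-to-block and that
    puts a and b in one block (union-find closure of the pair under the generators)."""
    parent = list(range(N))
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    def union(x, y):
        rx, ry = find(x), find(y)
        if rx == ry:
            return False
        parent[ry] = rx
        return True
    union(a, b)
    pending = deque([(a, b)])
    while pending:
        x, y = pending.popleft()
        for g in generators:              # a ~ b forces g(a) ~ g(b)
            if union(g[x], g[y]):
                pending.append((g[x], g[y]))
    blocks = {}
    for x in range(N):
        blocks.setdefault(find(x), []).append(x)
    return sorted(blocks.values())

def block_systems(generators):
    """All nontrivial block systems of the (transitive) generated group."""
    systems = []
    for x in range(1, N):
        bs = minimal_block_system(generators, 0, x)
        if 1 < len(bs) < N and bs not in systems:
            systems.append(bs)
    return systems

def analyse(sbox):
    """Run the checks of the talk on the cipher built from sbox."""
    rounds = [round_function(sbox, k) for k in KEYS]
    group = generated_group(rounds)
    return {
        "transformations_form_group": is_closed(rounds),
        "group_order": len(group),                # 8! / 2 = 20160 means Alt(8)
        "all_even": all(is_even(p) for p in group),
        "block_systems": block_systems(rounds),   # [] means primitive
    }

# Constructed S-boxes.  S_GOOD is an arbitrary permutation of 0..7.
S_GOOD = (6, 4, 0, 7, 1, 3, 5, 2)
# S_TRAP maps {0,1,2,3} and {4,5,6,7} each onto itself, so every round function
# sends a half onto a half: a Paterson-style imprimitivity trapdoor.
S_TRAP = (1, 2, 0, 3, 6, 4, 5, 7)
IDENTITY = tuple(range(N))    # S = identity: the one-time pad, a group of order 8
```

With S_GOOD the eight round functions generate Alt(8) and admit no block system, while with S_TRAP the halves {0,1,2,3} and {4,5,6,7} form a block system, which is exactly what a primitivity check at design time should flag; the one-time pad is the closed case, a group of order 8.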
Groupsgenerated by
roundfunctions
Caranti, DallaVolta, Sala &
Villani
MotivationIs DES a group?
Trapdoors viaimprimitivity
Groups atworkImprimitivity
Inversion
Hua and AES
PrimitivityO’Nan-Scott
Radical Rings
Imprimitivity and trapdoors
• You have a cipherext c, and you are looking for aplaintext p such that c = Ta(p).
• Here a is the unknown key, and Ta the knowncorresponding transformation of the cryptosystem.
• The message space V 3 p, c is of size n, which isassumed to be too big to allow for an exhaustivesearch.
• Suppose you know that the group spanned by all Tb
has an imprimitivity system V1, . . . , Vm, wherem ≈
√n ≈ |Vi |.
• Then a search over m ≈√
n gives us Vi such thatc ∈ Ta(Vi). We could have calculated in advance a setof representatives of the Vi . We need a fastmembership test for the Vi .
• Then we find p through another search over Vi , again ofsize ≈
√n. So we search 2
√n elements instead of n.
Groupsgenerated by
roundfunctions
Caranti, DallaVolta, Sala &
Villani
MotivationIs DES a group?
Trapdoors viaimprimitivity
Groups atworkImprimitivity
Inversion
Hua and AES
PrimitivityO’Nan-Scott
Radical Rings
Imprimitivity and trapdoors
• You have a cipherext c, and you are looking for aplaintext p such that c = Ta(p).
• Here a is the unknown key, and Ta the knowncorresponding transformation of the cryptosystem.
• The message space V 3 p, c is of size n, which isassumed to be too big to allow for an exhaustivesearch.
• Suppose you know that the group spanned by all Tb
has an imprimitivity system V1, . . . , Vm, wherem ≈
√n ≈ |Vi |.
• Then a search over m ≈√
n gives us Vi such thatc ∈ Ta(Vi). We could have calculated in advance a setof representatives of the Vi . We need a fastmembership test for the Vi .
• Then we find p through another search over Vi , again ofsize ≈
√n. So we search 2
√n elements instead of n.
Groupsgenerated by
roundfunctions
Caranti, DallaVolta, Sala &
Villani
MotivationIs DES a group?
Trapdoors viaimprimitivity
Groups atworkImprimitivity
Inversion
Hua and AES
PrimitivityO’Nan-Scott
Radical Rings
Imprimitivity and trapdoors
• You have a cipherext c, and you are looking for aplaintext p such that c = Ta(p).
• Here a is the unknown key, and Ta the knowncorresponding transformation of the cryptosystem.
• The message space V 3 p, c is of size n, which isassumed to be too big to allow for an exhaustivesearch.
• Suppose you know that the group spanned by all Tb
has an imprimitivity system V1, . . . , Vm, wherem ≈
√n ≈ |Vi |.
• Then a search over m ≈√
n gives us Vi such thatc ∈ Ta(Vi). We could have calculated in advance a setof representatives of the Vi . We need a fastmembership test for the Vi .
• Then we find p through another search over Vi , again ofsize ≈
√n. So we search 2
√n elements instead of n.
Groupsgenerated by
roundfunctions
Caranti, DallaVolta, Sala &
Villani
MotivationIs DES a group?
Trapdoors viaimprimitivity
Groups atworkImprimitivity
Inversion
Hua and AES
PrimitivityO’Nan-Scott
Radical Rings
Imprimitivity and trapdoors
• You have a cipherext c, and you are looking for aplaintext p such that c = Ta(p).
• Here a is the unknown key, and Ta the knowncorresponding transformation of the cryptosystem.
• The message space V 3 p, c is of size n, which isassumed to be too big to allow for an exhaustivesearch.
• Suppose you know that the group spanned by all Tb
has an imprimitivity system V1, . . . , Vm, wherem ≈
√n ≈ |Vi |.
• Then a search over m ≈√
n gives us Vi such thatc ∈ Ta(Vi). We could have calculated in advance a setof representatives of the Vi . We need a fastmembership test for the Vi .
• Then we find p through another search over Vi , again ofsize ≈
√n. So we search 2
√n elements instead of n.
Groupsgenerated by
roundfunctions
Caranti, DallaVolta, Sala &
Villani
MotivationIs DES a group?
Trapdoors viaimprimitivity
Groups atworkImprimitivity
Inversion
Hua and AES
PrimitivityO’Nan-Scott
Radical Rings
Imprimitivity and trapdoors
• You have a cipherext c, and you are looking for aplaintext p such that c = Ta(p).
• Here a is the unknown key, and Ta the knowncorresponding transformation of the cryptosystem.
• The message space V 3 p, c is of size n, which isassumed to be too big to allow for an exhaustivesearch.
• Suppose you know that the group spanned by all Tb
has an imprimitivity system V1, . . . , Vm, wherem ≈
√n ≈ |Vi |.
• Then a search over m ≈√
n gives us Vi such thatc ∈ Ta(Vi). We could have calculated in advance a setof representatives of the Vi . We need a fastmembership test for the Vi .
• Then we find p through another search over Vi , again ofsize ≈
√n. So we search 2
√n elements instead of n.
Groupsgenerated by
roundfunctions
Caranti, DallaVolta, Sala &
Villani
MotivationIs DES a group?
Trapdoors viaimprimitivity
Groups atworkImprimitivity
Inversion
Hua and AES
PrimitivityO’Nan-Scott
Radical Rings
Imprimitivity and trapdoors
• You have a cipherext c, and you are looking for aplaintext p such that c = Ta(p).
• Here a is the unknown key, and Ta the knowncorresponding transformation of the cryptosystem.
• The message space V 3 p, c is of size n, which isassumed to be too big to allow for an exhaustivesearch.
• Suppose you know that the group spanned by all Tb
has an imprimitivity system V1, . . . , Vm, wherem ≈
√n ≈ |Vi |.
• Then a search over m ≈√
n gives us Vi such thatc ∈ Ta(Vi). We could have calculated in advance a setof representatives of the Vi . We need a fastmembership test for the Vi .
• Then we find p through another search over Vi , again ofsize ≈
√n. So we search 2
√n elements instead of n.
Are imprimitivity systems always linear?
Paterson’s imprimitivity system consists of the cosets of a subspace U of the message space V = V(d, 2). Membership testing is fast here (Gauss).
Paterson asks whether subtler trapdoors can be built, using imprimitivity systems that are not linear.
At the FSE conference where it was presented, Adi Shamir told me that he could break the scheme using a truncated differential attack [...]
Imprimitivity systems in AES
• In an AES-like cryptosystem, the group contains the translations.
• Then there is a very simple answer to Paterson’s question here: an imprimitivity system consists indeed of the cosets of a subspace U of the message space V. I.e.
imprimitivity system = { v + U : v ∈ V },
where v + U = { v + u : u ∈ U }.
• It follows that for u ∈ U and v ∈ V one has
σ(v + u) + σ(v) ∈ U,
where σ is a round function.
• An instance of truncated differential cryptanalysis.
• This does not lead to an obvious weakness with respect to TDC, as there are many candidates for the subspace U. Is there the possibility of a trapdoor here?
No trapdoors in Rijndael
• There are no such trapdoors in AES/Rijndael.
• This depends on certain properties of the components of AES:
  • the mixing layer,
  • the S-boxes.
• In its basic version, AES operates on the vector space V = V(128, 2) of dimension 128 over the field F_2 with two elements.
• AES is byte-oriented:
V = V_1 ⊕ · · · ⊕ V_16,
where each V_i = V(8, 2).
• The mixing layer makes sure that no nontrivial sum of the V_i is sent to itself.
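The criterion σ(v + u) + σ(v) ∈ U from the previous slide, and the role of the mixing layer stated here, can be checked mechanically on a small cipher. The following is added example code (not the authors' and not AES itself): a constructed 8-bit toy SPN with two 4-bit S-boxes and a choice of mixing layer, tested against a list of candidate subspaces U. It assumes the PRESENT S-box table merely as a convenient 4-bit bijection and a made-up GF(2⁴)-based mixing layer.

```python
"""Constructed toy SPN used to test whether the cosets of a subspace U form an
imprimitivity system for the round function sigma, via the criterion
sigma(v + u) + sigma(v) in U for all u in U, v in V.  V = V(8, 2), addition is
XOR.  Added example, not the authors' code and not AES."""

# 4-bit bijection: the PRESENT S-box, used here only as a convenient S-box.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]


def sbox_layer(v):
    """Apply the S-box to each nibble: V = V1 + V2 with Vi = V(4, 2)."""
    return (SBOX[v >> 4] << 4) | SBOX[v & 0xF]


def gf16_times_x(a):
    """Multiply a 4-bit value by x in GF(2^4) modulo x^4 + x + 1 (F2-linear)."""
    a <<= 1
    return (a ^ 0b10011) & 0xF if a & 0x10 else a


def mix_identity(v):
    """Degenerate mixing layer: each Vi is sent to itself."""
    return v


def mix_good(v):
    """Constructed invertible mixing layer (x1, x2) -> (x1 + x2, x*x1 + x2)
    over GF(2^4); neither V1 nor V2 is sent to itself."""
    x1, x2 = v >> 4, v & 0xF
    return ((x1 ^ x2) << 4) | (gf16_times_x(x1) ^ x2)


def round_function(mix):
    """Key-less round: S-box layer then mixing layer.  Key addition is a
    translation, which maps every coset v + U onto a coset, so it needs no check."""
    return lambda v: mix(sbox_layer(v))


def span(basis):
    """All F2-linear combinations (XOR) of the basis vectors."""
    vectors = {0}
    for b in basis:
        vectors |= {w ^ b for w in vectors}
    return vectors


def is_imprimitivity_system(sigma, basis, dim=8):
    """True iff sigma maps every coset v + U onto a coset of U, i.e.
    sigma(v + u) + sigma(v) in U for all u in U and all v in V."""
    U = span(basis)
    return all(sigma(v ^ u) ^ sigma(v) in U for v in range(1 << dim) for u in U)


def invariant_subspaces(sigma, candidates):
    """Names of the candidate subspaces whose cosets sigma preserves."""
    return [name for name, basis in candidates.items()
            if is_imprimitivity_system(sigma, basis)]


def is_bijection(f, dim=8):
    return len({f(v) for v in range(1 << dim)}) == 1 << dim


CANDIDATES = {
    "V1 (high nibble)": [0x10, 0x20, 0x40, 0x80],
    "V2 (low nibble)": [0x01, 0x02, 0x04, 0x08],
    "diagonal {(x, x)}": [0x11, 0x22, 0x44, 0x88],
}
# every 1-dimensional subspace {0, u}: sigma would have to commute with v -> v + u
CANDIDATES.update({f"<{u:#04x}>": [u] for u in range(1, 256)})

if __name__ == "__main__":
    for name, mix in (("identity mixing", mix_identity), ("good mixing", mix_good)):
        sigma = round_function(mix)
        assert is_bijection(sigma)
        print(name, "->", invariant_subspaces(sigma, CANDIDATES) or "no invariant subspace")
```

With the identity mixing layer the cosets of V1 and of V2 are block systems (the trapdoor situation), while the constructed mixing layer leaves none of the candidates invariant.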
• The S-box is a map on each V_i = V(8, 2). It is the only nonlinear component of AES.
• Each V_i is identified with GF(2⁸). (A non-primitive polynomial is used!)
• The S-box is x ↦ x⁻¹. Well, not quite: 0 ↦ 0, that is x ↦ x²⁵⁴, plus a minor tweak with an affine map.
• A role is played by a property of inversion in (finite) fields.
In studying Rijndael’s S-box we were led to the following question.
Suppose we have an additive subgroup A of the field GF(2⁸). Suppose A is closed under taking inverses of non-zero elements.
Is A a subfield?
It is easy to verify that this is indeed the case here. What about the general question for an arbitrary field?
Examples:
• A = ℝi = { ai : a ∈ ℝ } ⊆ ℂ.
• In GF(5²), take A = GF(5)α = { 0, α, 2α, −2α, −α }, where α² = 2.
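The S-box description (x ↦ x²⁵⁴ on GF(2⁸)) and the inversion question on this slide can both be worked through concretely. Below is added example code, not the authors': it assumes the AES representation of GF(2⁸) as F₂[x]/(x⁸ + x⁴ + x³ + x + 1), verifies that x²⁵⁴ is inversion with 0 ↦ 0, checks inverse-closedness and the subfield property for the subfields of GF(2⁸) and exhaustively for all subspaces of dimension ≤ 2, and checks the GF(5²) example A = GF(5)α.

```python
"""Inverse-closed additive subgroups of a field: worked checks for GF(2^8) as
used by Rijndael's S-box and for the GF(5^2) example.  Added example, not the
authors' code.  GF(2^8) = F2[x]/(x^8 + x^4 + x^3 + x + 1) (the AES modulus);
GF(5^2) = {a + b*alpha : a, b in GF(5)} with alpha^2 = 2."""

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1


def gf256_mul(a, b):
    """Polynomial multiplication over F2, reduced modulo AES_POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r


def gf256_pow(a, e):
    """Square-and-multiply; gf256_pow(a, 254) is the S-box core x -> x^254."""
    r = 1
    while e:
        if e & 1:
            r = gf256_mul(r, a)
        a = gf256_mul(a, a)
        e >>= 1
    return r


# x^254 = x^-1 for x != 0 and 0 -> 0: exactly the map on the slide.
INV256 = [gf256_pow(a, 254) for a in range(256)]


def multiplicative_order(a):
    """Order of a in GF(2^8)^*.  x (0x02) has order 51 under AES_POLY, which is
    why the slide calls the polynomial non-primitive; 0x03 generates the group."""
    n, p = 1, a
    while p != 1:
        p, n = gf256_mul(p, a), n + 1
    return n


def is_inverse_closed(A, inv, zero=0):
    """A is closed under taking inverses of its non-zero elements."""
    return all(inv(a) in A for a in A if a != zero)


def is_subfield(A, mul, one):
    """An additive subgroup is a subfield iff it contains 1 and is closed under *."""
    return one in A and all(mul(a, b) in A for a in A for b in A)


def gf256_subfield(k):
    """GF(2^k) inside GF(2^8): the fixed points of a -> a^(2^k)."""
    return frozenset(a for a in range(256) if gf256_pow(a, 1 << k) == a)


def gf256_inverse_closed_subspaces_dim_le_2():
    """All 255 one- and 10795 two-dimensional F2-subspaces of GF(2^8) that are
    closed under inversion (exhaustive)."""
    found = [frozenset({0, a}) for a in range(1, 256) if INV256[a] == a]
    for a in range(1, 256):
        for b in range(a + 1, 256):
            if a ^ b > b:  # (a, b) are the two smallest non-zero elements: one basis per subspace
                A = frozenset({0, a, b, a ^ b})
                if is_inverse_closed(A, INV256.__getitem__):
                    found.append(A)
    return found


# --- GF(5^2): elements are pairs (a, b) meaning a + b*alpha, alpha^2 = 2 -----
def gf25_mul(u, v):
    (a, b), (c, d) = u, v
    return ((a * c + 2 * b * d) % 5, (a * d + b * c) % 5)


def gf25_inv(u):
    """(a + b*alpha)^-1 = (a - b*alpha) / (a^2 - 2 b^2); 0 -> 0."""
    a, b = u
    norm = (a * a - 2 * b * b) % 5
    if norm == 0:
        return (0, 0)
    n_inv = pow(norm, 3, 5)  # Fermat: n^-1 = n^(5-2) mod 5
    return ((a * n_inv) % 5, (-b * n_inv) % 5)


GF5_ALPHA = frozenset((0, b) for b in range(5))  # A = GF(5)*alpha from the slide

if __name__ == "__main__":
    assert all(gf256_mul(a, INV256[a]) == 1 for a in range(1, 256))
    print("order of x in GF(2^8)^*:", multiplicative_order(0x02))
    for k in (1, 2, 4):
        A = gf256_subfield(k)
        print(f"GF(2^{k}): inverse-closed={is_inverse_closed(A, INV256.__getitem__)} "
              f"subfield={is_subfield(A, gf256_mul, 1)}")
    small = gf256_inverse_closed_subspaces_dim_le_2()
    print("dim<=2 inverse-closed subspaces:", len(small),
          "all subfields:", all(is_subfield(A, gf256_mul, 1) for A in small))
    print("GF(5)alpha: inverse-closed", is_inverse_closed(GF5_ALPHA, gf25_inv, (0, 0)),
          "subfield", is_subfield(GF5_ALPHA, gf25_mul, (1, 0)))
```

In GF(2⁸) the only inverse-closed subspaces of dimension ≤ 2 turn out to be GF(2) and GF(4), both subfields, whereas GF(5)α in GF(5²) is inverse-closed (α⁻¹ = 3α = −2α) yet not closed under multiplication (α·α = 2 ∉ A).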
Groupsgenerated by
roundfunctions
Caranti, DallaVolta, Sala &
Villani
MotivationIs DES a group?
Trapdoors viaimprimitivity
Groups atworkImprimitivity
Inversion
Hua and AES
PrimitivityO’Nan-Scott
Radical Rings
Inversion
In studying Rijndael’s S-box we were led to the followingquestion.Suppose we have an additive subgroup A of the fieldGF(28). Suppose A is closed under taking inverses ofnon-zero elements.Is A a subfield?It is easy to verify that this is indeed the case here. Whatabout the general question for an arbitrary field?Examples:
• A = Ri = { ai : a ∈ R } ⊆ C.
• In GF(52), take A = GF(5)α = { 0, α, 2α,−2α,−α },where α2 = 2.
Groupsgenerated by
roundfunctions
Caranti, DallaVolta, Sala &
Villani
MotivationIs DES a group?
Trapdoors viaimprimitivity
Groups atworkImprimitivity
Inversion
Hua and AES
PrimitivityO’Nan-Scott
Radical Rings
Inversion
In studying Rijndael’s S-box we were led to the followingquestion.Suppose we have an additive subgroup A of the fieldGF(28). Suppose A is closed under taking inverses ofnon-zero elements.Is A a subfield?It is easy to verify that this is indeed the case here. Whatabout the general question for an arbitrary field?Examples:
• A = Ri = { ai : a ∈ R } ⊆ C.
• In GF(52), take A = GF(5)α = { 0, α, 2α,−2α,−α },where α2 = 2.
Sandro Mattarei, Inverse-closed additive subgroups of fields. Israel J. Math., to appear.

Theorem
Let E be a finite field of characteristic two. Suppose A ≠ 0 is an additive subgroup of E which contains the inverses of each of its nonzero elements. Then A is a subfield of E.
Two more general results
Theorem
Let E be a field of characteristic different from two and let A be a non-trivial inverse-closed additive subgroup of E. Then A is either a subfield of E or the set of elements of trace zero in some quadratic field extension contained in E.

Theorem
Let E be a field of characteristic two and let A be an inverse-closed additive subgroup of E. Then A is an F^2-subspace of F for some subfield F of E.
Proof of the finite case, characteristic two
Proof.
Hua's identity, valid in any associative (but not necessarily commutative) ring, shows

$a + ((a - b^{-1})^{-1} - a^{-1})^{-1} = aba$

with a, b, ab − 1 invertible. First of all, 1 ∈ A. This is because A has even order, so A \ {0} has odd order, while each element different from 0, 1 is distinct from its inverse: if 1 were not in A, the nonzero elements of A would pair off with their inverses and A \ {0} would have even order. Now with b = 1, and a ∈ A \ {0, 1}, we get that for a ∈ A also a^2 ∈ A. (This is clearly valid also for a = 0, 1.) Since squaring is injective in characteristic two and A is finite, it follows that any c ∈ A can be represented in the form c = a^2 for some a ∈ A. Now Hua's identity (in the commutative field, aba = a^2 b) yields that A is closed under products, so that A is a subring, and thus a subfield, of E.
More on Hua and AES
Hua’s identity can be used in the cryptanalysis of AES.
Joan Daemen and Vincent Rijmen, Two-Round AES Differentials. e-print, 2007.

Theorem
Let T denote a two-round Rijndael transformation. It operates on GF(2^8). Fix 0 ≠ a ∈ GF(2^8). Then the set of inverses of the output differences with input difference a

$\{ (T(x + a) - T(x))^{-1} : x \in GF(2^8) \}$

forms a linear subspace, minus { 0 }.

Hua's identity simply tells us (substitute x for a and a^{-1} for b, using that −a = a in characteristic two) that

$(T(x + a) - T(x))^{-1} = a((a^{-1}x)^2 + a^{-1}x).$

The right-hand side is a GF(2)-linear function of x, which is why its values form a subspace.
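The following block is an added example, not code from the slides or from the papers they cite. It is a small GF(2^n) implementation (the Rijndael modulus x^8 + x^4 + x^3 + x + 1 for GF(2^8), and x^4 + x + 1 for GF(16); both choices are the example's own) that checks three things from this section: Hua's identity in characteristic two; Mattarei's theorem by brute force in GF(16), where every additive subgroup can be enumerated and the inverse-closed nonzero ones turn out to be exactly the subfields GF(2), GF(4), GF(16); and the displayed differential formula. For the last point the block takes T to be the inversion map x ↦ x^{-1} of the Rijndael S-box, with 0 ↦ 0 as in AES; that reading is the example's assumption, since the slide only says "a two-round Rijndael transformation". The formula is verified for x ∉ {0, a}, where Hua's hypotheses hold; at x = 0 and x = a the difference inverse is a itself, which lies in the same subspace.

```python
"""Added example (not code from the slides): GF(2^n) arithmetic used to check
Hua's identity, Mattarei's theorem by brute force in GF(16), and the two-round
differential statement for the AES inversion map."""
from itertools import combinations

AES_POLY = 0x11B   # x^8 + x^4 + x^3 + x + 1, the Rijndael field modulus
GF16_POLY = 0x13   # x^4 + x + 1, a modulus for GF(2^4) (chosen for this example)

def gf_mul(a, b, poly):
    """Carry-less product a*b reduced modulo poly in GF(2^n), n = deg(poly)."""
    n = poly.bit_length() - 1
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> n:
            a ^= poly
    return r

def gf_inv(a, poly):
    """a^(2^n - 2), the inverse of a != 0; yields 0 for a = 0 (the AES S-box convention)."""
    n = poly.bit_length() - 1
    r, e = 1, (1 << n) - 2
    while e:
        if e & 1:
            r = gf_mul(r, a, poly)
        a = gf_mul(a, a, poly)
        e >>= 1
    return r

def hua_identity_holds(a, b, poly):
    """a + ((a - b^-1)^-1 - a^-1)^-1 == aba, with '-' being XOR in characteristic two.
    Hypotheses of the identity: a, b and ab - 1 invertible, i.e. a, b != 0 and ab != 1."""
    inner = gf_inv(a ^ gf_inv(b, poly), poly) ^ gf_inv(a, poly)
    return (a ^ gf_inv(inner, poly)) == gf_mul(gf_mul(a, b, poly), a, poly)

def span(gens):
    """Additive subgroup (GF(2)-subspace) generated by gens."""
    s = {0}
    for g in gens:
        s |= {x ^ g for x in s}
    return frozenset(s)

def all_additive_subgroups(poly):
    """Every GF(2)-subspace of GF(2^n), as spans of at most n nonzero generators."""
    n = poly.bit_length() - 1
    subs = {frozenset({0})}
    for k in range(1, n + 1):
        for gens in combinations(range(1, 1 << n), k):
            subs.add(span(gens))
    return subs

def is_inverse_closed(A, poly):
    return all(gf_inv(x, poly) in A for x in A if x)

def is_subfield(A, poly):
    """A finite additive subgroup containing 1 and closed under products is a subfield."""
    return 1 in A and all(gf_mul(x, y, poly) in A for x in A for y in A)

def inverse_closed_subgroups(poly):
    """Mattarei's theorem checked exhaustively: how many nonzero inverse-closed
    additive subgroups there are, and whether every one of them is a subfield."""
    closed = [A for A in all_additive_subgroups(poly)
              if len(A) > 1 and is_inverse_closed(A, poly)]
    return len(closed), all(is_subfield(A, poly) for A in closed)

def inverse_output_differences(a, poly=AES_POLY):
    """{ (T(x + a) - T(x))^-1 : x in GF(2^n) } with T the inversion map x -> x^-1."""
    n = poly.bit_length() - 1
    return {gf_inv(gf_inv(x ^ a, poly) ^ gf_inv(x, poly), poly) for x in range(1 << n)}

def is_subspace_minus_zero(S):
    """True iff 0 is not in S and S together with 0 is closed under XOR."""
    V = S | {0}
    return 0 not in S and all((x ^ y) in V for x in V for y in V)

def hua_formula(x, a, poly=AES_POLY):
    """The slide's specialisation of Hua's identity, a((a^-1 x)^2 + a^-1 x);
    its hypotheses (a -> x, b -> a^-1 in the identity) require x not in {0, a}."""
    y = gf_mul(gf_inv(a, poly), x, poly)
    return gf_mul(a, gf_mul(y, y, poly) ^ y, poly)

if __name__ == "__main__":
    print(inverse_closed_subgroups(GF16_POLY))     # (3, True): GF(2), GF(4) and GF(16)
    S = inverse_output_differences(0x57)
    print(len(S), is_subspace_minus_zero(S))       # 127 True: a 7-dimensional subspace minus 0
```

The exhaustive check is done in GF(16) rather than GF(2^8) only because GF(2)^8 has far too many subspaces to enumerate; the differential computation, by contrast, runs over the full Rijndael field and returns 127 = 2^7 − 1 values, the kernel of x ↦ a^{-1}x^2 + x being {0, a}.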
O’Nan-Scott
Our intention would now be to apply the O'Nan-Scott classification of primitive groups.

Leonard L. Scott, Representations in characteristic p. The Santa Cruz Conference on Finite Groups, 1979, Proc. Sympos. Pure Math., 37, 319–331.
M. Aschbacher and L. Scott, Maximal subgroups of finite groups. J. Algebra 92 (1985), 44–80.
Martin W. Liebeck, Cheryl E. Praeger and Jan Saxl, On the O'Nan-Scott theorem… J. Austral. Math. Soc. Ser. A 44 (1988), 389–396.
Primitive Groups
An analysis of the O'Nan-Scott classification shows that the (primitive) group generated by the round functions of Rijndael could be one of the following.
• The alternating group.
• A wreath product in product action.
• An affine group.
We have not been able to finish it off from here. Still, we have a spin-off from the last case.

A. Caranti, F. Dalla Volta and M. Sala, Abelian regular subgroups of the affine group and radical rings. Publ. Math. Debrecen 69 (2006), no. 3, 297–308.
Abelian regular subgroups and radical rings
Theorem
Let F be a field, and let (V, +) be a vector space over F. There is a bijection between
• Abelian regular subgroups of the affine group Aff(V) on V, and
• F-algebra structures (V, +, ·) such that the resulting ring is radical.
Isomorphism classes of algebras correspond to conjugacy classes of subgroups under the action of GL(V).
Related work
D. F. Holt, Robert B. Howlett, On groups which are the product of two abelian groups. J. London Math. Soc. (2) 29 (1984), no. 3, 453–461.
Robert B. Howlett, On the exponent of certain factorizable groups. J. London Math. Soc. (2) 31 (1985), no. 2, 265–271.
Plus work of Y. P. Sysak which can be found in
B. Amberg, S. Franciosi, F. de Giovanni, Products of groups. Oxford Mathematical Monographs, 1992. ISBN 0-19-853575-9.
An application
• In the affine group over a finite vector space, an abelian regular subgroup intersects the group of translations nontrivially.
• There is an example of Hegedus of a nonabelian, regular subgroup of an affine group over a finite vector space which has trivial intersection with the group of translations.
• There is a (simple) example of an abelian, regular subgroup of the affine group over an infinite vector space which has trivial intersection with the group of translations.

Pál Hegedus, Regular subgroups of the affine group. J. Algebra 225 (2000), no. 2, 740–742.
The example
• Let (V, +, ·) be the maximal ideal tF[[t]] of the F-algebra F[[t]] of formal power series over an arbitrary field F.
• In Aff(V) we have the group N of translations.
• (V, +, ·) is a radical ring. Our methods allow us to construct another abelian, regular subgroup T of Aff(V). As a group, T is V under the circle operation x ◦ y = x + y + xy, where the element in T corresponding to x acts on V via y ↦ y ◦ x.
• One sees that U = { x ∈ V : x · y = 0 for all y ∈ V } corresponds to N ∩ T.
• Since F[[t]] is a domain, we have N ∩ T = {1} here.
• Also, T is torsion-free. If F is a field of positive characteristic p, then the group N of translations has exponent p. Thus Aff(V) has two rather different abelian regular subgroups here.
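As an added worked example (constructed here, not code from the talk or its authors), the circle group on the finite truncation V = tF[t]/(t^n) over F = GF(p), which stands in for the infinite ring tF[[t]] of the slide above and for the finite-vector-space statement of the preceding "An application" slide. Elements are coefficient tuples with the constant term forced to 0. The code checks that (V, ◦) with x ◦ y = x + y + xy is an abelian group acting regularly on V by y ↦ y ◦ x, that the elements of T which act as translations are exactly the annihilator U = { x : x·y = 0 for all y }, and that the ◦-order of t grows without bound as n grows while the additive order of t stays p. In every finite truncation U is nontrivial (t^{n-1} annihilates the ideal), so N ∩ T ≠ {1}, as the finite case requires; only in the domain F[[t]] does U collapse to {0}. The names `circle`, `annihilator`, `circle_order` and the parameters p, n are this example's own.

```python
"""Constructed example: the circle group (V, o) on V = t*F[t]/(t^n), F = GF(p).
An element is a tuple (a_0, ..., a_{n-1}) of coefficients of t^0..t^{n-1},
with a_0 = 0 because V is the ideal generated by t."""
from itertools import product


def zero(n):
    return (0,) * n


def add(x, y, p):
    return tuple((a + b) % p for a, b in zip(x, y))


def mul(x, y, p):
    # product in F[t] truncated modulo t^n, where n = len(x)
    n = len(x)
    out = [0] * n
    for i, a in enumerate(x):
        if a:
            for j, b in enumerate(y):
                if b and i + j < n:
                    out[i + j] = (out[i + j] + a * b) % p
    return tuple(out)


def circle(x, y, p):
    # the group operation of T:  x o y = x + y + xy
    return add(add(x, y, p), mul(x, y, p), p)


def elements(p, n):
    # all p^(n-1) elements of V
    return [(0,) + c for c in product(range(p), repeat=n - 1)]


def circle_inverse(x, p):
    # from (1+x)(1+x') = 1:  x' = -x + x^2 - x^3 + ...  (finite sum, x is nilpotent)
    n = len(x)
    acc, power, sign = zero(n), x, -1
    for _ in range(1, n):
        acc = add(acc, tuple((sign * a) % p for a in power), p)
        power = mul(power, x, p)
        sign = -sign
    return acc


def is_abelian_group(p, n):
    # identity, inverses, commutativity and associativity of o, by brute force
    V, z = elements(p, n), zero(n)
    for x in V:
        if circle(x, z, p) != x or circle(x, circle_inverse(x, p), p) != z:
            return False
        for y in V:
            if circle(x, y, p) != circle(y, x, p):
                return False
            for w in V:
                if circle(circle(x, y, p), w, p) != circle(x, circle(y, w, p), p):
                    return False
    return True


def acts_regularly(p, n):
    # y -> y o x is regular: for fixed y0 the images over all x exhaust V once
    V = elements(p, n)
    return all(sorted(circle(y0, x, p) for x in V) == sorted(V) for y0 in V)


def annihilator(p, n):
    # U = { x in V : x*y = 0 for all y in V }
    V, z = elements(p, n), zero(n)
    return {x for x in V if all(mul(x, y, p) == z for y in V)}


def translations_in_T(p, n):
    # elements of T whose action y -> y o x coincides with the translation y -> y + x
    V = elements(p, n)
    return {x for x in V if all(circle(y, x, p) == add(y, x, p) for y in V)}


def circle_order(x, p):
    # order of x in (V, o); compare with its additive order, which is p
    z = zero(len(x))
    if x == z:
        return 1
    acc, k = x, 1
    while acc != z:
        acc, k = circle(acc, x, p), k + 1
    return k


def t_element(n):
    # the generator t of the ideal
    return (0, 1) + (0,) * (n - 2)


if __name__ == "__main__":
    p, n = 2, 4
    print("abelian group:", is_abelian_group(p, n), "regular:", acts_regularly(p, n))
    print("U = N ∩ T:", annihilator(p, n) == translations_in_T(p, n), annihilator(p, n))
    print("o-order of t for n=4,5,9:", [circle_order(t_element(m), p) for m in (4, 5, 9)])
```

Reading the output: the annihilator is always {0, c·t^{n-1}}, so in the truncation the two regular subgroups N and T meet in a subgroup of order p; the ◦-order of t is the smallest power of p that is at least n, so it is unbounded in n even though every translation has order p, which is the finite shadow of "T is torsion-free while N has exponent p".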