Random Permutations: An Analysis of Periodic Block Ciphers

Random Permutations in Cryptanalysis:An Analysis of Periodic Block Ciphers

Shaun Van Ault

[email protected] Valdosta State University

April 4, 2013. Pi Mu Epsilon Induction Ceremony

Shaun Van Ault (Valdosta State University) Random Permutations 1 / 15

Periodic Block Ciphers and Permutations

What is a Periodic Block Cipher?

A message (plaintext ) needs to be sent to another party so thatno third party can easily read the message. The message is firstencoded by a certain algorithm (cipher ). The encrypted messageis now ciphertext that may be transmitted openly.

The receiver gets the ciphertext along with other information suchas a key . Without the key it should be extremely difficult and/ortime-consuming to decrypt the message.

A cipher that encodes small blocks of text of fixed size by iteratinga certain algorithm some number of times is called a periodicblock cipher .

Examples: KeeLoq, 3-DES, AES-256.

Encoding Text using a Permutation

Suppose we want to encode the phrase:

“The quick brown fox jumps over the lazy dog.”

We may break into blocks of 4 characters each.

|The |quic|k br|own |fox |jump|s ov|er t|he l|azy |dog.|

Then permute each block of 4 letters...

|eT h|iqcu|bkr |no w|xf o|mjpu|osv | etr| hle|ya z|gd.o|

...to produce a coded message:

“eT hiqcubkr no wxf omjpuosv etr hleya zgd.o”

Did you notice the permutation was the same in each of theblocks?

q u i c

i q c u

As a permutation σ of the set of positions, {1, 2, 3, 4}:

x 1 2 3 4σ(x) 2 4 1 3

The permutation σ is the key needed to encrypt and decrypt themessage. The key is chosen once, at random.

q u i c

i q c u

x 1 2 3 4σ(x) 2 4 1 3

q u i c

i q c u

x 1 2 3 4σ(x) 2 4 1 3

Iterating the Permutation

Since the permutation σ somehow “mixes up” the message,perhaps more mixing will help make the message harder to crack?

σ : “eT hiqcubkr no wxf omjpuosv etr hleya zgd.o”

σ2 : “ ehTciuqrb k nwo xofpmujvo st rel eh yza.god”

σ3 : “h Teucqi rkbw ono fxupjm vsorte elh z ayo.dg”

σ4 : “The quick brown fox jumps over the lazy dog.”

But after 4 iterations of the encryption algorithm, the originalmessage is revealed!

Exercise: Using blocks of size 5, pick a permutation and encodethe message.

Cycles and Fixed Points

Let Sn be the set of all permutations of the set {1, 2, . . . , n}.

Any σ ∈ Sn can be represented in disjoint cycle notation,σ = γ1γ2 · · · γk .

A “1-cycle” is called a fixed point .

Both the number and the cycle-lengths of the components γi aredetermined uniquely by σ (up to rearrangement of γi ).

Example:

x 1 2 3 4 5 6σ(x) 4 5 3 1 6 2

σ = γ1γ2γ3 = (1, 4)(2, 5, 6)(3).

Example:

x 1 2 3 4 5 6σ(x) 4 5 3 1 6 2

σ = γ1γ2γ3 = (1, 4)(2, 5, 6)(3).

Example:

x 1 2 3 4 5 6σ(x) 4 5 3 1 6 2

σ = γ1γ2γ3 = (1, 4)(2, 5, 6)(3).

Example:

x 1 2 3 4 5 6σ(x) 4 5 3 1 6 2

σ = γ1γ2γ3 = (1, 4)(2, 5, 6)(3).

Example:

x 1 2 3 4 5 6σ(x) 4 5 3 1 6 2

σ = γ1γ2γ3 = (1, 4)(2, 5, 6)(3).

A Little Group Theory

Sn is a group under composition of permutations. The identity ofSn may be written id, or (1)(2) · · · (n) which expresses the fact thatevery point is fixed by the identity.

A permutation of the form σ = (n1, n2, . . . , nr ) is called a cycle .

Example: (1, 2, 4, 3) is a cycle.

x 1 2 3 4σ(x) 2 4 1 3

To decrypt a message whose key is σ, apply the cipher with theinverse σ−1.

Example: If the key is σ = (1, 2, 4, 3), then use σ−1 = (1, 3, 4, 2) todecrypt.

Exercise: Decrypt your 5-block ciphertext using the inverse of yourchosen permutation.

x 1 2 3 4σ(x) 2 4 1 3

If σ = (n1, n2, . . . , nr ) is a cycle, then σr is the identity.

If σ = γ1γ2 · · · γk in disjoint cycle notation, and each γi is a cycle oforder ni , then

σL = id, where L = LCM(n1, n2, . . . , nr )

Moreover, L is the smallest positive number for which this is true.We say the order of σ is L.

Exercise: What is the order of the following permutation?

σ = (1, 5, 13)(2, 12, 9, 3)(4, 7, 6, 10, 11, 8)

A Little Number Theory

We will be interested in counting fixed points of σp forrandomly-chosen permutations σ and various numbers p.

Suppose γ is a cycle of length n ≥ 2

If 1 ≤ p < n, then γp has no fixed points, but γn has n fixed points.Moreover, if p is any multiple of n, then γp has n fixed points.

If σ = γ1γ2 · · · γk , and each γi is a cycle of order ni , then σp has ni

fixed points for each ni that is a divisor of p.

Using the notation n|p (n divides p):

Number of Fixed points of σp =∑

i:ni |p

Let τ(p) = number of positive divisors of p.

Examples: Since 6 has four divisors 1, 2, 3, 6, τ(6) = 4. Since 7 isprime, τ(7) = 2.

Exercise: What are τ(24) and τ(25)?

Graph of τ(x)

A Little Probability Theory

Recall, the expected value of a random variable is the weightedaverage of all possible values the variable can take.

Theorem

The expected number of fixed points of σp, as σ ∈ Sn is chosen atrandom, is asymptotically∗ equal to τ(p).(∗as n → ∞).

Proof.

A generalization of this result is stated and proved inBard-Ault-Courtois (2012), using techniques of Analytic Combinatorics[see Flagolet-Sedgewick (2009)].

Theorem

Proof.

Theorem

Proof.

A Key Recovery Attack

Cracking the Key

Suppose a message has been encrypted using arandomly-chosen permutation σ applied some unknown numberof times (equivalently, σp for some p ∈ N).

To be extra certain that the message has been mixed-up enough,Alice iterates the cipher 1, 081, 079 times.

Bob has the same key σ, but decides to iterate it 1, 081, 080 times.

Is Alice’s or Bob’s message more secure?