Math-Net.Ru All Russian mathematical portal

Size: px

Start display at page:

Download "Math-Net.Ru All Russian mathematical portal"

Brandon Nelson
5 years ago
Views:

1 Math-Net.Ru A Russian mathematica porta G. P. Agibaov, Substitution bock ciphers with functiona keys, Prik. Diskr. Mat., 2017, Number 38, DOI: Use of the a-russian mathematica porta Math-Net.Ru impies that you have read and agreed to these terms of use Downoad detais: IP: September 2, 2018, 02:14:03

2 ПРИКЛАДНАЯ ДИСКРЕТНАЯ МАТЕМАТИКА 2017 Математические методы криптографии 38 МАТЕМАТИЧЕСКИЕ МЕТОДЫ КРИПТОГРАФИИ UDC DOI / /38/4 SUBSTITUTION BLOCK CIPHERS WITH FUNCTIONAL KEYS 1 G. P. Agibaov Nationa Research Tomsk State University, Tomsk, Russia We define a substitution bock cipher C with the paintext and ciphertext bocks in F n 2 and with the keyspace K s 0,n(g) that is the set {f(x) : f(x) = π 2 (g σ 2 ))); σ 1, σ 2 F n 2 ; π 1, π 2 S n }, where s 0 is an integer, 1 s 0 n; g : F n 2 Fn 2 is a bijective vector function g(x) = g 1 (x)g 2 (x)... g n (x) such that every its coordinate function g i (x) essentiay depends on some s i s 0 variabes in the string x = x 1 x 2... x n ; S n is the set of a permutations of the row ( n); π i and σ i are the permutation and negation operations, that is, (π = (i 1 i 2... i n )) (π(a 1 a 2... a n ) = a i1 a i2... a in ), (σ = b 1 b 2... b n ) ((a 1 a 2... a n ) σ = a b 1 1 a b a bn n ) and, for a and b in F 2, a b = a if b = 1 and a b = a if b = 0. Like g, any key f in K s0,n(g) is a bijection on F n 2, f(x) = f 1 (x)f 2 (x)... f n (x), and every its coordinate function f i (x) essentiay depends on not more than s 0 variabes in x. The encryption of a paintext bock x and the decryption of a ciphertext bock y on the key f are defined in C as foows: y = f(x) and x = f 1 (y). Here, we suggest a known paintext attack on C with the threat of discovering the key f that was used. Let P 1, P 2,..., P m be some bocks of a paintext, C 1, C 2,..., C m be the corresponding bocks of a ciphertext, i.e., C = f(p ) for = 1, 2,..., m, and P = P 1 P 2... P n, C = C 1 C 2... C n. The object is to determine the coordinate function f i (x) of f for each i {1, 2,..., n}. The suggested attack consists of two steps, namey we first determine the essentia variabes x i1,..., x is of f i (x) and then compute a Booean function h(x i1,..., x is ) such that h(a i1,..., a is ) = f i (a 1,..., a n ) for a n-tupes (a 1 a 2... a n ) F n 2. For determining the essentia variabes of f i, we construct a Booean matrix inf D(f i ) with the set of rows inf D(f i ), where D(f i ) = {P P j : C i C ji ;, j = 1, 2,..., m}, C i = f i (P ), = 1,..., m, i = 1,..., n, and inf D(f i ) is the subset of a the minima vectors in D(f i ). Then the numbers of essentia variabes for f i are the numbers of coumns in the intersection of a covers of inf D(f i ) with the cardinaities not more than s 0, where a cover of a Booean matrix M is defined as a subset C of its coumns such that each row in M has 1 in a coumn in C. For computing h(x i1,..., x is ), we first set h(p i1,..., P is ) = C i for = 1,..., m and then, if h i is not yet competey determined on F s 2, we increase the number m of known bocks (P i, C i ) of pain- and ciphertexts or extend h i on F s 2 in such a way that the vector function h = h 1h 2... h n with the competey defined coordinate functions is a bijection on F n 2. We aso describe some specia known paintext attacks on substitution bock ciphers with keyspaces being subsets of K s0,n(g). Keywords: substitution ciphers, bock ciphers, functiona keys, cryptanaysis, known paintext attack, Booean functions, essentia variabes, bijective functions. 1 The author was supported by the RFBR-grant no

3 58 G. P. Agibaov 1. Introduction In cryptography, the cryptosystems with the functiona keys are widey used as cryptographic primitives incuding key-stream generators, s-boxes, cryptofiters, cryptocombiners, key hash functions as we as the symmetric and pubic-key ciphers, digita signature schemes. For the author, the research, incuding the definition, characterisation and cryptanaysis of such cryptosystems had beginnings at the 1960-th years. First object of this research was the key-stream generator based on a finite autonomous automaton (state machine) with the output function depending on a bounded number of coordinates of the automaton state and being the key of the generator and of the corresponding stream cipher [1, 2]. Later, two sets of symmetric iterative bock ciphers with the functiona keys were proposed [3]. They were constructed according to the known cryptographic schemes originay suggested by H. Feiste and impemented in the ciphers LUCIFER and DES and, therefore, were named after Lucifer and Feiste respectivey. At the ast years, our research in this area was reated to definitions and cryptanaysis and synthesis methods for some other kinds of cryptagorithms with functiona keys incuding watermarking ciphers [4], finite automata cryptographic generators with two-vaued controed steps [5], and cryptautomata [6] where a cryptautomaton is described by a set C of automata networks and a set K of keys such that the choosing a key in K determines a network in C as a specific cryptographic agorithm. In the case, when the key contains transition and (or) output functions of some components in networks in C, we have a cryptosystem with the functiona keys. In this paper, we describe another cass of cryptosystems with functiona keys, namey that named in the tite. 2. Definition Here is a genera forma mathematica definition of the ciphers under consideration. Let C be a symmetric cipher and C = (X, Y, K, E, D), where X, Y, and K are the sets of paintexts, ciphertexts and keys respectivey and E and D are, respectivey, the encryption and decryption agorithms, E : X K Y, D : Y K X and E(x, k) = y D(y, k) = x for any x X, y Y, and k K. Suppose X = Y = F n 2, K B n, B is a cass of Booean functions having some bounded both computationa and capacity compexities and depending on not more than n variabes such that the mapping f : F n 2 F n 2, defined for x X and f 1 f 2... f n K as f(x) = f 1 (x)f 2 (x)... f n (x), is a bijection. In this case, the cipher C is said to be a substitution bock cipher with functiona keys, or, shorty, a funkeysubcipher. For each bock x = x 1 x 2... x n X, for each key k = f 1 f 2... f n K, and for each ciphertext y Y in it, we have E(x, k) = f(x) and D(y, k) = f 1 (y). Further, these equaities are caed the invertibiity condition of C. Note that in this definition, the bounded compexity of a function means the existence of its practica specification and computation. As usuay, there are two genera probems in the funkeysubcipher theory synthesis and anaysis. The second probem is very typica of bock ciphers and its soving ways significanty depend on the way the first probem is soved. According to the definition above, the first probem consists in generating a proper key space K, namey which is over a set B of Booean functions of a bounded compexity, satisfies the invertibiity conditions, and is great enough to withstand exhaustive search attacks. A method for soving this probem is described in the foowing section.

4 Substitution bock ciphers with functiona keys Synthesis method Let IS n denote the set of a invertibe systems each consisting of n functions in B. Further, we aso consider the systems in IS n as Booean bijective vector functions, that is, as substitutions on F n 2. To synthesize a funkeysubcipher C = (F n 2, K, F n 2, E, D), where K IS n, we need generating the vector functions in IS n as keys in K. Without knowing how to generate a of them, we propose here to generate keys in K as some members of IS n which can be obtained by inverse and permutation operations over bits on inputs and outputs of a chosen or given function in IS n. For this purpose, we, first, introduce some auxiiary notations reated to the permutation and inverse operations and, then, define some subsets of functions in B n. Let S n be the set of a the permutations of numbers 1, 2,..., n, namey S n = = {i 1 i 2... i n : i j {1, 2,..., n}; j k i j i k ; j, k {1, 2,..., n}}. For any permutation π = i 1 i 2... i n S n and any vector v = v 1 v 2... v n, et π(v j ) = v ij, j = 1, 2,..., n, and π(v) = π(v 1 )π(v 2 )... π(v n ) = v i1 v i2... v in. Aso, if v 1, v 2,..., v n are Booean vaues (variabes or constants) and σ = b 1 b 2... b n F n 2, then et v σ = v b 1 1 v b vn bn, where, for any Booean vaues a and b, a b = a if b = 0 and a b = a if b = 1. We say that π(v) and v σ are obtained by, respectivey, permutation and inverse operations π and σ over v. In cases when π = n or σ = , that is, the operations π or σ are identity ones, we write π = 1 or σ = 1 respectivey. Taking any g(x 1, x 2,..., x n ) in IS n, σ 1, σ 2 in F n 2, and π 1, π 2 in S n, we then can define a vector function f : F n 2 F n 2 as f(x) = π 2 (g σ 2 ))), x = x 1 x 2... x n. Particuary, g(x) can be the identica function, that is, for each i in {1, 2,..., n} its coordinate function g i (x) can be equa to x i. In any case, the tabe of the function f(x) is obtained from the tabe of the function g(x) by substituting coumns corresponding to some variabes for inverses (in σ 1 ), transposing (according to π 1 ) coumns corresponding to some variabes, substituting coumns corresponding to some coordinate functions of g(x) for inverses (in σ 2 ), and transposing (according to π 2 ) coumns corresponding to some coordinate functions of the function g(x). In other words, f(x) is computed from the function g(x) by the inversion and transposition of some its inputs and outputs and, ike g, is of a bounded compexity and satisfies the invertibiity condition. Therefore, f(x) IS n. Define K n (g) = {π 2 (g σ 2 ))) : σ 1, σ 2 F n 2, π 1, π 2 S n }. Thus, we get that K n (g) IS n and K n (g) (2 n n!) 2. Any subset K K n (g) of an exponentia cardinaity can be taken as a synthesis resut the key space of a funkeysubcipher C. The foowing subsets of K n (g) are possibe candidates for paying this roe: K n (g, 1) = {g(x σ 1 ) : σ 1 F n 2}, K n (g, 1) 2 n ; K n (g, 2) = {g(π 1 (x)) : π 1 S n }, K n (g, 2) n!; K n (g, 3) = {g )) : σ 1 F n 2, π 1 S n }, K n (g, 3) 2 n n!; K n (g, 4) = {g σ 2 (x) : σ 2 F n 2}, K n (g, 4) 2 n ; K n (g, 5) = {g σ 2 (x σ 1 ) : σ 1, σ 2 F n 2}, K n (g, 5) 2 2n ; K n (g, 6) = {g σ 2 (π 1 (x)) : σ 2 F n 2, π 1 S n }, K n (g, 6) 2 n n!; K n (g, 7) = {g σ 2 )) : σ 1, σ 2 F n 2, π 1 S n }, K n (g, 7) 2 2n n!; K n (g, 8) = {π 2 (g(x)) : π 2 S n }, K n (g, 8) n!; K n (g, 9) = {π 2 (g(x σ 1 )) : σ 1 F n 2, π 2 S n }, K n (g, 9) 2 n n!; K n (g, 10) = {π 2 (g(π 1 (x))) : π 2, π 1 S n }, K n (g, 10) (n!) 2 ;

5 60 G. P. Agibaov K n (g, 11) = {π 2 (g ))) : σ 1 F n 2, π 1, π 2 S n }, K n (g, 11) 2 n (n!) 2 ; K n (g, 12) = {π 2 (g σ 2 (x)) : σ 2 F n 2, π 2 S n }, K n (g, 12) 2 n n!; K n (g, 13) = {π 2 (g σ 2 (x σ 1 )) : σ 1, σ 2 F n 2, π 2 S n }, K n (g, 13) 2 2n n!; K n (g, 14) = {π 2 (g σ 2 (π 1 (x))) : σ 2 F n 2, π 1, π 2 S n }, K n (g, 14) 2 n (n!) 2 ; K n (g, 15) = K n (g). 4. Funkeysubciphers with key functions in a bounded number of essentia variabes Let s 0 and n be some integers, 1 s 0 n, and B s0,n be the set of a Booean functions f(x 1,..., x n ) essentiay depending on not more than s 0 variabes x 1,..., x n, that is, for any f : F n 2 F 2, f(x 1,..., x n ) B s0,n s s 0 i 1,..., i s {1,..., n} g : F s 2 F 2 (f(x 1,..., x n ) = g(x i1,..., x is )). The set of variabes x i1,..., x is satisfying this equation is said to be a sufficient subset of arguments for the function f. If U is a sufficient subset for f and, for any V U, V isn t a sufficient for f, then the variabes in U are said to be essentia arguments for f. For natura s s 0, et Bs,n be the set of a functions in B s0,n essentiay depending on exacty s variabes. It is cear that B s0,n = s 0 Bs,n. We suppose that the number s 0 is sma s=1 s 0 2 s 0 1 enough for accepting functions in B s0,n to be of a bounded compexity. Let IS s0,n denote the set of a bijective Booean vector functions each consisting of n coordinate functions in B s0,n. Baancedness of each coordinate function of a Booean vector function f is the necessary condition (( )( for bijectivity of f. So the cardinaity of IS s0,n n 2 s 0 )) n doesn t exceed the number N s0,n =, that is the number of a n-dimensiona vectors with coordinates being baanced Booean functions in s 0 variabes taken in a possibe ways from the set {x 1,..., x n }. A funkeysubcipher with key functions in a bounded number of essentia variabes is a funkeysubcipher C = (F n 2, K, F n 2, E, D), where K IS s0,n. To synthesize these ciphers, we need generating the key spaces K for them from vector functions in IS s0,n. Here, we propose to do this just in the same way as we have done above in the set IS n using the inverse and permutation operations. Namey, take a vector function g(x 1, x 2,..., x n ) in IS s0,n. Let g = (g 1,..., g n ). By the definition of IS s0,n, for every i {1,..., n}, there exists a natura s i s 0 such that g i Bs i,n, that is, g i essentiay depends on s i variabes. Define K s0,n(g) = {π 2 (g σ 2 ))) : σ 1, σ 2 F n 2, π 1, π 2 S n }, where x = x 1 x 2... x n. Thus, we get that K s0,n(g) IS s0,n and K s0,n(g) (2 n n!) 2. Moreover, for any function f = (f 1,..., f n ) K s0,n(g) and any i {1,..., n}, the number of essentia variabes of f i equas s j, the number of essentia variabes of g j where j = π2 1 (i). Any subset K K s0,n(g) of an exponentia cardinaity can be taken as the key space of the funkeysubcipher C with key functions in a bounded number of essentia variabes. In particuar, this roe can be successfuy payed by the subsets K s0,n(g, j) that are formay defined, just as K n (g, j), j = 1, 2,..., 15, have been done. For exampe, K s0,n(g, 7) = = {g σ 2 )) : σ 1, σ 2 F n 2, π 1 S n }, K s0,n(g, 7) 2 2n n!, and K s0,n(g, 15) = K s0,n(g). The ony difference is in the cass of the function g that, for K n (g, j), beongs to IS n and, for K s0,n(g, j), beongs to IS s0,n.

6 Substitution bock ciphers with functiona keys 61 To produce subsets K K s0,n(g) as key spaces for funkeysubciphers with key functions in a bounded number of essentia variabes, we need to have a capabiity to generate vector Booean functions g = (g 1... g n ) in I s0,n with various vaues of their parameters n, s 0, s 1,..., s n. Unfortunatey, we have no any exhaustive soution of this probem and can ony present now a pair of some restricted reevant methods. Let IS s,n denote the set of a bijective Booean vector functions each consisting of n coordinate functions in B s,n. The methods just mentioned construct functions from IS s,n. The first method is used in the case when s 3 and s n, i.e. n = st for some t N. It is proved in [7] that ISs,s for a s 3. So, we can construct t functions g (i) = g (i) 1... g s (i) ISs,s, i = 1,..., t. Then the function g(x 1,..., x n ) = = g (1) 1 (x 1,..., x s )... g s (1) (x 1,..., x s )g (2) 1 (x s+1,..., x 2s )... g s (2) (x s+1,..., x 2s )... g (t) 1 (x (t 1)s+1,..., x n )... g s (t) (x (t 1)s+1,..., x n ) beongs to ISs,n. The second method starts from g (1) (x 1,..., x s ) = g 1... g s ISs,s too. Then we construct the function g (2) (x 1,..., x s, x s+1 ) = g 1... g s h where h = x s+1 q(x 1,..., x s ) and q Bs 1,s. It is proved in [8] that g (2) ISs,s+1. Repeating this step, we successivey obtain the functions g (3) ISs,s+2 (using the functions h = x s+2 q(x 1,..., x s, x s+1 ) and q Bs 1,s+1),..., g (n+s 1) ISs,n. 5. Cryptanaysis 5.1. C r y p t a n a y s i s p r o b e m In this section, we consider the cryptanaysis probem for funkeysubciphers giving our attention to ciphers with key functions in bounded numbers of essentia variabes. Moreover, we confine the consideration to ciphers with key spaces K = K s0,n(g, j), where g is an arbitrary function in (B s0,n) n and j can be assigned any vaue from {1,..., 15}. However, for some parameter j vaues, the cryptanaysis methods proposed here actuay hod for ciphers with the wider key spaces, particuary with K = K n (g, j). We assume that the cryptanayst expoits a known paintext attack with the threat of tota break (secret key recovery). This means that he possesses some bocks P 1,..., P m of a paintext and corresponding bocks C 1,..., C m of a ciphertext and tries to determine the key that was used, that is, a function f(x) K = K s0,n(g, j) such that C = f(p ) for a {1,..., m}. According to Kerckhoff s principe, it is supposed that the cryptanayst knows the cipher C = (F n 2, K, F n 2, E, D) being used. Particuary, he knows the key space K = K s0,n(g, j) and its parameters g (B s0,n) n, n N, s 0 n, and j {1,..., 15}. The knowedge of the function g(x 1,..., x n ) yieds the knowedge of its inverse g 1, coordinate functions g 1,..., g n in B s0,n and the sets X 1,..., X n of their essentia variabes respectivey, X i X = {x 1,..., x n }, i = 1,..., n. On the base of this information, the cryptanayst has to determine the coordinate functions f 1,..., f n of a key function f(x 1,..., x n ) in K s0,n(g, j) which satisfies the equaities f(p ) = C for a {1,..., m}. Here, for each i {1,..., n}, the function f i beongs to B s0,n, its essentia variabes form a subset U i X, and U i = X i = s i if the permutation π 2 in the expression for K s0,n(g, j) is the identity one. For the cryptanayst, to determine the function f i means to determine the set U i of its essentia variabes and the vaue of f i for each combination of vaues of variabes in U i. Beow we first give a genera soution of the probem comprising the a fifteen partia cases of it and then present specific soutions for some of these cases.

7 62 G. P. Agibaov 5.2. G e n e r a c r y p t a n a y s i s m e t h o d The method concerns the funkeysubcipher C with the genera key space K = K s0,n(g) = = {π 2 (g σ 2 ))) : σ 1, σ 2 F n 2, π 1, π 2 S n } which incudes the partia key spaces K s0,n(g, j) for a j {1,..., 15}. Reca that we have a string of Booean variabes x = x 1 x 2... x n, a vector Booean function g(x) = g 1 (x)g 2 (x)... g n (x) with coordinate functions g 1,..., g n, where g i B s i,n for 1 s i s 0 and i = 1,..., n, the bocks of a pain text P 1,..., P m and the corresponding bocks of a ciphertext C 1,..., C m. Let k K and C = C 1 C 2... C n, = 1,..., m. Denote f(x) = f 1 (x)f 2 (x)... f n (x) = = π 2 (g σ 2 ))). Then f i B s0,n, k = f(x), C = f(p ), and C i = f i (P ), = 1,..., m and i = 1,..., n. Thus, the cryptanaysis probem is as foows: for every i {1,..., n} and given equaities C i = f i (P ), = 1,..., m, determine the function f i (x). The probem is divided into two subprobems: find out essentia variabes of the function f i and compute its vaues for a possibe vaues of these variabes. In connection with the first subprobem, we need to note that the number of essentia variabes of f i depends on whether the permutation π 2 in f(x) = π 2 (g σ 2 ))) is the identity one or not. If the answer is yes, then f i has the same number s i of essentia variabes as g i. Otherwise we can ony say that this number is ess or equa to max{s 1,..., s n } and doesn t exceed s 0. To sove the first subprobem, we now present some auxiiary resuts. Let f (x 1,..., x n ) be a, possiby, partia Booean function given by two subsets M 0 f Fn 2 and M 1 f Fn 2 so that α M b f f (α) = b, b F 2. We first define the foowing sets: D(f ) = {α β : α M 0 f, β M 1 f }, inf D(f ) = {δ : δ D(f ), δ D(f )(δ < δ)}, where for δ = d 1... d n and δ = d 1... d n in F n 2, δ < δ δ δ & t {1,..., n} (d t d t ). Particuary, in our case, D(f i ) = {P P j : C i C ji,, j = 1, 2,..., m}. We next construct the Booean matrix M = inf D(f ) with the set of rows that is equa to inf D(f ). The coumns in M with the numbers 1, 2,..., n are assigned to variabes x 1, x 2,..., x n respectivey. A subset J of them is said to be a cover of M if for each row in M, there is a coumn in J with the vaue 1 in this row. The cover J is minima if it doesn t contain as a subset another cover of M. At ast, we note that in [9] we have proved that a subset of variabes U = {x j1,..., x js } is sufficient for f iff the subset J of coumns in M with the numbers j 1,..., j s is a cover of M, and U is essentia for f iff J is a minima cover of M. Moreover, U is a unique subset of essentia variabes for f iff J is a unique cover of M ; in this case, each row in M is a unit vector e j (with a 1 in the j-th coordinate and 0 s esewhere) and U = {x j1,..., x js } if a the rows in M are e j1,..., e js. Aso, in [10], we have proved that a subset of variabes {x j1,..., x js } is a unique subset of essentia variabes for a function f in B s0,n iff a the covers of the matrix inf D(f ), the cardinaities of which don t exceed s 0, have a non-empty intersection consisting of coumns with the numbers j 1,..., j s. So, finding a unique subset of essentia variabes (if it exists) for the function f i in B s0,n and thus soving the first cryptanaysis subprobem is reduced to computing, for the

8 Substitution bock ciphers with functiona keys 63 matrix inf D(f i ), the intersection of a covers whose cardinaities are not more than s 0. The computationa compexity of this work is O(2 s 0 ). Under the known essentia variabes x i1,..., x isi of f i, any soution of the second cryptanaysis subprobem for i {1,..., n} can be obtained as f i (x) = h i (x i1,..., x isi ), where h i : F s i 2 F 2, the vector function h 1 (x 11,..., x 1s1 )h 2 (x 21,..., x 2s2 )... h n (x n1,..., x nsn ) is a bijection on F n 2, and, for a α = a 1 a 2... a n F n 2, if α = P and {1,..., m}, then h i (a i1,..., a isi ) = C i. In particuar, if for each i {1,..., n}, the set {x i1,..., x isi } is a unique subset of essentia variabes for f i and P = {P i1 P i2... P isi : = 1,..., m} = F s i 2, then the soution f(x) of the cryptanaysis probem for the cipher C is unique and, for i {1,..., n}, it has f i (x) = h i (x i1,..., x isi ), where h i (P i1 P i2... P isi ) = C i, {1,..., m}. In the case of P F s i 2, the foowing probem arises: given a partiay defined Booean function f (x 1,..., x n ) and a subset {i 1,..., i s } {1,..., n}, find (if exists) a competey defined Booean function h(x i1,..., x is ) such that h(a i1 a i2... a is ) = f (a 1 a 2... a n ) for each n-tupe (a 1 a 2... a n ) from the domain of f. This probem is a specia case of the known probem of competing a partia function in a functiona cass and isn t a subject of this research. For making references to the genera cryptanaysis method described here, we name it GCM. The core of GCM is the agorithm for finding, for a given partiay defined Booean function f (x 1,..., x n ) from B s0,n, such a function h(x i1,..., x is ) Bs,n that h(x i1,..., x is ) = f (x 1,..., x n ) on the domain of f. We denote this agorithm by B. As for the parameters of the cryptanaysis probem, namey g, σ 1, σ 2, π 1, π 2, GCM doesn t depend directy on them both in the contents and in a resut. This is not an accidenta fact, but it is because these parameters are not reay the key k of the cipher C, they ony form the expression π 2 (g σ 2 ))) to specify a bijective function f : F n F n which is in fact the key k of C and the resut of GCM execution over the given pairs (P i, C i ), i = 1,..., n S o m e p a r t i c u a r c r y p t a n a y s i s m e t h o d s Some particuar cryptanaysis methods for a cipher C under consideration can be obtained by appying GCM to ciphers C j with key spaces K s0,n(g, j) for j {1,..., 14}. We think of these methods as key space imitations of the genera method and denote by GCM j. For exampe, GCM 9 and GCM 14 are GCM for ciphers with key spaces K = K s0,n(g, 9) = {π 2 (g(x σ 1 )) : σ 1 F n 2, π 2 S n } and K = K s0,n(g, 14) = {π 2 (g σ 2 (π 1 (x))) : σ 2 F n 2, π 1, π 2 S n } respectivey. Now, we consider some other particuar cryptanaysis methods that are not exacty key space imitations of GCM, but give specia soutions to some ciphers C j with imited key spaces. Cases j = 1, 4, 5 Describing cryptanaysis methods in these cases, we imit our exposition to determination of the inverse operations for obtaining f from g. Let g 1 = (g1, g2,..., gn ), f 1 = (f1, f2,..., fn ), σ 1 = σ 11 σ σ 1n, σ 2 = = σ 21 σ σ 2n, P = P 1 P 2... P n, and C = C 1 C 2... C n, = 1, 2,..., m. In the case j = 1, where K = K s0,n(g, 1) = {g(x σ 1 ) : σ 1 F n 2}, the cryptanaysis probem is trivia because, for every {1,..., m}, C = g(p σ 1 ), P σ 1 = g 1 (C ), P σ 1i i = g i (C ), i {1,..., n}, and σ 1i is computed by using the Booean impication (a b = c) (b = 1 c = a),

9 64 G. P. Agibaov namey σ 1i = 1 g i (C ) = P i for a i {1, 2,..., n} and some (any) {1,..., m}, particuary for = 1. By the same reason, the probem is trivia in the case j = 4, where K = K s0,n(g, 4) = = {g σ 2 (x) : σ 2 F n 2}, because C = g σ 2 (P ), C σ 2 = g(p ) and σ 2 is computed by using the same impication: σ 2i = 1 g i (P ) = C i, i = 1, 2,..., n. In the case j = 5, where K = K s0,n(g, 5) = {g σ 2 (x σ 1 ) : σ 1, σ 2 F n 2}, we have C = = g σ 2 (P σ 1 ), C σ 2 = g(p σ 1 ), and P σ 1 = g 1 (C σ 2 ). For every pair (σ 2, ), where σ 2 F n 2 and = 1, 2,..., m, compute the vaue σ (σ 2,) 1 = σ (σ 2,) 11 σ (σ 2,) σ (σ 2,) 1n of the vector σ 1 in F 2 n by using the agorithm of the case j = 1, namey σ (σ 2,) 1i = 1 g i (C σ 2 ) = P i, i = 1,..., m. The resut of the cryptanaysis is a pair (σ 1, σ 2 ) satisfying the equaity σ 1 = σ (σ 2,) 1 for a {1,..., m}. Note that this answer is not sure to be unique. The computationa compexity of the agorithm is O(2 n ). Note that the attacks described in these cases successfuy work on ciphers with K = = K n (g, j) for j = 1, 4, 5 respectivey and g IS n. Case j = 7 In this case, K = K s0,n(g, 7) = {g σ 2 )) : σ 1, σ 2 F n 2, π 1 S n } and the cipher under consideration is C 7 that is the partia case of C, where π 2 = 1. Besides, the ciphers C j for a j {1,..., 6} are partia cases of C 7, and the cryptanaysis probem for them can be soved by any method soving this probem for C 7. The method presented here is an ampification of GCM, namey, instead of method B, a method A is used, which takes into attention the condition π 2 = 1, yieding the fact that a function f i (x) to be found has the same number s i of essentia variabes as the known function g i. So, finding essentia variabes for f i is reduced in A to finding, for the matrix inf D(f i ), a minima cover of the( given ) n cardinaity s i. The computationa compexity of the ast probem doesn t exceed. In other detais, the cryptanaysis method for C 7 coincides with GCM. Some program impementations of agorithms A and B and the resuts of their thorough testing on computers have been presented in [2]. REFERENCES 1. Agibaov G. P. and Levashnikov A. A. Statisticheskoe issedovanie zadachi opoznaniya buevykh funktsiy odnogo kassa [Statistica study of the identifying probem for a cass of Booean functions]. Proc. ASDA Conf., Novosibirsk, 1966, pp (in Russian) 2. Agibaov G. P. and Sungurova O. G. Kriptoanaiz konechno-avtomatnogo generatora kyuchevogo potoka s funktsiey vykhodov v kachestve kyucha [Cryptanaysis of a finite-state keystream generator with an output function as a key]. Vestnik TSU. Priozhenie, 2006, no. 17, pp (in Russian) 3. Agibaov G. P. SIBCiphers simmetrichnye iterativnye bochnye shifry iz buevykh funktsiy s kyuchevymi argumentami [SIBCiphers symmetric iterative bock ciphers composed of Booean functions depending on sma number of variabes]. Prikadnaya Diskretnaya Matematika. Priozhenie, 2014, no. 7, pp (in Russian) 4. Agibaov G. P. Watermarking ciphers. Prikadnaya Diskretnaya Matematika, 2016, no. 1(31), pp Agibaov G. P. and Pankratova I. A. O dvukhkaskadnykh konechno-avtomatnykh kriptograficheskikh generatorakh i metodakh ikh kriptoanaiza [About 2-cascade finite s i

10 Substitution bock ciphers with functiona keys 65 automata cryptographic generators and their cryptanaysis]. Prikadnaya Diskretnaya Matematika, 2017, no. 35, pp (in Russian) 6. Agibaov G. P. Kriptoavtomaty s funktsiona nymi kyuchami [Cryptautomata with functiona keys]. Prikadnaya Diskretnaya Matematika, 2017, no. 36, pp (in Russian) 7. Pankratova I. A. Construction of invertibe vectoria Booean functions with coordinates depending on given number of variabes. Proc. CSIST 2016, Minsk, BSU Pub., 2016, pp Pankratova I. A. Ob obratimosti vektornykh buevykh funktsiy [On the invertibiity of vector Booean functions]. Prikadnaya Diskretnaya Matematika. Priozhenie, 2015, no. 8, pp (in Russian) 9. Agibaov G. P. Minimizatsiya chisa argumentov buevykh funktsiy [Number minimization for variabes a partia Booean function depends on]. Probemy Sinteza Tsifrovykh Avtomatov, Moscow, Nauka Pub., 1967, pp (in Russian) 10. Agibaov G. P. O nekotorykh doopredeeniyakh chastichnoy buevoy funktsii [Some competions of partia Booean function]. Trudy SPhTI, 1970, iss. 49, pp (in Russian)

Math-Net.Ru All Russian mathematical portal

Math-Net.Ru All Russian mathematical portal G. P. Agibalov, I. A. Pankratova, Asymmetric cryptosystems on Boolean functions, Prikl. Diskr. Mat., 2018, Number 40, 23 33 DOI: https://doi.org/10.17223/20710410/40/3