permutation groups generated by round functions of symmetric
Groups generated by round functions
Caranti, Dalla Volta, Sala & Villani
Motivation: Is DES a group?; Trapdoors via imprimitivity
Groups at work: Imprimitivity; Inversion; Hua and AES
Primitivity: O’Nan-Scott; Radical Rings
Permutation groups generated by round functions of symmetric cryptosystems

A. Caranti¹, F. Dalla Volta², M. Sala³,¹, F. Villani

¹ Dipartimento di Matematica, Università degli Studi di Trento
² Dipartimento di Matematica e Applicazioni, Università degli Studi di Milano Bicocca
³ Boole Centre, University College Cork

Nottingham, 16 May 2007
Outline

1 Motivation
  • Is DES a group?
  • Trapdoors via imprimitivity
2 Group theory at work
  • Imprimitivity of groups generated by round functions
  • Inverse-closed subsets of (finite) fields
  • Hua and AES
3 Primitive Groups
  • O’Nan-Scott
  • Abelian regular subgroups and radical rings
Keys and transformations

A secrecy system is defined abstractly as a set of transformations of one space (the set of possible messages) into a second space (the set of possible cryptograms). Each particular transformation of the set corresponds to enciphering with a particular key. The transformations are supposed reversible (non-singular) so that unique deciphering is possible when the key is known.

C. E. Shannon, Communication theory of secrecy systems. Bell System Tech. J. 28 (1949), 656–715.

In the One-Time Pad, given a key $a$, the corresponding transformation is the translation $v \mapsto v + a$, where $v \in V(d, 2)$ is a message.
Claude E. Shannon (1916–2001)
Is DES a group?

B. S. Kaliski, Jr, R. L. Rivest, Alan T. Sherman, Is the Data Encryption Standard a group? (Results of cycling experiments on DES). J. Cryptology 1, no. 1 (1988), 3–36.

• Let $T_a$ be a DES transformation, corresponding to the key $a$. The $T_a$ are permutations of the message space, that is, elements of $\mathrm{Sym}(2^d)$.
• Suppose $\{T_a : a\}$ is a group, that is, for all keys $a, b$ there is a key $c$ such that $T_a T_b = T_c$. Then Triple DES would make no sense, and DES would be exposed to a meet-in-the-middle attack. (Birthday paradox.)
• They perform experiments that suggest that DES is not a group.
Further work on DES

K. W. Campbell and M. J. Wiener, DES is not a group. Crypto ’92, LNCS 740, Springer, 1993, 512–520.

Ralph Wernsdorf, The one-round functions of the DES generate the alternating group. Eurocrypt ’92, LNCS 658, Springer, 1993, 99–112.

• Considers the transformations $R_a$ induced by the round functions of DES. These are even permutations.
• Not only are they not a group, but they generate the largest possible group $\mathrm{Alt}(n)$, of order $n!/2$: $\{R_{a_1} R_{a_2} \cdots R_{a_k}\} = \mathrm{Alt}(n)$.
• Since $\mathrm{Alt}(n)$ is a simple group, it is also generated by the full DES transformations with independent subkeys.
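The closure question from "Is DES a group?" and the generated-group question from "Further work on DES", worked on a 3-bit message space as an added example that is not part of the original slides. The toy key-add-then-invert map, the GF(8) modulus $t^3 + t + 1$ and all function names are assumptions of this example.

```python
# Added example (not from the slides): closure test and generated-group order
# for two toy ciphers on V(3, 2), with messages encoded as integers 0..7.
from itertools import product

N = 8

def gf8_mul(x, y):
    """Multiply in GF(8) = GF(2)[t]/(t^3 + t + 1) (modulus is an assumption)."""
    r = 0
    for _ in range(3):
        if y & 1:
            r ^= x
        y >>= 1
        x <<= 1
        if x & 0b1000:
            x ^= 0b1011
    return r

def gf8_inv(x):
    """Patched inversion x -> x^6: equals 1/x for x != 0 and sends 0 to 0."""
    r = 1
    for _ in range(6):
        r = gf8_mul(r, x)
    return r

def otp_cipher(a):
    """One-Time Pad on 3 bits: the translation v -> v + a."""
    return tuple(v ^ a for v in range(N))

def inv_cipher(a):
    """Hypothetical toy round: add the key, then invert in GF(8)."""
    return tuple(gf8_inv(v ^ a) for v in range(N))

def compose(f, g):
    """Return the permutation v -> f(g(v))."""
    return tuple(f[g[v]] for v in range(N))

def collapse_key(cipher, a, b):
    """Return c with T_a T_b = T_c, or None if no single key does it."""
    target = compose(cipher(a), cipher(b))
    for c in range(N):
        if cipher(c) == target:
            return c
    return None

def is_group(cipher):
    """True if {T_a} is closed under composition (a finite closed set is a group)."""
    return all(collapse_key(cipher, a, b) is not None
               for a, b in product(range(N), repeat=2))

def is_even(perm):
    """Parity from the cycle type: a cycle of length L is L - 1 transpositions."""
    seen, transpositions = set(), 0
    for start in range(N):
        v, length = start, 0
        while v not in seen:
            seen.add(v)
            v = perm[v]
            length += 1
        if length:
            transpositions += length - 1
    return transpositions % 2 == 0

def generated_group_order(cipher):
    """Order of the group generated by all T_a, by breadth-first closure."""
    gens = [cipher(a) for a in range(N)]
    identity = tuple(range(N))
    seen, frontier = {identity}, [identity]
    while frontier:
        nxt = []
        for g in frontier:
            for s in gens:
                h = compose(s, g)
                if h not in seen:
                    seen.add(h)
                    nxt.append(h)
        frontier = nxt
    return len(seen)

if __name__ == "__main__":
    for name, cipher in (("one-time pad", otp_cipher), ("key-add + inversion", inv_cipher)):
        print(name, "closed:", is_group(cipher),
              "generated order:", generated_group_order(cipher))
```

The translations form a group of order 8, so double encryption collapses to a single key. The toy inversion maps are odd permutations, so here the generated group is all of Sym(8) rather than Alt(8) as for the DES round functions.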
AES

Ralph Wernsdorf, The round functions of RIJNDAEL generate the alternating group. FSE ’02, LNCS 2365, Springer, 2002, 143–148.

• Ditto for AES.
• Wernsdorf’s proof requires some (computer) calculations. He has a recent approach which is more conceptual.
• We tried another such approach suggested by...
Paterson’s imprimitivity trapdoor

Kenneth G. Paterson, Imprimitive Permutation Groups and Trapdoors in Iterated Block Ciphers. FSE ’99, LNCS 1636, Springer, 1999, 201–214.

• Paterson builds a DES-like cryptosystem in which the group generated by the round functions is imprimitive.
• The (not immediately apparent) imprimitivity system acts as a trapdoor.
Imprimitivity and trapdoors

• You have a ciphertext $c$, and you are looking for a plaintext $p$ such that $c = T_a(p)$.
• Here $a$ is the unknown key, and $T_a$ the known corresponding transformation of the cryptosystem.
• The message space $V \ni p, c$ is of size $n$, which is assumed to be too big to allow for an exhaustive search.
• Suppose you know that the group spanned by all $T_b$ has an imprimitivity system $V_1, \dots, V_m$, where $m \approx \sqrt{n} \approx |V_i|$.
• Then a search over $m \approx \sqrt{n}$ gives us $V_i$ such that $c \in T_a(V_i)$. We could have calculated in advance a set of representatives of the $V_i$. We need a fast membership test for the $V_i$.
• Then we find $p$ through another search over $V_i$, again of size $\approx \sqrt{n}$. So we search $2\sqrt{n}$ elements instead of $n$.
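The search described above on a toy 8-bit cipher ($n = 256$, $m = 16$), as an added example that is not part of the original slides. The S-boxes, the disguising permutation `P` and all function names are constructed for illustration, and the unknown-key map $T_a$ is modelled as an encryption oracle.

```python
# Added example (not from the slides): a toy cipher whose round functions
# preserve a hidden block system, the check that detects it, and the
# two-stage search costing about 2*sqrt(n) oracle calls.
import random

N, M = 256, 16                      # n = 256 messages, m = 16 blocks of size 16
rng = random.Random(2007)           # fixed seed: every table below is constructed

def rand_perm(size):
    p = list(range(size))
    rng.shuffle(p)
    return p

SH, SL = rand_perm(16), rand_perm(16)   # 4-bit S-boxes (constructed)
P = rand_perm(N)                        # disguise that hides the block system
PINV = [0] * N
for i, v in enumerate(P):
    PINV[v] = i

def round_fn(x, subkey):
    """One round on (hi, lo) nibbles; the new hi depends only on hi and the key."""
    hi, lo = x >> 4, x & 15
    hi = SH[hi ^ (subkey >> 4)]
    lo = SL[lo ^ (subkey & 15) ^ hi]
    return (hi << 4) | lo

def encrypt(key, p, rounds=4):
    """T_a for a 32-bit key: the rounds conjugated by P, so blocks are not visible."""
    x = PINV[p]
    for r in range(rounds):
        x = round_fn(x, (key >> (8 * r)) & 0xFF)
    return P[x]

def block_id(v):
    """Fast membership test: index i of the block V_i that contains v."""
    return PINV[v] >> 4

def block_elements(i):
    """All elements of V_i; the first one serves as its representative."""
    return [P[(i << 4) | lo] for lo in range(16)]

def preserves_blocks(perm):
    """True if perm maps every block V_i into a single block."""
    return all(len({block_id(perm[v]) for v in block_elements(i)}) == 1
               for i in range(M))

def recover_plaintext(oracle, c):
    """Find p with oracle(p) == c; returns (p, number of oracle calls)."""
    calls = 0
    target = block_id(c)
    for i in range(M):                  # stage 1: which V_i has c in T_a(V_i)?
        calls += 1
        if block_id(oracle(block_elements(i)[0])) == target:
            break
    for p in block_elements(i):         # stage 2: search inside that V_i
        calls += 1
        if oracle(p) == c:
            return p, calls
    raise ValueError("oracle does not preserve the block system")

if __name__ == "__main__":
    key = 0x1A2B3C4D                    # constructed key, unknown to the search
    oracle = lambda x: encrypt(key, x)
    print(recover_plaintext(oracle, oracle(77)))
```

With $n = 256$ the search makes at most 32 oracle calls. `preserves_blocks` is the check a reviewer can run against a candidate partition when auditing a round function.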
Are imprimitivity systems always linear?
Paterson’s imprimitivity system consists of the cosets of a subspace U of the message space V = V(d, 2).
Membership testing is fast here (Gauss).
Paterson asks whether subtler trapdoors can be built, using imprimitivity systems that are not linear.
At the FSE conference where it was presented, Adi Shamir told me that he could break the scheme using a truncated differential attack [. . . ]
Imprimitivity systems in AES
• In an AES-like cryptosystem, the group contains the translations.
• Then there is a very simple answer to Paterson’s question here: an imprimitivity system consists indeed of the cosets of a subspace U of the message space V. I.e.
imprimitivity system = { v + U : v ∈ V },
where v + U = {v + u : u ∈ U}.
• It follows that for u ∈ U and v ∈ V one has
σ(v + u) + σ(v) ∈ U,
where σ is a round function.
• An instance of truncated differential cryptanalysis.
• This does not lead to an obvious weakness with respect to TDC, as there are many candidates for the subspace U. Is there the possibility of a trapdoor here?
No trapdoors in Rijndael
• There are no such trapdoors in AES/Rijndael.
• This depends on certain properties of the components of AES:
  • the mixing layer,
  • the S-boxes.
• In its basic version, AES operates on the vector space V = V(128, 2) of dimension 128 over the field F_2 with two elements.
• AES is byte-oriented:
V = V_1 ⊕ · · · ⊕ V_16,
where each V_i = V(8, 2).
• The mixing layer makes sure that no nontrivial sum of the V_i is sent to itself.
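A design check for the condition σ(v + u) + σ(v) ∈ U and for the mixing-layer property, as an added example that is not the authors' code. It assumes a constructed 8-bit toy cipher with two 4-bit bricks (not AES): the S-box is inversion in GF(16) modulo x^4 + x + 1, and both mixing layers and all function names are hypothetical. For each nonzero u it computes the smallest subspace containing u that satisfies the condition.

```python
# Added illustration, not code from the talk: search for a linear block system
# {v + U} preserved by the round function of a toy translation-based cipher.
# Key addition is XOR (a translation), which maps cosets of any subspace to
# cosets, so only the round function sigma has to be examined.

GF16_POLY = 0b10011                      # x^4 + x + 1 (toy field, assumption)


def gf16_mul(a, b):
    """Multiply two elements of GF(16) given as 4-bit integers."""
    r = 0
    for _ in range(4):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:
            a ^= GF16_POLY
    return r


def gf16_inv(a):
    """Inversion with 0 -> 0; for a != 0, a^14 = a^-1."""
    r = 1
    for _ in range(14):
        r = gf16_mul(r, a)
    return r if a else 0


SBOX = [gf16_inv(a) for a in range(16)]


def brick_layer(v):
    """Apply the S-box to each 4-bit brick in parallel."""
    return (SBOX[v >> 4] << 4) | SBOX[v & 0xF]


def mix_brick_local(v):
    """Weak linear layer: scales each brick but never mixes the two bricks."""
    return (gf16_mul(2, v >> 4) << 4) | gf16_mul(2, v & 0xF)


def mix_diffusing(v):
    """Linear layer [[1, 1], [1, 2]] over GF(16): each brick reaches both."""
    x, y = v >> 4, v & 0xF
    return ((x ^ y) << 4) | (x ^ gf16_mul(2, y))


SIGMA_WEAK = [mix_brick_local(brick_layer(v)) for v in range(256)]
SIGMA_STRONG = [mix_diffusing(brick_layer(v)) for v in range(256)]


def reduce_mod(vec, basis):
    """Gaussian reduction over GF(2). basis maps a leading-bit position to the
    basis vector with that leading bit. Returns 0 iff vec is in span(basis)."""
    while vec:
        top = vec.bit_length() - 1
        if top not in basis:
            return vec
        vec ^= basis[top]
    return 0


def same_coset(x, y, basis):
    """x and y lie in the same block v + U iff x + y is in U."""
    return reduce_mod(x ^ y, basis) == 0


def invariant_closure(sigma, u, nbits=8):
    """Smallest subspace W containing u with sigma(v+w) + sigma(v) in W for all
    v and all w in W. Checking generators suffices: for w = w1 + w2 the
    difference telescopes through v + w1 into two differences already in W."""
    basis, todo = {u.bit_length() - 1: u}, [u]
    while todo and len(basis) < nbits:
        w = todo.pop()
        for v in range(1 << nbits):
            r = reduce_mod(sigma[v ^ w] ^ sigma[v], basis)
            if r:                         # new direction forced into W
                basis[r.bit_length() - 1] = r
                todo.append(r)
    return basis


def find_linear_block_system(sigma, nbits=8):
    """Return a basis of a proper nonzero invariant subspace U, or None."""
    for u in range(1, 1 << nbits):
        basis = invariant_closure(sigma, u, nbits)
        if len(basis) < nbits:
            return basis
    return None


if __name__ == "__main__":
    print("brick-local mixing:", find_linear_block_system(SIGMA_WEAK))
    print("diffusing mixing  :", find_linear_block_system(SIGMA_STRONG))
```

With the brick-local layer the search returns the low-nibble brick as U; with the diffusing layer every closure grows to the whole space, so this toy has no linear block system.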
![Page 68: Permutation groups generated by round functions of symmetric](https://reader031.vdocuments.us/reader031/viewer/2022020703/61fb25b52e268c58cd5ab4b3/html5/thumbnails/68.jpg)
Groupsgenerated by
roundfunctions
Caranti, DallaVolta, Sala &
Villani
MotivationIs DES a group?
Trapdoors viaimprimitivity
Groups atworkImprimitivity
Inversion
Hua and AES
PrimitivityO’Nan-Scott
Radical Rings
No trapdoors in Rijndael
• There are no such trapdoors in AES/Rijndael.• This depends on certain properties of the components
of AES:• the mixing layer,• the S-boxes.
• In its basic version, AES operates on the vector spaceV = V (128, 2) of dimension 128 over the field F2 withtwo elements.
• AES is byte-oriented:
V = V1 ⊕ · · · ⊕ V16,
where each Vi = V (8, 2).
• The mixing layer makes sure that no nontrivial sum ofthe Vi is sent to itself.
No trapdoors in Rijndael
• The S-box is a map on each $V_i = V(8, 2)$. It is the only nonlinear component of AES.
• Each $V_i$ is identified with $\mathrm{GF}(2^8)$. (A non-primitive polynomial is used!)
• The S-box is $x \mapsto x^{-1}$. Well, not quite: $0 \mapsto 0$, that is, $x \mapsto x^{254}$, plus a minor tweak with an affine map.
• A role is played by a property of inversion in (finite) fields.
Inversion
In studying Rijndael’s S-box we were led to the following question.
Suppose we have an additive subgroup $A$ of the field $\mathrm{GF}(2^8)$. Suppose $A$ is closed under taking inverses of non-zero elements.
Is $A$ a subfield?
It is easy to verify that this is indeed the case here. What about the general question for an arbitrary field?
Examples:
• $A = \mathbb{R}i = \{ ai : a \in \mathbb{R} \} \subseteq \mathbb{C}$.
• In $\mathrm{GF}(5^2)$, take $A = \mathrm{GF}(5)\alpha = \{ 0, \alpha, 2\alpha, -2\alpha, -\alpha \}$, where $\alpha^2 = 2$.
Inversion
Sandro Mattarei, Inverse-closed additive subgroups of fields. Israel J. Math., to appear.
Theorem
Let $E$ be a finite field of characteristic two. Suppose $A \neq 0$ is an additive subgroup of $E$ which contains the inverses of each of its nonzero elements. Then $A$ is a subfield of $E$.
Two more general results
Theorem
Let $E$ be a field of characteristic different from two and let $A$ be a non-trivial inverse-closed additive subgroup of $E$. Then $A$ is either a subfield of $E$ or the set of elements of trace zero in some quadratic field extension contained in $E$.
Theorem
Let $E$ be a field of characteristic two and let $A$ be an inverse-closed additive subgroup of $E$. Then $A$ is an $F^2$-subspace of $F$ for some subfield $F$ of $E$.
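The $\mathrm{GF}(5^2)$ example and the odd-characteristic theorem can be checked exhaustively. This is an added example, not part of the talk: it stores $x + y\alpha$ as the pair `(x, y)` with $\alpha^2 = 2$, and all function names are chosen here for illustration.

```python
from itertools import product

P = 5          # GF(5)
ALPHA_SQ = 2   # alpha^2 = 2 as in the example; 2 is a non-square modulo 5

# An element x + y*alpha of GF(5^2) is stored as the pair (x, y).
ELEMENTS = list(product(range(P), repeat=2))
ZERO, ONE = (0, 0), (1, 0)

def mul(u, v):
    (a, b), (c, d) = u, v
    return ((a * c + ALPHA_SQ * b * d) % P, (a * d + b * c) % P)

def inv(u):
    """Inverse of u != 0: the conjugate x - y*alpha divided by the norm x^2 - 2*y^2."""
    a, b = u
    n_inv = pow((a * a - ALPHA_SQ * b * b) % P, P - 2, P)
    return ((a * n_inv) % P, (-b * n_inv) % P)

def trace(u):
    """Trace to GF(5): u plus its conjugate, which is 2x for u = x + y*alpha."""
    return (2 * u[0]) % P

def line(u):
    """Additive subgroup of order 5 generated by u."""
    return frozenset(((k * u[0]) % P, (k * u[1]) % P) for k in range(P))

def classify_order5_subgroups():
    """Sort the six additive subgroups of order 5 by the alternatives of the theorem.

    The additive subgroups of GF(5^2) have order 1, 5 or 25, so these six are
    the only candidates besides {0} and the whole field.
    """
    trace_zero = frozenset(u for u in ELEMENTS if trace(u) == 0)
    result = {"subfield": [], "trace zero": [], "not inverse-closed": []}
    for A in {line(u) for u in ELEMENTS if u != ZERO}:
        if any(inv(u) not in A for u in A if u != ZERO):
            kind = "not inverse-closed"
        elif ONE in A and all(mul(u, v) in A for u in A for v in A):
            kind = "subfield"
        elif A == trace_zero:
            kind = "trace zero"
        else:
            kind = "other"  # would contradict the theorem
        result.setdefault(kind, []).append(A)
    return result

if __name__ == "__main__":
    for kind, groups in classify_order5_subgroups().items():
        print(kind, [sorted(A) for A in groups])
```

Of the six subgroups of order 5, exactly two are inverse-closed: the subfield $\mathrm{GF}(5)$ and the trace-zero set $\mathrm{GF}(5)\alpha$, which is not a subfield because it does not contain 1.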
Proof of the finite case, characteristic two
Proof.
Hua’s identity, valid in any associative (but not necessarily commutative) ring, shows
$$a + \left( (a - b^{-1})^{-1} - a^{-1} \right)^{-1} = aba$$
with $a$, $b$, $ab - 1$ invertible.
First of all, $1 \in A$. This is because $A$ has even order, and each element different from $0, 1$ is distinct from its inverse.
Now with $b = 1$, and $a \in A \setminus \{ 0, 1 \}$, we get that for $a \in A$, also $a^2 \in A$. (This is clearly valid also for $a = 0, 1$.) It follows that any $c \in A$ can be represented in the form $c = a^2$ for some $a \in A$. Now Hua’s identity yields that $A$ is closed under products, so that $A$ is a subring, and thus a subfield, of $E$.
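The S-box description, Hua's identity and the finite characteristic-two theorem can all be checked by machine in the AES field. This is an added example, not part of the talk: it uses the AES reduction polynomial `0x11B` and affine constant `0x63`, and the function names are chosen here for illustration.

```python
AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1, the reduction polynomial of AES

def gf_mul(a, b):
    """Product in GF(2^8): carry-less multiplication reduced modulo AES_POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r

def gf_pow(a, e):
    """a**e by square-and-multiply."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

# x -> x^254 is inversion on nonzero elements and sends 0 to 0.
INV = [gf_pow(x, 254) for x in range(256)]

def order(a):
    """Multiplicative order of a nonzero element."""
    n, y = 1, a
    while y != 1:
        y = gf_mul(y, a)
        n += 1
    return n

def sbox(x):
    """AES S-box: x^254 followed by the affine map over F_2 with constant 0x63."""
    y = INV[x]
    rotl = lambda v, k: ((v << k) | (v >> (8 - k))) & 0xFF
    return y ^ rotl(y, 1) ^ rotl(y, 2) ^ rotl(y, 3) ^ rotl(y, 4) ^ 0x63

def hua_identity_holds():
    """Check a + ((a - b^-1)^-1 - a^-1)^-1 == aba for all a, b with a, b, ab - 1 invertible."""
    for a in range(1, 256):
        for b in range(1, 256):
            if gf_mul(a, b) == 1:
                continue  # ab - 1 = 0 is not invertible
            lhs = a ^ INV[INV[a ^ INV[b]] ^ INV[a]]  # + and - are both XOR here
            if lhs != gf_mul(gf_mul(a, b), a):
                return False
    return True

def inverse_closed_span(gens):
    """Smallest additive subgroup containing gens and the inverses of its nonzero elements."""
    A = {0}
    todo = list(gens)
    while todo:
        g = todo.pop()
        if g in A:
            continue
        A |= {x ^ g for x in A}  # extend the F_2-span by g
        todo.extend(INV[x] for x in A if x and INV[x] not in A)
    return A

def is_subfield(A):
    return 1 in A and all(gf_mul(x, y) in A for x in A for y in A)

def spans_of_single_elements():
    """Distinct inverse-closed additive subgroups generated by one nonzero element."""
    return {frozenset(inverse_closed_span([g])) for g in range(1, 256)}

if __name__ == "__main__":
    print("order of 0x02:", order(0x02), "(255 would mean a primitive polynomial)")
    print("Hua's identity holds:", hua_identity_holds())
    spans = spans_of_single_elements()
    print("sizes:", sorted(len(A) for A in spans), "all subfields:", all(map(is_subfield, spans)))
```

The element `0x02` (the class of $x$) has order 51 rather than 255, which is the non-primitivity remarked on in the S-box slide, and every inverse-closed additive subgroup generated by a single element is one of the subfields of order 2, 4, 16 or 256.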
![Page 100: Permutation groups generated by round functions of symmetric](https://reader031.vdocuments.us/reader031/viewer/2022020703/61fb25b52e268c58cd5ab4b3/html5/thumbnails/100.jpg)
Groupsgenerated by
roundfunctions
Caranti, DallaVolta, Sala &
Villani
MotivationIs DES a group?
Trapdoors viaimprimitivity
Groups atworkImprimitivity
Inversion
Hua and AES
PrimitivityO’Nan-Scott
Radical Rings
Proof of the finite case, characteristic two
Proof.
Hua’s identity, valid in any associative (but not necessarilycommutative) ring, shows
a + ((a − b−1)−1 − a−1)−1 = aba
with a, b, ab − 1 invertible.First of all, 1 ∈ A. This is because A has even order, andeach element different from 0, 1 is distinct from its inverse.Now with b = 1, and a ∈ A \ { 0, 1 } we get that for a ∈ A,also a2 ∈ A. (This is clearly valid also for a = 0, 1.) It followsthat any c ∈ A can be represented in the form c = a2 forsome a ∈ A. Now Hua’s identity yields that A is closedunder products, so that A is a subring, and thus a subfield,of A.
![Page 101: Permutation groups generated by round functions of symmetric](https://reader031.vdocuments.us/reader031/viewer/2022020703/61fb25b52e268c58cd5ab4b3/html5/thumbnails/101.jpg)
Groupsgenerated by
roundfunctions
Caranti, DallaVolta, Sala &
Villani
MotivationIs DES a group?
Trapdoors viaimprimitivity
Groups atworkImprimitivity
Inversion
Hua and AES
PrimitivityO’Nan-Scott
Radical Rings
Proof of the finite case, characteristic two
Proof.
Hua’s identity, valid in any associative (but not necessarilycommutative) ring, shows
a + ((a − b−1)−1 − a−1)−1 = aba
with a, b, ab − 1 invertible.First of all, 1 ∈ A. This is because A has even order, andeach element different from 0, 1 is distinct from its inverse.Now with b = 1, and a ∈ A \ { 0, 1 } we get that for a ∈ A,also a2 ∈ A. (This is clearly valid also for a = 0, 1.) It followsthat any c ∈ A can be represented in the form c = a2 forsome a ∈ A. Now Hua’s identity yields that A is closedunder products, so that A is a subring, and thus a subfield,of A.
![Page 102: Permutation groups generated by round functions of symmetric](https://reader031.vdocuments.us/reader031/viewer/2022020703/61fb25b52e268c58cd5ab4b3/html5/thumbnails/102.jpg)
Groupsgenerated by
roundfunctions
Caranti, DallaVolta, Sala &
Villani
MotivationIs DES a group?
Trapdoors viaimprimitivity
Groups atworkImprimitivity
Inversion
Hua and AES
PrimitivityO’Nan-Scott
Radical Rings
Proof of the finite case, characteristic two
Proof.
Hua’s identity, valid in any associative (but not necessarilycommutative) ring, shows
a + ((a − b−1)−1 − a−1)−1 = aba
with a, b, ab − 1 invertible.First of all, 1 ∈ A. This is because A has even order, andeach element different from 0, 1 is distinct from its inverse.Now with b = 1, and a ∈ A \ { 0, 1 } we get that for a ∈ A,also a2 ∈ A. (This is clearly valid also for a = 0, 1.) It followsthat any c ∈ A can be represented in the form c = a2 forsome a ∈ A. Now Hua’s identity yields that A is closedunder products, so that A is a subring, and thus a subfield,of A.
![Page 103: Permutation groups generated by round functions of symmetric](https://reader031.vdocuments.us/reader031/viewer/2022020703/61fb25b52e268c58cd5ab4b3/html5/thumbnails/103.jpg)
Groupsgenerated by
roundfunctions
Caranti, DallaVolta, Sala &
Villani
MotivationIs DES a group?
Trapdoors viaimprimitivity
Groups atworkImprimitivity
Inversion
Hua and AES
PrimitivityO’Nan-Scott
Radical Rings
Proof of the finite case, characteristic two
Proof.
Hua’s identity, valid in any associative (but not necessarilycommutative) ring, shows
a + ((a − b−1)−1 − a−1)−1 = aba
with a, b, ab − 1 invertible.First of all, 1 ∈ A. This is because A has even order, andeach element different from 0, 1 is distinct from its inverse.Now with b = 1, and a ∈ A \ { 0, 1 } we get that for a ∈ A,also a2 ∈ A. (This is clearly valid also for a = 0, 1.) It followsthat any c ∈ A can be represented in the form c = a2 forsome a ∈ A. Now Hua’s identity yields that A is closedunder products, so that A is a subring, and thus a subfield,of A.
![Page 104: Permutation groups generated by round functions of symmetric](https://reader031.vdocuments.us/reader031/viewer/2022020703/61fb25b52e268c58cd5ab4b3/html5/thumbnails/104.jpg)
Groupsgenerated by
roundfunctions
Caranti, DallaVolta, Sala &
Villani
MotivationIs DES a group?
Trapdoors viaimprimitivity
Groups atworkImprimitivity
Inversion
Hua and AES
PrimitivityO’Nan-Scott
Radical Rings
Proof of the finite case, characteristic two
Proof.
Hua’s identity, valid in any associative (but not necessarilycommutative) ring, shows
a + ((a − b−1)−1 − a−1)−1 = aba
with a, b, ab − 1 invertible.First of all, 1 ∈ A. This is because A has even order, andeach element different from 0, 1 is distinct from its inverse.Now with b = 1, and a ∈ A \ { 0, 1 } we get that for a ∈ A,also a2 ∈ A. (This is clearly valid also for a = 0, 1.) It followsthat any c ∈ A can be represented in the form c = a2 forsome a ∈ A. Now Hua’s identity yields that A is closedunder products, so that A is a subring, and thus a subfield,of A.
![Page 105: Permutation groups generated by round functions of symmetric](https://reader031.vdocuments.us/reader031/viewer/2022020703/61fb25b52e268c58cd5ab4b3/html5/thumbnails/105.jpg)
Groupsgenerated by
roundfunctions
Caranti, DallaVolta, Sala &
Villani
MotivationIs DES a group?
Trapdoors viaimprimitivity
Groups atworkImprimitivity
Inversion
Hua and AES
PrimitivityO’Nan-Scott
Radical Rings
Proof of the finite case, characteristic two
Proof.
Hua’s identity, valid in any associative (but not necessarilycommutative) ring, shows
a + ((a − b−1)−1 − a−1)−1 = aba
with a, b, ab − 1 invertible.First of all, 1 ∈ A. This is because A has even order, andeach element different from 0, 1 is distinct from its inverse.Now with b = 1, and a ∈ A \ { 0, 1 } we get that for a ∈ A,also a2 ∈ A. (This is clearly valid also for a = 0, 1.) It followsthat any c ∈ A can be represented in the form c = a2 forsome a ∈ A. Now Hua’s identity yields that A is closedunder products, so that A is a subring, and thus a subfield,of A.
![Page 106: Permutation groups generated by round functions of symmetric](https://reader031.vdocuments.us/reader031/viewer/2022020703/61fb25b52e268c58cd5ab4b3/html5/thumbnails/106.jpg)
Groupsgenerated by
roundfunctions
Caranti, DallaVolta, Sala &
Villani
MotivationIs DES a group?
Trapdoors viaimprimitivity
Groups atworkImprimitivity
Inversion
Hua and AES
PrimitivityO’Nan-Scott
Radical Rings
Proof of the finite case, characteristic two
Proof.
Hua’s identity, valid in any associative (but not necessarilycommutative) ring, shows
a + ((a − b−1)−1 − a−1)−1 = aba
with a, b, ab − 1 invertible.First of all, 1 ∈ A. This is because A has even order, andeach element different from 0, 1 is distinct from its inverse.Now with b = 1, and a ∈ A \ { 0, 1 } we get that for a ∈ A,also a2 ∈ A. (This is clearly valid also for a = 0, 1.) It followsthat any c ∈ A can be represented in the form c = a2 forsome a ∈ A. Now Hua’s identity yields that A is closedunder products, so that A is a subring, and thus a subfield,of A.
![Page 107: Permutation groups generated by round functions of symmetric](https://reader031.vdocuments.us/reader031/viewer/2022020703/61fb25b52e268c58cd5ab4b3/html5/thumbnails/107.jpg)
Groupsgenerated by
roundfunctions
Caranti, DallaVolta, Sala &
Villani
MotivationIs DES a group?
Trapdoors viaimprimitivity
Groups atworkImprimitivity
Inversion
Hua and AES
PrimitivityO’Nan-Scott
Radical Rings
Proof of the finite case, characteristic two
Proof.
Hua’s identity, valid in any associative (but not necessarilycommutative) ring, shows
a + ((a − b−1)−1 − a−1)−1 = aba
with a, b, ab − 1 invertible.First of all, 1 ∈ A. This is because A has even order, andeach element different from 0, 1 is distinct from its inverse.Now with b = 1, and a ∈ A \ { 0, 1 } we get that for a ∈ A,also a2 ∈ A. (This is clearly valid also for a = 0, 1.) It followsthat any c ∈ A can be represented in the form c = a2 forsome a ∈ A. Now Hua’s identity yields that A is closedunder products, so that A is a subring, and thus a subfield,of A.
More on Hua and AES
Hua’s identity can be used in the cryptanalysis of AES.
Joan Daemen and Vincent Rijmen, Two-Round AES Differentials, e-print, 2007.
Theorem
Let $T$ denote a two-round Rijndael transformation. It operates on $\mathrm{GF}(2^8)$. Fix $0 \neq a \in \mathrm{GF}(2^8)$. Then the set of inverses of the output differences with input difference $a$
$$\left\{ (T(x + a) - T(x))^{-1} : x \in \mathrm{GF}(2^8) \right\}$$
forms a linear subspace, minus $\{0\}$.
Hua’s identity simply tells us that
$$(T(x + a) - T(x))^{-1} = a\left((a^{-1}x)^2 + a^{-1}x\right).$$
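Both Hua’s identity from the proof above and the subspace statement of the theorem can be checked exhaustively in the AES field. The following is an added example, not part of the talk: it assumes $T$ is the field inversion map with $0 \mapsto 0$ (the map for which the displayed formula is a direct computation) and the AES reduction polynomial; all function names are this example's own.

```python
# Added example: exhaustive checks in GF(2^8) with the AES reduction polynomial.
# Assumption: T is field inversion with 0 -> 0 (the convention of the AES S-box).
AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1


def gf_mul(a, b):
    """Carry-less multiplication of two bytes, reduced modulo AES_POLY."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r


def gf_inv(a):
    """a^254, which is a^-1 for a != 0 and 0 for a == 0."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r


INV = [gf_inv(a) for a in range(256)]


def hua_identity_failures():
    """Count pairs (a, b) with a, b, ab - 1 invertible that violate Hua's identity."""
    failures = 0
    for a in range(1, 256):
        for b in range(1, 256):
            if gf_mul(a, b) == 1:
                continue  # ab - 1 = 0 is excluded by the hypothesis
            lhs = a ^ INV[INV[a ^ INV[b]] ^ INV[a]]  # + and - are both XOR
            if lhs != gf_mul(gf_mul(a, b), a):
                failures += 1
    return failures


def inverse_difference_set(a):
    """{(T(x+a) - T(x))^-1 : x in GF(2^8)} for T = inversion."""
    return {INV[INV[x ^ a] ^ INV[x]] for x in range(256)}


def subspace_dimension(s):
    """Dimension over GF(2) of s with 0 added, if that set is closed under XOR; else None."""
    span = set(s) | {0}
    if any((u ^ v) not in span for u in span for v in span):
        return None
    return len(span).bit_length() - 1


def formula_mismatches(a):
    """Inputs x where the inverse difference differs from a((a^-1 x)^2 + a^-1 x)."""
    bad = []
    for x in range(256):
        y = gf_mul(INV[a], x)
        if INV[INV[x ^ a] ^ INV[x]] != gf_mul(a, gf_mul(y, y) ^ y):
            bad.append(x)
    return bad


if __name__ == "__main__":
    print("Hua identity failures:", hua_identity_failures())
    dims = {subspace_dimension(inverse_difference_set(a)) for a in range(1, 256)}
    print("dimension of the subspace for every a != 0:", dims)
    print("x where the closed formula fails for a = 0x1D:", formula_mismatches(0x1D))
```

The closed formula fails only at $x \in \{0, a\}$, where the convention $0^{-1} = 0$ is used; there the inverse difference is $a$ itself, which still lies in the subspace because $y^2 + y = 1$ is solvable in $\mathrm{GF}(2^8)$.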
O’Nan-Scott
Our intention would now be to apply the O’Nan-Scott classification of primitive groups.
Leonard L. Scott, Representations in characteristic p. The Santa Cruz Conference on Finite Groups, 1979, Proc. Sympos. Pure Math., 37, 319–331.
M. Aschbacher and L. Scott, Maximal subgroups of finite groups. J. Algebra 92 (1985), 44–80.
Martin W. Liebeck, Cheryl E. Praeger and Jan Saxl, On the O’Nan-Scott theorem... J. Austral. Math. Soc. Ser. A 44 (1988), 389–396.
Primitive Groups
An analysis of the O’Nan-Scott classification shows that the (primitive) group generated by the round functions of Rijndael could be one of the following.
• The alternating group.
• A wreath product in product action.
• An affine group.
We have not been able to finish it off from here. Still, we have a spin-off from the last case.
A. Caranti, F. Dalla Volta and M. Sala, Abelian regular subgroups of the affine group and radical rings. Publ. Math. Debrecen 69 (2006), no. 3, 297–308.
Abelian regular subgroups and radical rings
Theorem
Let $F$ be a field, and let $(V, +)$ be a vector space over $F$. There is a bijection between
• Abelian regular subgroups of the affine group $\mathrm{Aff}(V)$ on $V$, and
• $F$-algebra structures $(V, +, \cdot)$ such that the resulting ring is radical.
Isomorphism classes of algebras correspond to conjugacy classes of subgroups under the action of $\mathrm{GL}(V)$.
Related work
D. F. Holt, Robert B. Howlett, On groups which are the product of two abelian groups. J. London Math. Soc. (2) 29 (1984), no. 3, 453–461.
Robert B. Howlett, On the exponent of certain factorizable groups. J. London Math. Soc. (2) 31 (1985), no. 2, 265–271.
Plus work of Y.P. Sysak which can be found in
B. Amberg, S. Franciosi, F. de Giovanni, Products of groups. Oxford Mathematical Monographs, 1992. ISBN 0-19-853575-9
An application
• In the affine group over a finite vector space, an abelian regular subgroup intersects the group of translations nontrivially.
• There is an example of Hegedus of a nonabelian, regular subgroup of an affine group over a finite vector space which has trivial intersection with the group of translations.
• There is a (simple) example of an abelian, regular subgroup of the affine group over an infinite vector space which has trivial intersection with the group of translations.
Pál Hegedus, Regular subgroups of the affine group. J. Algebra 225 (2000), no. 2, 740–742.
The example
• Let $(V, +, \cdot)$ be the maximal ideal $tF[[t]]$ of the $F$-algebra $F[[t]]$ of formal power series over an arbitrary field $F$.
• In $\mathrm{Aff}(V)$ we have the group $N$ of translations.
• $(V, +, \cdot)$ is a radical ring. Our methods allow us to construct another abelian, regular subgroup $T$ of $\mathrm{Aff}(V)$. As a group, $T$ is $V$ under the circle operation $x \circ y = x + y + xy$, where the element in $T$ corresponding to $x$ acts on $V$ via $y \mapsto y \circ x$.
• One sees that $U = \{ x \in V : x \cdot y = 0 \text{ for all } y \in V \}$ corresponds to $N \cap T$.
• Since $F[[t]]$ is a domain, we have $N \cap T = \{1\}$ here.
• Also, $T$ is torsion-free. If $F$ is a field of positive characteristic $p$, then the group $N$ of translations has exponent $p$. Thus $\mathrm{Aff}(V)$ has two rather different abelian regular subgroups here.
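A finite analogue of the construction above, as an added example that is not part of the talk: it replaces $tF[[t]]$ by the truncation $V = t\,\mathbb{F}_2[t]/(t^{n+1})$, a nilpotent and therefore radical ring, and checks by enumeration that the circle operation gives an abelian regular subgroup $T$ of $\mathrm{Aff}(V)$ whose intersection with the translations $N$ is the annihilator $U$. The truncation, the choice $F = \mathbb{F}_2$ and all function names are assumptions of this example.

```python
# Added example: finite analogue V = t*F_2[t]/(t^(n+1)) of the radical ring tF[[t]].
# An element is an int whose bit i is the coefficient of t^i; bit 0 is always clear.


def make_ring(n):
    """Return the elements of V and its multiplication (truncated at t^(n+1))."""
    mask = (1 << (n + 1)) - 1

    def mul(x, y):
        r = 0
        while y:
            if y & 1:
                r ^= x
            x <<= 1
            y >>= 1
        return r & mask

    return list(range(0, 1 << (n + 1), 2)), mul


def analyse(n):
    V, mul = make_ring(n)

    def circ(x, y):  # circle operation x o y = x + y + xy
        return x ^ y ^ mul(x, y)

    # tau[x] is the map y -> y o x of V attached to x; note tau[x][0] == x.
    tau = {x: {y: circ(y, x) for y in V} for x in V}

    # Affine: y -> tau[x][y] - tau[x][0] must be additive.
    affine = all(
        tau[x][y ^ z] ^ x == (tau[x][y] ^ x) ^ (tau[x][z] ^ x)
        for x in V for y in V for z in V
    )

    # Every tau[x] is a permutation, and T = {tau[x]} is closed under
    # composition and commutative, hence an abelian permutation group.
    abelian_group = all(sorted(tau[x].values()) == V for x in V) and all(
        tau[x][tau[w][y]] == tau[circ(w, x)][y] == tau[w][tau[x][y]]
        for x in V for w in V for y in V
    )

    # Regular: exactly one element of T sends 0 to each point of V.
    regular = sorted(tau[x][0] for x in V) == V

    # N cap T: those x for which tau[x] is the translation y -> y + x.
    n_cap_t = [x for x in V if all(tau[x][y] == y ^ x for y in V)]
    annihilator = [x for x in V if all(mul(x, y) == 0 for y in V)]

    # Order of tau[t] in T: repeat "o t" until the identity element 0 is reached.
    t, acc, order = 2, 2, 1
    while acc != 0:
        acc, order = circ(acc, t), order + 1

    return {
        "affine": affine,
        "abelian_group": abelian_group,
        "regular": regular,
        "n_cap_t": n_cap_t,
        "annihilator": annihilator,
        "order_of_tau_t": order,
    }


if __name__ == "__main__":
    for n in (3, 5):
        print(n, analyse(n))
```

For $n = 3$ the intersection is $\{0, t^3\}$, nontrivial as the finite case requires, and $\tau_t$ has order 4 while every translation has order 2. The order of $\tau_t$ grows with $n$, which is the finite shadow of $T$ being torsion-free over $F[[t]]$.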
![Page 142: Permutation groups generated by round functions of symmetric](https://reader031.vdocuments.us/reader031/viewer/2022020703/61fb25b52e268c58cd5ab4b3/html5/thumbnails/142.jpg)
Groupsgenerated by
roundfunctions
Caranti, DallaVolta, Sala &
Villani
MotivationIs DES a group?
Trapdoors viaimprimitivity
Groups atworkImprimitivity
Inversion
Hua and AES
PrimitivityO’Nan-Scott
Radical Rings
The example
• Let (V ,+, ·) be the maximal ideal tF [[t ]] of theF -algebra F [[t ]] of formal power series over an arbitraryfield F .
• In Aff(V ) we have the group N of translations.• (V ,+, ·) is a radical ring. Our methods allow us to
construct another abelian, regular subgroup T ofAff(V ). As a group, T is V under the circle operationx ◦ y = x + y + xy , where the element in Tcorresponding to x acts on V via y 7→ y ◦ x .
• One sees that U = { x ∈ V : x · y = 0 for all y ∈ V }corresponds to N ∩ T .
• Since F [[t ]] is a domain, we have N ∩ T = {1} here.• Also, T is torsion-free. If F is a field of positive
characteristic p, then the group N of translations hasexponent p. Thus Aff(V ) has two rather differentabelian regular subgroups here.
![Page 143: Permutation groups generated by round functions of symmetric](https://reader031.vdocuments.us/reader031/viewer/2022020703/61fb25b52e268c58cd5ab4b3/html5/thumbnails/143.jpg)
Groupsgenerated by
roundfunctions
Caranti, DallaVolta, Sala &
Villani
MotivationIs DES a group?
Trapdoors viaimprimitivity
Groups atworkImprimitivity
Inversion
Hua and AES
PrimitivityO’Nan-Scott
Radical Rings
The example
• Let (V ,+, ·) be the maximal ideal tF [[t ]] of theF -algebra F [[t ]] of formal power series over an arbitraryfield F .
• In Aff(V ) we have the group N of translations.• (V ,+, ·) is a radical ring. Our methods allow us to
construct another abelian, regular subgroup T ofAff(V ). As a group, T is V under the circle operationx ◦ y = x + y + xy , where the element in Tcorresponding to x acts on V via y 7→ y ◦ x .
• One sees that U = { x ∈ V : x · y = 0 for all y ∈ V }corresponds to N ∩ T .
• Since F [[t ]] is a domain, we have N ∩ T = {1} here.• Also, T is torsion-free. If F is a field of positive
characteristic p, then the group N of translations hasexponent p. Thus Aff(V ) has two rather differentabelian regular subgroups here.
![Page 144: Permutation groups generated by round functions of symmetric](https://reader031.vdocuments.us/reader031/viewer/2022020703/61fb25b52e268c58cd5ab4b3/html5/thumbnails/144.jpg)
Groupsgenerated by
roundfunctions
Caranti, DallaVolta, Sala &
Villani
MotivationIs DES a group?
Trapdoors viaimprimitivity
Groups atworkImprimitivity
Inversion
Hua and AES
PrimitivityO’Nan-Scott
Radical Rings
The example
• Let (V ,+, ·) be the maximal ideal tF [[t ]] of theF -algebra F [[t ]] of formal power series over an arbitraryfield F .
• In Aff(V ) we have the group N of translations.• (V ,+, ·) is a radical ring. Our methods allow us to
construct another abelian, regular subgroup T ofAff(V ). As a group, T is V under the circle operationx ◦ y = x + y + xy , where the element in Tcorresponding to x acts on V via y 7→ y ◦ x .
• One sees that U = { x ∈ V : x · y = 0 for all y ∈ V }corresponds to N ∩ T .
• Since F [[t ]] is a domain, we have N ∩ T = {1} here.• Also, T is torsion-free. If F is a field of positive
characteristic p, then the group N of translations hasexponent p. Thus Aff(V ) has two rather differentabelian regular subgroups here.
![Page 145: Permutation groups generated by round functions of symmetric](https://reader031.vdocuments.us/reader031/viewer/2022020703/61fb25b52e268c58cd5ab4b3/html5/thumbnails/145.jpg)
Groupsgenerated by
roundfunctions
Caranti, DallaVolta, Sala &
Villani
MotivationIs DES a group?
Trapdoors viaimprimitivity
Groups atworkImprimitivity
Inversion
Hua and AES
PrimitivityO’Nan-Scott
Radical Rings
The example
• Let (V ,+, ·) be the maximal ideal tF [[t ]] of theF -algebra F [[t ]] of formal power series over an arbitraryfield F .
• In Aff(V ) we have the group N of translations.• (V ,+, ·) is a radical ring. Our methods allow us to
construct another abelian, regular subgroup T ofAff(V ). As a group, T is V under the circle operationx ◦ y = x + y + xy , where the element in Tcorresponding to x acts on V via y 7→ y ◦ x .
• One sees that U = { x ∈ V : x · y = 0 for all y ∈ V }corresponds to N ∩ T .
• Since F [[t ]] is a domain, we have N ∩ T = {1} here.• Also, T is torsion-free. If F is a field of positive
characteristic p, then the group N of translations hasexponent p. Thus Aff(V ) has two rather differentabelian regular subgroups here.