1 Bounds on Key Appearance Equivocation for Substitution Ciphers Yuri Borissov and Moon Ho Lee, Senior Member, IEEE Abstract—The average conditional entropy of the key given II. LOWERAND UPPERBOUNDS FORTHEKEY the message and its corresponding cryptogram, H(K|M,C), APPEARANCE EQUIVOCATION which is reffer as a key appearance equivocation, was proposed as a theoretical measure of the strength of the cipher system For basic definitions and notions we reffer to [2],[1] and 7 under a known-plaintext attack by Dunham in 1980. In the [6]. Let a memoryless message source with a discrete finite 0 same work (among other things), lower and upper bounds alphabet M = {1,2,...,N} be given. The probability of a 0 for H(SM|MLCL) are found and its asymptotic behaviour symbol n is denoted by P (n). The cryptogram alphabet C 2 as a function of cryptogram length L is described for simple M substitutionciphersi.e.whenthekeyspaceSM isthesymmetric is taken to be the same as M, and the key space is K⊳SM n group actingon adiscretealphabetM. Inthepresentpaperwe – an arbitrary subgroup of the the symmetric group acting on a consider the same problem when the key space is an arbitrary M. For every π ∈ K the cryptographic transformation T : J π subgroup K⊳SM and generalize Dunham’s result. ML → ML is determined in the following way: If mL = 9 1 Index Terms—key appearance equivocation, substituion ci- m1m2...mL isamessageoflengthL,thenthecryptogramis phers. cL = T (mL) d=ef π(m )π(m )...π(m ). We assume also π 1 2 L ] that the key and message sources are independent, and the T keys are equiprobable, i.e. P (π)=1/|K|. .I I. INTRODUCTION We make use of the followKing lemma: s c Shannon in his seminal paper [2] showed that the condi- Lemma 2.1: LetGbeagroupofsubstitutionsofthefinite [ tional entropies of the key and message given the cryptogram set X. If the set G(i,j)={π ∈G/π(i)=j}, where i and j 2 can be used as a theoreticalmeasure of strength of the cipher are some fixed elements of X, is nonempty, then it is a left v system when assuming unlimited cryptanalytic computational coset by the stabilizer St(i)d=ef {τ ∈G/τ(i)=i}. 4 capabilities.Theseconditionalentropiesarecalledthekeyand Proof: Obviously, if π(i) ∈ G(i,j) then for any α ∈ 6 0 message equivocation, respectively. St(i)wehaveπ◦α(i)=π(i)=j.Conversely,ifπ(i)=jand 2 In general it is diffucult to calculate these equivocations τ(i)=j thenπ−1◦τ(i)=π−1(j)=ihenceπ−1◦τ ∈St(i). 1 explicitly. For that Shannon established in [2] a general 6 lower bound and introduced a random cipher model which In order to state the main theorem we need the following 0 wouldapproximatethebehaviourofcomplexpracticalciphers. definitions: / s Afterward, Hellman [3] reviewed and extended Shannon’s DEFINITION 2.2: The set F(π)d=ef {j/π(j)=j} is called c : information-theoreticapproachandshowedthatrandomcipher a fixed set of π ∈K. v model is conservative in that a randomly chosen cipher is Let us denote by K∗ the set of all substitutions in K i X essentially the worst possible. Later on Blom [4] obtained excluding the identity. r exponentiallytightboundson the keyequivocationfor simple DEFINITION 2.3: Thekey π ∈K∗ is called maximalwhen a substitutionciphers.In [1] to deriveboundsfor simple substi- its fixed set F(π) is maximalin sense of inclusion amongthe tutionciphersonthemessageequivocationintermsofthekey sets F(τ), τ ∈K∗. equivocation, Dunham derived such bounds for so-called key We will denote by K the set of all maximal keys and for max appearance equivocation. This author pointed out also, that anyπ ∈K byP thesumofprobablities P (j). max π j∈F(π) M it can be considered as a theoretical measure of the strength For completeness of exposition we recallPthe defintion of of the cipher system under known-plaintext attack. Another key appearance equivocation: contribution of this subject is the Sgarro’s work [5]. DEFINITION 2.4: In Section II we give the necessary background and state a theorem which gives the bounds on the key appearance H(K|MLCL)d=ef H(K|mLcL)PMLCL(mLcL) equivocation for substitution ciphers when the key space is mLX∈MLcLX∈CL confinedtoasubgroupKofthegroupS ofallsubstitutions M and of a discrete alphabet M. In Section III we discuss four applications of the stated theorem in some particular cases. H(K|mLcL)d=ef PK(k)log(1/PK(k)) Finally, we conclude in Section IV. k:Tk(XmL)=cL The following theorem is a generalization of the result ob- Yuri Borissov is with the Institute of Mathematics and Informatics, Bul- tainedin [1] onthe behaviourofkeyappearanceequivocation garianAcademyofSciences,Sofia1113,Bulgaria.MoonHoLeeiswiththe for simple substitution ciphers as a function of cryptogram Institute of Information and Communication, Chonbuk National University, length. Jeonju561-756,R.Korea. 2 Theorem 2.5: Under the above impossed assumptions, let PML(mL)= Kmax is nonempty and R = max{Pτ/τ ∈ Kmax}. Then the τ∈XKmaxmL∈X[F(τ)]L following inequalities hold: log(2)RL ≤H(K|MLCL)≤log(|K|)|Kmax|RL (Pτ)L ≤|Kmax|RL (3) τ∈XKmax From (2) and (3) substituting in (1), we finally obtain: Remark. The logarithmsare taken for an arbitrary fixed base depending on the unit of entropy measurement. log(2)RL ≤H(K|MLCL)≤log(|K|)|K |RL Proof: Starting from definition of conditional entropy, max using the fact that the keys are equiprobable and applying which is the desired result. Lemma2.1 we consecutively get: Note that Theorem2.5shows the asymptotic tight exponen- H(K|mLcL)PMLCL(mLcL)= tial behaviour of H(K|MLCL) with exponent base R equal to the maximum among sums of symbol probabilities of the mLX∈MLcLX∈CL fixed sets of maximal keys. log(|St(mL)|)PMLCL(mLcL)= mLX∈MLcLX∈CL III. APPLICATIONS We shall consider four applicationsof Theorem2.5. For the log(|St(mL)|) PMLCL(mLcL)= first two applications we assume without loss of generality mLX∈ML cLX∈CL that P (1)≥P (2)≥...≥P (N). M M M 1. Let K = S – the case of simple substitution cipher. log(|St(mL)|)PML(mL), Clearly,maximalMkeysarethetranspositions.Therefore,R = mLX∈ML N−2P (j) = 1−P (N)−P (N −1), |K| = N! 1and j=1 M M M wstahbeirleizeSrto(mf mL)ess=age{TmπL/.Tπ(mL) = mL,π ∈ K} is the P|K2m.axle|t=K(cid:0)=N2(cid:1)A. Th,iswrheesrueltAis obitsaitnheedalitner[n1a]t.ing group acting M M Clearly, if St(mL) 6= {e}, where e is identity, we have: on M. It can be easily seen that maximal keys are the 2≤|St(mL)|≤|K|. Thus the following inequalities hold: substitutions which can be represented as a superposition of log(2) PML(mL)≤H(K|MLCL)≤ cCylcelaerloyf,ltehnegseths3ubanstditudtiisojonisntbteolothnigstcoycAle∗id.enPtriotyceseudbisntgituatsioinn. mL:StX(mL)6={e} thepreviouscasewegetR = N−3P M(j)=1−P (N)− 2 j=1 M M P (N −1)−P (N −2), |KP|=N!/2 and |K |= N . log(|K|) PML(mL) (1) M3. Let d be aMpositive integer. We will considmearxmess(cid:0)a3g(cid:1)es mL:StX(mL)6={e} of length L = kd,k ≥ 1. Since the message source is The fact thatthe message source is memorylessimpliesfor memoryless it is memoryless also over the cartesian product any Ω⊂M and (m1m2...mL)=mL ∈ΩL Md considered as an alphabet. L Let π ∈ S∆, where ∆ = {1,2,...,d}. Define a PML(mL)= PM(ml) mapping Tπ : Md → Md as Tπ(m1m2...md) d=ef XmL XmL Yl=1 mπ(1)mπ(2)...mπ(d).Sinceπ isasubstitution,itfollowsthat T is a substitution of Md. The set {T /π ∈ S } with π π ∆ =( P (m))L superposition operation is a group isomorphic to S and it M ∆ mX∈Ω is a subgroup of SMd. Let R = Pπ. Since Tπ ∈ St(mL) for any mL ∈ [F(π)]L Furthermore it is well known that any π ∈ S∆∗ can be then [F(π)]L ⊂{mL ∈ML/St(mL)6={e}}. Therefore the represented as a superposition of disjoint cycles in a unique way to the order of multipliers. A partition of ∆ corresponds following inequality holds: to this representationand it is notdificultto see that the fixed RL =( PM(m))L = PML(mL)≤ setF(Tπ)consistsofexactlythosemd ∈Mdwhoselettersin m∈XF(π) mL∈X[F(π)]L numberedplacesbelongingto thesame subsetofthe partition of∆, coincide.Therefore,ifwe takeρ∈S∗ differentfromπ ∆ PML(mL) (2) suchthatthepartitionof∆detrminedbyρis”moredetailed”, mL:StX(mL)6={e} then the inclusion F(Tπ) ⊂ F(Tρ) holds. The latter shows that those T are maximal for which π is represented as a On the other hand, if for some mL,St(mL) 6= {e} holds, π superposition of one cycle of length 2 and disjoint to this then there exists a maximal key τ such that mL ∈ [F(τ)]L. cycle identity substitution, i.e. π is a transposition. Therefore we have: Takingintoaccounttheaboveconsiderationsitcanbeeasily PML(mL)≤ computed the rate R3 = Nj=1PM2 (j), the order of subgroup mL:StX(mL)6={e} |K| = d! and the numberPof the maximal keys |Kmax| = d2 (cid:0) (cid:1) 3 for this case. Finally, we note that inequalities of Theorem2.5 now become: d log(2)Rk ≤H(K|MkdCkd)≤log(d!) Rk 3 (cid:18)2(cid:19) 3 4.Letnow,thealphabetMbeafinitefieldwith|M|=N, where N is a power of prime number. Let K be the group of affine transformations g :y =ax+b; a,b∈M,a6=0 Obviously, each affine transformation y = ax + b,a 6= 1 possesses just one fixed point x = b/(1 − a) and when f b runs through M the same does x . Moreover translations f y = x+b,b 6= 0 do not possess any fixed points. Thus, we have R = max{P (n)/n ∈ M}, |K| = N(N −1) and 4 M |K |=N(N −2). max IV. CONCLUSIONS Despite that during the past three decades mainly compu- tational aspects of cryptology have been developped, there is stillplaceforinformation-theoreticinvestigations.Anexample in this direction is the theorem from the present paper which justifies mathematically the intuitive understanding that the recovery of the key in known-plaintext attack on substitution ciphers is more difficult when this key possesses many fixed points. V. ACKNOWLEDGMENT ThisresearchwassupportedinpartbyMinistryofInforma- tion and Communication (MIC) Korea under the IT Foreign Specialist Inviting Program (ITSIP), ITSOC, International CooperativeResearchbyMinistryofScienceandTechnology, KOTEF, and 2nd stage Brain Korea 21. REFERENCES [1] DunhamJ.G.,BoundsonMessageEquivocationforSimpleSubstitution Ciphers,IEEETrans.Inform.Theory,volIT-26,pp.522-527,September 1980. [2] Shannon C.E.,Communication Theory of Secrecy Systems, Bell Syst. Tech.J.,vol.28,pp.656-715, October1949. [3] Hellman M.E.,Anextension of the Shannon theory approach to cryp- tography, IEEE Trans. Inform. Theory, vol IT-23, pp. 289-294, May 1977. [4] BlomR.J.,Boundsonkeyequivocation forsimplesubstitutionciphers, IEEETrans.Inform.Theory,volIT-25,pp.8-18,January1979. [5] Sgarro A., Error Probabilities for Simple Substitution Ciphers, IEEE Trans.Inform.Theory,volIT-29,pp.190-197,March1983. [6] Gallager R., Information Theory and Reliable Communication, New York:Wiley,1968.