Algebraic properties of generalized Rijndael-like ciphers
We provide conditions under which the set of Rijndael functions considered as permutations of the state space and based on operations of the finite field $\mathrm{GF}(p^k)$ ($p\geq 2$ a prime number) is not closed under functional composition. These conditions justify using a sequential multiple encryption to strengthen the AES (Rijndael block cipher with specific block sizes) in case AES became practically insecure. In Sparr and Wernsdorf (2008), R. Sparr and R. Wernsdorf provided conditions under which the group generated by the Rijndael-like round functions based on operations of the finite field $\mathrm{GF}(2^k)$ is equal to the alternating group on the state space. In this paper we provide conditions under which the group generated by the Rijndael-like round functions based on operations of the finite field $\mathrm{GF}(p^k)$ ($p\geq 2$) is equal to the symmetric group or the alternating group on the state space.
💡 Research Summary
The paper investigates the group‑theoretic structure of Rijndael‑like block ciphers when the underlying finite field is generalized from the binary field GF(2^k) to an arbitrary prime‑power field GF(p^k) with p ≥ 2. The authors first recall the classic AES construction: a state is an m × n matrix over the field, and each round consists of four operations – a non‑linear S‑box substitution, a row/column shift, a linear mixing transformation, and the addition of a round key. In the original work of Sparr and Wernsdorf (2008) it was shown that, for GF(2^k), the set of round functions generates the alternating group A_N on the set of all possible states, where N = p^{k·m·n} is the number of states (with p = 2 in that setting). This result guarantees that the cipher can realize essentially every even permutation of the state space, providing strong diffusion and resistance to certain algebraic attacks.
The present contribution extends this analysis to any prime p. The authors model the S‑box as a power map x ↦ x^e where e is coprime to p^k − 1, ensuring that the substitution is a bijection. They observe that the parity of the permutation induced by the S‑box depends on the parity of e relative to p. Specifically, when p is odd and e is even, the S‑box is an even permutation; when p = 2 or e is odd, the S‑box is odd. The linear mixing matrix M is required to be invertible (det M ≠ 0), which guarantees that the linear layer connects every coordinate of the state and that the composition with the key‑addition layer yields a transitive action on the state space.
Combining these observations, the authors derive precise conditions for the group G generated by the full set of Rijndael‑like round functions:
- Symmetric group S_N – If at least one round function is an odd permutation (e.g., p = 2 or e odd), then the generated group contains both even and odd permutations, and consequently G = S_N.
- Alternating group A_N – If p is odd and e is even, every round function is even, and the generated group is the alternating group A_N.
These results subsume the binary‑field case as a special instance and demonstrate that the algebraic closure properties of Rijndael‑like ciphers are not tied to the binary field alone.
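The parity criteria above rest on two checks a practitioner can reproduce directly: whether a power map x ↦ x^e is a bijection of GF(p^k), and what sign the resulting permutation (and the S-box layer it induces on a multi-cell state) has. The following script is an added example, not code from the paper; it computes the sign by cycle decomposition rather than assuming any parity rule, and the field polynomials, the exponents e and the state sizes used are constructed test parameters chosen small enough to enumerate.

```python
from math import gcd

def gf_mul(a, b, p, k, modulus):
    """Multiply in GF(p^k). Element = integer in [0, p^k), base-p digits = polynomial coeffs;
    modulus = coeffs of the defining monic irreducible polynomial, low first, leading 1 dropped."""
    da = [(a // p**i) % p for i in range(k)]
    db = [(b // p**i) % p for i in range(k)]
    prod = [0] * (2 * k - 1)
    for i, x in enumerate(da):
        for j, y in enumerate(db):
            prod[i + j] = (prod[i + j] + x * y) % p
    for d in range(2 * k - 2, k - 1, -1):  # fold x^d down using x^k = -modulus(x)
        for i in range(k):
            prod[d - k + i] = (prod[d - k + i] - prod[d] * modulus[i]) % p
    return sum(prod[i] * p**i for i in range(k))

def gf_pow(a, e, p, k, modulus):
    result, base = 1, a
    while e:  # square-and-multiply
        if e & 1:
            result = gf_mul(result, base, p, k, modulus)
        base, e = gf_mul(base, base, p, k, modulus), e >> 1
    return result

def power_map_perm(p, k, modulus, e):
    """S-box x -> x^e on GF(p^k) as a permutation list; bijective iff gcd(e, p^k - 1) == 1."""
    q = p**k
    if gcd(e, q - 1) != 1:
        raise ValueError(f"x^{e} is not a bijection on GF({p}^{k})")
    return [gf_pow(x, e, p, k, modulus) for x in range(q)]

def perm_sign(perm):
    """+1 for an even permutation, -1 for an odd one (from the cycle decomposition)."""
    seen, sign = [False] * len(perm), 1
    for start in range(len(perm)):
        length, i = 0, start
        while not seen[i]:  # walk the cycle through `start` (empty if already visited)
            seen[i], i, length = True, perm[i], length + 1
        if length and length % 2 == 0:  # an even-length cycle is an odd permutation
            sign = -sign
    return sign

def sbox_layer_perm(sbox, q, cells):
    """Apply `sbox` to every cell of a `cells`-cell state over a q-element field (state =
    integer with base-q digits as cells). Its sign is sign(sbox) ** (cells * q**(cells-1))."""
    perm = []
    for s in range(q**cells):
        digits = [(s // q**i) % q for i in range(cells)]
        perm.append(sum(sbox[c] * q**i for i, c in enumerate(digits)))
    return perm
```

Because the sign is multiplicative under composition, a cipher whose round functions are all even can only ever produce even permutations however many times it is iterated, which is the closure point behind the multiple-encryption discussion.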
The paper then discusses the cryptographic implications. In a scenario where a single encryption uses only even permutations (the alternating group), iterating the cipher (multiple encryption) does not enlarge the reachable permutation set, limiting the security gain from sequential encryption. Conversely, when the parameters are chosen so that the generated group is the full symmetric group, each additional encryption layer can introduce new odd permutations, dramatically expanding the effective key space and thwarting attacks that exploit algebraic structure. This observation provides a concrete justification for employing sequential multiple encryption as a mitigation strategy if AES or a related Rijndael‑like cipher were ever found to be practically insecure.
In summary, the authors provide a rigorous, field‑independent characterization of the permutation group generated by Rijndael‑like round functions, identify exact parity‑based criteria for obtaining either the symmetric or alternating group, and translate these findings into practical guidance for designing resilient block ciphers and for strengthening existing ones through carefully chosen multiple‑encryption schemes.