An application of the O'Nan-Scott theorem to the group generated by the round functions of an AES-like cipher
In a previous paper, we had proved that the permutation group generated by the round functions of an AES-like cipher is primitive. Here we apply the O'Nan Scott classification of primitive groups to prove that this group is the alternating group.
Authors: A. Caranti, F. Dalla Volta, M. Sala
1. Introduction

According to Shannon [Sha49, p. 657], a cipher "is defined abstractly as a set of transformations". Coppersmith and Grossman [CG75], and later in 1988 Kaliski, Rivest and Sherman [KRS88], called attention to the group generated by a cipher. One of the motivations for the work of Kaliski et al. is that at that time Triple DES was being suggested as an improvement to DES. This meant replacing the use of a single DES transformation $T_a$, where $a$ is a key, with the composition $T_a T_b T_c$, where $a, b, c$ are three DES keys. If it was the case that the transformations of DES form a group, then Triple DES would have been of course no more than DES itself. More generally, Kaliski et al. showed that if the group generated by the transformations of a cipher is too small, then the cipher is exposed to certain cryptanalytic attacks. It was later proved by Wernsdorf [Wer93] that the group generated by the round functions of DES (which are even permutations) is the alternating group. This implies that the group generated by the DES transformations with independent subkeys is also the alternating group. (We are not aware of any work in this context that tries to take account of the key schedule.) Wernsdorf used ad hoc methods in [Wer02] to prove that the permutation group $G$ generated by the round functions of AES is the alternating group. (Here, too, these functions are even permutations.)
Sparr and Wernsdorf have recently given another, permutation group theoretic proof in [SW08]. The goal of this paper is to give a different proof of this fact, building upon our earlier paper [CDVS08]. There we had proved that the group $G$ is primitive. In the course of doing that we answered a question of Paterson [Pat99] about the possibility of embedding a trapdoor in a cipher by having the group generated by the cipher act imprimitively.

In this paper we work under certain cryptographic assumptions (see Section 2) that are a stripped down, simplified version of those of [CDVS08]. (These are also satisfied by AES.) We first give, for the convenience of the reader, a short group-theoretic version of the main result of [CDVS08] under these assumptions. We then appeal to the O'Nan-Scott classification of primitive groups to prove that the group generated by the round functions of a cryptosystem satisfying our assumptions is the alternating group.

We are very grateful to Ralph Wernsdorf for several useful suggestions.

Date: 15 March 2009.
2000 Mathematics Subject Classification. Primary 94A60; secondary 20B15 20E22.
Key words and phrases. cryptosystems, Rijndael, AES, groups generated by round functions, primitive groups, O'Nan-Scott, wreath products, affine groups.
First author partially supported by MIUR-Italy via PRIN 2006014340-002 "Lie algebras and rings. Groups. Cryptography". Second author partially supported by MIUR-Italy via PRIN 2007 "Group theory and applications".

2. Preliminaries

In the rest of the paper, we tend to adopt the notation of [DR02]. Let $V = V(d, 2)$, the vector space of dimension $d$ over the field $\mathrm{GF}(2)$ with two elements, be the state (or message) space. $V$ has $n = 2^d$ elements. For any $v \in V$, consider the translation by $v$, that is the map $\sigma_v : V \to V$, $w \mapsto w + v$.
In particular, $\sigma_0$ is the identity map on $V$. The set $T = \{ \sigma_v : v \in V \}$ is an elementary abelian, regular subgroup of $\mathrm{Sym}(V)$. In fact, the map
$$(2.1)\qquad V \to T, \quad v \mapsto \sigma_v$$
is an isomorphism of the additive group $V$ onto the multiplicative group $T$.

We consider a key-alternating block cipher (see Section 2.4.2 of [DR02]) which consists of a fixed number of iterations of a function of the form $\rho\sigma_k$, where $k \in V$. Such a function is called a round function, and the parameter $k$ is called the round key. (We write maps left-to-right, so $\rho$ operates first.) Here $\rho$ is a fixed permutation operating on the vector space $V$. Therefore each round consists of an application of $\rho$, followed by a key addition. This covers for instance AES with independent subkeys.

Let $G = \langle \rho\sigma_k : k \in V \rangle$ be the group of permutations of $V$ generated by the round functions. Choosing $k = 0$ we see that $\rho \in G$, and thus $T \le G$. It follows that $G = \langle T, \rho \rangle$.

We assume $\rho = \gamma\lambda$, where $\gamma$ and $\lambda$ are permutations. Here $\gamma$ is a bricklayer transformation, consisting of a number of S-boxes. The message space $V$ is written as a direct sum $V = V_1 \oplus \cdots \oplus V_{n_t}$, $n_t > 1$, where each $V_i$ has the same dimension $m > 1$ over $\mathrm{GF}(2)$. As $n_t > 1$, this implies that $d = m n_t$ is not a prime number. For $v \in V$, we will write $v = v_1 + \cdots + v_{n_t}$, where $v_i \in V_i$. Also, we consider the projections $\pi_i : V \to V_i$, which map $v \mapsto v_i$. We have $v\gamma = v_1\gamma_1 \oplus \cdots \oplus v_{n_t}\gamma_{n_t}$, where the $\gamma_i$ are S-boxes, which we allow to be different for each $V_i$. $\lambda$ is a linear function (usually called a linear mixing layer). The only assumption we will be making about $\lambda$ is Cryptographic Assumption (3) below.
In AES the S-boxes are all equal, and consist of inversion in the field $\mathrm{GF}(2^8)$ with $2^8$ elements (see later in this paragraph), followed by an affine transformation, that is, a linear transformation, followed by a translation. When interpreting AES in our scheme, we take advantage of the well-known possibility of moving the linear part of the affine transformation to the linear mixing layer, and incorporating the translation in the key addition (see for instance [MR02]). Thus in our scheme for AES we have $m = 8$, we identify each $V_i$ with $\mathrm{GF}(2^8)$, and we take $x\gamma_i = x^{2^8 - 2}$, so that $\gamma_i$ maps nonzero elements to their inverses, and zero to zero. As usual we will simply say that $\gamma_i$ acts by inversion.

We will work under the following

Cryptographic Assumptions. Consider an AES-like cryptosystem as described above, which satisfies the following conditions.
(1) $0\gamma = 0$ and $\gamma^2 = 1$, the identity transformation.
(2) There is $1 \le r < m/2$ such that the following hold.
  (a) For all $0 \ne v \in V_i$, the image of the map $V_i \to V_i$, which maps $x \mapsto (x + v)\gamma_i + x\gamma_i$, has size greater than $2^{m-r-1}$, and it is not a coset of a subspace.
  (b) There is no subspace of $V_i$, invariant under $\gamma_i$, of codimension less than or equal to $2r$.
(3) There are no subspaces $U, U', U''$ (except $\{0\}$ and $V$) that are the sum of some of the $V_i$, and such that $U\lambda = U'$ and $U'\lambda = U''$.

In [CDVS08] we have proved under certain abstract and general assumptions a result that specializes to the following:

Theorem 1. Suppose a cryptosystem satisfies the Cryptographic Assumptions. Then the group $G$ generated by its round functions acts primitively on the message space $V$.

We give a short, group-theoretic proof of this in Section 3. This we do for the convenience of the reader, as we will need to refer to part of the proof in Section 6.
We are grateful to the referee of another paper for this proof.

In the rest of the paper we prove the following

Theorem 2. Suppose a cryptosystem satisfies the Cryptographic Assumptions. Then the group $G$ generated by its round functions is the alternating group $\mathrm{Alt}(V)$. The same holds for the group generated by the cryptosystem with independent subkeys.

A word about the parity of the group $G$ is in order here. Over $V = V(d, 2)$, non-trivial translations are clearly involutions without fixed points, and thus even permutations. Also, for $d > 2$ the group $\mathrm{GL}(d, 2) = \mathrm{SL}(d, 2)$ is perfect, so that in particular it has no (normal) subgroup of order 2, and it is thus contained in $\mathrm{Alt}(V)$. We now show that $\gamma$ is also even, so that $G \le \mathrm{Alt}(V)$. In fact, $\gamma$ is the product of $n_t$ permutations $g_i$, acting as $\gamma_i$ on $V_i$, and as the identity on $V_j$, $j \ne i$. This means that every 2-cycle in $\gamma_i$ gives rise to $2^{d-m}$ 2-cycles in $g_i$. Now the number $2^{d-m}$ is even, as $d - m = n_t m - m > m$, $n_t > 1$ by assumption, and $m > 2$ by Cryptographic Assumption (1). It follows that each $g_i$ is even, and thus so is $\gamma$. (The same argument proves that $\gamma$ is even, even without assuming that it is an involution, as we do here.)

Condition (1) is clearly satisfied by AES. As we said above, we take advantage here of the possibility of assuming that $\gamma$ is simply componentwise inversion. Condition (2a) is also well-known to be satisfied, with $r = 1$ (see [Nyb94] but also [DR06]), as the image of that map has size $2^7 - 1$. As to Condition (2b), it is also satisfied by AES with $r = 1$. For that, one could just use GAP [GAP05] to verify that the only nonzero subspaces of $\mathrm{GF}(2^8)$ which are invariant under inversion are the subfields.
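Conditions (1), (2a) and (2b) for the AES S-box core $\gamma_i : x \mapsto x^{2^8-2}$ can also be verified by exhaustive search in place of the GAP computation. The following script is an added example, not the authors' code: it builds $\mathrm{GF}(2^8)$ with the AES reduction polynomial $x^8 + x^4 + x^3 + x + 1$, takes $m = 8$ and $r = 1$ as in the text, and enumerates the subspaces of codimension 1 and 2 as kernels of linear functionals.

```python
from itertools import combinations

M = 8             # m: dimension of each V_i (AES: V_i = GF(2^8))
R = 1             # r: the paper's value of r for AES
AES_POLY = 0x11B  # AES reduction polynomial x^8 + x^4 + x^3 + x + 1

def gf_mul(a: int, b: int) -> int:
    """Multiply two elements of GF(2^8) = GF(2)[x]/(AES_POLY)."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a, b = (a << 1) ^ (AES_POLY if a & 0x80 else 0), b >> 1
    return result

def gf_pow(x: int, e: int) -> int:
    """x^e in GF(2^8) by square-and-multiply (0^e = 0 for e > 0)."""
    result = 1
    while e:
        if e & 1:
            result = gf_mul(result, x)
        x, e = gf_mul(x, x), e >> 1
    return result

# gamma_i as a lookup table: x -> x^(2^8 - 2), i.e. inversion with 0 -> 0.
GAMMA = [gf_pow(x, (1 << M) - 2) for x in range(1 << M)]

def check_assumption_1() -> bool:
    """(1): 0 gamma = 0 and gamma^2 = 1 (an involution fixing 0)."""
    return GAMMA[0] == 0 and all(GAMMA[GAMMA[x]] == x for x in range(1 << M))

def difference_image(v: int) -> set:
    """Image of the map V_i -> V_i, x -> (x + v) gamma_i + x gamma_i."""
    return {GAMMA[x ^ v] ^ GAMMA[x] for x in range(1 << M)}

def is_coset_of_subspace(s: set) -> bool:
    """A subset of GF(2)^m is a coset of a subspace iff translating it by
    one of its own elements gives a set closed under addition (XOR)."""
    s0 = next(iter(s))
    t = {x ^ s0 for x in s}
    return all((a ^ b) in t for a in t for b in t)

def check_assumption_2a() -> bool:
    """(2a) with r = R: for every nonzero v the difference image has more
    than 2^(m-r-1) elements and is not a coset of a subspace."""
    bound = 1 << (M - R - 1)
    for v in range(1, 1 << M):
        img = difference_image(v)
        if len(img) <= bound or is_coset_of_subspace(img):
            return False
    return True

# Every linear functional on GF(2)^m is x -> parity(a & x) for a unique a;
# KERNELS[a] is its kernel, a subspace of codimension 1 when a != 0.
KERNELS = [frozenset(x for x in range(1 << M) if bin(a & x).count("1") % 2 == 0)
           for a in range(1 << M)]

def is_gamma_invariant(sub) -> bool:
    return all(GAMMA[x] in sub for x in sub)

def invariant_subspaces_small_codim(max_codim: int) -> list:
    """(2b): gamma_i-invariant proper subspaces of V_i of codimension
    1..max_codim, as intersections of kernels of c distinct functionals."""
    found = set()
    for c in range(1, max_codim + 1):
        for fs in combinations(range(1, 1 << M), c):
            sub = frozenset.intersection(*(KERNELS[a] for a in fs))
            if len(sub) == 1 << (M - c) and is_gamma_invariant(sub):
                found.add(sub)
    return list(found)

def subfield(k: int) -> frozenset:
    """The subfield GF(2^k) of GF(2^8), i.e. the roots of x^(2^k) = x."""
    return frozenset(x for x in range(1 << M) if gf_pow(x, 1 << k) == x)

if __name__ == "__main__":
    print("(1) holds:", check_assumption_1(), " (2a) holds:", check_assumption_2a())
    print("(2b) invariant subspaces of codim <= 2r:", invariant_subspaces_small_codim(2 * R))
    print("check: GF(16), codim 4, is invariant:", is_gamma_invariant(subfield(4)))
```

The last line is a sanity check of the search rather than part of Condition (2b): the subfield $\mathrm{GF}(16)$ has codimension 4 and is inversion-closed, consistent with the statement that the invariant subspaces are exactly the subfields.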
However, this can also be derived from a more general result of [GGSZ06] and [Mat07], which states that the only nonzero additive subgroups of $\mathrm{GF}(2^m)$, which contain the inverse of all of their nonzero elements, are the subfields.

Condition (3) follows from the properties of the components MixColumns [DR02, 3.4.3] and ShiftRows [DR02, 3.4.2] of the linear mixing layer (which are not altered by the fact that we have incorporated in it the linear part of the S-boxes). In fact, suppose, without loss of generality, that $U \supseteq V_1$. Then $U'$ contains the whole first column of the state, and $U'' = V$, a contradiction. This argument is a vestigial form of the Four-Round Propagation Theorem [DR02, 9.5.1].

3. Primitivity

In this section we give a proof of Theorem 1. Suppose for a contradiction that $G = \langle T, \rho \rangle$ is imprimitive on $V$, so that any block system for $G$ is given by the cosets of some subspace $U$ of $V$. This is because, as is proved in [CDVS08], a block system for $G$ is also a block system for the group $T$ of translations. Now $\rho = \gamma\lambda$, with $\lambda$ linear, and $0\gamma = 0$. Thus $U\rho = U$, and $U' = U\gamma = U\lambda^{-1}$ is a subspace.

Suppose firstly that $U = V_{i_1} \oplus \cdots \oplus V_{i_l}$ is a direct sum of some of the subspaces $V_i$ ($l < n_t$). Then $U' = U\gamma = U$, so that $U' = U$ is $\lambda$-invariant; this contradicts Cryptographic Assumption (3).

Thus there exists $i$ such that $U \not\supseteq V_i$, but there is $u \in U$ such that its $i$-th component $u_i \in V_i$ is nonzero. We claim that $U \cap V_i$ is nonzero. Take any $v \in V_i$. Then $(u + v)\gamma + v\gamma \in U'$, so that $u\gamma + (u + v)\gamma + v\gamma \in U'$. The latter element has all zero components, except possibly the $i$-th one, which is $u_i\gamma_i + (u_i + v)\gamma_i + v\gamma_i \in U' \cap V_i$.
Were the latter zero for all $v \in V_i$, then the map $V_i \to V_i$ that maps $v \mapsto (u_i + v)\gamma_i + v\gamma_i$ would be constant, thus contradicting Cryptographic Assumption (2a).

Thus there exists $i$ such that both $U_i = U \cap V_i$ and $U'_i = (U_i)\gamma_i = U' \cap V_i$ are nonzero, proper subspaces of $V_i$ of the same dimension, and $\gamma_i : V_i/U_i \to V_i/U'_i$. If $x \in V_i$, and $v \in U_i$, $v \ne 0$, then $x + v$ and $x$ are in the same coset of $U_i$, so $(x + v)\gamma_i$ and $x\gamma_i$ are in the same coset of $U'_i$. Thus the set $\{ (x + v)\gamma_i + x\gamma_i : x \in V_i \}$ is a subset of $U'_i$, and by Cryptographic Assumption (2a) $U_i$ and $U'_i$ have size greater than $2^{m-r-1}$, that is to say dimension at least $m - r$ or equivalently codimension at most $r$. The codimension of $U_i \cap U'_i$ is therefore at most $2r$, so $U_i \cap U'_i$ cannot be $\gamma_i$-invariant because of Cryptographic Assumption (2b). This means there exists $z \in U_i \cap U'_i$ such that $z\gamma_i \notin U_i \cap U'_i$, so $z\gamma_i \notin U_i$, as $z\gamma_i \in U'_i$. However, $U'_i$ is the image of $U_i$ under the bijective map $\gamma_i$, so $z = z\gamma_i^2 \notin U'_i$, as $z\gamma_i \notin U_i$. Thus $z \notin U_i \cap U'_i$, which is a contradiction.

4. O'Nan-Scott

In this section we prove Theorem 2. We first state the O'Nan-Scott classification of primitive groups for the case of the maximal primitive subgroups of the symmetric group. We give the result for the symmetric group of degree $q^n$, where $q$ is a power of a prime number $p$.

Theorem 3. [Cam99, Theorem 4.8] Suppose $q$ is a power of the prime $p$. A maximal primitive subgroup $G$ of $\mathrm{Sym}(q^n)$ is one of the following:
(1) affine, that is, $G = \mathrm{AGL}(d, p)$, $p^d = q^n$, for some $d$;
(2) primitive non-basic, that is, a wreath product $G = \mathrm{Sym}(k) \wr \mathrm{Sym}(r)$ in product action, $k^r = q^n$, $k \ne 2$, $r > 1$;
(3) almost simple, that is, $S \le G \le \mathrm{Aut}(S)$, for a nonabelian simple group $S$.

Note that in our context $p = 2$.
It is convenient to use a refinement of the O'Nan-Scott theorem, due to Cai Heng Li [Li03], for the special case when $G$ contains an abelian regular subgroup $T$; in our case, this is the group of translations.

Theorem 4. [Li03, Theorem 1.1] Let $G$ be a primitive group of degree $2^d$, with $d \ge 1$. Suppose $G$ contains a regular abelian subgroup $T$. Then $G$ is one of the following:
(1) affine, that is, $G \le \mathrm{AGL}(d, 2)$;
(2) $G = (S_1 \times \cdots \times S_r).O.P$, with $2^d = m^r$ for some $m$ and $r > 1$. Here $T = T_1 \times \cdots \times T_r$, with $T_i < S_i \cong \mathrm{Alt}(m)$ for each $i$, $O \le \mathrm{Out}(S_1) \times \cdots \times \mathrm{Out}(S_r)$, and $P$ permutes transitively the $S_i$;
(3) almost simple, that is, $S \le G \le \mathrm{Aut}(S)$, for a nonabelian simple group $S$.

To prove the first statement of Theorem 2 we need to deal with the three possible cases of Theorem 4.

Case (1) is treated in Section 5. An important observation of Li [Li03] is in order here. If $V$ is a vector space, with addition $+$, then the symmetric group $\mathrm{Sym}(V)$ contains the affine group $\mathrm{AGL}(V) = T\,\mathrm{GL}(V)$, where $T$ is the group of translations. But $\mathrm{Sym}(V)$ also contains the conjugates of $\mathrm{AGL}(V)$, which are still affine groups on the set $V$, but possibly with respect to an operation $\circ$ different from $+$. In particular the group $T$ of translations may be contained in one of these conjugates, where it will be an abelian regular subgroup. We have studied this situation in [CDVS06], and we will be exploiting these results in Section 5.

Case (2) will be dealt with in Section 6.

In the almost simple case (3), the intersection of a one-point stabilizer in $G$ with $S$ is a proper subgroup of $S$ of index $2^d$, since the nontrivial normal subgroup $S$ of the primitive group $G$ is transitive.
We can thus appeal (as Li does) to a particular case of a result of Guralnick [Gur83], which states that the only nonabelian simple groups that have a subgroup of index of the form $2^d$ are either the alternating groups $S = \mathrm{Alt}(2^d)$, with $d > 2$, or the groups $\mathrm{PSL}(f, q)$, where $q$ is a prime power, and $f$ is prime, $(q^f - 1)/(q - 1) = 2^d$. We rule out the second possibility as follows. Since $(q^f - 1)/(q - 1) = q^{f-1} + q^{f-2} + \cdots + q + 1 \equiv f \pmod 2$, we have $f = 2$ here, and $q = 2^d - 1$. Well-known elementary arguments yield that $q$ and $d$ are prime. However, $d = n_t m$ is not prime, as $n_t > 1$ by assumption, and as noted earlier $m > 2$ by Cryptographic Assumption (1).

Clearly $\mathrm{Aut}(\mathrm{Alt}(2^d)) = \mathrm{Sym}(2^d)$ here, so $G$ is either the alternating or the symmetric group. Since we have shown in Section 2 that $G \le \mathrm{Alt}(V)$, we obtain $G = \mathrm{Alt}(V)$.

To prove the second statement of Theorem 2, we then appeal to a standard argument: if the nonabelian simple group $G$ is generated by a subset $S$, then for any fixed $r$ the set $S' = \{ s_1 s_2 \ldots s_r : s_i \in S \}$ of $r$-fold products of elements of $S$ generates a nontrivial normal subgroup of $G$, and thus $S'$ also generates $G$. In our context $S$ is the set of the round functions for all possible subkeys, and $r$ is the number of rounds, so that $S'$ is the set of the transformations of the cryptosystem with independent subkeys.

5. The affine case

Suppose $G$ is contained in an affine subgroup of $\mathrm{Sym}(V)$. By the theory of [CDVS06], there is a structure of an associative, commutative, nilpotent ring $(V, \circ, \cdot, 0)$ on $V$, such that $(V, \circ, 0)$ is a vector space over the field with two elements, and ordinary addition on $V$ is expressed as $x + y = x \circ y \circ xy$, for $x, y \in V$. Moreover, $G$ acts as a group of affine transformations on $(V, \circ, 0)$.
As both $(V, \circ, 0)$ and $(V, +, 0)$ are elementary abelian, we have
$$0 = x + x = x \circ x \circ xx = 0 \circ x^2 = x^2$$
for all $x \in V$. It follows
$$x + y + xy = (x \circ y \circ xy) \circ xy \circ (x \circ y \circ xy) \cdot xy = x \circ y \circ xy \circ xy \circ x^2 y \circ x y^2 \circ x^2 y^2 = x \circ y.$$
Here we have used the fact that $\cdot$ distributes over $\circ$.

Now $\rho \in G$ is linear with respect to $\circ$, that is $(x \circ y)\rho = x\rho \circ y\rho$ for all $x, y \in V$. Choose $0 \ne y \in U = \{ z \in V : xz = 0 \text{ for all } x \in V \}$. (The latter set is different from $\{0\}$, as the ring $(V, \circ, \cdot, 0)$ is nilpotent.) Then
$$(5.1)\qquad (x + y)\rho = (x \circ y)\rho = x\rho \circ y\rho = x\rho + y\rho + x\rho \cdot y\rho.$$
Now note that given $x \in V$, the set $xV = \{ xz : z \in V \}$ is a subspace with respect to $\circ$, as $\cdot$ distributes over $\circ$; and also a subspace with respect to $+$, as $xz_1 + xz_2 = xz_1 \circ xz_2 \circ x^2 z_1 z_2 = xz_1 \circ xz_2$. It follows from (5.1) that for $0 \ne y \in U$ we have
$$\{ (x + y)\rho + x\rho : x \in V \} = y\rho + y\rho V.$$
The right hand side is a coset of a subspace of $V$ with respect to $+$. Now $\lambda$ (and its inverse) are linear with respect to $+$. Applying $\lambda^{-1}$ we obtain that $\{ (x + y)\gamma + x\gamma : x \in V \}$ is also a coset of a subspace of $V$ with respect to $+$. Choose an index $i$ so that the component $y_i \in V_i$ of $y$ is nonzero. Then we have that the projection on $V_i$ of the previous set, $\{ (x + y_i)\gamma + x\gamma : x \in V_i \}$, is a coset of a subspace of $V_i$ with respect to $+$. This contradicts Cryptographic Assumption (2a).

6. Wreath product in product action

Here we deal with the case when $G = (S_1 \times \cdots \times S_r).O.P$, with $2^d = k^r$ for some $k$ and $r > 1$. Here $T = T_1 \times \cdots \times T_r$, where $|T_i| = k$ and $T_i < S_i \cong \mathrm{Alt}(k)$ for each $i$, $O \le \mathrm{Out}(S_1) \times \cdots \times \mathrm{Out}(S_r)$, and $P$ permutes transitively the $S_i$ by conjugation. It follows that $S_1 \times \cdots \times S_r = \mathrm{Soc}(G)$.

Note that if $k = 2$ or $4$, so that $S_i \cong \mathrm{Alt}(2)$ or $\mathrm{Alt}(4)$, the group $T$ of translations is normal in $G$, so that $G \le \mathrm{AGL}(V)$.
This contradicts the non-linearity of $\gamma$, which follows from Cryptographic Assumption (2a). Thus we will assume $k > 4$ in the rest of this section.

Note that $G = \langle T, \rho \rangle$, and $T \le \mathrm{Soc}(G)$, so that $G/\mathrm{Soc}(G)$ is cyclic, spanned by $\rho$. Since $P$ permutes transitively the $S_i$, it follows that $\rho$ permutes cyclically the $S_i$ by conjugation, that is, we may rename indices so that $S_i^\rho = \rho^{-1} S_i \rho = S_{i+1}$ for each $i$ (and indices are taken modulo $r$).

Since each $T_i$ is a group of translations, $W_i = 0T_i \subseteq 0S_i$ is a subspace of $V$, of order $k$. Since $0S_i$ also has order $k$, $0T_i = 0S_i$. Clearly each element $v \in V$ can be written uniquely in the form $v = 0t$, for $t \in T$. Thus $v = 0 t_1 t_2 \ldots t_r = 0t_1 + 0t_2 + \cdots + 0t_r$ for unique $t_i \in T_i$, and $V = W_1 \oplus W_2 \oplus \cdots \oplus W_r$. For each $i$ we have also
$$W_i\rho = 0 S_i \rho = 0 S_{i+1}^{\rho^{-1}} \rho = 0\rho S_{i+1} = 0 S_{i+1} = W_{i+1},$$
as $0\rho = 0$. Thus $\rho$ permutes cyclically the $W_i$.

Now let $v \in V$, and write it as $v = w_1 + \cdots + w_r$ where $w_i \in W_i$. Let $t_i \in T_i$ be such that $w_i = 0t_i$. Since the $t_i$ are translations, we have $v = 0t_1 + 0t_2 + \cdots + 0t_r = 0 t_1 t_2 \ldots t_r$. We have $v\rho = 0 t_1 t_2 \ldots t_r \rho = 0 t_1^\rho t_2^\rho \ldots t_r^\rho$, as $0\rho^{-1} = 0$. Since $t_i^\rho \in S_i^\rho = S_{i+1}$, there are $t'_i \in T_i$ such that $0 t_i^\rho = 0 t_i \rho = 0 t'_{i+1} \in W_{i+1}$, and because $S_i$ and $S_j$ commute elementwise, we have
$$v\rho = 0 t_1^\rho t_2^\rho \ldots t_r^\rho = 0 t'_2 t_2^\rho \ldots t_r^\rho = 0 t_2^\rho t'_2 \ldots t_r^\rho = 0 t'_3 t'_2 \ldots t_r^\rho = 0 t'_2 t'_3 \ldots t_r^\rho = \ldots = 0 t'_2 t'_3 \ldots t'_1 = 0t'_1 + 0t'_2 + \cdots + 0t'_r = 0 t_r \rho + 0 t_1 \rho + \cdots + 0 t_{r-1} \rho = w_1\rho + w_2\rho + \cdots + w_r\rho.$$
Now fix an index $i$, and take $u \in W_i$.
We have from the above
$$v\rho = (w_1 + w_2 + \cdots + w_r)\rho = w_1\rho + w_2\rho + \cdots + w_r\rho,$$
where $w_i\rho \in W_{i+1}$, and also
$$(v + u)\rho = w_1\rho + \cdots + (w_i + u)\rho + \cdots + w_r\rho$$
with $(w_i + u)\rho \in W_{i+1}$. It follows
$$(6.1)\qquad (v + u)\rho + v\rho = w_i\rho + (w_i + u)\rho \in W_{i+1}.$$
Now $\rho = \gamma\lambda$, where $\lambda$ is linear. Applying $\lambda^{-1}$ to both sides of (6.1) we get $(v + u)\gamma + v\gamma \in W_{i+1}\lambda^{-1}$. In other words, there are subspaces $W_i$, $W_{i+1}\lambda^{-1}$ of $V$ of the same dimension such that when the input difference to $\gamma$ is in the first one, then the output difference is in the second one. By the arguments of Section 3 (with $U = W_i$ and $U' = W_{i+1}\lambda^{-1}$), it follows that $W_i$ is the direct sum of some of the $V_j$, for each $i$. Thus $W_2 = W_1\rho = W_1\lambda$ and $W_3 = W_2\lambda$, contradicting Cryptographic Assumption (3).

References

[Cam99] Peter J. Cameron, Permutation groups, London Mathematical Society Student Texts, vol. 45, Cambridge University Press, Cambridge, 1999. MR 2001c:20008
[CDVS06] A. Caranti, F. Dalla Volta, and M. Sala, Abelian regular subgroups of the affine group and radical rings, Publ. Math. Debrecen 69 (2006), no. 3, 297–308. MR 2273982 (2007j:20001)
[CDVS08] A. Caranti, F. Dalla Volta, and M. Sala, On some block ciphers and imprimitive groups, http://arxiv.org/abs/math/0806.4135, 2008.
[CG75] Don Coppersmith and Edna Grossman, Generators for certain alternating groups with applications to cryptography, SIAM J. Appl. Math. 29 (1975), no. 4, 624–627. MR 0495175 (58 #13909)
[DR02] Joan Daemen and Vincent Rijmen, The design of Rijndael, Information Security and Cryptography, Springer-Verlag, Berlin, 2002, AES—the advanced encryption standard. MR 1986943 (2006b:94025)
[DR06] Joan Daemen and Vincent Rijmen, Two-round AES differentials, IACR e-print eprint.iacr.org/2006/039.pdf, 2006.
[GAP05] The GAP Group, GAP – Groups, Algorithms, and Programming, Version 4.4, 2005, (http://www.gap-system.org).
[GGSZ06] Daniel Goldstein, Robert M. Guralnick, Lance Small, and Efim Zelmanov, Inversion invariant additive subgroups of division rings, Pacific J. Math. 227 (2006), no. 2, 287–294. MR 2263018 (2007i:17041)
[Gur83] Robert M. Guralnick, Subgroups of prime power index in a simple group, J. Algebra 81 (1983), no. 2, 304–311. MR 84m:20007
[KRS88] Burton S. Kaliski, Jr., Ronald L. Rivest, and Alan T. Sherman, Is the data encryption standard a group? (Results of cycling experiments on DES), J. Cryptology 1 (1988), no. 1, 3–36. MR 935899 (89f:94017)
[Li03] Cai Heng Li, The finite primitive permutation groups containing an abelian regular subgroup, Proc. London Math. Soc. (3) 87 (2003), no. 3, 725–747. MR 2005881 (2004i:20003)
[Mat07] Sandro Mattarei, Inverse-closed additive subgroups of fields, Israel J. Math. 159 (2007), 343–347. MR 2342485
[MR02] Sean Murphy and Matthew J. B. Robshaw, Essential algebraic structure within the AES, Advances in cryptology—CRYPTO 2002, Lecture Notes in Comput. Sci., vol. 2442, Springer, Berlin, 2002, pp. 1–16. MR 2054809 (2005a:94064)
[Nyb94] Kaisa Nyberg, Differentially uniform mappings for cryptography, Advances in cryptology—EUROCRYPT '93 (Lofthus, 1993), Lecture Notes in Comput. Sci., vol. 765, Springer, Berlin, 1994, pp. 55–64. MR 1290329 (95e:94039)
[Pat99] Kenneth G. Paterson, Imprimitive permutation groups and trapdoors in iterated block ciphers, Fast Software Encryption: 6th International Workshop, FSE'99, Rome (L. Knudsen, ed.), Lecture Notes in Computer Science, vol. 1636, Springer-Verlag, Heidelberg, March 1999, pp. 201–214.
[Sha49] C. E. Shannon, Communication theory of secrecy systems, Bell System Tech. J. 28 (1949), 656–715. MR 0032133 (11,258d)
[SW08] Rüdiger Sparr and Ralph Wernsdorf, Group theoretic properties of RIJNDAEL-like ciphers, Discrete Appl. Math. 156 (2008), no. 16, 3139–3149, doi:10.1016/j.dam.2007.12.011.
[Wer93] Ralph Wernsdorf, The one-round functions of the DES generate the alternating group, Advances in cryptology—EUROCRYPT '92 (Balatonfüred, 1992), Lecture Notes in Comput. Sci., vol. 658, Springer, Berlin, 1993, pp. 99–112. MR 1243663 (94g:94031)
[Wer02] Ralph Wernsdorf, The round functions of RIJNDAEL generate the alternating group, Proceedings of the 9th International Workshop on Fast Software Encryption, Lecture Notes in Computer Science, vol. 2365, Springer-Verlag, Heidelberg, 2002, FSE2002, Leuven, Belgium, February 2002, pp. 143–148.

(A. Caranti) Dipartimento di Matematica, Università degli Studi di Trento, via Sommarive 14, I-38050 Povo (Trento), Italy
E-mail address: andrea.caranti@unitn.it
URL: http://science.unitn.it/~caranti/

(F. Dalla Volta) Dipartimento di Matematica e Applicazioni, Edificio U5, Università degli Studi di Milano–Bicocca, via Roberto Cozzi 53, I-20125 Milano, Italy
E-mail address: francesca.dallavolta@unimib.it
URL: http://www.matapp.unimib.it/~dallavolta/

(M. Sala) Dipartimento di Matematica, Università degli Studi di Trento, via Sommarive 14, I-38050 Povo (Trento), Italy
E-mail address: sala@science.unitn.it