Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Permutation groups generated byround functions of

symmetric cryptosystems

A. Caranti1 F. Dalla Volta2 M. Sala31 F. Villani

1Dipartimento di MatematicaUniversità degli Studi di Trento

2Dipartimento di Matematica e ApplicazioniUniversità degli Studi di Milano Bicocca

3Boole CentreUniversity College Cork

Nottingham, 16 May 2007

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Outline

1 MotivationIs DES a group?Trapdoors via imprimitivity

2 Group theory at workImprimitivity of groups generated by round functionsInverse-closed subsets of (finite) fieldsHua and AES

3 Primitive GroupsO’Nan-ScottAbelian regular subgroups and radical rings

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Outline

1 MotivationIs DES a group?Trapdoors via imprimitivity

2 Group theory at workImprimitivity of groups generated by round functionsInverse-closed subsets of (finite) fieldsHua and AES

3 Primitive GroupsO’Nan-ScottAbelian regular subgroups and radical rings

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Keys and transformations

A secrecy system is defined abstractly as a set oftransformations of one space (the set of possiblemessages) into a second space (the set of possiblecryptograms).

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Keys and transformations

A secrecy system is defined abstractly as a set oftransformations of one space (the set of possiblemessages) into a second space (the set of possiblecryptograms). Each particular transformation ofthe set corresponds to enciphering with aparticular key.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Keys and transformations

A secrecy system is defined abstractly as a set oftransformations of one space (the set of possiblemessages) into a second space (the set of possiblecryptograms). Each particular transformation ofthe set corresponds to enciphering with aparticular key. The transformations are supposedreversible (non-singular) so that uniquedeciphering is possible when the key is known.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Keys and transformations

A secrecy system is defined abstractly as a set oftransformations of one space (the set of possiblemessages) into a second space (the set of possiblecryptograms). Each particular transformation ofthe set corresponds to enciphering with aparticular key. The transformations are supposedreversible (non-singular) so that uniquedeciphering is possible when the key is known.

C. E. Shannon,Communication theory of secrecy systems.Bell System Tech. J. 28 (1949), 656–715.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Keys and transformations

A secrecy system is defined abstractly as a set oftransformations of one space (the set of possiblemessages) into a second space (the set of possiblecryptograms). Each particular transformation ofthe set corresponds to enciphering with aparticular key. The transformations are supposedreversible (non-singular) so that uniquedeciphering is possible when the key is known.

C. E. Shannon,Communication theory of secrecy systems.Bell System Tech. J. 28 (1949), 656–715.

In the One-Time Pad

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Keys and transformations

A secrecy system is defined abstractly as a set oftransformations of one space (the set of possiblemessages) into a second space (the set of possiblecryptograms). Each particular transformation ofthe set corresponds to enciphering with aparticular key. The transformations are supposedreversible (non-singular) so that uniquedeciphering is possible when the key is known.

C. E. Shannon,Communication theory of secrecy systems.Bell System Tech. J. 28 (1949), 656–715.

In the One-Time Pad, given a key a

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Keys and transformations

A secrecy system is defined abstractly as a set oftransformations of one space (the set of possiblemessages) into a second space (the set of possiblecryptograms). Each particular transformation ofthe set corresponds to enciphering with aparticular key. The transformations are supposedreversible (non-singular) so that uniquedeciphering is possible when the key is known.

C. E. Shannon,Communication theory of secrecy systems.Bell System Tech. J. 28 (1949), 656–715.

In the One-Time Pad, given a key a, the correspondingtransformation is the translation v 7→ v + a, wherev ∈ V (d , 2) is a message.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Claude E. Shannon (1916–2001)

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Is DES a group?

B. S. Kaliski, Jr, R. L. Rivest, Alan T. Sherman,Is the Data Encryption Standard a group? (Results ofcycling experiments on DES).J. Cryptology 1, no. 1 (1988), 3–36.

• Let Ta be a DES transformation, corresponding to thekey a. The Ta are permutations of the message space,that is, elements of Sym(2d ).

• Suppose {Ta : a} is a group, that is, for all keys a, bthere is a key c such that TaTb = Tc. Then Triple DESwould make no sense, and DES would be exposed to ameet-in-the-middle attack. (Birthday paradox.)

• They perform experiments that suggest that DES is nota group.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Is DES a group?

B. S. Kaliski, Jr, R. L. Rivest, Alan T. Sherman,Is the Data Encryption Standard a group? (Results ofcycling experiments on DES).J. Cryptology 1, no. 1 (1988), 3–36.

• Let Ta be a DES transformation, corresponding to thekey a. The Ta are permutations of the message space,that is, elements of Sym(2d ).

• Suppose {Ta : a} is a group, that is, for all keys a, bthere is a key c such that TaTb = Tc. Then Triple DESwould make no sense, and DES would be exposed to ameet-in-the-middle attack. (Birthday paradox.)

• They perform experiments that suggest that DES is nota group.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Is DES a group?

B. S. Kaliski, Jr, R. L. Rivest, Alan T. Sherman,Is the Data Encryption Standard a group? (Results ofcycling experiments on DES).J. Cryptology 1, no. 1 (1988), 3–36.

• Let Ta be a DES transformation, corresponding to thekey a. The Ta are permutations of the message space,that is, elements of Sym(2d ).

• Suppose {Ta : a} is a group, that is, for all keys a, bthere is a key c such that TaTb = Tc. Then Triple DESwould make no sense, and DES would be exposed to ameet-in-the-middle attack. (Birthday paradox.)

• They perform experiments that suggest that DES is nota group.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Is DES a group?

B. S. Kaliski, Jr, R. L. Rivest, Alan T. Sherman,Is the Data Encryption Standard a group? (Results ofcycling experiments on DES).J. Cryptology 1, no. 1 (1988), 3–36.

• Let Ta be a DES transformation, corresponding to thekey a. The Ta are permutations of the message space,that is, elements of Sym(2d ).

• Suppose {Ta : a} is a group, that is, for all keys a, bthere is a key c such that TaTb = Tc. Then Triple DESwould make no sense, and DES would be exposed to ameet-in-the-middle attack. (Birthday paradox.)

• They perform experiments that suggest that DES is nota group.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Is DES a group?

B. S. Kaliski, Jr, R. L. Rivest, Alan T. Sherman,Is the Data Encryption Standard a group? (Results ofcycling experiments on DES).J. Cryptology 1, no. 1 (1988), 3–36.

• Let Ta be a DES transformation, corresponding to thekey a. The Ta are permutations of the message space,that is, elements of Sym(2d ).

• Suppose {Ta : a} is a group, that is, for all keys a, bthere is a key c such that TaTb = Tc. Then Triple DESwould make no sense, and DES would be exposed to ameet-in-the-middle attack. (Birthday paradox.)

• They perform experiments that suggest that DES is nota group.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Is DES a group?

B. S. Kaliski, Jr, R. L. Rivest, Alan T. Sherman,Is the Data Encryption Standard a group? (Results ofcycling experiments on DES).J. Cryptology 1, no. 1 (1988), 3–36.

• Let Ta be a DES transformation, corresponding to thekey a. The Ta are permutations of the message space,that is, elements of Sym(2d ).

• Suppose {Ta : a} is a group, that is, for all keys a, bthere is a key c such that TaTb = Tc. Then Triple DESwould make no sense, and DES would be exposed to ameet-in-the-middle attack. (Birthday paradox.)

• They perform experiments that suggest that DES is nota group.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Is DES a group?

B. S. Kaliski, Jr, R. L. Rivest, Alan T. Sherman,Is the Data Encryption Standard a group? (Results ofcycling experiments on DES).J. Cryptology 1, no. 1 (1988), 3–36.

• Let Ta be a DES transformation, corresponding to thekey a. The Ta are permutations of the message space,that is, elements of Sym(2d ).

• Suppose {Ta : a} is a group, that is, for all keys a, bthere is a key c such that TaTb = Tc. Then Triple DESwould make no sense, and DES would be exposed to ameet-in-the-middle attack. (Birthday paradox.)

• They perform experiments that suggest that DES is nota group.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Is DES a group?

B. S. Kaliski, Jr, R. L. Rivest, Alan T. Sherman,Is the Data Encryption Standard a group? (Results ofcycling experiments on DES).J. Cryptology 1, no. 1 (1988), 3–36.

• Let Ta be a DES transformation, corresponding to thekey a. The Ta are permutations of the message space,that is, elements of Sym(2d ).

• Suppose {Ta : a} is a group, that is, for all keys a, bthere is a key c such that TaTb = Tc. Then Triple DESwould make no sense, and DES would be exposed to ameet-in-the-middle attack. (Birthday paradox.)

• They perform experiments that suggest that DES is nota group.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Further work on DES

K. W. Campbell and M. J. Wiener,DES is not a group.Crypto ’92, LNCS 740, Springer, 1993, 512–520.

Ralph Wernsdorf,The one-round functions of the DES generate thealternating group.Eurocrypt ’92, LNCS 658, Springer, 1993, 99–112.

• Considers the transformations Ra induced by the roundfunctions of DES. These are even permutations.

• Not only they are not a group, but they do generate thelargest possible group Alt(n), of order n!/2.{Ra1Ra2 · · ·Rak } = Alt(n).

• Since Alt(n) is a simple group, it is also generated bythe full DES transformations with independent subkeys.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Further work on DES

K. W. Campbell and M. J. Wiener,DES is not a group.Crypto ’92, LNCS 740, Springer, 1993, 512–520.

Ralph Wernsdorf,The one-round functions of the DES generate thealternating group.Eurocrypt ’92, LNCS 658, Springer, 1993, 99–112.

• Considers the transformations Ra induced by the roundfunctions of DES. These are even permutations.

• Not only they are not a group, but they do generate thelargest possible group Alt(n), of order n!/2.{Ra1Ra2 · · ·Rak } = Alt(n).

• Since Alt(n) is a simple group, it is also generated bythe full DES transformations with independent subkeys.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Further work on DES

K. W. Campbell and M. J. Wiener,DES is not a group.Crypto ’92, LNCS 740, Springer, 1993, 512–520.

Ralph Wernsdorf,The one-round functions of the DES generate thealternating group.Eurocrypt ’92, LNCS 658, Springer, 1993, 99–112.

• Considers the transformations Ra induced by the roundfunctions of DES. These are even permutations.

• Not only they are not a group, but they do generate thelargest possible group Alt(n), of order n!/2.{Ra1Ra2 · · ·Rak } = Alt(n).

• Since Alt(n) is a simple group, it is also generated bythe full DES transformations with independent subkeys.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Further work on DES

K. W. Campbell and M. J. Wiener,DES is not a group.Crypto ’92, LNCS 740, Springer, 1993, 512–520.

Ralph Wernsdorf,The one-round functions of the DES generate thealternating group.Eurocrypt ’92, LNCS 658, Springer, 1993, 99–112.

• Considers the transformations Ra induced by the roundfunctions of DES. These are even permutations.

• Not only they are not a group, but they do generate thelargest possible group Alt(n), of order n!/2.{Ra1Ra2 · · ·Rak } = Alt(n).

• Since Alt(n) is a simple group, it is also generated bythe full DES transformations with independent subkeys.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Further work on DES

K. W. Campbell and M. J. Wiener,DES is not a group.Crypto ’92, LNCS 740, Springer, 1993, 512–520.

Ralph Wernsdorf,The one-round functions of the DES generate thealternating group.Eurocrypt ’92, LNCS 658, Springer, 1993, 99–112.

• Considers the transformations Ra induced by the roundfunctions of DES. These are even permutations.

• Not only they are not a group, but they do generate thelargest possible group Alt(n), of order n!/2.{Ra1Ra2 · · ·Rak } = Alt(n).

• Since Alt(n) is a simple group, it is also generated bythe full DES transformations with independent subkeys.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Further work on DES

K. W. Campbell and M. J. Wiener,DES is not a group.Crypto ’92, LNCS 740, Springer, 1993, 512–520.

Ralph Wernsdorf,The one-round functions of the DES generate thealternating group.Eurocrypt ’92, LNCS 658, Springer, 1993, 99–112.

• Considers the transformations Ra induced by the roundfunctions of DES. These are even permutations.

• Not only they are not a group, but they do generate thelargest possible group Alt(n), of order n!/2.{Ra1Ra2 · · ·Rak } = Alt(n).

• Since Alt(n) is a simple group, it is also generated bythe full DES transformations with independent subkeys.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Further work on DES

K. W. Campbell and M. J. Wiener,DES is not a group.Crypto ’92, LNCS 740, Springer, 1993, 512–520.

Ralph Wernsdorf,The one-round functions of the DES generate thealternating group.Eurocrypt ’92, LNCS 658, Springer, 1993, 99–112.

• Considers the transformations Ra induced by the roundfunctions of DES. These are even permutations.

• Not only they are not a group, but they do generate thelargest possible group Alt(n), of order n!/2.{Ra1Ra2 · · ·Rak } = Alt(n).

• Since Alt(n) is a simple group, it is also generated bythe full DES transformations with independent subkeys.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Further work on DES

K. W. Campbell and M. J. Wiener,DES is not a group.Crypto ’92, LNCS 740, Springer, 1993, 512–520.

Ralph Wernsdorf,The one-round functions of the DES generate thealternating group.Eurocrypt ’92, LNCS 658, Springer, 1993, 99–112.

• Considers the transformations Ra induced by the roundfunctions of DES. These are even permutations.

• Not only they are not a group, but they do generate thelargest possible group Alt(n), of order n!/2.{Ra1Ra2 · · ·Rak } = Alt(n).

• Since Alt(n) is a simple group, it is also generated bythe full DES transformations with independent subkeys.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

AES

Ralph Wernsdorf,The round functions of RIJNDAEL generate thealternating group.FSE ’02, LNCS 2365, Springer, 2002, 143–148.

• Ditto for AES.

• Wernsdorf’s proof requires some (computer)calculations. He has a recent approach which is moreconceptual.

• We tried another such approach suggested by. . .

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

AES

Ralph Wernsdorf,The round functions of RIJNDAEL generate thealternating group.FSE ’02, LNCS 2365, Springer, 2002, 143–148.

• Ditto for AES.

• Wernsdorf’s proof requires some (computer)calculations. He has a recent approach which is moreconceptual.

• We tried another such approach suggested by. . .

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

AES

Ralph Wernsdorf,The round functions of RIJNDAEL generate thealternating group.FSE ’02, LNCS 2365, Springer, 2002, 143–148.

• Ditto for AES.

• Wernsdorf’s proof requires some (computer)calculations. He has a recent approach which is moreconceptual.

• We tried another such approach suggested by. . .

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

AES

Ralph Wernsdorf,The round functions of RIJNDAEL generate thealternating group.FSE ’02, LNCS 2365, Springer, 2002, 143–148.

• Ditto for AES.

• Wernsdorf’s proof requires some (computer)calculations. He has a recent approach which is moreconceptual.

• We tried another such approach suggested by. . .

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

AES

Ralph Wernsdorf,The round functions of RIJNDAEL generate thealternating group.FSE ’02, LNCS 2365, Springer, 2002, 143–148.

• Ditto for AES.

• Wernsdorf’s proof requires some (computer)calculations. He has a recent approach which is moreconceptual.

• We tried another such approach suggested by. . .

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Outline

1 MotivationIs DES a group?Trapdoors via imprimitivity

2 Group theory at workImprimitivity of groups generated by round functionsInverse-closed subsets of (finite) fieldsHua and AES

3 Primitive GroupsO’Nan-ScottAbelian regular subgroups and radical rings

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Paterson’s imprimitivity trapdoor

Kenneth G. Paterson,Imprimitive Permutation Groups and Trapdoors inIterated Block Ciphers.FSE ’99, LNCS 1636, Springer, 1999, 201–214.

• Paterson builds a DES-like cryptosystem in which thegroup generated by the round functions is imprimitive.

• The (not immediately apparent) imprimitivity systemacts as a trapdoor.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Paterson’s imprimitivity trapdoor

Kenneth G. Paterson,Imprimitive Permutation Groups and Trapdoors inIterated Block Ciphers.FSE ’99, LNCS 1636, Springer, 1999, 201–214.

• Paterson builds a DES-like cryptosystem in which thegroup generated by the round functions is imprimitive.

• The (not immediately apparent) imprimitivity systemacts as a trapdoor.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Paterson’s imprimitivity trapdoor

Kenneth G. Paterson,Imprimitive Permutation Groups and Trapdoors inIterated Block Ciphers.FSE ’99, LNCS 1636, Springer, 1999, 201–214.

• Paterson builds a DES-like cryptosystem in which thegroup generated by the round functions is imprimitive.

• The (not immediately apparent) imprimitivity systemacts as a trapdoor.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Imprimitivity and trapdoors

• You have a cipherext c, and you are looking for aplaintext p such that c = Ta(p).

• Here a is the unknown key, and Ta the knowncorresponding transformation of the cryptosystem.

• The message space V 3 p, c is of size n, which isassumed to be too big to allow for an exhaustivesearch.

• Suppose you know that the group spanned by all Tb

has an imprimitivity system V1, . . . , Vm, wherem ≈

√n ≈ |Vi |.

• Then a search over m ≈√

n gives us Vi such thatc ∈ Ta(Vi). We could have calculated in advance a setof representatives of the Vi . We need a fastmembership test for the Vi .

• Then we find p through another search over Vi , again ofsize ≈

√n. So we search 2

√n elements instead of n.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Imprimitivity and trapdoors

• You have a cipherext c, and you are looking for aplaintext p such that c = Ta(p).

• Here a is the unknown key, and Ta the knowncorresponding transformation of the cryptosystem.

• The message space V 3 p, c is of size n, which isassumed to be too big to allow for an exhaustivesearch.

• Suppose you know that the group spanned by all Tb

has an imprimitivity system V1, . . . , Vm, wherem ≈

√n ≈ |Vi |.

• Then a search over m ≈√

n gives us Vi such thatc ∈ Ta(Vi). We could have calculated in advance a setof representatives of the Vi . We need a fastmembership test for the Vi .

• Then we find p through another search over Vi , again ofsize ≈

√n. So we search 2

√n elements instead of n.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Imprimitivity and trapdoors

• You have a cipherext c, and you are looking for aplaintext p such that c = Ta(p).

• Here a is the unknown key, and Ta the knowncorresponding transformation of the cryptosystem.

• The message space V 3 p, c is of size n, which isassumed to be too big to allow for an exhaustivesearch.

• Suppose you know that the group spanned by all Tb

has an imprimitivity system V1, . . . , Vm, wherem ≈

√n ≈ |Vi |.

• Then a search over m ≈√

n gives us Vi such thatc ∈ Ta(Vi). We could have calculated in advance a setof representatives of the Vi . We need a fastmembership test for the Vi .

• Then we find p through another search over Vi , again ofsize ≈

√n. So we search 2

√n elements instead of n.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Imprimitivity and trapdoors

• You have a cipherext c, and you are looking for aplaintext p such that c = Ta(p).

• Here a is the unknown key, and Ta the knowncorresponding transformation of the cryptosystem.

• The message space V 3 p, c is of size n, which isassumed to be too big to allow for an exhaustivesearch.

• Suppose you know that the group spanned by all Tb

has an imprimitivity system V1, . . . , Vm, wherem ≈

√n ≈ |Vi |.

• Then a search over m ≈√

n gives us Vi such thatc ∈ Ta(Vi). We could have calculated in advance a setof representatives of the Vi . We need a fastmembership test for the Vi .

• Then we find p through another search over Vi , again ofsize ≈

√n. So we search 2

√n elements instead of n.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Imprimitivity and trapdoors

• You have a cipherext c, and you are looking for aplaintext p such that c = Ta(p).

• Here a is the unknown key, and Ta the knowncorresponding transformation of the cryptosystem.

• The message space V 3 p, c is of size n, which isassumed to be too big to allow for an exhaustivesearch.

• Suppose you know that the group spanned by all Tb

has an imprimitivity system V1, . . . , Vm, wherem ≈

√n ≈ |Vi |.

• Then a search over m ≈√

n gives us Vi such thatc ∈ Ta(Vi). We could have calculated in advance a setof representatives of the Vi . We need a fastmembership test for the Vi .

• Then we find p through another search over Vi , again ofsize ≈

√n. So we search 2

√n elements instead of n.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Imprimitivity and trapdoors

• You have a cipherext c, and you are looking for aplaintext p such that c = Ta(p).

• Here a is the unknown key, and Ta the knowncorresponding transformation of the cryptosystem.

• The message space V 3 p, c is of size n, which isassumed to be too big to allow for an exhaustivesearch.

• Suppose you know that the group spanned by all Tb

has an imprimitivity system V1, . . . , Vm, wherem ≈

√n ≈ |Vi |.

• Then a search over m ≈√

n gives us Vi such thatc ∈ Ta(Vi). We could have calculated in advance a setof representatives of the Vi . We need a fastmembership test for the Vi .

• Then we find p through another search over Vi , again ofsize ≈

√n. So we search 2

√n elements instead of n.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Imprimitivity and trapdoors

• You have a cipherext c, and you are looking for aplaintext p such that c = Ta(p).

• Here a is the unknown key, and Ta the knowncorresponding transformation of the cryptosystem.

• The message space V 3 p, c is of size n, which isassumed to be too big to allow for an exhaustivesearch.

• Suppose you know that the group spanned by all Tb

has an imprimitivity system V1, . . . , Vm, wherem ≈

√n ≈ |Vi |.

• Then a search over m ≈√

n gives us Vi such thatc ∈ Ta(Vi). We could have calculated in advance a setof representatives of the Vi . We need a fastmembership test for the Vi .

• Then we find p through another search over Vi , again ofsize ≈

√n. So we search 2

√n elements instead of n.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Imprimitivity and trapdoors

• You have a cipherext c, and you are looking for aplaintext p such that c = Ta(p).

• Here a is the unknown key, and Ta the knowncorresponding transformation of the cryptosystem.

• The message space V 3 p, c is of size n, which isassumed to be too big to allow for an exhaustivesearch.

• Suppose you know that the group spanned by all Tb

has an imprimitivity system V1, . . . , Vm, wherem ≈

√n ≈ |Vi |.

• Then a search over m ≈√

n gives us Vi such thatc ∈ Ta(Vi). We could have calculated in advance a setof representatives of the Vi . We need a fastmembership test for the Vi .

• Then we find p through another search over Vi , again ofsize ≈

√n. So we search 2

√n elements instead of n.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Imprimitivity and trapdoors

• You have a cipherext c, and you are looking for aplaintext p such that c = Ta(p).

• Here a is the unknown key, and Ta the knowncorresponding transformation of the cryptosystem.

• The message space V 3 p, c is of size n, which isassumed to be too big to allow for an exhaustivesearch.

• Suppose you know that the group spanned by all Tb

has an imprimitivity system V1, . . . , Vm, wherem ≈

√n ≈ |Vi |.

• Then a search over m ≈√

n gives us Vi such thatc ∈ Ta(Vi). We could have calculated in advance a setof representatives of the Vi . We need a fastmembership test for the Vi .

• Then we find p through another search over Vi , again ofsize ≈

√n. So we search 2

√n elements instead of n.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Imprimitivity and trapdoors

• You have a cipherext c, and you are looking for aplaintext p such that c = Ta(p).

• Here a is the unknown key, and Ta the knowncorresponding transformation of the cryptosystem.

• The message space V 3 p, c is of size n, which isassumed to be too big to allow for an exhaustivesearch.

• Suppose you know that the group spanned by all Tb

has an imprimitivity system V1, . . . , Vm, wherem ≈

√n ≈ |Vi |.

• Then a search over m ≈√

n gives us Vi such thatc ∈ Ta(Vi). We could have calculated in advance a setof representatives of the Vi . We need a fastmembership test for the Vi .

• Then we find p through another search over Vi , again ofsize ≈

√n. So we search 2

√n elements instead of n.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Imprimitivity and trapdoors

• You have a cipherext c, and you are looking for aplaintext p such that c = Ta(p).

• Here a is the unknown key, and Ta the knowncorresponding transformation of the cryptosystem.

• The message space V 3 p, c is of size n, which isassumed to be too big to allow for an exhaustivesearch.

• Suppose you know that the group spanned by all Tb

has an imprimitivity system V1, . . . , Vm, wherem ≈

√n ≈ |Vi |.

• Then a search over m ≈√

n gives us Vi such thatc ∈ Ta(Vi). We could have calculated in advance a setof representatives of the Vi . We need a fastmembership test for the Vi .

• Then we find p through another search over Vi , again ofsize ≈

√n. So we search 2

√n elements instead of n.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Imprimitivity and trapdoors

• You have a cipherext c, and you are looking for aplaintext p such that c = Ta(p).

• Here a is the unknown key, and Ta the knowncorresponding transformation of the cryptosystem.

• The message space V 3 p, c is of size n, which isassumed to be too big to allow for an exhaustivesearch.

• Suppose you know that the group spanned by all Tb

has an imprimitivity system V1, . . . , Vm, wherem ≈

√n ≈ |Vi |.

• Then a search over m ≈√

n gives us Vi such thatc ∈ Ta(Vi). We could have calculated in advance a setof representatives of the Vi . We need a fastmembership test for the Vi .

• Then we find p through another search over Vi , again ofsize ≈

√n. So we search 2

√n elements instead of n.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Imprimitivity and trapdoors

• You have a cipherext c, and you are looking for aplaintext p such that c = Ta(p).

• Here a is the unknown key, and Ta the knowncorresponding transformation of the cryptosystem.

• The message space V 3 p, c is of size n, which isassumed to be too big to allow for an exhaustivesearch.

• Suppose you know that the group spanned by all Tb

has an imprimitivity system V1, . . . , Vm, wherem ≈

√n ≈ |Vi |.

• Then a search over m ≈√

n gives us Vi such thatc ∈ Ta(Vi). We could have calculated in advance a setof representatives of the Vi . We need a fastmembership test for the Vi .

• Then we find p through another search over Vi , again ofsize ≈

√n. So we search 2

√n elements instead of n.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Are imprimitivity systems always linear?

Paterson’s imprimitivity system consists of the cosets of asubspace U of the message space V = V (d , 2).Membership testing is fast here (Gauss).Paterson asks whether subtler trapdoors can be built, usingimprimitivity systems that are not linear.

At the FSE conference where it was presented, AdiShamir told me that he could break the schemeusing a truncated differential attack [. . . ]

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Are imprimitivity systems always linear?

Paterson’s imprimitivity system consists of the cosets of asubspace U of the message space V = V (d , 2).Membership testing is fast here (Gauss).Paterson asks whether subtler trapdoors can be built, usingimprimitivity systems that are not linear.

At the FSE conference where it was presented, AdiShamir told me that he could break the schemeusing a truncated differential attack [. . . ]

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Are imprimitivity systems always linear?

Paterson’s imprimitivity system consists of the cosets of asubspace U of the message space V = V (d , 2).Membership testing is fast here (Gauss).Paterson asks whether subtler trapdoors can be built, usingimprimitivity systems that are not linear.

At the FSE conference where it was presented, AdiShamir told me that he could break the schemeusing a truncated differential attack [. . . ]

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Are imprimitivity systems always linear?

Paterson’s imprimitivity system consists of the cosets of asubspace U of the message space V = V (d , 2).Membership testing is fast here (Gauss).Paterson asks whether subtler trapdoors can be built, usingimprimitivity systems that are not linear.

At the FSE conference where it was presented, AdiShamir told me that he could break the schemeusing a truncated differential attack [. . . ]

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Are imprimitivity systems always linear?

Paterson’s imprimitivity system consists of the cosets of asubspace U of the message space V = V (d , 2).Membership testing is fast here (Gauss).Paterson asks whether subtler trapdoors can be built, usingimprimitivity systems that are not linear.

At the FSE conference where it was presented, AdiShamir told me that he could break the schemeusing a truncated differential attack [. . . ]

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Outline

1 MotivationIs DES a group?Trapdoors via imprimitivity

2 Group theory at workImprimitivity of groups generated by round functionsInverse-closed subsets of (finite) fieldsHua and AES

3 Primitive GroupsO’Nan-ScottAbelian regular subgroups and radical rings

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Imprimitivity systems in AES

• In an AES-like cryptosystems, the group contains thetranslations.

• Then there is a very simple answer to Paterson’squestion here: an imprimitivity system consists indeedof the cosets of a subspace U of the message space V .I.e.

imprimitivity system = { v + U : v ∈ V } ,

where v + U = {v + u : u ∈ U}.• It follows that for u ∈ U and v ∈ V one has

σ(v + u) + σ(v) ∈ U,

where σ is a round function.• An instance of truncated differential cryptanalysis.• This does not lead to an obvious weakness with respect

to TDC, as there are many candidates for the subspaceU. Is there the possibility of a trapdoor here?

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Imprimitivity systems in AES

• In an AES-like cryptosystems, the group contains thetranslations.

• Then there is a very simple answer to Paterson’squestion here: an imprimitivity system consists indeedof the cosets of a subspace U of the message space V .I.e.

imprimitivity system = { v + U : v ∈ V } ,

where v + U = {v + u : u ∈ U}.• It follows that for u ∈ U and v ∈ V one has

σ(v + u) + σ(v) ∈ U,

where σ is a round function.• An instance of truncated differential cryptanalysis.• This does not lead to an obvious weakness with respect

to TDC, as there are many candidates for the subspaceU. Is there the possibility of a trapdoor here?

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Imprimitivity systems in AES

• In an AES-like cryptosystems, the group contains thetranslations.

• Then there is a very simple answer to Paterson’squestion here: an imprimitivity system consists indeedof the cosets of a subspace U of the message space V .I.e.

imprimitivity system = { v + U : v ∈ V } ,

where v + U = {v + u : u ∈ U}.• It follows that for u ∈ U and v ∈ V one has

σ(v + u) + σ(v) ∈ U,

where σ is a round function.• An instance of truncated differential cryptanalysis.• This does not lead to an obvious weakness with respect

to TDC, as there are many candidates for the subspaceU. Is there the possibility of a trapdoor here?

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Imprimitivity systems in AES

• In an AES-like cryptosystems, the group contains thetranslations.

• Then there is a very simple answer to Paterson’squestion here: an imprimitivity system consists indeedof the cosets of a subspace U of the message space V .I.e.

imprimitivity system = { v + U : v ∈ V } ,

where v + U = {v + u : u ∈ U}.• It follows that for u ∈ U and v ∈ V one has

σ(v + u) + σ(v) ∈ U,

where σ is a round function.• An instance of truncated differential cryptanalysis.• This does not lead to an obvious weakness with respect

to TDC, as there are many candidates for the subspaceU. Is there the possibility of a trapdoor here?

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Imprimitivity systems in AES

• In an AES-like cryptosystems, the group contains thetranslations.

• Then there is a very simple answer to Paterson’squestion here: an imprimitivity system consists indeedof the cosets of a subspace U of the message space V .I.e.

imprimitivity system = { v + U : v ∈ V } ,

where v + U = {v + u : u ∈ U}.• It follows that for u ∈ U and v ∈ V one has

σ(v + u) + σ(v) ∈ U,

where σ is a round function.• An instance of truncated differential cryptanalysis.• This does not lead to an obvious weakness with respect

to TDC, as there are many candidates for the subspaceU. Is there the possibility of a trapdoor here?

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Imprimitivity systems in AES

• In an AES-like cryptosystems, the group contains thetranslations.

• Then there is a very simple answer to Paterson’squestion here: an imprimitivity system consists indeedof the cosets of a subspace U of the message space V .I.e.

imprimitivity system = { v + U : v ∈ V } ,

where v + U = {v + u : u ∈ U}.• It follows that for u ∈ U and v ∈ V one has

σ(v + u) + σ(v) ∈ U,

where σ is a round function.• An instance of truncated differential cryptanalysis.• This does not lead to an obvious weakness with respect

to TDC, as there are many candidates for the subspaceU. Is there the possibility of a trapdoor here?

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Imprimitivity systems in AES

• In an AES-like cryptosystems, the group contains thetranslations.

• Then there is a very simple answer to Paterson’squestion here: an imprimitivity system consists indeedof the cosets of a subspace U of the message space V .I.e.

imprimitivity system = { v + U : v ∈ V } ,

where v + U = {v + u : u ∈ U}.• It follows that for u ∈ U and v ∈ V one has

σ(v + u) + σ(v) ∈ U,

where σ is a round function.• An instance of truncated differential cryptanalysis.• This does not lead to an obvious weakness with respect

to TDC, as there are many candidates for the subspaceU. Is there the possibility of a trapdoor here?

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Imprimitivity systems in AES

• In an AES-like cryptosystems, the group contains thetranslations.

• Then there is a very simple answer to Paterson’squestion here: an imprimitivity system consists indeedof the cosets of a subspace U of the message space V .I.e.

imprimitivity system = { v + U : v ∈ V } ,

where v + U = {v + u : u ∈ U}.• It follows that for u ∈ U and v ∈ V one has

σ(v + u) + σ(v) ∈ U,

where σ is a round function.• An instance of truncated differential cryptanalysis.• This does not lead to an obvious weakness with respect

to TDC, as there are many candidates for the subspaceU. Is there the possibility of a trapdoor here?

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Imprimitivity systems in AES

• In an AES-like cryptosystems, the group contains thetranslations.

• Then there is a very simple answer to Paterson’squestion here: an imprimitivity system consists indeedof the cosets of a subspace U of the message space V .I.e.

imprimitivity system = { v + U : v ∈ V } ,

where v + U = {v + u : u ∈ U}.• It follows that for u ∈ U and v ∈ V one has

σ(v + u) + σ(v) ∈ U,

where σ is a round function.• An instance of truncated differential cryptanalysis.• This does not lead to an obvious weakness with respect

to TDC, as there are many candidates for the subspaceU. Is there the possibility of a trapdoor here?

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Imprimitivity systems in AES

• In an AES-like cryptosystems, the group contains thetranslations.

• Then there is a very simple answer to Paterson’squestion here: an imprimitivity system consists indeedof the cosets of a subspace U of the message space V .I.e.

imprimitivity system = { v + U : v ∈ V } ,

where v + U = {v + u : u ∈ U}.• It follows that for u ∈ U and v ∈ V one has

σ(v + u) + σ(v) ∈ U,

where σ is a round function.• An instance of truncated differential cryptanalysis.• This does not lead to an obvious weakness with respect

to TDC, as there are many candidates for the subspaceU. Is there the possibility of a trapdoor here?

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Imprimitivity systems in AES

• In an AES-like cryptosystems, the group contains thetranslations.

• Then there is a very simple answer to Paterson’squestion here: an imprimitivity system consists indeedof the cosets of a subspace U of the message space V .I.e.

imprimitivity system = { v + U : v ∈ V } ,

where v + U = {v + u : u ∈ U}.• It follows that for u ∈ U and v ∈ V one has

σ(v + u) + σ(v) ∈ U,

where σ is a round function.• An instance of truncated differential cryptanalysis.• This does not lead to an obvious weakness with respect

to TDC, as there are many candidates for the subspaceU. Is there the possibility of a trapdoor here?

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

No trapdoors in Rijndael

• There are no such trapdoors in AES/Rijndael.• This depends on certain properties of the components

of AES:• the mixing layer,• the S-boxes.

• In its basic version, AES operates on the vector spaceV = V (128, 2) of dimension 128 over the field F2 withtwo elements.

• AES is byte-oriented:

V = V1 ⊕ · · · ⊕ V16,

where each Vi = V (8, 2).

• The mixing layer makes sure that no nontrivial sum ofthe Vi is sent to itself.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

No trapdoors in Rijndael

• There are no such trapdoors in AES/Rijndael.• This depends on certain properties of the components

of AES:• the mixing layer,• the S-boxes.

• In its basic version, AES operates on the vector spaceV = V (128, 2) of dimension 128 over the field F2 withtwo elements.

• AES is byte-oriented:

V = V1 ⊕ · · · ⊕ V16,

where each Vi = V (8, 2).

• The mixing layer makes sure that no nontrivial sum ofthe Vi is sent to itself.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

No trapdoors in Rijndael

• There are no such trapdoors in AES/Rijndael.• This depends on certain properties of the components

of AES:• the mixing layer,• the S-boxes.

• In its basic version, AES operates on the vector spaceV = V (128, 2) of dimension 128 over the field F2 withtwo elements.

• AES is byte-oriented:

V = V1 ⊕ · · · ⊕ V16,

where each Vi = V (8, 2).

• The mixing layer makes sure that no nontrivial sum ofthe Vi is sent to itself.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

No trapdoors in Rijndael

• There are no such trapdoors in AES/Rijndael.• This depends on certain properties of the components

of AES:• the mixing layer,• the S-boxes.

• In its basic version, AES operates on the vector spaceV = V (128, 2) of dimension 128 over the field F2 withtwo elements.

• AES is byte-oriented:

V = V1 ⊕ · · · ⊕ V16,

where each Vi = V (8, 2).

• The mixing layer makes sure that no nontrivial sum ofthe Vi is sent to itself.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

No trapdoors in Rijndael

• There are no such trapdoors in AES/Rijndael.• This depends on certain properties of the components

of AES:• the mixing layer,• the S-boxes.

• In its basic version, AES operates on the vector spaceV = V (128, 2) of dimension 128 over the field F2 withtwo elements.

• AES is byte-oriented:

V = V1 ⊕ · · · ⊕ V16,

where each Vi = V (8, 2).

• The mixing layer makes sure that no nontrivial sum ofthe Vi is sent to itself.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

No trapdoors in Rijndael

• There are no such trapdoors in AES/Rijndael.• This depends on certain properties of the components

of AES:• the mixing layer,• the S-boxes.

• In its basic version, AES operates on the vector spaceV = V (128, 2) of dimension 128 over the field F2 withtwo elements.

• AES is byte-oriented:

V = V1 ⊕ · · · ⊕ V16,

where each Vi = V (8, 2).

• The mixing layer makes sure that no nontrivial sum ofthe Vi is sent to itself.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

No trapdoors in Rijndael

• There are no such trapdoors in AES/Rijndael.• This depends on certain properties of the components

of AES:• the mixing layer,• the S-boxes.

• In its basic version, AES operates on the vector spaceV = V (128, 2) of dimension 128 over the field F2 withtwo elements.

• AES is byte-oriented:

V = V1 ⊕ · · · ⊕ V16,

where each Vi = V (8, 2).

• The mixing layer makes sure that no nontrivial sum ofthe Vi is sent to itself.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

No trapdoors in Rijndael

• There are no such trapdoors in AES/Rijndael.• This depends on certain properties of the components

of AES:• the mixing layer,• the S-boxes.

• In its basic version, AES operates on the vector spaceV = V (128, 2) of dimension 128 over the field F2 withtwo elements.

• AES is byte-oriented:

V = V1 ⊕ · · · ⊕ V16,

where each Vi = V (8, 2).

• The mixing layer makes sure that no nontrivial sum ofthe Vi is sent to itself.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

No trapdoors in Rijndael

• There are no such trapdoors in AES/Rijndael.• This depends on certain properties of the components

of AES:• the mixing layer,• the S-boxes.

• In its basic version, AES operates on the vector spaceV = V (128, 2) of dimension 128 over the field F2 withtwo elements.

• AES is byte-oriented:

V = V1 ⊕ · · · ⊕ V16,

where each Vi = V (8, 2).

• The mixing layer makes sure that no nontrivial sum ofthe Vi is sent to itself.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

No trapdoors in Rijndael

• The S-box is a map on each Vi = V (8, 2). It is the onlynonlinear component of AES.

• Each Vi is identified with GF(28). (A non-primitivepolynomial is used!)

• The S-box is x 7→ x−1. Well, not quite, 0 7→ 0, that isx 7→ x254, plus a minor tweak with an affine map.

• A role is played by a property of inversion in (finite)fields.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

No trapdoors in Rijndael

• The S-box is a map on each Vi = V (8, 2). It is the onlynonlinear component of AES.

• Each Vi is identified with GF(28). (A non-primitivepolynomial is used!)

• The S-box is x 7→ x−1. Well, not quite, 0 7→ 0, that isx 7→ x254, plus a minor tweak with an affine map.

• A role is played by a property of inversion in (finite)fields.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

No trapdoors in Rijndael

• The S-box is a map on each Vi = V (8, 2). It is the onlynonlinear component of AES.

• Each Vi is identified with GF(28). (A non-primitivepolynomial is used!)

• The S-box is x 7→ x−1. Well, not quite, 0 7→ 0, that isx 7→ x254, plus a minor tweak with an affine map.

• A role is played by a property of inversion in (finite)fields.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

No trapdoors in Rijndael

• The S-box is a map on each Vi = V (8, 2). It is the onlynonlinear component of AES.

• Each Vi is identified with GF(28). (A non-primitivepolynomial is used!)

• The S-box is x 7→ x−1. Well, not quite, 0 7→ 0, that isx 7→ x254, plus a minor tweak with an affine map.

• A role is played by a property of inversion in (finite)fields.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

No trapdoors in Rijndael

• The S-box is a map on each Vi = V (8, 2). It is the onlynonlinear component of AES.

• Each Vi is identified with GF(28). (A non-primitivepolynomial is used!)

• The S-box is x 7→ x−1. Well, not quite, 0 7→ 0, that isx 7→ x254, plus a minor tweak with an affine map.

• A role is played by a property of inversion in (finite)fields.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

No trapdoors in Rijndael

• The S-box is a map on each Vi = V (8, 2). It is the onlynonlinear component of AES.

• Each Vi is identified with GF(28). (A non-primitivepolynomial is used!)

• The S-box is x 7→ x−1. Well, not quite, 0 7→ 0, that isx 7→ x254, plus a minor tweak with an affine map.

• A role is played by a property of inversion in (finite)fields.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

No trapdoors in Rijndael

• The S-box is a map on each Vi = V (8, 2). It is the onlynonlinear component of AES.

• Each Vi is identified with GF(28). (A non-primitivepolynomial is used!)

• The S-box is x 7→ x−1. Well, not quite, 0 7→ 0, that isx 7→ x254, plus a minor tweak with an affine map.

• A role is played by a property of inversion in (finite)fields.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

No trapdoors in Rijndael

• The S-box is a map on each Vi = V (8, 2). It is the onlynonlinear component of AES.

• Each Vi is identified with GF(28). (A non-primitivepolynomial is used!)

• The S-box is x 7→ x−1. Well, not quite, 0 7→ 0, that isx 7→ x254, plus a minor tweak with an affine map.

• A role is played by a property of inversion in (finite)fields.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

No trapdoors in Rijndael

• The S-box is a map on each Vi = V (8, 2). It is the onlynonlinear component of AES.

• Each Vi is identified with GF(28). (A non-primitivepolynomial is used!)

• The S-box is x 7→ x−1. Well, not quite, 0 7→ 0, that isx 7→ x254, plus a minor tweak with an affine map.

• A role is played by a property of inversion in (finite)fields.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Outline

1 MotivationIs DES a group?Trapdoors via imprimitivity

2 Group theory at workImprimitivity of groups generated by round functionsInverse-closed subsets of (finite) fieldsHua and AES

3 Primitive GroupsO’Nan-ScottAbelian regular subgroups and radical rings

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Inversion

In studying Rijndael’s S-box we were led to the followingquestion.Suppose we have an additive subgroup A of the fieldGF(28). Suppose A is closed under taking inverses ofnon-zero elements.Is A a subfield?It is easy to verify that this is indeed the case here. Whatabout the general question for an arbitrary field?Examples:

• A = Ri = { ai : a ∈ R } ⊆ C.

• In GF(52), take A = GF(5)α = { 0, α, 2α,−2α,−α },where α2 = 2.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Inversion

In studying Rijndael’s S-box we were led to the followingquestion.Suppose we have an additive subgroup A of the fieldGF(28). Suppose A is closed under taking inverses ofnon-zero elements.Is A a subfield?It is easy to verify that this is indeed the case here. Whatabout the general question for an arbitrary field?Examples:

• A = Ri = { ai : a ∈ R } ⊆ C.

• In GF(52), take A = GF(5)α = { 0, α, 2α,−2α,−α },where α2 = 2.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Inversion

In studying Rijndael’s S-box we were led to the followingquestion.Suppose we have an additive subgroup A of the fieldGF(28). Suppose A is closed under taking inverses ofnon-zero elements.Is A a subfield?It is easy to verify that this is indeed the case here. Whatabout the general question for an arbitrary field?Examples:

• A = Ri = { ai : a ∈ R } ⊆ C.

• In GF(52), take A = GF(5)α = { 0, α, 2α,−2α,−α },where α2 = 2.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Inversion

In studying Rijndael’s S-box we were led to the followingquestion.Suppose we have an additive subgroup A of the fieldGF(28). Suppose A is closed under taking inverses ofnon-zero elements.Is A a subfield?It is easy to verify that this is indeed the case here. Whatabout the general question for an arbitrary field?Examples:

• A = Ri = { ai : a ∈ R } ⊆ C.

• In GF(52), take A = GF(5)α = { 0, α, 2α,−2α,−α },where α2 = 2.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Inversion

In studying Rijndael’s S-box we were led to the followingquestion.Suppose we have an additive subgroup A of the fieldGF(28). Suppose A is closed under taking inverses ofnon-zero elements.Is A a subfield?It is easy to verify that this is indeed the case here. Whatabout the general question for an arbitrary field?Examples:

• A = Ri = { ai : a ∈ R } ⊆ C.

• In GF(52), take A = GF(5)α = { 0, α, 2α,−2α,−α },where α2 = 2.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Inversion

In studying Rijndael’s S-box we were led to the followingquestion.Suppose we have an additive subgroup A of the fieldGF(28). Suppose A is closed under taking inverses ofnon-zero elements.Is A a subfield?It is easy to verify that this is indeed the case here. Whatabout the general question for an arbitrary field?Examples:

• A = Ri = { ai : a ∈ R } ⊆ C.

• In GF(52), take A = GF(5)α = { 0, α, 2α,−2α,−α },where α2 = 2.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Inversion

In studying Rijndael’s S-box we were led to the followingquestion.Suppose we have an additive subgroup A of the fieldGF(28). Suppose A is closed under taking inverses ofnon-zero elements.Is A a subfield?It is easy to verify that this is indeed the case here. Whatabout the general question for an arbitrary field?Examples:

• A = Ri = { ai : a ∈ R } ⊆ C.

• In GF(52), take A = GF(5)α = { 0, α, 2α,−2α,−α },where α2 = 2.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Inversion

In studying Rijndael’s S-box we were led to the followingquestion.Suppose we have an additive subgroup A of the fieldGF(28). Suppose A is closed under taking inverses ofnon-zero elements.Is A a subfield?It is easy to verify that this is indeed the case here. Whatabout the general question for an arbitrary field?Examples:

• A = Ri = { ai : a ∈ R } ⊆ C.

• In GF(52), take A = GF(5)α = { 0, α, 2α,−2α,−α },where α2 = 2.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Inversion

In studying Rijndael’s S-box we were led to the followingquestion.Suppose we have an additive subgroup A of the fieldGF(28). Suppose A is closed under taking inverses ofnon-zero elements.Is A a subfield?It is easy to verify that this is indeed the case here. Whatabout the general question for an arbitrary field?Examples:

• A = Ri = { ai : a ∈ R } ⊆ C.

• In GF(52), take A = GF(5)α = { 0, α, 2α,−2α,−α },where α2 = 2.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Inversion

Sandro MattareiInverse-closed additive subgroups of fields.Israel J. Math. to appear.

Theorem

Let E be a finite field of characteristic two. Suppose A 6= 0 isan additive subgroup of E which contains the inverses ofeach of its nonzero elements. Then A is a subfield of E.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Inversion

Sandro MattareiInverse-closed additive subgroups of fields.Israel J. Math. to appear.

Theorem

Let E be a finite field of characteristic two. Suppose A 6= 0 isan additive subgroup of E which contains the inverses ofeach of its nonzero elements. Then A is a subfield of E.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Two more general results

Theorem

Let E be a field of characteristic different from two and let Abe a non-trivial inverse-closed additive subgroup of E. ThenA is either a subfield of E or the set of elements of tracezero in some quadratic field extension contained in E.

Theorem

Let E be a field of characteristic two and let A be an inverse-closed additive subgroup of E. Then A is an F 2-subspace ofF for some subfield F of E.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Two more general results

Theorem

Let E be a field of characteristic different from two and let Abe a non-trivial inverse-closed additive subgroup of E. ThenA is either a subfield of E or the set of elements of tracezero in some quadratic field extension contained in E.

Theorem

Let E be a field of characteristic two and let A be an inverse-closed additive subgroup of E. Then A is an F 2-subspace ofF for some subfield F of E.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Proof of the finite case, characteristic two

Proof.

Hua’s identity, valid in any associative (but not necessarilycommutative) ring, shows

a + ((a − b−1)−1 − a−1)−1 = aba

with a, b, ab − 1 invertible.First of all, 1 ∈ A. This is because A has even order, andeach element different from 0, 1 is distinct from its inverse.Now with b = 1, and a ∈ A \ { 0, 1 } we get that for a ∈ A,also a2 ∈ A. (This is clearly valid also for a = 0, 1.) It followsthat any c ∈ A can be represented in the form c = a2 forsome a ∈ A. Now Hua’s identity yields that A is closedunder products, so that A is a subring, and thus a subfield,of A.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Proof of the finite case, characteristic two

Proof.

Hua’s identity, valid in any associative (but not necessarilycommutative) ring, shows

a + ((a − b−1)−1 − a−1)−1 = aba

with a, b, ab − 1 invertible.First of all, 1 ∈ A. This is because A has even order, andeach element different from 0, 1 is distinct from its inverse.Now with b = 1, and a ∈ A \ { 0, 1 } we get that for a ∈ A,also a2 ∈ A. (This is clearly valid also for a = 0, 1.) It followsthat any c ∈ A can be represented in the form c = a2 forsome a ∈ A. Now Hua’s identity yields that A is closedunder products, so that A is a subring, and thus a subfield,of A.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Proof of the finite case, characteristic two

Proof.

Hua’s identity, valid in any associative (but not necessarilycommutative) ring, shows

a + ((a − b−1)−1 − a−1)−1 = aba

with a, b, ab − 1 invertible.First of all, 1 ∈ A. This is because A has even order, andeach element different from 0, 1 is distinct from its inverse.Now with b = 1, and a ∈ A \ { 0, 1 } we get that for a ∈ A,also a2 ∈ A. (This is clearly valid also for a = 0, 1.) It followsthat any c ∈ A can be represented in the form c = a2 forsome a ∈ A. Now Hua’s identity yields that A is closedunder products, so that A is a subring, and thus a subfield,of A.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Proof of the finite case, characteristic two

Proof.

Hua’s identity, valid in any associative (but not necessarilycommutative) ring, shows

a + ((a − b−1)−1 − a−1)−1 = aba

with a, b, ab − 1 invertible.First of all, 1 ∈ A. This is because A has even order, andeach element different from 0, 1 is distinct from its inverse.Now with b = 1, and a ∈ A \ { 0, 1 } we get that for a ∈ A,also a2 ∈ A. (This is clearly valid also for a = 0, 1.) It followsthat any c ∈ A can be represented in the form c = a2 forsome a ∈ A. Now Hua’s identity yields that A is closedunder products, so that A is a subring, and thus a subfield,of A.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Proof of the finite case, characteristic two

Proof.

Hua’s identity, valid in any associative (but not necessarilycommutative) ring, shows

a + ((a − b−1)−1 − a−1)−1 = aba

with a, b, ab − 1 invertible.First of all, 1 ∈ A. This is because A has even order, andeach element different from 0, 1 is distinct from its inverse.Now with b = 1, and a ∈ A \ { 0, 1 } we get that for a ∈ A,also a2 ∈ A. (This is clearly valid also for a = 0, 1.) It followsthat any c ∈ A can be represented in the form c = a2 forsome a ∈ A. Now Hua’s identity yields that A is closedunder products, so that A is a subring, and thus a subfield,of A.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Proof of the finite case, characteristic two

Proof.

Hua’s identity, valid in any associative (but not necessarilycommutative) ring, shows

a + ((a − b−1)−1 − a−1)−1 = aba

with a, b, ab − 1 invertible.First of all, 1 ∈ A. This is because A has even order, andeach element different from 0, 1 is distinct from its inverse.Now with b = 1, and a ∈ A \ { 0, 1 } we get that for a ∈ A,also a2 ∈ A. (This is clearly valid also for a = 0, 1.) It followsthat any c ∈ A can be represented in the form c = a2 forsome a ∈ A. Now Hua’s identity yields that A is closedunder products, so that A is a subring, and thus a subfield,of A.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Proof of the finite case, characteristic two

Proof.

Hua’s identity, valid in any associative (but not necessarilycommutative) ring, shows

a + ((a − b−1)−1 − a−1)−1 = aba

with a, b, ab − 1 invertible.First of all, 1 ∈ A. This is because A has even order, andeach element different from 0, 1 is distinct from its inverse.Now with b = 1, and a ∈ A \ { 0, 1 } we get that for a ∈ A,also a2 ∈ A. (This is clearly valid also for a = 0, 1.) It followsthat any c ∈ A can be represented in the form c = a2 forsome a ∈ A. Now Hua’s identity yields that A is closedunder products, so that A is a subring, and thus a subfield,of A.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Proof of the finite case, characteristic two

Proof.

Hua’s identity, valid in any associative (but not necessarilycommutative) ring, shows

a + ((a − b−1)−1 − a−1)−1 = aba

with a, b, ab − 1 invertible.First of all, 1 ∈ A. This is because A has even order, andeach element different from 0, 1 is distinct from its inverse.Now with b = 1, and a ∈ A \ { 0, 1 } we get that for a ∈ A,also a2 ∈ A. (This is clearly valid also for a = 0, 1.) It followsthat any c ∈ A can be represented in the form c = a2 forsome a ∈ A. Now Hua’s identity yields that A is closedunder products, so that A is a subring, and thus a subfield,of A.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Proof of the finite case, characteristic two

Proof.

Hua’s identity, valid in any associative (but not necessarilycommutative) ring, shows

a + ((a − b−1)−1 − a−1)−1 = aba

with a, b, ab − 1 invertible.First of all, 1 ∈ A. This is because A has even order, andeach element different from 0, 1 is distinct from its inverse.Now with b = 1, and a ∈ A \ { 0, 1 } we get that for a ∈ A,also a2 ∈ A. (This is clearly valid also for a = 0, 1.) It followsthat any c ∈ A can be represented in the form c = a2 forsome a ∈ A. Now Hua’s identity yields that A is closedunder products, so that A is a subring, and thus a subfield,of A.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Proof of the finite case, characteristic two

Proof.

Hua’s identity, valid in any associative (but not necessarilycommutative) ring, shows

a + ((a − b−1)−1 − a−1)−1 = aba

with a, b, ab − 1 invertible.First of all, 1 ∈ A. This is because A has even order, andeach element different from 0, 1 is distinct from its inverse.Now with b = 1, and a ∈ A \ { 0, 1 } we get that for a ∈ A,also a2 ∈ A. (This is clearly valid also for a = 0, 1.) It followsthat any c ∈ A can be represented in the form c = a2 forsome a ∈ A. Now Hua’s identity yields that A is closedunder products, so that A is a subring, and thus a subfield,of A.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Proof of the finite case, characteristic two

Proof.

Hua’s identity, valid in any associative (but not necessarilycommutative) ring, shows

a + ((a − b−1)−1 − a−1)−1 = aba

with a, b, ab − 1 invertible.First of all, 1 ∈ A. This is because A has even order, andeach element different from 0, 1 is distinct from its inverse.Now with b = 1, and a ∈ A \ { 0, 1 } we get that for a ∈ A,also a2 ∈ A. (This is clearly valid also for a = 0, 1.) It followsthat any c ∈ A can be represented in the form c = a2 forsome a ∈ A. Now Hua’s identity yields that A is closedunder products, so that A is a subring, and thus a subfield,of A.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Outline

1 MotivationIs DES a group?Trapdoors via imprimitivity

2 Group theory at workImprimitivity of groups generated by round functionsInverse-closed subsets of (finite) fieldsHua and AES

3 Primitive GroupsO’Nan-ScottAbelian regular subgroups and radical rings

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

More on Hua and AES

Hua’s identity can be used in the cryptanalysis of AES.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

More on Hua and AES

Hua’s identity can be used in the cryptanalysis of AES.

Joan Daemen and Vincent Rijmen,Two-Round AES Differentialse-print, 2007.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

More on Hua and AES

Hua’s identity can be used in the cryptanalysis of AES.

Joan Daemen and Vincent Rijmen,Two-Round AES Differentialse-print, 2007.

Theorem

Let T denote a two-round Rijndael transformation. Itoperates on GF(28). Fix 0 6= a ∈ GF(28). Then the set ofinverses of the output differences with input difference a

{

(T (x + a) − T (x))−1 : x ∈ GF(28)}

forms a linear subspace, minus { 0 }.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

More on Hua and AES

Hua’s identity can be used in the cryptanalysis of AES.

Joan Daemen and Vincent Rijmen,Two-Round AES Differentialse-print, 2007.

Theorem

Let T denote a two-round Rijndael transformation. Itoperates on GF(28). Fix 0 6= a ∈ GF(28). Then the set ofinverses of the output differences with input difference a

{

(T (x + a) − T (x))−1 : x ∈ GF(28)}

forms a linear subspace, minus { 0 }.

Hua’s identity simply tells us that

(T (x + a) − T (x))−1 = a((a−1x)2 + a−1x).

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Outline

1 MotivationIs DES a group?Trapdoors via imprimitivity

2 Group theory at workImprimitivity of groups generated by round functionsInverse-closed subsets of (finite) fieldsHua and AES

3 Primitive GroupsO’Nan-ScottAbelian regular subgroups and radical rings

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

O’Nan-Scott

Our intention would now be to apply the O’Nan-Scottclassification of primitive groups.

Leonard L. ScottRepresentations in characteristic p.The Santa Cruz Conference on Finite Groups, 1979,Proc. Sympos. Pure Math., 37, 319–331.

M. Aschbacher and L. ScottMaximal subgroups of finite groups.J. Algebra 92 (1985), 44–80.

Martin W. Liebeck, Cheryl E. Praeger and Jan Saxl,On the O’Nan-Scott theorem. . .J. Austral. Math. Soc. Ser. A 44 (1988), 389–396

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

O’Nan-Scott

Our intention would now be to apply the O’Nan-Scottclassification of primitive groups.

Leonard L. ScottRepresentations in characteristic p.The Santa Cruz Conference on Finite Groups, 1979,Proc. Sympos. Pure Math., 37, 319–331.

M. Aschbacher and L. ScottMaximal subgroups of finite groups.J. Algebra 92 (1985), 44–80.

Martin W. Liebeck, Cheryl E. Praeger and Jan Saxl,On the O’Nan-Scott theorem. . .J. Austral. Math. Soc. Ser. A 44 (1988), 389–396

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

O’Nan-Scott

Our intention would now be to apply the O’Nan-Scottclassification of primitive groups.

Leonard L. ScottRepresentations in characteristic p.The Santa Cruz Conference on Finite Groups, 1979,Proc. Sympos. Pure Math., 37, 319–331.

M. Aschbacher and L. ScottMaximal subgroups of finite groups.J. Algebra 92 (1985), 44–80.

Martin W. Liebeck, Cheryl E. Praeger and Jan Saxl,On the O’Nan-Scott theorem. . .J. Austral. Math. Soc. Ser. A 44 (1988), 389–396

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

O’Nan-Scott

Our intention would now be to apply the O’Nan-Scottclassification of primitive groups.

Leonard L. ScottRepresentations in characteristic p.The Santa Cruz Conference on Finite Groups, 1979,Proc. Sympos. Pure Math., 37, 319–331.

M. Aschbacher and L. ScottMaximal subgroups of finite groups.J. Algebra 92 (1985), 44–80.

Martin W. Liebeck, Cheryl E. Praeger and Jan Saxl,On the O’Nan-Scott theorem. . .J. Austral. Math. Soc. Ser. A 44 (1988), 389–396

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Primitive Groups

An analysis of the O’Nan-Scott classification shows that the(primitive) group generated by the round functions ofRijndael could be one of the following.

• The alternating group.

• A wreath product in product action.

• An affine group.

We have not been able to finish it off from here.Still, we have a spin-off from the last case.

A. Caranti, F. Dalla Volta and M. SalaAbelian regular subgroups of the affine group andradical rings.Publ. Math. Debrecen 69 (2006), no. 3, 297–308.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Primitive Groups

An analysis of the O’Nan-Scott classification shows that the(primitive) group generated by the round functions ofRijndael could be one of the following.

• The alternating group.

• A wreath product in product action.

• An affine group.

We have not been able to finish it off from here.Still, we have a spin-off from the last case.

A. Caranti, F. Dalla Volta and M. SalaAbelian regular subgroups of the affine group andradical rings.Publ. Math. Debrecen 69 (2006), no. 3, 297–308.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Primitive Groups

An analysis of the O’Nan-Scott classification shows that the(primitive) group generated by the round functions ofRijndael could be one of the following.

• The alternating group.

• A wreath product in product action.

• An affine group.

We have not been able to finish it off from here.Still, we have a spin-off from the last case.

A. Caranti, F. Dalla Volta and M. SalaAbelian regular subgroups of the affine group andradical rings.Publ. Math. Debrecen 69 (2006), no. 3, 297–308.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Primitive Groups

An analysis of the O’Nan-Scott classification shows that the(primitive) group generated by the round functions ofRijndael could be one of the following.

• The alternating group.

• A wreath product in product action.

• An affine group.

We have not been able to finish it off from here.Still, we have a spin-off from the last case.

A. Caranti, F. Dalla Volta and M. SalaAbelian regular subgroups of the affine group andradical rings.Publ. Math. Debrecen 69 (2006), no. 3, 297–308.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Primitive Groups

An analysis of the O’Nan-Scott classification shows that the(primitive) group generated by the round functions ofRijndael could be one of the following.

• The alternating group.

• A wreath product in product action.

• An affine group.

We have not been able to finish it off from here.Still, we have a spin-off from the last case.

A. Caranti, F. Dalla Volta and M. SalaAbelian regular subgroups of the affine group andradical rings.Publ. Math. Debrecen 69 (2006), no. 3, 297–308.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Primitive Groups

An analysis of the O’Nan-Scott classification shows that the(primitive) group generated by the round functions ofRijndael could be one of the following.

• The alternating group.

• A wreath product in product action.

• An affine group.

We have not been able to finish it off from here.Still, we have a spin-off from the last case.

A. Caranti, F. Dalla Volta and M. SalaAbelian regular subgroups of the affine group andradical rings.Publ. Math. Debrecen 69 (2006), no. 3, 297–308.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Primitive Groups

An analysis of the O’Nan-Scott classification shows that the(primitive) group generated by the round functions ofRijndael could be one of the following.

• The alternating group.

• A wreath product in product action.

• An affine group.

We have not been able to finish it off from here.Still, we have a spin-off from the last case.

A. Caranti, F. Dalla Volta and M. SalaAbelian regular subgroups of the affine group andradical rings.Publ. Math. Debrecen 69 (2006), no. 3, 297–308.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Outline

1 MotivationIs DES a group?Trapdoors via imprimitivity

2 Group theory at workImprimitivity of groups generated by round functionsInverse-closed subsets of (finite) fieldsHua and AES

3 Primitive GroupsO’Nan-ScottAbelian regular subgroups and radical rings

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Abelian regular subgroups and radical rings

Theorem

Let F be a field, and let (V ,+) be a vector space over F .There is a bijection between

• Abelian regular subgroups of the affine group Aff(V ) onV, and

• F-algebra structures (V ,+, ·) such that the resultingring is radical.

Isomorphism classes of algebras correspond to conjugacyclasses of subgroups under the action of GL(V ).

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Abelian regular subgroups and radical rings

Theorem

Let F be a field, and let (V ,+) be a vector space over F .There is a bijection between

• Abelian regular subgroups of the affine group Aff(V ) onV, and

• F-algebra structures (V ,+, ·) such that the resultingring is radical.

Isomorphism classes of algebras correspond to conjugacyclasses of subgroups under the action of GL(V ).

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Abelian regular subgroups and radical rings

Theorem

Let F be a field, and let (V ,+) be a vector space over F .There is a bijection between

• Abelian regular subgroups of the affine group Aff(V ) onV, and

• F-algebra structures (V ,+, ·) such that the resultingring is radical.

Isomorphism classes of algebras correspond to conjugacyclasses of subgroups under the action of GL(V ).

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Abelian regular subgroups and radical rings

Theorem

Let F be a field, and let (V ,+) be a vector space over F .There is a bijection between

• Abelian regular subgroups of the affine group Aff(V ) onV, and

• F-algebra structures (V ,+, ·) such that the resultingring is radical.

Isomorphism classes of algebras correspond to conjugacyclasses of subgroups under the action of GL(V ).

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Abelian regular subgroups and radical rings

Theorem

Let F be a field, and let (V ,+) be a vector space over F .There is a bijection between

• Abelian regular subgroups of the affine group Aff(V ) onV, and

• F-algebra structures (V ,+, ·) such that the resultingring is radical.

Isomorphism classes of algebras correspond to conjugacyclasses of subgroups under the action of GL(V ).

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Related work

D..F. Holt, Robert B. HowlettOn groups which are the product of two abelian groups.J. London Math. Soc. (2) 29 (1984), no. 3, 453–461.

Robert B. HowlettOn the exponent of certain factorizable groups.J. London Math. Soc. (2) 31 (1985), no. 2, 265–271.

Plus work of Y.P. Sysak which can be found in

B. Amberg, S. Franciosi, F. de Giovanni.Products of groups.Oxford Mathematical Monographs, 1992.0-19-853575-9

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Related work

D..F. Holt, Robert B. HowlettOn groups which are the product of two abelian groups.J. London Math. Soc. (2) 29 (1984), no. 3, 453–461.

Robert B. HowlettOn the exponent of certain factorizable groups.J. London Math. Soc. (2) 31 (1985), no. 2, 265–271.

Plus work of Y.P. Sysak which can be found in

B. Amberg, S. Franciosi, F. de Giovanni.Products of groups.Oxford Mathematical Monographs, 1992.0-19-853575-9

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Related work

D..F. Holt, Robert B. HowlettOn groups which are the product of two abelian groups.J. London Math. Soc. (2) 29 (1984), no. 3, 453–461.

Robert B. HowlettOn the exponent of certain factorizable groups.J. London Math. Soc. (2) 31 (1985), no. 2, 265–271.

Plus work of Y.P. Sysak which can be found in

B. Amberg, S. Franciosi, F. de Giovanni.Products of groups.Oxford Mathematical Monographs, 1992.0-19-853575-9

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

Related work

D..F. Holt, Robert B. HowlettOn groups which are the product of two abelian groups.J. London Math. Soc. (2) 29 (1984), no. 3, 453–461.

Robert B. HowlettOn the exponent of certain factorizable groups.J. London Math. Soc. (2) 31 (1985), no. 2, 265–271.

Plus work of Y.P. Sysak which can be found in

B. Amberg, S. Franciosi, F. de Giovanni.Products of groups.Oxford Mathematical Monographs, 1992.0-19-853575-9

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

An application

• In the affine group over a finite vector space, an abelianregular subgroup intersects the group of translationsnontrivially.

• There is an example of Hegedus of a nonabelian,regular subgroup of an affine group over a finite vectorspace which has trivial intersection with the group oftranslations.

• There is a (simple) example of an abelian, regularsubgroup of the affine group over an infinite vectorspace which has trivial intersection with the group oftranslations.

Pál HegedusRegular subgroups of the affine groupJ. Algebra 225 (2000), no. 2, 740–742.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

An application

• In the affine group over a finite vector space, an abelianregular subgroup intersects the group of translationsnontrivially.

• There is an example of Hegedus of a nonabelian,regular subgroup of an affine group over a finite vectorspace which has trivial intersection with the group oftranslations.

• There is a (simple) example of an abelian, regularsubgroup of the affine group over an infinite vectorspace which has trivial intersection with the group oftranslations.

Pál HegedusRegular subgroups of the affine groupJ. Algebra 225 (2000), no. 2, 740–742.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

An application

• In the affine group over a finite vector space, an abelianregular subgroup intersects the group of translationsnontrivially.

• There is an example of Hegedus of a nonabelian,regular subgroup of an affine group over a finite vectorspace which has trivial intersection with the group oftranslations.

• There is a (simple) example of an abelian, regularsubgroup of the affine group over an infinite vectorspace which has trivial intersection with the group oftranslations.

Pál HegedusRegular subgroups of the affine groupJ. Algebra 225 (2000), no. 2, 740–742.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

An application

• In the affine group over a finite vector space, an abelianregular subgroup intersects the group of translationsnontrivially.

• There is an example of Hegedus of a nonabelian,regular subgroup of an affine group over a finite vectorspace which has trivial intersection with the group oftranslations.

• There is a (simple) example of an abelian, regularsubgroup of the affine group over an infinite vectorspace which has trivial intersection with the group oftranslations.

Pál HegedusRegular subgroups of the affine groupJ. Algebra 225 (2000), no. 2, 740–742.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

The example

• Let (V ,+, ·) be the maximal ideal tF [[t ]] of theF -algebra F [[t ]] of formal power series over an arbitraryfield F .

• In Aff(V ) we have the group N of translations.• (V ,+, ·) is a radical ring. Our methods allow us to

construct another abelian, regular subgroup T ofAff(V ). As a group, T is V under the circle operationx ◦ y = x + y + xy , where the element in Tcorresponding to x acts on V via y 7→ y ◦ x .

• One sees that U = { x ∈ V : x · y = 0 for all y ∈ V }corresponds to N ∩ T .

• Since F [[t ]] is a domain, we have N ∩ T = {1} here.• Also, T is torsion-free. If F is a field of positive

characteristic p, then the group N of translations hasexponent p. Thus Aff(V ) has two rather differentabelian regular subgroups here.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

The example

• Let (V ,+, ·) be the maximal ideal tF [[t ]] of theF -algebra F [[t ]] of formal power series over an arbitraryfield F .

• In Aff(V ) we have the group N of translations.• (V ,+, ·) is a radical ring. Our methods allow us to

construct another abelian, regular subgroup T ofAff(V ). As a group, T is V under the circle operationx ◦ y = x + y + xy , where the element in Tcorresponding to x acts on V via y 7→ y ◦ x .

• One sees that U = { x ∈ V : x · y = 0 for all y ∈ V }corresponds to N ∩ T .

• Since F [[t ]] is a domain, we have N ∩ T = {1} here.• Also, T is torsion-free. If F is a field of positive

characteristic p, then the group N of translations hasexponent p. Thus Aff(V ) has two rather differentabelian regular subgroups here.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

The example

• Let (V ,+, ·) be the maximal ideal tF [[t ]] of theF -algebra F [[t ]] of formal power series over an arbitraryfield F .

• In Aff(V ) we have the group N of translations.• (V ,+, ·) is a radical ring. Our methods allow us to

construct another abelian, regular subgroup T ofAff(V ). As a group, T is V under the circle operationx ◦ y = x + y + xy , where the element in Tcorresponding to x acts on V via y 7→ y ◦ x .

• One sees that U = { x ∈ V : x · y = 0 for all y ∈ V }corresponds to N ∩ T .

• Since F [[t ]] is a domain, we have N ∩ T = {1} here.• Also, T is torsion-free. If F is a field of positive

characteristic p, then the group N of translations hasexponent p. Thus Aff(V ) has two rather differentabelian regular subgroups here.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

The example

• Let (V ,+, ·) be the maximal ideal tF [[t ]] of theF -algebra F [[t ]] of formal power series over an arbitraryfield F .

• In Aff(V ) we have the group N of translations.• (V ,+, ·) is a radical ring. Our methods allow us to

construct another abelian, regular subgroup T ofAff(V ). As a group, T is V under the circle operationx ◦ y = x + y + xy , where the element in Tcorresponding to x acts on V via y 7→ y ◦ x .

• One sees that U = { x ∈ V : x · y = 0 for all y ∈ V }corresponds to N ∩ T .

• Since F [[t ]] is a domain, we have N ∩ T = {1} here.• Also, T is torsion-free. If F is a field of positive

characteristic p, then the group N of translations hasexponent p. Thus Aff(V ) has two rather differentabelian regular subgroups here.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

The example

• Let (V ,+, ·) be the maximal ideal tF [[t ]] of theF -algebra F [[t ]] of formal power series over an arbitraryfield F .

• In Aff(V ) we have the group N of translations.• (V ,+, ·) is a radical ring. Our methods allow us to

construct another abelian, regular subgroup T ofAff(V ). As a group, T is V under the circle operationx ◦ y = x + y + xy , where the element in Tcorresponding to x acts on V via y 7→ y ◦ x .

• One sees that U = { x ∈ V : x · y = 0 for all y ∈ V }corresponds to N ∩ T .

• Since F [[t ]] is a domain, we have N ∩ T = {1} here.• Also, T is torsion-free. If F is a field of positive

characteristic p, then the group N of translations hasexponent p. Thus Aff(V ) has two rather differentabelian regular subgroups here.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

The example

• Let (V ,+, ·) be the maximal ideal tF [[t ]] of theF -algebra F [[t ]] of formal power series over an arbitraryfield F .

• In Aff(V ) we have the group N of translations.• (V ,+, ·) is a radical ring. Our methods allow us to

construct another abelian, regular subgroup T ofAff(V ). As a group, T is V under the circle operationx ◦ y = x + y + xy , where the element in Tcorresponding to x acts on V via y 7→ y ◦ x .

• One sees that U = { x ∈ V : x · y = 0 for all y ∈ V }corresponds to N ∩ T .

• Since F [[t ]] is a domain, we have N ∩ T = {1} here.• Also, T is torsion-free. If F is a field of positive

characteristic p, then the group N of translations hasexponent p. Thus Aff(V ) has two rather differentabelian regular subgroups here.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

The example

• Let (V ,+, ·) be the maximal ideal tF [[t ]] of theF -algebra F [[t ]] of formal power series over an arbitraryfield F .

• In Aff(V ) we have the group N of translations.• (V ,+, ·) is a radical ring. Our methods allow us to

construct another abelian, regular subgroup T ofAff(V ). As a group, T is V under the circle operationx ◦ y = x + y + xy , where the element in Tcorresponding to x acts on V via y 7→ y ◦ x .

• One sees that U = { x ∈ V : x · y = 0 for all y ∈ V }corresponds to N ∩ T .

• Since F [[t ]] is a domain, we have N ∩ T = {1} here.• Also, T is torsion-free. If F is a field of positive

characteristic p, then the group N of translations hasexponent p. Thus Aff(V ) has two rather differentabelian regular subgroups here.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

The example

• Let (V ,+, ·) be the maximal ideal tF [[t ]] of theF -algebra F [[t ]] of formal power series over an arbitraryfield F .

• In Aff(V ) we have the group N of translations.• (V ,+, ·) is a radical ring. Our methods allow us to

construct another abelian, regular subgroup T ofAff(V ). As a group, T is V under the circle operationx ◦ y = x + y + xy , where the element in Tcorresponding to x acts on V via y 7→ y ◦ x .

• One sees that U = { x ∈ V : x · y = 0 for all y ∈ V }corresponds to N ∩ T .

• Since F [[t ]] is a domain, we have N ∩ T = {1} here.• Also, T is torsion-free. If F is a field of positive

characteristic p, then the group N of translations hasexponent p. Thus Aff(V ) has two rather differentabelian regular subgroups here.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

The example

• Let (V ,+, ·) be the maximal ideal tF [[t ]] of theF -algebra F [[t ]] of formal power series over an arbitraryfield F .

• In Aff(V ) we have the group N of translations.• (V ,+, ·) is a radical ring. Our methods allow us to

construct another abelian, regular subgroup T ofAff(V ). As a group, T is V under the circle operationx ◦ y = x + y + xy , where the element in Tcorresponding to x acts on V via y 7→ y ◦ x .

• One sees that U = { x ∈ V : x · y = 0 for all y ∈ V }corresponds to N ∩ T .

• Since F [[t ]] is a domain, we have N ∩ T = {1} here.• Also, T is torsion-free. If F is a field of positive

characteristic p, then the group N of translations hasexponent p. Thus Aff(V ) has two rather differentabelian regular subgroups here.

Groupsgenerated by

roundfunctions

Caranti, DallaVolta, Sala &

Villani

MotivationIs DES a group?

Trapdoors viaimprimitivity

Groups atworkImprimitivity

Inversion

Hua and AES

PrimitivityO’Nan-Scott

Radical Rings

The example

• Let (V ,+, ·) be the maximal ideal tF [[t ]] of theF -algebra F [[t ]] of formal power series over an arbitraryfield F .

• In Aff(V ) we have the group N of translations.• (V ,+, ·) is a radical ring. Our methods allow us to

construct another abelian, regular subgroup T ofAff(V ). As a group, T is V under the circle operationx ◦ y = x + y + xy , where the element in Tcorresponding to x acts on V via y 7→ y ◦ x .

• One sees that U = { x ∈ V : x · y = 0 for all y ∈ V }corresponds to N ∩ T .

• Since F [[t ]] is a domain, we have N ∩ T = {1} here.• Also, T is torsion-free. If F is a field of positive

characteristic p, then the group N of translations hasexponent p. Thus Aff(V ) has two rather differentabelian regular subgroups here.