On properties of translation groups in the affine general linear group with applications to cryptography
Marco Calderini, Roberto Civino, Massimiliano Sala

TL;DR
This paper studies the structure of translation groups within the affine general linear group, providing new representations, counting formulas, and classifications to aid cryptanalysis in cryptography.
Contribution
It introduces a new representation of elementary abelian regular subgroups and classifies their conjugacy classes, enhancing cryptanalysts' ability to analyze block ciphers.
Findings
- Developed a convenient representation for subgroup elements
- Derived combinatorial counting formulas for subgroup properties
- Classified conjugacy classes of these subgroups
Abstract
The affine general linear group acting on a vector space over a prime field is a well-understood mathematical object. Its elementary abelian regular subgroups have recently drawn attention in applied mathematics thanks to their use in cryptography as a way to hide or detect weaknesses inside block ciphers. This paper is focused on building a convenient representation of their elements which suits better the purposes of the cryptanalyst. Several combinatorial counting formulas and a classification of their conjugacy classes are given as well.
| n | # of classes | classes size | |
|---|---|---|---|
| 3 | 2 | ||
| 4 | 2 | ||
| 5 | 4 | ||
| 6 | 8 | ||
Funding note: This research was partially funded by the Italian Ministry of Education, Universities and Research (MIUR), with the project PRIN 2015TW9LSR “Group theory and applications”. Roberto Civino is partially funded by the Centre of Excellence EX-EMERGE at University of L’Aquila.
Marco Calderini
Roberto Civino
Massimiliano Sala
Department of Informatics, University of Bergen, Norway
DISIM, University of l’Aquila, Italy
Department of Mathematics, University of Trento, Italy
keywords:
Translation group, affine group, block ciphers, cryptanalysis.
1 Introduction
The group of the translations of a vector space over a prime field is an elementary abelian regular subgroup of the corresponding symmetric group, and its normaliser, the affine general linear group, is a well-understood mathematical object. Regular subgroups of the affine group and their connections with algebraic structures, such as radical rings [16] and braces [19], have already been studied in several works [18, 24, 27, 28]. More recently, elementary abelian regular groups have been used in cryptography to define new operations on the message space of a block cipher and to implement statistical and group theoretical attacks [13, 15, 20]. All these objects are well known to be conjugated to the translation group, but this fact does not provide a simple description and representation of their elements which is useful to the cryptanalyst. For this reason, we address the problem of giving a convenient matrix representation of some elementary abelian regular subgroups of the affine groups and, in some cases, we classify them in terms of their conjugacy classes. The idea behind the cryptographic attack resulting from this work is that of using alternative group structures on the message space of a block cipher to detect a bias in the distribution of the encrypted messages, as we describe in more detail in the following section. Although the approach of using alternative operations in place of the XOR (the usual sum over a binary vector space) is not new [1, 7], the idea of using groups isomorphic to the translation group had never been considered.
1.1 Organisation of the paper
The paper is organised as follows. In Section 2 we introduce the notation and present the main focus of the work, also providing a description of the idea behind the use of translation groups in cryptography. In Section 3 we present our main result, i.e. Theorem 3.11, which proves a description of the translation groups useful in block cipher cryptanalysis. Section 4 is mainly devoted to the case of binary fields, to combinatorial aspects of the topic and to a classification of conjugacy classes in low dimension. In Theorem 4.1 and Theorem 4.7 we provide a bound on the number of groups as in Theorem 3.11.
2 Preliminaries
Let us start by introducing the notation used throughout this work.
Let be a prime number, a positive integer and be the -dimensional vector space over . The -th component of the vector is denoted by . The canonical basis of is composed of the vectors , where if and only if , otherwise it is 0. The vector subspace generated by vectors is denoted by , where . Let be the group of all the permutations on . In this paper we use postfix notation for function evaluation, i.e. if and we write to mean . The identity of is denoted by and if , where , we denote by the group they generate. Let be the general linear group on , i.e. the group of the linear permutations of , and let us denote by the group of all the translations on , i.e. . Then, let the affine general linear group , the normaliser of in the symmetric group, be represented as . Let denote the set of all matrices with entries over with rows and columns. The identity matrix is denoted by .
In this work we will also use some basic ring-theoretical notions, which are summarised here for the convenience of the reader. Let be a ring. An element is called nilpotent if for some and it is called unipotent if is nilpotent, i.e. for some . Analogously, if is a subgroup of unipotent permutations, then is called unipotent. An element is said to be upper unitriangular in a basis on if and only if for all . The map is called upper unitriangular if it is upper triangular with respect to the canonical basis. The group of upper unitriangular linear maps is here denoted by .
The idea of the cryptographic application of this study is described in the following section.
2.1 Motivation and links to the theory of block ciphers
Let be elementary abelian regular. As already mentioned, from a result due to Dixon [23] (see also [5] for an easy proof), there exists such that . Since inherits from its regularity, and recalling that for each we denoted by the translation sending [math] to , it is possible to represent , where the map is the unique in sending [math] to . Once this labelling is established, it is possible to define an additive law on by letting for each . It is easy to check that is an abelian group whose corresponding translation group is . Moreover, letting the multiplication of a vector by a non-zero element be defined as
[TABLE]
it is easily checked that if and , then
[TABLE]
[TABLE]
[TABLE]
and since is elementary. This proves that is a vector space over , and since , and are isomorphic vector spaces. We will denote by the normaliser of and by the stabiliser of in . Since in this paper we will always deal with different operations at the same time, for sake of clarity we will sometimes denote as , by and by .
The idea of applying the group-theoretical study of translation groups to block ciphers comes from the fact that translation is the standard way in which the user introduces the key into the encryption process (in cryptographic terms, the key is XOR-ed to the message). In order to explain this fact and to let the reader figure out the potential attacks coming from alternative translation groups, we give here a short and self-contained introduction to block ciphers. A block cipher on the message space is a set of many invertible functions in , called encryption functions. Popular examples may be found e.g. in [11, 22]. Each encryption function is of the type
[TABLE]
where and the parameter are fixed by the designer and made publicly available, and the sequence represents the encryption key chosen by the user. Once the key and the message to be sent are chosen by the sender, it delivers to the receiver. If the receiver is entitled to recover the message, i.e. if it knows the secret key, it can apply the inverse of the encryption function and obtain the original message . The security of this process, i.e. the inability of a non-authorised party to recover the message, strongly relies on the way the function is designed. Indeed, the process of designing is one of the most important phases in the definition of a block cipher, and it is usually carried out in order to guarantee that the obtained block cipher is resistant against each known attack (e.g. linear [25] and differential [8] cryptanalysis). Giving details and properties that the function has to satisfy is out of the scope of this work, for whose purposes it is enough to know that a minimum and crucial requirement is that . As a matter of fact, the farther it lies from the affine group, the better. This guarantees that the group , called the group of the round functions, is not the affine group . Such a group, introduced in [21] for the first time, has been carefully studied ever since researchers showed that some of its properties can reveal weaknesses of the cipher [2, 3, 4, 6, 17, 26, 29, 31, 32]. Although it is rather easy to select such that is different from , it is not as easy to prove that is not contained in any conjugate of in . If this is the case, i.e. if there exists such that , then there exists an operation such that
[TABLE]
which means that each encryption function is affine with respect to the operation , a serious threat to the security of the cipher. A description of the attack that can be performed in this case is given in [14]. Another example in this regard, i.e. a successful attack against a block cipher which makes use of an operation as described above, can be found in [20]. For the reason explained before, since our interest is in determining if and when the group of the round functions is as in Eq. (1), we focus on investigating operations such that . Such a hypothesis is also decisive in the application studied in [20], where the classical differential attack (see e.g. [9, 10]) is generalised to alternative operations. Moreover, we will always assume , since it guarantees fast computation, which is crucial in the application to cryptanalysis. The related problem of determining conditions on which ensure that for some operation is still open. Some partial results can be found in [13, 15, 20].
In the next section we will introduce our novel results and in particular we will describe all elementary abelian regular groups such that .
3 Abelian regular subgroups of the affine groups
Keeping in mind the construction of Sec. 2, we now focus on groups conjugated to which are affine groups. A seminal work for this research is the paper [16], where the authors give an easy description of the abelian regular subgroups of the affine group in terms of commutative associative algebras that one can define on the vector space . Here we summarise their main results. Recall that a Jacobson radical ring is a ring such that is a group, where the operation is defined as , for each . Note that in general the operation does not induce a vector space structure on . The proof of the next result may be found in [16].
**Theorem 3.1.**
Let be any (finite or infinite) field, and be a vector space of any dimension over . There is a one-to-one correspondence between
1. abelian regular subgroups of ,
2. commutative, associative -algebra structures that one can impose on the vector space structure , such that the resulting ring is radical.
In this correspondence, isomorphism classes of -algebras correspond to conjugacy classes of abelian regular subgroups of , where the conjugation is under the action of .
The correspondence mentioned in the previous result may be written explicitly, proceeding as follows. Let be abelian and regular. Since is regular, reasoning as in Sec. 2 its elements can be labelled as . For each , from the hypothesis, there exists and for some such that . In order to keep the notation lighter, will be simply denoted by . For any , let us define the map . Then, the operation defined on by letting is such that the structure is a commutative -algebra and the resulting ring is radical. Moreover, notice that by definition, then , hence for each . Denoting by the operation induced by , let us now define the set
[TABLE]
and denote by .
**Proposition 3.2.**
Let be an elementary abelian regular subgroup. Then for each , has order and it is unipotent. In particular is a unipotent subgroup of .
Proof.
Let . Since is elementary, has order , so . For each we get
[TABLE]
therefore . ∎
Let us now define an important -subspace:
[TABLE]
We will sometimes denote by . It is easily checked that is a subspace of and . Such a subspace is nontrivial by the following theorem, proven in [16]. It is straightforward but important to notice that if , then holds for each , and consequently .
**Theorem 3.3 ([16]).**
Let be an abelian regular subgroup. If is finite, then .
We will show soon that plays an important role for the characterisation of maps in the group .
Our purpose is, given an operation induced by the group , to describe the matrices for each , where . We show now some preliminary results.
Let be a subspace of . Then for all such that , the action of over is well defined by means of the map in . Let us prove now the following characterisation, recalling that denotes the group of upper unitriangular linear maps.
**Lemma 3.4.**
Let be a unitriangular map acting as the identity on the quotient , for each . Then, the affine transformations generate a transitive subgroup of .
Proof.
Denote by the transformation . Let us start by observing that for each the action of over is well defined and from the hypotheses acts on vectors of leaving the first coordinates unchanged. Let now and be two elements of and let us show that there exists such that . Let such that . So
[TABLE]
for some for , where depends on and . Analogously, if is such that , then
[TABLE]
for some for . In this way, we obtain
[TABLE]
such that , hence the transitivity is proven. ∎
*Remark 3.5.*
Notice that in the conditions of Lemma 3.4, if denotes the operation induced by , then is a basis of . However, this is not true in general. In the following example on indeed, the canonical basis is not a basis for . Let be defined in the following way:
[TABLE]
where
[TABLE]
Then the translations are respectively determined by the matrices
[TABLE]
It is a straightforward check that .
Let us now show a more general result which will be useful later. The following well-known result (see e.g. [30, p. 62]) is needed.
**Theorem 3.6.**
Let be a group of unipotent matrices. Then there exists a basis of in which all elements of are upper triangular.
**Lemma 3.7.**
Let be a unipotent subgroup and let be a subspace such that for all and we have , i.e. is a subgroup of the pointwise stabiliser of . Let and . Then all elements of are upper triangular in a basis , where is any basis of .
Proof.
Since fixes all the elements of , it acts as a group of unipotent maps on . From Theorem 3.6 there exists a basis of , such that lies in for all . Then, all elements of are upper triangular in the basis , since for all . ∎
The previous result reads in the way displayed below, when specified to our case.
**Corollary 3.8.**
Let be an elementary abelian regular group. Let and let . Then all elements of are upper triangular in a basis , where is any basis of .
Proof.
By Proposition 3.2, is unipotent. Moreover, by definition, for all and we have . Hence, the claim follows from Lemma 3.7. ∎
The results obtained so far may be summarised in the following theorem. According to this result, when considering an operation we can always assume, up to conjugation, that is generated by the last vectors of the canonical basis.
**Theorem 3.9.**
Let be an elementary abelian regular group. Let and let . Then there exists such that and .
Proof.
From Corollary 3.8, all the elements of are upper triangular with respect to a basis of , whose last vectors form a basis of . Let such that for each . It is easy to check that , then for all we have
[TABLE]
Since , we have . In conclusion, from , we also obtain . ∎
Until now we have assumed that the subgroup is an affine group. For reasons already explained in Sec. 2 and related to the application in cryptography of this construction, we are interested in groups whose normalisers contain the group of translations , i.e. in operations for which, given such that , we also have . Let us report a result from [16] which is useful for our purpose.
**Lemma 3.10.**
Let be abelian and regular. Then for each and we have
[TABLE]
where denotes the product of the -algebra related to as in Theorem 3.1, and .
In our case, from Lemma 3.10 we obtain that normalises if and only if for all . Indeed, if for all we have , then
[TABLE]
Conversely, if for each , then
[TABLE]
Finally notice that the condition for all is equivalent to for all .
We are now ready to prove one of the main results of this work, i.e. the structure of affine translation groups whose normalisers contain the group . Before doing so, let us recall that for sake of simplicity, proceeding as in Sec. 2, given a group , we denote by the normaliser in of , which is where is such that .
**Theorem 3.11.**
Let be elementary abelian regular and let be the operation induced on . Let , let and let us assume . Then, if and only if for all there exists a matrix such that
[TABLE]
Proof.
By Theorem 3.9, there exists another group operation on such that the corresponding translation group is conjugated, by an element of , to and satisfies and . Let and let an upper-triangular matrix and such that
[TABLE]
Notice that the lower structure of the matrix derives from the property for each , i.e. for each . Recall that
[TABLE]
where the equivalence in Eq.(3) derives from Lemma 3.10. From Eq.(4) instead, considering we obtain that if and only if .
In order to conclude, we need to prove that each conjugate is such that all the matrices in the group are as in Eq. (2), provided that and is spanned by the last vectors of the canonical basis. Let such that . Since , then and also . Consequently
[TABLE]
for some and . Thus, if we have
[TABLE]
therefore the claim follows from . ∎
The characterisation given above allows one to construct an isomorphism between the vector spaces and , which can be computed very efficiently (see [14]). This makes some attacks feasible [14, 20]. Moreover, Theorem 3.11 can be used to determine the maps contained in (see [13, 20]).
4 Even characteristic and combinatorial formulas
In this section we specialise our focus to the cryptographically-relevant case of binary fields. Let us assume from now on that . In this case, we can prove (see Theorem 4.1 and Theorem 4.7) an upper bound on the number of the elementary abelian regular subgroups as in Theorem 3.11. Moreover, we can calculate the number of these groups if the co-dimension of is 2 or 3. To conclude, we report the full classification of the elementary abelian regular subgroups of up to dimension 6. Before doing so, let us prove the following result which bounds the dimension of the subspace .
**Proposition 4.1.**
Let be elementary abelian regular and let . If , then
[TABLE]
Proof.
From Theorem 3.3 and from the hypothesis we have . Let us now assume that contains linearly independent vectors and let be independent from . Let be the operation induced by . Then, , thus for all . Moreover, and so . Then, if , then
[TABLE]
which implies , a contradiction. If is even, then , i.e. contains at least four elements. A proof of this fact may be found in [13]. ∎
Let us now prove that if normalises and the co-dimension of is at most , then we also have that normalises .
**Proposition 4.2.**
Let be elementary abelian regular, and let be the operation induced. Let and . If , then contains .
Proof.
The claim follows if we prove that if , then . Let and let us assume by contradiction . Then there exists such that . Let us show that are linearly independent. Let for such that
[TABLE]
By multiplying each member of the previous equation by we obtain , which implies . In the same way, by multiplying by we prove . Proceeding in this way one proves that for each . This proves that are linearly independent and none of these belongs to . Using a similar argument one proves that . This implies , a contradiction. ∎
We have presented the previous result in the way which best fits our needs. However, it can be stated more generally in the following way.
**Proposition 4.3.**
Let be elementary abelian regular. Let be such that , and let us assume . Then is contained in the normaliser of if and only if is contained in the normaliser of .
*Example 4.4.*
Notice that Proposition 4.2 does not hold, in general, for . Let be the exterior algebra over a vector space of dimension three, spanned by . Hence a basis of is composed by
[TABLE]
The associated translation group is such that , but we have
[TABLE]
From Theorem 3.11, cannot contain the group .
Let us now point out, starting from Theorem 3.11, some properties of the matrices in defining the operation . Let us assume be elementary abelian regular and let us denote, as usual, and . Let . Since we obtain that the -th row of is zero, where
[TABLE]
Instead, from , we obtain that the -th row of equals the -th row of . Moreover, let . Then
[TABLE]
which proves that , i.e.
[TABLE]
This fact is easily generalised as follows.
**Proposition 4.5.**
Let be an elementary abelian regular group. Let and . Moreover, let us assume and . Let , for some . Then
[TABLE]
Proof.
From the hypothesis we have that the canonical basis of is a basis also for (see Remark 3.5). Moreover, for and for . The claim follows straightforwardly by writing in terms of s in . ∎
4.1 Some combinatorial results
In this section we will examine some combinatorial aspects of our topic, focusing on counting the number of abelian regular subgroups of the affine group which are useful in cryptographic contexts. In the next result we will count them in terms of points of a given geometric variety. Let be as in Proposition 4.5. For each we will denote the entries in the matrix in the following way:
[TABLE]
In what follows, in order to keep the notation more compact, given a positive integer we will denote by the set .
**Theorem 4.6.**
Let . The number of elementary abelian regular subgroups such that and is
[TABLE]
where , is the ideal in generated by with
[TABLE]
is the variety of and is the Gaussian binomial.
Proof.
The claim follows by applying together Theorem 3.11 and Theorem 3.9. Let us start by computing the number of the groups as in Theorem 3.11, and then all the conjugates one can obtain from these. Notice that a group such that is generated by the last vectors of the canonical basis of and such that is determined once the matrices (and so, equivalently, ) are fixed, since for the remaining . We will show that to each set of admissible matrices corresponds one point in and, vice versa, from a point of we can obtain one set of admissible matrices . Let be such that is generated by the last vectors of the canonical basis of and such that . Let us denote by the matrices defining the operation. If and , then, from Proposition 4.5,
[TABLE]
Since , then there exist such that
[TABLE]
which happens if and only if
[TABLE]
By symmetry we also have that the conditions given by set hold. Moreover, since is fixed from , we also obtain a solution for set . To conclude, is trivially satisfied, since the matrices are binary.
Vice versa, from a solution of the ideal , we can construct as in Eq. (5). Consequently, we can consider the group generated by the affine maps for , where for
[TABLE]
and for . Since the conditions of Lemma 3.4 are satisfied, is transitive, and it is abelian from the condition expressed by set . Moreover, if and , then
[TABLE]
Computing we obtain
[TABLE]
Hence, since from the condition given by set we obtain , and so , i.e. is elementary. Moreover, is regular, since it is abelian and transitive.
This shows a one-to-one correspondence between the points of and the subgroups such that and . To conclude, consider a -dimensional vector subspace and let . Let us denote by the distinct elementary abelian regular groups such that and let be a transformation such that . Then the groups are pairwise distinct and for each . Now, let be an elementary abelian regular subgroup such that . We have , which implies for some , and so . Our claim follows from the fact that the number of -dimensional vector subspaces of an -dimensional vector space over is . ∎
In the next result, we give an upper bound on the number of points of the variety defined in Theorem 4.6. A lower bound to has been given in [13], where it is also shown that the upper bound of Theorem 4.7 is tight.
**Theorem 4.7.**
Let be defined as in Theorem 4.6. Then
[TABLE]
Proof.
Let where for all as in (5), i.e. is the -th row of the matrix .
We aim at counting how many vectors satisfy the constraints of set , and as in Theorem 4.6. We proceed in two steps: we first consider all the solutions for and and then we exclude those for which the equations of are not satisfied.
First step. As already pointed out before Proposition 4.5, from the conditions in we have for all , and from those in , for all . Therefore, the matrix is determined only by the rows , its first row being equal to zero. Analogously, is determined only by the rows and by , since the first row of is equal to the second row of and since the second row of is equal to zero. Iterating this argument we can consider only the vector composed as
[TABLE]
and thus we have solutions to the equations in .
Second step. The entries of must also satisfy the constraints given by , so for any subset we can exclude the cases where
[TABLE]
In particular, we count when the entries of the matrices with are all zeros and the remaining entries of the matrices with are all non-zero. We start by considering those vectors obtained when exactly one is zero and the others are non-zero, that is, we consider any set with one element. In this case entries of are zero and the others are all non-zero. Similarly, if any pair is equal to zero and the others are not, then entries of are zero and the others are all non-zero. Indeed, assuming , the zero entries of must be in order to have , and in order to have . Considering that is already zero, we have that entries of are zero. Iterating this argument, if we assume that matrices are zero, then entries of are zero and the others are all non-zero. Then such matrices can be chosen in possible ways and each time non-zero elements may be used to fill each of the other entries of , that are
[TABLE]
The last case is when matrices are zero. By the conditions of also the last one is zero, and this happens only when is zero. This concludes the proof. ∎
The following results are derived from Theorem 4.6 and are related to the special cases when . Notice that the case has been largely considered in [20], where it has been used to perform a differential attack against a block cipher. The same notation as in Theorem 4.6 is used. Recall that if , from Proposition 4.2, the hypothesis is enough to guarantee that , and so Theorem 3.11 also applies.
**Corollary 4.8.**
There exist
[TABLE]
distinct elementary abelian regular groups such that .
Proof.
Proceeding as in Theorem 4.6, we need to compute the number of groups such that . Using the notation as in Theorem 4.7, we have
[TABLE]
The following possibilities need to be ruled out:
1. and ,
2. and ,
3. and ,
4. and ,
5. and ,
6. and ,
7. , and .
Therefore we obtain that is the number of distinct subgroups such that . ∎
**Corollary 4.9.**
There exist
[TABLE]
distinct elementary abelian regular groups such that .
Proof.
The proof is obtained using the same argument as in Corollary 4.8. ∎
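As an added, self-contained example (not code from the paper), the operations of Theorem 3.11 on V = F_2^n written as x ∘ y = x M_y + y with M_y = [[I_{n-d}, B_y], [0, I_d]], built from the row conditions stated before Proposition 4.5 and checked for the properties the text claims (elementary abelian, ∘-translations XOR-affine, XOR translations ∘-affine, U(∘) of dimension d), together with a brute-force count for small n and d in the spirit of Theorem 4.6 and Corollaries 4.8 and 4.9. The reading of the ideal of Theorem 4.6 as those row conditions plus dim U(∘) = d, the sample matrices, and the resulting counts 1, 3, 7 and 42 are derived here, not quoted from the page.

```python
"""Added example (not the paper's code): operations x ∘ y = x M_y + y on V = F_2^n
with M_y of the block shape of Theorem 3.11, the checks that make T_∘ an elementary
abelian regular subgroup of AGL(V,+) normalised by T, and a count for small n, d."""
from itertools import product

def vadd(x, y):
    """The usual sum "+" on V, i.e. bitwise XOR of two 0/1 tuples."""
    return tuple(a ^ b for a, b in zip(x, y))

def space(n):
    return list(product((0, 1), repeat=n))   # all 2^n vectors of V = F_2^n

def b_block(a, B, m, d):
    """B_a = sum_k a_k B[k]: the m x d upper-right block of M_a (m = n - d).
    Only the first m coordinates of a matter: the last d span U(∘)."""
    rows = [[0] * d for _ in range(m)]
    for k in range(m):
        if a[k]:
            for i in range(m):
                for j in range(d):
                    rows[i][j] ^= B[k][i][j]
    return rows

def circ(x, y, B, m, d):
    """x ∘ y = x M_y + y  with  M_y = [[I_m, B_y], [0, I_d]]  (Theorem 3.11)."""
    By = b_block(y, B, m, d)
    tail = list(x[m:])
    for i in range(m):
        if x[i]:
            for j in range(d):
                tail[j] ^= By[i][j]
    return vadd(x[:m] + tuple(tail), y)

def is_elementary_abelian_operation(n, d, B):
    """(V,∘) has neutral element 0, every element is an involution, and ∘ is
    commutative and associative: T_∘ is then elementary abelian and regular."""
    m, V, zero = n - d, space(n), (0,) * n
    op = lambda x, y: circ(x, y, B, m, d)
    if any(op(x, zero) != x or op(x, x) != zero for x in V):
        return False
    return all(op(x, y) == op(y, x) and op(op(x, y), z) == op(x, op(y, z))
               for x in V for y in V for z in V)

def is_affine(f, op, n):
    """A permutation f of V is affine w.r.t. the group operation op iff
    f(x op y) = f(x) op f(y) op f(0) for all x, y (op elementary abelian)."""
    V, zero = space(n), (0,) * n
    f0 = f(zero)
    return all(f(op(x, y)) == op(op(f(x), f(y)), f0) for x in V for y in V)

def circ_translations_are_xor_affine(n, d, B):
    """T_∘ <= AGL(V,+): every ∘-translation x -> x ∘ a is XOR-affine."""
    m = n - d
    return all(is_affine(lambda x, a=a: circ(x, a, B, m, d), vadd, n)
               for a in space(n))

def xor_translations_are_circ_affine(n, d, B):
    """T <= AGL(V,∘), i.e. T normalises T_∘ (Lemma 3.10 and the remarks after
    it): every XOR translation x -> x + b is ∘-affine."""
    m = n - d
    op = lambda x, y: circ(x, y, B, m, d)
    return all(is_affine(lambda x, b=b: vadd(x, b), op, n) for b in space(n))

def u_subspace(n, d, B):
    """U(∘) = {a : x ∘ a = x + a for every x}: vectors translated alike by ∘ and +."""
    m, V = n - d, space(n)
    return [a for a in V if all(circ(x, a, B, m, d) == vadd(x, a) for x in V)]

def count_operations(n, d):
    """Operations with U(∘) = <e_{n-d+1}, ..., e_n> and the shape of Theorem 3.11.
    Free entries: one row r_{ik} in F_2^d per pair i < k, placed so that row i of
    B[k] equals row k of B[i] and row k of B[k] is zero (the row conditions before
    Proposition 4.5); kept when dim U(∘) = d.  Assumed reading of Theorem 4.6."""
    m = n - d
    pairs = [(i, k) for i in range(m) for k in range(i + 1, m)]
    count = 0
    for rows in product(space(d), repeat=len(pairs)):
        B = [[[0] * d for _ in range(m)] for _ in range(m)]
        for (i, k), r in zip(pairs, rows):
            B[k][i] = list(r)
            B[i][k] = list(r)
        if len(u_subspace(n, d, B)) == 2 ** d:
            count += 1
    return count

# Constructed sample: n = 4, d = 2, r_{01} = (1, 1), so that
# x ∘ y = x + y + (0, 0, x_1 y_2 + x_2 y_1, x_1 y_2 + x_2 y_1).
EXAMPLE_N, EXAMPLE_D = 4, 2
EXAMPLE_B = [[[0, 0], [1, 1]],   # B_{e_1}: row 1 zero, row 2 = r_{01}
             [[1, 1], [0, 0]]]   # B_{e_2}: row 1 = r_{01}, row 2 zero

if __name__ == "__main__":
    n, d, B = EXAMPLE_N, EXAMPLE_D, EXAMPLE_B
    print(is_elementary_abelian_operation(n, d, B), circ_translations_are_xor_affine(n, d, B),
          xor_translations_are_circ_affine(n, d, B), len(u_subspace(n, d, B)))
    for n, d in [(3, 1), (4, 2), (5, 3), (5, 2)]:
        print(f"n={n} d={d}: {count_operations(n, d)} operations for a fixed U(∘)")
```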
Let us now prove that the groups of Corollary 4.9 belong to the same conjugacy class under .
**Proposition 4.10.**
Let and elementary abelian regular subgroups of such that . Then, there exists such that .
Proof.
It is enough to prove the claim for and elementary abelian regular subgroups of such that . Recall that such groups are defined by the corresponding -dimensional vectors, as shown in the proof of Theorem 4.7. Let us denote and , whose matrices are respectively determined by the vectors
[TABLE]
Let us assume first that and have the same Hamming weight, i.e. the same number of non-zero coordinates. In this case there exists a permutation matrix such that . Let be the permutation matrix defined as
[TABLE]
Note that when we multiply a matrix by on the right we are permuting the last columns of . On the other hand, multiplying by on the left we are permuting the last rows of . Hence, we have
[TABLE]
where is the index permutation induced by , thus . This implies that two groups corresponding to vectors with the same weight are conjugated.
Let us now assume that
[TABLE]
for some . Let be the matrix whose -th row if and , i.e.
[TABLE]
Note that . Note also that multiplying a matrix by on the right we are updating its -th column by summing up its -th and -th columns. On the other hand, multiplying a matrix by on the left we are updating its -th row by summing up its -th and -th rows. Therefore
[TABLE]
for and
[TABLE]
Notice that the group
[TABLE]
is exactly , as . Therefore . We have also proved that, if and are such that the difference of their Hamming weights is one, by arguments previously used, the associated groups and are conjugated in .
To conclude, let us address the general case, i.e. the case of two groups obtained by two vectors and having Hamming weight and . Let us assume, without loss of generality, . Let us define
[TABLE]
[TABLE]
and denote by the corresponding groups. Reasoning as above, we have that and are conjugated in since and have the same Hamming weight, and the same can be proved for and . Moreover, from a previous argument is conjugated in to , for each . Therefore, and are conjugated in , which is our claim. ∎
4.2 Conjugacy classes in low dimension
In this last section we will focus on spaces with low dimension, i.e. with dimension up to 6. From Proposition 4.2 we obtain the following corollary.
**Corollary 4.11.**
If , then if and only if .
The bound of the previous result is tight, as shown below.
**Proposition 4.12.**
Let be such that . Then there exists an elementary abelian regular subgroup such that does not contain .
Proof.
Let be the dimension of . If , let us decompose as , where
[TABLE]
and
[TABLE]
otherwise we consider only . Let us impose over the algebra structure induced by the exterior algebra over a vector space of dimension , which is the one defined by
[TABLE]
and over the algebra structure given by the trivial product for each . Hence we can define the following product over :
[TABLE]
where and . It is easy to check that is a commutative associative -algebra such that the resulting ring is radical. From Theorem 3.1, such an algebra corresponds to an elementary abelian regular subgroup of . The claim follows from Lemma 3.10 and from its consequences, since . ∎
Let us now give a classification of all the elementary abelian regular subgroups of up to dimension , considering only the relevant cases when . The results, summarised in Table 1, derive from Corollary 4.8 and Corollary 4.9 and from some computation performed using MAGMA [12]. For each admissible value of , we collect in Table 1 the number of conjugacy classes of elementary abelian regular subgroups , the number of such subgroups in each class and the corresponding dimension of .
Acknowledgements
Part of the results of this paper are contained in Marco Calderini’s Ph.D. thesis [14], supervised by Massimiliano Sala. The authors gratefully thank the referee for comments and recommendations which helped to improve the quality of the paper.
References
[1] F. Abazari and B. Sadeghiyan. Cryptanalysis with ternary difference: Applied to block cipher PRESENT. International Journal of Information and Electronics Engineering, 2(3):441, 2012.
[2] R. Aragona, M. Calderini, R. Civino, M. Sala, and I. Zappatore. Wave-shaped round functions and primitive groups. Advances in Mathematics of Communications, 13(1):67, 2019.
[3] R. Aragona, M. Calderini, A. Tortora, and M. Tota. Primitivity of PRESENT and other lightweight ciphers. Journal of Algebra and Its Applications, 17(06):1850115, 2018.
[4] R. Aragona, A. Caranti, and M. Sala. The group generated by the round functions of a GOST-like cipher. Annali di Matematica Pura ed Applicata (1923-), 196(1):1–17, 2017.
[5] R. Aragona, R. Civino, N. Gavioli, and C. Maria Scoppola. Regular subgroups with large intersection. Annali di Matematica Pura ed Applicata (1923-), 198(6):2043–2057, 2019.
[6] R. Aragona and A. Meneghetti. Type-preserving matrices and security of block ciphers. Advances in Mathematics of Communications, 13(2):235, 2019.
[7] T. A. Berson. Differential cryptanalysis mod 2^{32} with applications to MD5. In Workshop on the Theory and Application of Cryptographic Techniques, pages 71–80. Springer, 1992.
[8] E. Biham and A. Shamir. Differential cryptanalysis of DES-like cryptosystems. Journal of Cryptology, 4(1):3–72, 1991.
