Quasigroup transformations and their cryptographic potentials - PowerPoint PPT Presentation

1
Quasigroup transformations and their
cryptographic potentials
  • Ass. Prof. Danilo Gligoroski
  • Institute of Informatics, Faculty of Natural
    Sciences,
  • Skopje, Republic of Macedonia

2
Overview
  • Examples and definitions of latin squares and
    quasigroups
  • Latin squares in mathematics
  • Latin squares in cryptology
  • Examples and definitions of quasigroup string
    transformations
  • Edon block cipher
  • Edon stream cipher
  • Edon-C hash function
  • Edon-PRNG
  • Quasigroup Cryptanalysis, definition and examples
  • Conclusions and future work

3
Examples
A Latin Square:
  2 1 0 3
  3 0 1 2
  1 2 3 0
  0 3 2 1
A Latin Square:
  0 1 2 3
  1 2 3 0
  2 3 0 1
  3 0 1 2
A Latin Square:
  2 1 0 3
  1 2 3 0
  3 0 1 2
  0 3 2 1
A Quasigroup (Q,*): the first Latin square read as a multiplication table (row x, column y gives x*y):
  * | 0 1 2 3
  --+--------
  0 | 2 1 0 3
  1 | 3 0 1 2
  2 | 1 2 3 0
  3 | 0 3 2 1
4
Examples (cont.)
Every quasigroup has 5 conjugates (parastrophes). Below, (Q,*) is the quasigroup of the previous slide and each conjugate (Q,∘) is listed under the identity that defines it from *.

A Quasigroup (Q,*)
  * | 0 1 2 3
  --+--------
  0 | 2 1 0 3
  1 | 3 0 1 2
  2 | 1 2 3 0
  3 | 0 3 2 1

x*y = z  ⇔  x∘z = y
  ∘ | 0 1 2 3
  --+--------
  0 | 2 1 0 3
  1 | 1 2 3 0
  2 | 3 0 1 2
  3 | 0 3 2 1

x*y = z  ⇔  y∘x = z
  ∘ | 0 1 2 3
  --+--------
  0 | 2 3 1 0
  1 | 1 0 2 3
  2 | 0 1 3 2
  3 | 3 2 0 1

x*y = z  ⇔  y∘z = x
  ∘ | 0 1 2 3
  --+--------
  0 | 3 2 0 1
  1 | 1 0 2 3
  2 | 0 1 3 2
  3 | 2 3 1 0

x*y = z  ⇔  z∘x = y
  ∘ | 0 1 2 3
  --+--------
  0 | 2 1 3 0
  1 | 1 2 0 3
  2 | 0 3 1 2
  3 | 3 0 2 1

x*y = z  ⇔  z∘y = x
  ∘ | 0 1 2 3
  --+--------
  0 | 3 1 0 2
  1 | 2 0 1 3
  2 | 0 2 3 1
  3 | 1 3 2 0
5
Definitions
6
Definitions (cont.)
  • Wolf, M. 1989. Nondeterministic Circuits, Space
    Complexity and Quasigroups, Computer Sciences
    Technical Report 870. Computer Sciences
    Department, University of Wisconsin -- Madison.
  • "Definition. A Latin square is an n x n grid with
    each of the integers 1,2,...,n appearing exactly
    once in each row and column."
  • "If each of the integers 1,2,...,n appears as a
    label for exactly one row and exactly one column
    then the Latin square can be viewed as a
    multiplication table of a quasigroup. We
    formalize the definitions of groups and
    quasigroups by considering the following four
    properties of a set Q with an associated binary
    operation *. For all a,b,c in Q:
  • (1) There is a unique x such that a*b = x.
  • (2) There is a unique x such that a*x = b.
  • (3) There is a unique x such that x*a = b.
  • (4) (a*b)*c = a*(b*c)
  • Definition. Q is a quasigroup if * satisfies
    properties 1, 2 and 3.
  • Definition. Q is a group if * satisfies
    properties 1, 2, 3, and 4."

7
A short mathematical history about Latin Squares
  • First written reference in 1723
  • 36 officers problem Euler 1779, introduced the
    phrase Latin square
  • Steiner (1853) proposed the problem of arranging
    N things in triplets, such that every pair occurs
    in just one and only one triplet. Such an
    arrangement may be called a simple triplet system
    or a Steiner's triplet system.
  • 1870s - 1890, A. Cayley (the multiplication table
    of a group, its Cayley table, is a Latin square)
  • 1873-1890, E. Schröder (about quasigroups with an
    identity element, i.e. loops)
  • 1930s, Moufang (close connection between
    projective planes and non-associative
    quasigroups)
  • F. Yates (1936) - Balanced Incomplete Block
    Design
  • 1960s - 2000s: enumeration of Latin squares of
    order n, critical sets in Latin squares and the
    Quasigroup Completion Problem.

8
A short mathematical history about Latin Squares
(cont.)
  • 1995 -- McKay, B. and E. Rogoyski. 1995. Latin
    Squares of Order 10. Electronic Journal of
    Combinatorics. 2(3) 1-4.
  • Table 1. Numbers of normalized Latin rectangles
  • For n = 256, T >> 10^58000 ??!!??
  • To obtain the total number of Latin rectangles,
    not necessarily normalized, multiply L(n,n) by
    n!(n-1)!, i.e. T = L(n,n) * n! * (n-1)!

Table 2. Estimates of L(n,n) for larger n.
  n    L(n,n)
  1    1
  2    1
  3    1
  4    4
  5    56
  6    9,408
  7    16,942,080
  8    535,281,401,856
  9    377,597,570,964,258,816
  10   7,580,721,483,160,132,811,489,280
  11   5.36 x 10^33
  12   1.62 x 10^44
  13   2.51 x 10^56
  14   2.33 x 10^70
  15   1.5 x 10^86
  16   1.0 x 10^102
9
A short cryptology history about Latin Squares
  • 1949 Shannon, C. Communication Theory of
    Secrecy Systems. Bell System Technical Journal.
    28 656-715. "Perfect systems in which the number
    of cryptograms, the number of messages, and the
    number of keys are all equal are characterized by
    the properties that (1) each M is connected to
    each E by exactly one line, (2) all keys are
    equally likely. Thus the matrix representation of
    the system is a Latin square." (p. 681)

10
A short cryptology history about Latin Squares
(cont.)
  • S-boxes in Substitution/Permutation Network
    block ciphers: every S-box can be seen as a row or
    column of a quasigroup (some examples)
  • Lucifer, 1970s (uses two S-boxes mapping 4 bits
    to 4 bits)
  • As two rows of a quasigroup of order 16.
  • DES, 80s (uses 8 S-boxes mapping 6 bits to 4
    bits)
  • 8 rows of 8 Latin squares of order 64x64.
  • AES, 1999 (one S-box mapping 8 bits to 8 bits)
  • One row of a quasigroup of order 256.

11
A short cryptology history about Latin Squares
(cont.)
  • Non-Expanding, Key Minimal, Robustly-Perfect,
    Linear and Bilinear Ciphers, by Massey, Maurer
    and Wang, (Advances in Cryptology -- EUROCRYPT
    '87. 237-247. Springer-Verlag). Section 2
    introduces the notion of a robustly-perfect block
    cipher and shows the connection of such ciphers
    to Latin squares.
  • "Discrete Mathematics Using Latin Squares" by
    Laywine and Mullen, Chapter 14, covers
  • 14.2 encryption based upon the theory of sets of
    MOLS
  • 14.3 secret sharing schemes based on critical
    sets
  • 14.4 Diffie-Hellman key exchange and RSA in the
    group of row-Latin squares
  • "DESV: A Latin square variation of DES" by
    Carter, Dawson, and Nielsen (Proceedings of the
    Workshop on Selected Areas in Cryptography,
    Ottawa, Canada, 1995)
  • "Black box cryptanalysis of hash networks based
    on multipermutations" by Schnorr and Vaudenay
    (Eurocrypt '94, pp. 47-57)

12
A short cryptology history about Latin Squares
(cont.)
  • Denes and Keedwell, 1992, Authentication scheme
    based on Latin squares
  • Bakhtiari, Safavi-Naini, Pieprzyk, 1997, MAC
    based on Latin Squares

Basic idea
  *1 | 0 1 2 3
  ---+--------
  0  | 2 1 0 3
  1  | 3 0 1 2
  2  | 1 2 3 0
  3  | 0 3 2 1

  *2 | 0 1 2 3
  ---+--------
  0  | 0 1 2 3
  1  | 1 0 3 2
  2  | 3 2 1 0
  3  | 2 3 0 1

  *3 | 0 1 2 3
  ---+--------
  0  | 1 0 3 2
  1  | 0 1 2 3
  2  | 3 2 1 0
  3  | 2 3 0 1

Transformations on quasigroup(s)
13
Quasigroup string transformations
  • 1997 - 2003, Gligoroski, Markovski, Andova,
    Bakeva, Stojcevska, Kusakatov, Institute of
    Informatics, Faculty of Natural Sc., Skopje

Basic idea
  * | 0 1 2 3
  --+--------
  0 | 2 1 0 3
  1 | 3 0 1 2
  2 | 1 2 3 0
  3 | 0 3 2 1

Letter frequencies
            0     1     2     3
  α         0.60  0.15  0.15  0.10
  e0(α)     0.25  0.35  0.15  0.25
  d0(α)     0.20  0.30  0.35  0.15

  α      = 00102300120010020003
  e0(α)  = 21023130113013002131
  d0(α)  = 22130002111213201223

Worked out letter by letter, with the leader 0 written in front of the input string. In e0 each output letter is (previous output letter) * (current input letter); in d0 each output letter is (previous input letter) * (current input letter); for the first letter the leader plays the role of the previous letter.
  e0(α):  0 | 0 0 1 0 2 3 0 0 1 2 0 0 1 0 0 2 0 0 0 3
          0 | 2 1 0 2 3 1 3 0 1 1 3 0 1 3 0 0 2 1 3 1
  d0(α):  0 | 0 0 1 0 2 3 0 0 1 2 0 0 1 0 0 2 0 0 0 3
              2 2 1 3 0 0 0 2 1 1 1 2 1 3 2 0 1 2 2 3
14
Quasigroup string transformations - definitions
15
Quasigroup string transformations - definitions
16
More definitions
17
Some interesting properties of quasigroup string
transformations
Let (Q,*) be a quasigroup, a ∈ Q, and (Q,\) its
corresponding first parastrophe (x \ z = y ⇔ x * y = z).
Then for every string α ∈ Q+, the d-transformation over
(Q,\) undoes the e-transformation over (Q,*) with the
same leader: d_a^\(e_a^*(α)) = α.
Theorem for uniform distribution of letters in
transformed strings
18
Some interesting properties of quasigroup string
transformations (cont.)
  • Transformation of strings with 4x4 quasigroups.
  • There are 576 4x4 quasigroups.
  • For every α ∈ {0,1,2,3}^l, l = 1..6, there is at least
    one Q and k ∈ N such that e0(e0(...(e0(α)))) = 000...0
    (e0 is applied k times)
  • For n = 7 there are 45 strings (0.27%) that CAN NOT
    be transformed into 000...0
  • For n = 8 there are 2,517 strings (3.84%) that CAN
    NOT be transformed into 000...0
  • For n = 9 there are 34,455 strings (13.14%) that
    CAN NOT be transformed into 000...0
  • For n = 10 there are 255,732 strings (24.39%) that
    CAN NOT be transformed into 000...0
  • For n = 11 there are 2,042,895 strings (48.71%)
    that CAN NOT be transformed into 000...0
  • For n = 12 there are 10,122,285 strings (60.33%)
    that CAN NOT be transformed into 000...0

Transformation of strings with 5x5 quasigroups: there
are 161280 5x5 quasigroups. I have checked for every
α ∈ {0,1,2,3,4}^l, l = 1..12, and ALWAYS there is at
least one Q and k ∈ N such that e0(e0(...(e0(α)))) = 000...0
(e0 is applied k times).
Open problem: What are the smallest lengths of
strings in an n-letter (n > 4) alphabet that can not
be transformed into 000...0?
19
Edon block cipher
  • Variable length of blocks
  • Variable length of keys
  • For embedded systems (hardware implementation) it can
    use 2 quasigroups of order 16, and their first
    conjugates. In total 512 bytes for quasigroup
    storage, and with the code, less than 1024 bytes.
  • In a software implementation it uses 2 quasigroups of
    order 256, and their first conjugates. In total
    256 Kb.

20
Edon block cipher (notation)
  • Message block M = m1m2 ... ml of length l bytes.
  • Key K = q1q2 ... qk of length k bytes.
  • Inner key string P = p1p2 ... pk of length k bytes.
  • Cipher block C = c1c2 ... cl of length l bytes.

21
Edon block cipher (ENCRYPTION)
  • I phase
  • Key scheduling for obtaining the inner key string
    P = p1p2 ... pk of length k bytes from the key
    string K = q1q2 ... qk.
  • P = K
  • For i = 1 to k do
  • begin
  • If (qi mod 2) = 0 then
  • P = (e transform of P with first quasigroup and
    leader qi)
  • Else
  • P = (d transform of P with second quasigroup and
    leader qi)
  • If i < k then RotateRight(P)
  • end
  • II phase
  • Encryption of a message block Mj = m1m2 ... ml of
    length l bytes with the inner key string P = p1p2
    ... pk of length k bytes.
  • For i = 1 to k do
  • begin
  • If (pi mod 2) = 0 then
  • M = (e transform of M with first quasigroup and
    leader pi)
  • Else
  • M = (d transform of M with second quasigroup and
    leader pi)
  • If i < k then RotateRight(M)
  • end

22
Edon block cipher (ENCRYPTION)
23
Edon block cipher (DECRYPTION)
  • I phase
  • Key scheduling for obtaining the inner key string
    P = p1p2 ... pk of length k bytes from the key
    string K = q1q2 ... qk.
  • P = K
  • For i = 1 to k do
  • begin
  • If (qi mod 2) = 0 then
  • P = (e transform of P with first quasigroup and
    leader qi)
  • Else
  • P = (d transform of P with second quasigroup and
    leader qi)
  • If i < k then RotateRight(P)
  • end
  • II phase
  • Decryption of a block Cj = c1c2 ... cl of length l
    bytes with the inner key string P = p1p2 ... pk of
    length k bytes.
  • For i = k downto 1 do
  • begin
  • If (pi mod 2) = 1 then
  • C = (e transform of C with parastrophe of second
    quasigroup and leader pi)
  • Else
  • C = (d transform of C with parastrophe of first
    quasigroup and leader pi)
  • If i > 1 then RotateLeft(C)
  • end
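As an added example (not code from the presentation), the following Python implements the e- and d-transformations and the letter-frequency table of slide 13, the left-division parastrophe and the inversion theorem of slide 17, and the Edon block cipher key schedule, encryption and decryption of slides 21-23, scaled down to the 4x4 quasigroups of slides 3 and 12: leaders are letters 0..3 instead of bytes, and taking table *2 of slide 12 as the "second quasigroup" is an assumption made here.

```python
from collections import Counter
# Q1 is (Q,*) from slides 3 and 13 (Q1[x][y] = x*y); Q2 is table *2 from
# slide 12 (our assumed "second quasigroup"); ALPHA is the slide 13 string.
Q1 = [[2, 1, 0, 3], [3, 0, 1, 2], [1, 2, 3, 0], [0, 3, 2, 1]]
Q2 = [[0, 1, 2, 3], [1, 0, 3, 2], [3, 2, 1, 0], [2, 3, 0, 1]]
ALPHA = [0, 0, 1, 0, 2, 3, 0, 0, 1, 2, 0, 0, 1, 0, 0, 2, 0, 0, 0, 3]

def left_div(Q):
    """First parastrophe (Q,\\): P[x][z] = y iff Q[x][y] = z."""
    P = [[None] * len(Q) for _ in Q]
    for x, row in enumerate(Q):
        for y, z in enumerate(row):
            P[x][z] = y
    return P

def e_tr(Q, a, s):
    """e-transformation, leader a: b1 = a*s1, b_i = b_(i-1)*s_i."""
    out, prev = [], a
    for x in s:
        prev = Q[prev][x]
        out.append(prev)
    return out

def d_tr(Q, a, s):
    """d-transformation, leader a: b1 = a*s1, b_i = s_(i-1)*s_i."""
    out, prev = [], a
    for x in s:
        out.append(Q[prev][x])
        prev = x
    return out

def freq(s):
    """Relative letter frequencies (the table on slide 13)."""
    return {k: v / len(s) for k, v in sorted(Counter(s).items())}

# Edon block cipher (slides 21-23) on the 4-letter alphabet: a round is an
# e-transform over Q1 (even leader) or a d-transform over Q2 (odd leader),
# followed by RotateRight except after the last round.
def rounds(s, leaders):
    for i, q in enumerate(leaders):
        s = e_tr(Q1, q, s) if q % 2 == 0 else d_tr(Q2, q, s)
        if i < len(leaders) - 1:
            s = s[-1:] + s[:-1]  # RotateRight
    return s

def key_schedule(key):  # phase I: start from P = K, leaders are the q_i
    return rounds(list(key), key)
def encrypt(key, block):  # phase II: leaders are the inner key letters p_i
    return rounds(list(block), key_schedule(key))
def decrypt(key, block):
    """Undo the rounds backwards: e over Q is undone by d over Q's left-division parastrophe (slide 17), and d over Q by e over it."""
    P, D1, D2, s = key_schedule(key), left_div(Q1), left_div(Q2), list(block)
    for i in range(len(P) - 1, -1, -1):
        s = e_tr(D2, P[i], s) if P[i] % 2 else d_tr(D1, P[i], s)
        if i > 0:
            s = s[1:] + s[:1]  # RotateLeft
    return s
```

Running `e_tr(Q1, 0, ALPHA)` and `d_tr(Q1, 0, ALPHA)` reproduces the two strings on slide 13, and `left_div(Q1)` is the first conjugate table on slide 4.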

24
Edon block cipher (DECRYPTION)
25
Edon block cipher (Cryptanalysis)
  • Variable length of the key means that it has a
    variable number of rounds
  • Different usage of the e or d transformation plays
    the role of confusion and diffusion
  • Differential cryptanalysis after 4 rounds shows a
    uniform distribution for almost every pair of
    quasigroups.

26
Edon block cipher (Cryptanalysis) (cont.)
27
Edon block cipher (Cryptanalysis) (cont.)
28
Edon block cipher (Cryptanalysis) (cont.)
29
Edon block cipher (Cryptanalysis) (cont.)
30
Edon stream cipher (ENCRYPTION)
No key scheduling. Inner key string P = p1p2 ... pk =
K = q1q2 ... qk.
  • For i = 1 to k do
  • If (pi mod 2) = 0
  • begin
  • M = (e transform of M, with first quasigroup and
    with leader pi)
  • pi = ml
  • end
  • else begin
  • temp = ml
  • M = (d transform of M, with second quasigroup and
    with leader pi)
  • pi = temp
  • end

31
Edon stream cipher (DECRYPTION)
  • For i = k downto 1 do
  • If (pi mod 2) = 1
  • begin
  • C = (e transform of C, with the parastrophe of
    second quasigroup and with leader pi)
  • pi = cl
  • end
  • else begin
  • temp = cl
  • C = (d transform of C, with the parastrophe of
    first quasigroup and with leader pi)
  • pi = temp
  • end

32
Edon stream cipher (ENCRYPTION) (cont.)
33
Edon C, cryptographic hash function
  • Hash output length N can be variable
  • Security properties don't depend on the
    initialization vector; easy transformation into a
    MAC
  • Restriction: in the quasigroup there should be no
    element x such that x*x = x

34
Edon C, cryptographic hash function (cont.)
  • Message block M = m1m2 ... ml of length l bytes.
  • Output hash length N.
  • Initialisation vector H0 = h1h2 ... hN
  • Quasigroup cyclic vector transformation,
  • defined as: if α = a0a1 ... aN-1, β = b0b1 ... bN-1,
    then

35
Edon C, cryptographic hash function (cont.)
  • Algorithm
  • 1. Pad the message M = m1m2 ... ml and obtain a new
    message M such that the length L of the new
    message is a multiple of N, i.e. L = λN, by this
    transformation

2. Initialize the hash vector H0 = h1h2 ... hN
3. For i = 1 to λ do Hi = C(Mi ∘ Hi-1), where ∘ is the
   quasigroup cyclic vector transformation of the
   previous slide
4. Output Hλ
36
Edon PRNG
  • Uses K internal states of a random function
    represented as a vector M = m1m2 ... mK
  • For cryptographic purposes K should be at least
    16.
  • Seed is the initial value of the vector M.
  • One quasigroup of order 256.
  • 1. Initialize PRNG
  • Vector M takes initial K values, i.e. M = m1m2
    ... mK
  • 2. Get next 32 bit random number
  • For i = 1 to 8 do M = e0(M)
  • next_32_bit_random =
    mK || mK-2 || mK-4 || mK-6
  • || is concatenation.

We made more than 1000 experiments to check the
quality of the produced random files (with Diehard
and FIPS 140-2), and never found any case of
failing some test.
Our claims that this PRNG is secure are based on
the fact that the produced 32 bit random number is a
concatenation of non-neighbouring bytes after 8
rounds of quasigroup string transformation of the
seed vector.
37
Quasigroup cryptanalysis (work in progress)
  • This encrypting scheme is easily breakable with
    a known plaintext attack (if the quasigroup
    is known).
  • For one quasigroup (Q,*) define the following
    string transformation (QCA2):
  • Transform a message block Mj = m1m2 ... mk of
    length k bytes with the key string P = p1p2 ... pk
    with the following procedure
  • For i = 1 to k do
  • Begin
  • M = (e transform of M with leader pi)
  • If i < k then RotateRight(M)
  • end

[Figure: the k = 7 rounds of this transformation drawn as a grid, with message letters m1 ... m7 along the top, leaders p1 ... p7 down the side, and cipher letters c1 ... c7 in the last row.]
38
Quasigroup cryptanalysis (work in progress)
(cont.)
  • Algorithm QCA2
  • 1. Convert a stream of pairs (Mi, Ci), i = 1, 2, ...,
    obtained by some cryptographic source (algorithm
    X) into numbers in base n.
  • 2. Choose an arbitrary key string P = p1p2 ... pk
    where the elements pj are in base n.
  • 3. Search for a quasigroup (Q,*) such that
    QCA2(Mi) = Ci for as many values of i as possible,
    until the number of elements in the corresponding
    partial Latin square is 30% of n^2.
  • 4. Try to solve the Quasigroup Completion Problem
    with the obtained partial Latin square and
    obtain a quasigroup (Q,*).
  • If the probability P[Q(P,M) = C] > ε for C = X(M), then
    we say that QCA2 has broken the algorithm X with
    success rate ε.

39
Quasigroup cryptanalysis (work in progress)
Some experiment results
  • Experiment 1: RSA system where n has a small value
    (12 bits). A Latin square of order 64x64 that
    with QCA2 can successfully simulate 27% of the work
    of RSA.
  • Experiment 2: RSA system where n has a small value
    (20 bits). A Latin square of order 64x64 that
    with QCA2 can successfully simulate 10% of the work
    of RSA.
  • Experiment 3: AES encryption in ECB mode of
    1,000,000 blocks of 128 bits (PT), every block
    is different. The produced file (CT) passes every
    known statistical test of randomness. Then I
    applied QCA2 on PT and CT and it proposed
    around 100 quasigroups of order 256. Around 10
    of them can bijectively transform CT such that the
    transformation fails drastically on statistical
    tests.

40
Latin square of order 40x40. With QCA2 it can
successfully simulate 2.5% of an RSA system where
n has a small value of 12 bits.
41
Quasigroup cryptanalysis (work in progress)
  • Question: How big should the order n of the
    quasigroup be, such that it can break RSA-1024
    with a success rate of 1?
  • Answer (speculative): If n = 2^16, then every
    message with less than 1024 bits can be
    represented with 64 letters. For storing one
    quasigroup of order n = 2^16 we need 8 GB of memory.
    The number of elements in such a quasigroup is
    2^32, and to fill 30% of them we will need
    around 2^31 pairs (Mi, Ci).
  • Answer (speculative): If n = 2^24, then every
    message with less than 1024 bits can be
    represented with 43 letters. For storing one
    quasigroup of order n = 2^24 we need 768 TB of memory,
    and to fill 30% of it we will need around
    2^47 pairs (Mi, Ci).

42
Future work with quasigroup transformations in
cryptology
  • In cryptography
  • Make more cryptanalysis of the Edon algorithms
  • Develop protocols for embedding one smaller
    quasigroup into another bigger one, and build
    hierarchies of trusted levels of communication.
  • In cryptanalysis
  • Make more experiments with QCA2, with well known
    crypto algorithms: DES, 3-DES, AES, RSA, DH, ...
  • Convert QCA2 into an algorithm QCA1 that makes
    cryptanalysis only with cipher text.
  • In theory of computing
  • Efficient algorithms for quasigroup
    transformation of strings with desired frequency
    distribution.

I am interested in research cooperation. Thanks.