Substitution block ciphers with functional keys Текст научной статьи по специальности «Математика»

2017 Математические методы криптографии №38

МАТЕМАТИЧЕСКИЕ МЕТОДЫ КРИПТОГРАФИИ

UDC 519.7 DOI 10.17223/20710410/38/4

SUBSTITUTION BLOCK CIPHERS WITH FUNCTIONAL KEYS1

G. P. Agibalov National Research Tomsk State University, Tomsk, Russia

We define a substitution block cipher C with the plaintext and ciphertext blocks in Fn and with the keyspace Ks0,n(g) that is the set {f (x) : f (x) = n2(ga2(n1(xal))); a1,a2 E Fn;п1,п2 E Sn}, where s0 is an integer, 1 ^ s0 ^ n; g : Fn ^ Fn is a bijec-tive vector function g(x) = g1(x)g2(x) ...gn(x) such that every its coordinate function gi(x) essentially depends on some Si ^ s0 variables in the string x = x1x2 .. .xn; Sn is the set of all permutations of the row (12... n); n and a,, are the permutation and negation operations, that is, (n = (¿i«2 ... in)) ^ (n(aia2 ...an) — ail ai2 . . . ain ^ (a = b1b2 ...bn) ^ ((a1a2 ... an)a = al a22.. .abn) and, for a and b in F2, ab = a if b = 1 and ab = —a if b = 0. Like g, any key f in Ks0,n(g) is a bijection on Fn, f (x) = f1(x)f2(x) ...fn(x), and every its coordinate function fi(x) essentially depends on not more than s0 variables in x. The encryption of a plaintext block x and the decryption of a ciphertext block y on the key f are defined in C as follows: У = f (x) and x = f-1(y). Here, we suggest a known plaintext attack on C with the threat of discovering the key f that was used. Let P1 ,P2,..., Pm be some blocks of a plaintext, C1, C2,..., Cm be the corresponding blocks of a ciphertext, i.e., Ci = f (Pi) for l = 1, 2,...,m, and Pi = Pi1Pi2 ...Pin, Ci = Cl1Cl2 ...Cin. The object is to determine the coordinate function fi(x) of f for each i E {1,2,...,n}. The suggested attack consists of two steps, namely we first determine the essential variables xil,...,xis of fi(x) and then compute a Boolean function h(xil,...,xis) such that h(ail, ...,ais) = fi(a1,..., an) for all n-tuples (a1a2 ... an) E Fn. For determining the essential variables of fi, we construct a Boolean matrix || inf D(fi)|| with the set of rows inf D(fi), where D(fi) = {Pi ® P3 : Cu = j; l,j = 1, 2,..., m}, Cu = fi(P), l = 1,...,m, i = 1,...,n, and infD(fi) is the subset of all the minimal vectors in D(fi). Then the numbers of essential variables for fi are the numbers of columns in the intersection of all covers of || inf D(fi)|| with the cardinalities not more than s0, where a cover of a Boolean matrix M is defined as a subset C of its columns such that each row in M has '1' in a column in C. For computing h(xil,... ,xis), we first set h(Piil,..., Piis) = Cii for l = 1,... ,m and then, if h is not yet completely determined on F2, we increase the number m of known blocks (Pi,Ci) of plain- and ciphertexts or extend h on F2 in such a way that the vector function h = h1h2 ...hn with the completely defined coordinate functions is a bijection on Fn. We also describe some special known plaintext attacks on substitution block ciphers with keyspaces being subsets of Ks0,n(g).

Keywords: substitution ciphers, block ciphers, functional keys, cryptanalysis, known plaintext attack, Boolean functions, essential variables, bijective functions.

1The author was supported by the RFBR-grant no. 17-01-00354.

1. Introduction

In cryptography, the cryptosystems with the functional keys are widely used as cryptographic primitives including key-stream generators, s-boxes, cryptofilters, cryptocombiners, key hash functions as well as the symmetric and public-key ciphers, digital signature schemes. For the author, the research, including the definition, characterisation and cryptanalysis of such cryptosystems had beginnings at the 1960-th years. First object of this research was the key-stream generator based on a finite autonomous automaton (state machine) with the output function depending on a bounded number of coordinates of the automaton state and being the key of the generator and of the corresponding stream cipher [1, 2]. Later, two sets of symmetric iterative block ciphers with the functional keys were proposed [3]. They were constructed according to the known cryptographic schemes originally suggested by H. Feistel and implemented in the ciphers LUCIFER and DES and, therefore, were named after Lucifer and Feistel respectively. At the last years, our research in this area was related to definitions and cryptanalysis and synthesis methods for some other kinds of cryptalgorithms with functional keys including watermarking ciphers [4], finite automata cryptographic generators with two-valued controlled steps [5], and cryptautomata [6] where a cryptautomaton is described by a set C of automata networks and a set K of keys such that the choosing a key in K determines a network in C as a specific cryptographic algorithm. In the case, when the key contains transition and (or) output functions of some components in networks in C, we have a cryptosystem with the functional keys. In this paper, we describe another class of cryptosystems with functional keys, namely that named in the title.

2. Definition

Here is a general formal mathematical definition of the ciphers under consideration. Let C be a symmetric cipher and C = (X, Y, K, E,D), where X, Y, and K are the sets of plaintexts, ciphertexts and keys respectively and E and D are, respectively, the encryption and decryption algorithms, E : XxK ^ Y, D : YxK ^ X and E(x, k) = y ^ D(y, k) = x for any x E X, y e Y, and k E K. Suppose X = Y = Fn, K C Bn, B is a class of Boolean functions having some bounded both computational and capacity complexities and depending on not more than n variables such that the mapping f : Fn ^ Fn, defined for x E X and fif2... fn E K as f (x) = fi(x)f2(x)... fn(x), is a bijection. In this case, the cipher C is said to be a substitution block cipher with functional keys, or, shortly, a funkeysubcipher. For each block x = x1x2 ... xn E X, for each key k = f1f2 ... fn E K, and for each ciphertext y E Y in it, we have E(x, k) = f (x) and D(y, k) = f-1(y). Further, these equalities are called the invertibility condition of C.

Note that in this definition, the bounded complexity of a function means the existence of its practical specification and computation.

As usually, there are two general problems in the funkeysubcipher theory — synthesis and analysis. The second problem is very typical of block ciphers and its solving ways significantly depend on the way the first problem is solved. According to the definition above, the first problem consists in generating a proper key space K, namely which is over a set B of Boolean functions of a bounded complexity, satisfies the invertibility conditions, and is great enough to withstand exhaustive search attacks. A method for solving this problem is described in the following section.

3. Synthesis method

Let 1Sn denote the set of all invertible systems each consisting of n functions in B. Further, we also consider the systems in 1Sn as Boolean bijective vector functions, that is, as substitutions on Fn. To synthesize a funkeysubcipher C = (Fn,K,Fn,E,D), where K C 1Sn, we need generating the vector functions in 1Sn as keys in K. Without knowing how to generate all of them, we propose here to generate keys in K as some members of 1Sn which can be obtained by inverse and permutation operations over bits on inputs and outputs of a chosen or given function in 1Sn. For this purpose, we, first, introduce some auxiliary notations related to the permutation and inverse operations and, then, define some subsets of functions in Bn.

Let Sn be the set of all the permutations of numbers 1, 2, ..., n, namely Sn = = {i1i2 ... in : j E {1, 2,..., n}; j = k ^ j = ik; j, k E {1, 2,..., n}}. For any permutation n = i1i2... in E Sn and any vector v = v1v2 . ..vn, let n(vj) = Vj, j = 1, 2, ...,n, and n(v) = n(v1 )n(v2) . ..n(vn) = vi1 vi2... vin. Also, if v1,v2,...,vn are Boolean values (variables or constants) and a = b1b2 ... bn E Fn, then let v- = v^1 v^2 ... v^, where, for any Boolean values a and b, ab = —a if b = 0 and ab = a if b = 1. We say that n(v) and vare obtained by, respectively, permutation and inverse operations n and a over v. In cases when n = 12 ...n or a =11... 1, that is, the operations n or a are identity ones, we write n =1 or a = 1 respectively.

Taking any g(x1 , x2,..., xn) in 1Sn, a1, a2 in Fn, and n1,n2 in Sn, we then can define a vector function f : Fn ^ Fn as f (x) = n2(g-2 (n1(xCT1))), x x 1 x 2 ... xn.

Particularly, g(x)

can be the identical function, that is, for each i in {1, 2,..., n} its coordinate function g^(x) can be equal to x^. In any case, the table of the function f (x) is obtained from the table of the function g(x) by

— substituting columns corresponding to some variables for inverses (in a1),

— transposing (according to n1) columns corresponding to some variables,

— substituting columns corresponding to some coordinate functions of g(x) for inverses (in a2 ), and

— transposing (according to n2) columns corresponding to some coordinate functions of the function g(x).

In other words, f (x) is computed from the function g(x) by the inversion and transposition of some its inputs and outputs and, like g, is of a bounded complexity and satisfies the invertibility condition. Therefore, f (x) E 1Sn.

Define Kn(g) = MgCT2 (ff1(xCT1))) : aba2 E F"ff1,ff2 E Sn}. Thus, we get that Kn(g) C C 1Sn and |Kn(g)| ^ (2nn!)2. Any subset K C Kn(g) of an exponential cardinality can be taken as a synthesis result — the key space of a funkeysubcipher C. The following subsets of Kn(g) are possible candidates for playing this role: Kn(g, 1) = {g(xCT1) : a1 E Fn}, |Kn(g, 1)| ^ 2n;

Kn(g Kn(g Kn(g Kn(g Kn(g Kn(g Kn(g Kn(g Kn(g

2) = {g(n1(x)) : n1 E Sn}, |Kn(g, 2)| ^ n!;

3) = {g(^1(xCT1)) : a1 E Fn, n E Sn}, |Kn(g, 3)| ^ 2nn!;

4) = {g-2(x): a2 E Fn}, |Kn(g, 4)| ^ 2n-

n

5) = {g-2(x-1) : a1,a2 E Fn}, |Kn(g, 5)| ^ 22n;

6) = {g-2 (n1(x)) : a2 E Fn, n E Sn}, |Kn(g, 6)| ^ 2nn!;

7) = {g-2(n1(x-1)) : a1,a2 E F^,n1 E Sn}, |Kn(g, 7)| ^ 22nn!;

8) = Mg(x)) : n2 E Sn}, |Kn(g,8)| ^ n!;

9) = {n2(g(x-1)) : a1 E Fn,n2 E Sn}, |Kn(g, 9)| ^ 2nn!;

10) = {n2(g(n1(x))) : n2,n E Sn}, |Kn(g, 10)| ^ (n!)2;

Kn(g Kn(g Kn(g Kn(g Kn(g

11) = |n2(g(ni(xCT1))) : a G Fn,ni,n2 G Sn}, |Kn(g, 11)| ^ 2n(n!)2;

12) = {n2(gCT2(x)) : a G Fn,n2 G Sn}, |Kn(g, 12)| ^ 2nn!;

13) = {^(g-2(x-1)) : ai,a2 G F^ G Sn}, |Kn(g, 13)| ^ 22nn!;

14) = {^(g-2(ni(x))) : a G Fn,ni,n G Sn}, |Kn(g, 14)| ^ 2n(n!)2;

15) = Kn(g).

4. Funkeysubciphers with key functions in a bounded number of essential variables

Let s0 and n be some integers, 1 ^ s0 ^ n, and Bs0,n be the set of all Boolean functions f (xi,... ,xn) essentially depending on not more than s0 variables xi,... ,xn, that is, for any f : Fn ^ F2,

f (xi , . . . , xn) G Bso,n

^ 3s ^ so 3ii,... ,is G {1,... , n}3g : F2 ^ F2(f (xi, ...,Xn) = g(x^,... ,xis)).

The set of variables xi1,..., xis satisfying this equation is said to be a sufficient subset of arguments for the function f. If U is a sufficient subset for f and, for any V C U, V isn't a sufficient for f, then the variables in U are said to be essential arguments for f.

For natural s ^ s0, let B*n be the set of all functions in Bson essentially depending on

so

exactly s variables. It is clear that Bso,n = (J B*n. We suppose that the number s0 is small

s=i ,

enough for accepting functions in Bso,n to be of a bounded complexity.

Let ISso,n denote the set of all bijective Boolean vector functions each consisting of n coordinate functions in Bso n. Balancedness of each coordinate function of a Boolean vector function f is the necessary condition for bijectivity of f. So the cardinality of ISso,n

'n\ ( 2so

doesn't exceed the number Nso,n = ^ j ^so-\jj , that is the number of all n-dimen-

sional vectors with coordinates being balanced Boolean functions in s0 variables taken in all possible ways from the set {xi,..., xn}.

A funkeysubcipher with key functions in a bounded number of essential variables is a funkeysubcipher C = (Fn,K, Fn,E,D), where K C ISso,n. To synthesize these ciphers, we need generating the key spaces K for them from vector functions in ISso,n. Here, we propose to do this just in the same way as we have done above in the set ISn using the inverse and permutation operations.

Namely, take a vector function g(xi,x2,... ,xn) in ISso,n. Let g = (gi,... ,gn). By the definition of ISso,n, for every i G {1,..., n}, there exists a natural s^ ^ s0 such that g^ G G B* , that is, g^ essentially depends on s^ variables. Define Kso,n(g) = {n2(g-2(ni(x-1))) : ai,a2 G Fn,ni,n2 G Sn}, where x = xix2 ...xn. Thus, we get that Kso,n(g) C ISso,n and |Kso,n(g)| ^ (2nn!)2. Moreover, for any function f = (fi,...,fn) G Kso,n(g) and any i G {1,..., n}, the number of essential variables of f equals sj, the number of essential variables of gj where j = n-i (i).

Any subset K C Kso,n(g) of an exponential cardinality can be taken as the key space of the funkeysubcipher C with key functions in a bounded number of essential variables. In particular, this role can be successfully played by the subsets Kso,n(g, j) that are formally defined, just as Kn(g,j), j = 1,2,..., 15, have been done. For example, Kso,n(g, 7) = = {g-2 (ni(x-1)) : ai,a2 G F^i G Sn}, |Kso,n(g, 7)| ^ 22nn!, and Kso,n(g, 15) =' Kso,n(g). The only difference is in the class of the function g that, for Kn(g, j), belongs to ISn and, for Kso,n(g, j), belongs to ISso,n.

To produce subsets K C Ks0,n(g) as key spaces for funkeysubciphers with key functions in a bounded number of essential variables, we need to have a capability to generate vector Boolean functions g = (g1... gn) in Is0,n with various values of their parameters n, s0, s1, ..., sn. Unfortunately, we have no any exhaustive solution of this problem and can only present now a pair of some restricted relevant methods.

Let 1S*n denote the set of all bijective Boolean vector functions each consisting of n coordinate functions in B*n. The methods just mentioned construct functions from 1S*n.

The first method is used in the case when s ^ 3 and s|n, i.e. n = st for some t E N. It is proved in [7] that IS* s = 0 for all s ^ 3. So, we can construct t functions g(j) = g(j)... g(j) E IS* s, i = 1,...,t. Then the function g(x1,...,xn) = = g11)(x1, . . . ,xs) . . .gS1)(x1, . . . ,xs)g12) (xs+1, . . . ,x2s) . . .gS2)(xs+1, . . . ,x2s) . . . g^ (x(t- 1)s+1, . . . , xn) . . .g( (x(t-1)s+1,... ,xn) belongs to /S*,n.

The second method starts from g(1) (x1,..., xs) = g1... gs E IS* s too. Then we construct the function g(2)(x1,..., xs, xs+1) = g1... gsh where h = xs+1 ©q(x1,..., xs) and q E B*_ 1 s. It is proved in [8] that g(2) E IS* s+1. Repeating this step, we successively obtain the functions g(3) E IS* s+2 (using the functions h = xs+2©q(x1,..., xs, xs+1) and q E B*-1 s+1), ..., g(n+s-1) e IS* , ,

s n

5. Cryptanalysis 5.1. C r y p t a n a l y s i s p r o b l e m

In this section, we consider the cryptanalysis problem for funkeysubciphers giving our attention to ciphers with key functions in bounded numbers of essential variables. Moreover, we confine the consideration to ciphers with key spaces K = Ks0,n(g, j), where g is an arbitrary function in (Bs0,n)n and j can be assigned any value from {1,..., 15}. However, for some parameter j values, the cryptanalysis methods proposed here actually hold for ciphers with the wider key spaces, particularly with K = Kn(g, j).

We assume that the cryptanalyst exploits a known plaintext attack with the threat of total break (secret key recovery). This means that he possesses some blocks P1,..., Pm of a plaintext and corresponding blocks C1,..., Cm of a ciphertext and tries to determine the key that was used, that is, a function f (x) E K = Ks0,n(g, j) such that C = f (p) for all l E {1,... , m}. According to Kerckhoff's principle, it is supposed that the cryptanalyst knows the cipher C = (Fn,K, Fn,E,D) being used. Particularly, he knows the key space K = Ks0,n(g,j) and its parameters g E (Bs0,n)n, n E N, s0 ^ n, and j E {1,..., 15}. The knowledge of the function g(x1,...,xn) yields the knowledge of its inverse g-1, coordinate functions g1,... ,gn in Bs0,n and the sets X1,... ,Xn of their essential variables respectively, Xj C X = {x1,...,xn}, i = 1,...,n. On the base of this information, the cryptanalyst has to determine the coordinate functions f 1,..., fn of a key function f (x1,... ,xn) in Ks0,n(g, j) which satisfies the equalities f (p) = C for all l E {1,..., m}. Here, for each i E {1,..., n}, the function f belongs to Bs0,n, its essential variables form a subset U C X, and |Uj| = |Xj| = Sj if the permutation n2 in the expression for Ks0,n(g, j) is the identity one. For the cryptanalyst, to determine the function fj means to determine the set U of its essential variables and the value of fj for each combination of values of variables in Uj.

Below we first give a general solution of the problem comprising the all fifteen partial cases of it and then present specific solutions for some of these cases.

5.2. General c r y p t a n a l y s i s method

The method concerns the funkeysubcipher C with the general key space K = Kso,n(g) = = {n2(g-2(ni(x-1))) : ai,a2 G Fn,ni,n2 G Sn} which includes the partial key spaces Kso,n(g,j) for all j G {1,..., 15}.

Recall that we have a string of Boolean variables x — x i x 2... xn, a vector Boolean function g(x) = gi(x)g2(x).. .gn(x) with coordinate functions gi,... ,gn, where gi G B*. n for 1 ^ s^ ^ s0 and i = 1,..., n, the blocks of a plain text Pi,..., Pm and the corresponding blocks of a ciphertext Ci,..., Cm.

Let k G K and Q = C1iCi2 ... Cin, l = 1,..., m. Denote f (x) = fi(x)f2(x)... fn(x) = = n(g-2(ni(x-1))). Then f G Bso,n, k = f(x), Cl = f (Pi), and Cli = fi(P), l = 1,... ,m and i = 1 , . . . , n.

Thus, the cryptanalysis problem is as follows: for every i G {1,...,n} and given equalities Cu = fi(P), l = 1,... ,m, determine the function fi(x). The problem is divided into two subproblems: find out essential variables of the function fi and compute its values for all possible values of these variables. In connection with the first subproblem, we need to note that the number of essential variables of fi depends on whether the permutation n2 in f (x) = n2(g-2(ni(x-1))) is the identity one or not. If the answer is "yes", then fi has the same number si of essential variables as gi. Otherwise we can only say that this number is less or equal to max{si,..., sn} and doesn't exceed s0.

To solve the first subproblem, we now present some auxiliary results. Let f/(xi,... ,xn) be a, possibly, partial Boolean function given by two subsets M°, C Fn and Mi, C Fn so that a G Mj, ^ f/(a) = b, b G F2.

We first define the following sets:

D(f/) = {a © P : a G M° ,p G M),}, inf D(f/) = {S : S G D(f/), -Gf G D(f/) ^ < S)},

where for S = di... dn and S/ = di... < in Fn S/ < S ^ S/ = S & Vt G {1,..., n} (d£ ^ dt). Particularly, in our case,

D(fi) = {Pi © Pj : Cii = Cj,, l, j = 1, 2,... , m}.

We next construct the Boolean matrix M/ = || inf D(f/)|| with the set of rows that is equal to inf D(f/). The columns in M/ with the numbers 1,2,..., n are assigned to variables x1, x2, . . . , xn respectively. A subset J of them is said to be a cover of M/ if for each row in M/, there is a column in J with the value 1 in this row. The cover J is minimal if it doesn't contain as a subset another cover of M/.

At last, we note that in [9] we have proved that a subset of variables U = {xj1,..., xjs} is sufficient for f/ iff the subset J of columns in M/ with the numbers j,..., js is a cover of M/, and U is essential for f/ iff J is a minimal cover of M/. Moreover, U is a unique subset of essential variables for f/ iff J is a unique cover of M/; in this case, each row in M/ is a unit vector ej (with a 1 in the j-th coordinate and 0's elsewhere) and U = {xj1,..., xjs} if all the rows in M/ are ej1,..., ejs.

Also, in [10], we have proved that a subset of variables {xj1,... ,xjs} is a unique subset of essential variables for a function f/ in Bso,n iff all the covers of the matrix ||inf D(f/)||, the cardinalities of which don't exceed s0, have a non-empty intersection consisting of columns with the numbers j,..., js.

So, finding a unique subset of essential variables (if it exists) for the function fi in Bso,n and thus solving the first cryptanalysis subproblem is reduced to computing, for the

matrix ||inf D(fj)||, the intersection of all covers whose cardinalities are not more than s0. The computational complexity of this work is O(2s0).

Under the known essential variables xj1, ...,xj of fj, any solution of the second cryptanalysis subproblem for i E {1,...,n} can be obtained as fj(x) = hj(xj1, ...,xj ), where hj : F2' ^ F2, the vector function h1(x11,..., x1 )h2(x21,..., x2 )... hn(xn1,..., xnsn) is a bijection on Fn, and, for all a = a1a2 ... an E Fn, if a = P and l E {1,..., m}, then hj(aj1,..., ajs.) = Cjj.

In particular, if for each i E {1,...,n}, the set {xj1, ...,xj } is a unique subset of essential variables for fj and P = {P1j1 P1j2 ... P1j : l = 1,...,m} = F2', then the solution f (x) of the cryptanalysis problem for the cipher C is unique and, for i E {1,..., n}, it has fj(x) = hj(xj1,... ,xjs.), where hj(Pij1 Pj2 ... PHs.) = Cjj, l E {1,... ,m}.

In the case of P = F2', the following problem arises: given a partially defined Boolean function f'(x1,... ,xn) and a subset {i1,..., is} C {1,..., n}, find (if exists) a completely defined Boolean function h(xj1,..., xjs) such that h(aj1 aj2... ajs) = f/(a1a2 ... an) for each n-tuple (a1a2... an) from the domain of f/. This problem is a special case of the known problem of completing a partial function in a functional class and isn't a subject of this research.

For making references to the general cryptanalysis method described here, we name it GCM. The core of GCM is the algorithm for finding, for a given partially defined Boolean function f/(x1,..., xn) from Bs0,n, such a function h(xj1 ,...,xjs) E B*n that h(xj1,... ,xjs) = f/(x1,... ,xn) on the domain of f/. We denote this algorithm by B.

As for the parameters of the cryptanalysis problem, namely g,a1 ,a2,n1,n2, GCM doesn't depend directly on them both in the contents and in a result. This is not an accidental fact, but it is because these parameters are not really the key k of the cipher C, they only form the expression n2(g-2(n1(x-1))) to specify a bijective function f : Fn ^ Fn which is in fact the key k of C and the result of GCM execution over the given pairs (Pj, Cj), i = 1,..., n.

5.3. Some particular cryptanalysis methods

Some particular cryptanalysis methods for a cipher C under consideration can be obtained by applying GCM to ciphers Cj with key spaces Ks0,n(g, j) for j E {1,..., 14}. We think of these methods as key space limitations of the general method and denote by GCMj. For example, GCM9 and GCM14 are GCM for ciphers with key spaces K = Ks0,n(g, 9) = {n2(g(x-1)) : a1 E Fn,n E Sn} and K = K^,n(g, 14) = Mg-2 Mx))) : a2 E Fn,n1,n2 E Sn} respectively.

Now, we consider some other particular cryptanalysis methods that are not exactly key space limitations of GCM, but give special solutions to some ciphers Cj with limited key spaces.

Cases j = 1, 4, 5

Describing cryptanalysis methods in these cases, we limit our exposition to determination of the inverse operations for obtaining f from g.

Let g-1 = (grWV.^g-O, f-1 = . . . , fr—^ a1 = a11a12 ...a1n, a2 =

= a21a22 ... a2n, P = PnP2 ... Pjn, and C^ = C^1C^2 ... C^n, l = 1, 2,..., m.

In the case j = 1, where K = Ks0,n(g, 1) = {g(x-1) : a1 E Fn}, the cryptanalysis problem is trivial because, for every l E {1,..., m}, C = g(P-1), Pf1 = g-1(C), Pi1' = g-/(Cj), i E {1,..., n}, and a1j is computed by using the Boolean implication

(ab = c) ^ (b =1 ^ c = a),

namely aii = 1 ^ gi-/(Ci) = Pii for all i G {1, 2,..., n} and some (any) l G {1,..., m}, particularly for l = 1.

By the same reason, the problem is trivial in the case j = 4, where K = Kso n(g, 4) = = {g-2 (x) : a2 G Fn}, because C = g-2 (P), C-2 = g(P) and a2 is computed by using the same implication: a2i = 1 ^ gi(Pi) = Cii, i = 1, 2,... , n.

In the case j = 5, where K = Kso,n(g, 5) = {g-2 (x-1) : ai,a2 G Fn}, we have C = = g-2(P-1), C-2 = g(P-1), and P- = g^C-2). For every pair (a2,l), where a2 G Fn and l = 1, 2,..., m, compute the value a(-2,i) = a (-2,i)a(-2,i)... a (-2,i) of the vector a i in F2n by using the algorithm of the case j = 1, namely

a(-2,i) = 1 ^ g^C-2) = Pii,i = 1,..., m.

The result of the cryptanalysis is a pair (a ^a2) satisfying the equality ai = a(-2,i) for all l G {1, . . . , m}. Note that this answer is not sure to be unique. The computational complexity of the algorithm is O(2n).

Note that the attacks described in these cases successfully work on ciphers with K = = Kn(g, j) for j = 1, 4,5 respectively and g G ISn.

Case j = 7

In this case, K = Kso,n(g, 7) = {g-2 (n i(x-1)) : a ^a2 G Fn,n i G Sn} and the cipher under consideration is C7 that is the partial case of C, where n2 = 1. Besides, the ciphers Cj for all j G {1,..., 6} are partial cases of C7, and the cryptanalysis problem for them can be solved by any method solving this problem for C7. The method presented here is an amplification of GCM, namely, instead of method B, a method A is used, which takes into attention the condition n2 = 1, yielding the fact that a function fi(x) to be found has the same number si of essential variables as the known function gi. So, finding essential variables

for fi is reduced in A to finding, for the matrix ||inf D(fi)||, a minimal cover of the given

n

cardinality — si. The computational complexity of the last problem doesn't exceed

si

In other details, the cryptanalysis method for C7 coincides with GCM.

Some program implementations of algorithms A and B and the results of their thorough testing on computers have been presented in [2].

REFERENCES

1. Agibalov G. P. and Levashnikov A. A. Statisticheskoe issledovanie zadachi opoznaniya bulevykh funktsiy odnogo klassa [Statistical study of the identifying problem for a class of Boolean functions]. Proc. ASDA Conf., Novosibirsk, 1966, pp. 40-45. (in Russian)

2. Agibalov G. P. and Sungurova O. G. Kriptoanaliz konechno-avtomatnogo generatora klyuchevogo potoka s funktsiey vykhodov v kachestve klyucha [Cryptanalysis of a finite-state keystream generator with an output function as a key]. Vestnik TSU. Prilozhenie, 2006, no. 17, pp. 104-108. (in Russian)

3. Agibalov G. P. SIBCiphers — simmetrichnye iterativnye blochnye shifry iz bulevykh funktsiy s klyuchevymi argumentami [SIBCiphers — symmetric iterative block ciphers composed of Boolean functions depending on small number of variables]. Prikladnaya Diskretnaya Matematika. Prilozhenie, 2014, no. 7, pp. 43-48. (in Russian)

4. Agibalov G. P. Watermarking ciphers. Prikladnaya Diskretnaya Matematika, 2016, no. 1(31), pp.62-66.

5. Agibalov G. P. and Pankratova I. A. O dvukhkaskadnykh konechno-avtomatnykh kriptograficheskikh generatorakh i metodakh ikh kriptoanaliza [About 2-cascade finite

automata cryptographic generators and their cryptanalysis]. Prikladnaya Diskretnaya Matematika, 2017, no. 35, pp. 38-47. (in Russian)

6. Agibalov G. P. Kriptoavtomaty s funktsional'nymi klyuchami [Cryptautomata with functional keys]. Prikladnaya Diskretnaya Matematika, 2017, no. 36, pp. 59-72. (in Russian)

7. Pankratova I. A. Construction of invertible vectorial Boolean functions with coordinates depending on given number of variables. Proc. CSIST'2016, Minsk, BSU Publ., 2016, pp. 519-521.

8. Pankratova I. A. Ob obratimosti vektornykh bulevykh funktsiy [On the invertibility of vector Boolean functions]. Prikladnaya Diskretnaya Matematika. Prilozhenie, 2015, no. 8, pp. 35-37. (in Russian)

9. Agibalov G. P. Minimizatsiya chisla argumentov bulevykh funktsiy [Number minimization for variables a partial Boolean function depends on]. Problemy Sinteza Tsifrovykh Avtomatov, Moscow, Nauka Publ., 1967, pp. 96-100. (in Russian)

10. Agibalov G. P. O nekotorykh doopredeleniyakh chastichnoy bulevoy funktsii [Some completions of partial Boolean function]. Trudy SPhTI, 1970, iss.49, pp. 12-19. (in Russian)