Resistance of Statistical Attacks of Parastrophic Quasigroup Transformation

In this paper, we prove an important cryptographic property of the $PE$-transformation proposed elsewhere. If the $PE$-transformation is used as an encrypting function, then after $n$ applications of it to an arbitrary message the distribution of $l$-tuples ($l=1,2,\dots,n$) is uniform. This property implies that the transformation resists statistical attacks. To illustrate the theoretical results, some experimental results are presented as well.


Introduction
Quasigroups and quasigroup transformations are very useful for the construction of cryptographic primitives and of error detecting and error correcting codes. The reasons for that are the structure of quasigroups, their large number, the properties of quasigroup transformations and so on. The quasigroup string transformations $E$ and their properties were considered in several papers.
A quasigroup $(Q, *)$ is a groupoid (i.e. an algebra with one binary operation $*$ on the finite set $Q$) satisfying the law: In fact, (1) says that a groupoid $(Q, *)$ is a quasigroup if and only if the equations $x * u = v$ and $u * y = v$ have unique solutions $x$ and $y$ for each given $u, v \in Q$.
In the sequel, let $A = \{1, \dots, a\}$ be an alphabet of integers ($a \ge 2$) and denote by $A^+ = \{x_1 \dots x_k \mid x_i \in A,\ k \ge 1\}$ the set of all finite strings over $A$. Note that Assuming that $(A, *)$ is a given quasigroup, for any letter $l \in A$ (called leader), Markovski et al. (see [5]) defined the transformation $E = E^{(1)}_l : A^+ \to A^+$ by $E(x_1 \dots x_k) = y_1 \dots y_k \iff y_1 = l * x_1,\ y_i = y_{i-1} * x_i,\ i = 2, \dots, k$, where $x_i, y_i \in A$. Then, for given quasigroup operations $*_1, *_2, \dots, *_n$ on the set $A$, we can define mappings $E_1, E_2, \dots, E_n$ in the same manner as before by choosing fixed elements $l_1, l_2, \dots, l_n \in A$ (such that $E_i$ corresponds to $*_i$ and $l_i$). Let where $\circ$ is the usual composition of mappings ($n \ge 1$). It is easy to check that the mapping $E$ is a bijection. In the same paper, the authors proposed the transformation $E^{(n)}$ as an encryption function and proved the following theorem.
Theorem 1. Let $\alpha \in A^+$ be an arbitrary string and $\beta = E^{(n)}(\alpha)$. Then $m$-tuples in $\beta$ are uniformly distributed for $m \le n$.
Also, in Theorem 2 in [1], Bakeva and Dimitrova proved that the probabilities of $(n + 1)$-tuples in $\beta = E^{(n)}(\alpha)$ are divided into $a$ classes, where $a = |A|$, if $(p_1, p_2, \dots, p_a)$ is the distribution of letters in an input string and $p_1, p_2, \dots, p_a$ are distinct probabilities, i.e., $p_i \ne p_j$ for $i \ne j$. Each class contains $a^n$ elements with the same probabilities and the probability of each $(n + 1)$-tuple in the $i$-th class is $\frac{1}{a^n} p_i$, for $i = 1, 2, \dots, a$. If $p_{i_1} = p_{i_2} = \dots = p_{i_\nu}$ for some $1 \le i_1 < \dots < i_\nu \le a$, then the classes with probabilities $\frac{1}{a^n} p_{i_1} = \frac{1}{a^n} p_{i_2} = \dots = \frac{1}{a^n} p_{i_\nu}$ will be merged into one class with $\nu a^n$ elements. Using these results, the authors proposed an algorithm for cryptanalysis.
In paper [4], Krapez gave an idea for a new quasigroup string transformation based on parastrophes of quasigroups. A modification of this quasigroup transformation is defined in [2]. In [3], the authors showed that the parastrophic quasigroup transformation has good properties for application in cryptography. Namely, using that transformation the number of quasigroups of order 4 useful in cryptography is increased. To complete the proof that the parastrophic quasigroup transformation is suitable for cryptography, it remains to prove that Theorem 1 holds for that transformation, too. This will guarantee that a message encrypted by the parastrophic quasigroup transformation is resistant to statistical attacks.

Parastrophic transformation
In this Section, we briefly repeat the construction of parastrophic quasigroup transformation given in [2].
In this paper we use the following notations for parastrophe operations: . . $x_k$ be an input message. Let $d_1$ be a random integer such that $2 \le d_1 < k$ and $l$ be a randomly chosen element (leader) from $A$. Also, let $(A, *)$ be a quasigroup and $f_1, \dots, f_6$ be its parastrophe operations.
Using the previous transformation $E$, for chosen $l$, $d_1$ and quasigroup $(A, *)$ we define a parastrophic transformation $PE = PE_{l,d_1} : A^+ \to A^+$ as follows.
At first, let $q_1 = d_1$ be the length of the first block, i.e., $M_1 = x_1 x_2 \dots x_{q_1}$. Let $s_1 = (d_1 \bmod 6) + 1$. Applying the transformation $E$ on the block $M_1$ with leader $l$ and quasigroup operation $f_{s_1}$, we obtain the encrypted block Further on, using the last two symbols in $C_1$ we calculate the number $d_2 = 4y_{q_1-1} + y_{q_1}$, which determines the length of the next block. Let In general case, for given $i$, let the encrypted blocks $C_1, \dots, C_{i-1}$ be obtained and $d_i$ be calculated using the last two symbols in We apply the transformation $E_{f_{s_i}, y_{q_{i-1}}}$ on the block $M_i$ and obtain the encrypted block

Now, the parastrophic transformation is defined as
where $||$ is a concatenation of blocks. Note that the length of the last block $M_r$ may be shorter than $d_r$ (depending on the number of letters in the input message). The transformation $PE$ is schematically presented in Figure 1.
For an arbitrary quasigroup on a set $A$, random leaders $l_1, \dots, l_n$ and random lengths $d_1$, we define mappings $PE_1, PE_2, \dots, PE_n$ as in (3) such that $PE_i$ corresponds to $d_1^{(i)}$ and $l_i$. Using them, we define the transformation $PE^{(n)}$ as follows: where $\circ$ is the usual composition of mappings.

Theoretical proof of resistance to statistical attacks
Let the alphabet $A$ be as above. A randomly chosen element of the set $A^k$ can be considered as a random vector $(X_1, X_2, \dots, X_k)$, where $A$ is the range of $X_i$, $i = 1, \dots, k$. We consider these vectors as input messages. The transformation $PE = PE_{l,d_1} : A^+ \to A^+$ can be defined as: Let $(p_1, p_2, \dots, p_a)$ be the probability distribution of the letters $1, \dots, a$ in an input message. That implies $p_i > 0$ for each $i = 1, 2, \dots, a$ and $\sum_{i=1}^{a} p_i = 1$.
An important property of a transformation for application in cryptography is the uniform distribution of the substrings in the output message $(Y_1, \dots, Y_k)$. This property guarantees resistance to statistical attack. Therefore, we investigate the distribution of substrings in the output message obtained using the $PE$-transformation. At first we will prove that after applying the transformation $PE^{(1)}$ on an input message $\alpha$, the letters in the transformed message are uniformly distributed.  1, 2, . . . , k).
Proof. In this proof we use the same notations as in construction of parastrophic quasigroup transformation given in the previous section.
At first, note that the leader $l$ can be considered as a uniformly distributed random variable on the set $A$ since it is randomly chosen from the set $A$. Therefore, $l \sim U(\{1, \dots, a\})$, i.e., Also, the leader $l$ is independent of each letter $X_i$ in the input message. Let $t = 1$. Using equation (4) and the total probability theorem, for the distribution of $Y_1$, we obtain Note that if $i$ runs over all values of $A$ then for fixed $j$, the expression $X_1 = f'_{s_1}(i, j)$ runs over all values of $A$, too. Therefore, i.e., $Y_1 \sim U(\{1, \dots, a\})$. We proceed by induction, and suppose that $Y_r \sim U(\{1, 2, \dots, a\})$. Similarly as before, using that $f_{s_{r+1}}$ is the parastrophe operation applied in the $(r + 1)$-th step, we compute the distribution of $Y_{r+1}$ as follows.
According to the definition of the parastrophic operation given with (4), we can conclude that the random variables $X_{r+1}$ and $Y_r$ are independent. Applying that in the previous equation, we obtain As before, $f'_{s_{r+1}}$ is the inverse quasigroup transformation of $f_{s_{r+1}}$. In the last equation, we use that $X_{r+1} = f'_{s_{r+1}}(i, j)$ runs over all values of $A$ when $j$ is fixed and $i$ runs over all values of $A$, i.e.
In this way, we proved that $Y_t$ has uniform distribution on the set $A$, for each $t \ge 1$.
From Theorem 2 we can conclude the following. If $M \in A^k$ and $C = PE_{l,d_1}(M)$ then the letters in the message $C$ are uniformly distributed, i.e., the probability of the appearance of a letter $i$ at an arbitrary place of the string $C$ is $\frac{1}{a}$, for each $i \in A$. k ) = $PE^{(n)}(X_1, X_2, \dots, X_k)$. We will prove this theorem by induction. Suppose that the statement is satisfied for $n = r$, i.e., (Y {1, 2, . . . , a} l ) for each $1 \le l \le r$ and each $t \ge 0$. Now, let $n = r + 1$. We consider the distribution of (Y ) for each $1 \le l \le r + 1$ and arbitrary $t$.
where $f_{s_j}$ is the parastrophe operation applied in step $j$ and $f'_{s_j}$ is its inverse transformation, $j = t + 2, \dots, t + l$. Now, The last equality is obtained by using the fact that Y {1, 2, . . . , a}) and from the previous expression we obtain that {1, 2, . . . , a} l ) for each $l \le n$ and each $t \ge 0$.

Experimental results
We made many experiments in order to illustrate our theoretical results. Here we give an example. We randomly chose a message $M$ with 1,000,000 letters of the alphabet $A = \{1, 2, 3, 4\}$ with the distribution of letters given in Table 2. We used the quasigroup (5) and its parastrophes.
After applying $PE^{(3)}$ on $M$, we got an encrypted message $C = PE^{(3)}(M)$. In each $PE$-transformation, we chose the length of the first block $d_1 = 3$ and the initial leader $l_1 = 4$.
The distribution of letters in the output $C$ is given in Table 3.

Table 3. The distribution of the letters in the output message

x-axis in the lexicographic order ('11' → 1, '12' → 2, ..., '44' → 16). In a similar way, the triplets and 4-tuples are presented in Figure 3 and Figure 4.
We can see in Figure 2 and Figure 3 that after three applications of $PE$-transformations, the pairs and triplets are also uniformly distributed, as we proved in Theorem 3. Also, we can see in Figure 4 that the distribution of the 4-tuples in $C$ is not uniform, but that distribution is closer to the uniform distribution than the distribution of 4-tuples in the input message.
Next, we check whether Theorem 2 in [1] is satisfied when the $PE$-transformation is applied. The distribution of pairs after one application of the $PE$-transformation is presented in Figure 5 a). In Figure 5 b), we present the distribution of pairs after one application of the $E$-transformation. We can see that the probabilities of pairs are divided into 4 classes in Figure 5 b), as Theorem 2 in [1] claims. But we cannot distinguish any classes of probabilities in Figure 5 a). This means that the algorithm for cryptanalysis proposed in [1] cannot be applied when an input message is encrypted by the $PE$-transformation. Therefore encryption by the $PE$-transformation is more resistant to statistical attacks. Note that for relevant statistical analyses, we must have a sufficiently large input message. Namely, in experiments, the probabilities of $n$-tuples are computed as relative frequencies, and a relative frequency of an event tends to its probability only if the sample is sufficiently large. The relevant statistical analyses cannot be done for a shorter message. Therefore, a statistical attack is impossible on an input message that is not large enough. Note that if an intruder catches and concatenates a lot of short messages encrypted by the same $PE^{(n)}$-transformation, it will obtain a long message and it can apply a statistical attack. But the attack will be impossible if we change the quasigroups used in the encryption $PE^{(n)}$-transformation more often.
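The construction of $PE^{(n)}$ and the frequency experiment described above, as an added Python example that is not the authors' code. It uses a constructed order-4 quasigroup `Q` in place of the page's quasigroup (5) and a constructed input distribution, and it assumes an ordering of the six parastrophes and the rule $s_i = (d_i \bmod 6) + 1$ for every block, since those definitions did not survive on the page.

```python
import random
from collections import Counter
from itertools import product

# Constructed quasigroup of order 4 (row x, column y gives x*y); NOT the page's (5).
Q = [[1, 3, 4, 2], [4, 2, 1, 3], [2, 4, 3, 1], [3, 1, 2, 4]]

def parastrophes(q):
    """Six parastrophe tables f_1..f_6 as dicts (x, y) -> z; this order is assumed."""
    A = range(1, len(q) + 1)
    mul = {(x, y): q[x - 1][y - 1] for x in A for y in A}
    ldiv = {(x, z): y for (x, y), z in mul.items()}   # x \ z = y  <=>  x * y = z
    rdiv = {(z, y): x for (x, y), z in mul.items()}   # z / y = x  <=>  x * y = z
    ops = [mul, ldiv, rdiv]
    return ops + [{(y, x): z for (x, y), z in f.items()} for f in ops]

def pe(msg, ops, leader, d1, decrypt=False):
    """One PE_{l,d1} pass over a list of letters; decrypt=True inverts it."""
    if decrypt:  # solve f(u, x) = v for x in every table
        ops = [{(u, v): x for (u, x), v in f.items()} for f in ops]
    out, prev, pos, d = [], leader, 0, d1
    cipher = msg if decrypt else out   # block lengths always come from ciphertext
    while pos < len(msg):
        if pos:                        # d_i = 4*y_{q-1} + y_q from the previous block
            d = 4 * cipher[pos - 2] + cipher[pos - 1]
        f = ops[d % 6]                 # f_{s_i}, s_i = (d_i mod 6) + 1 (assumed for i > 1)
        for sym in msg[pos:pos + d]:
            out.append(f[prev, sym])
            prev = sym if decrypt else out[-1]   # chaining value is a ciphertext letter
        pos += d
    return out

def max_deviation(seq, l, a=4):
    """Largest |relative frequency - a**-l| over all a**l possible l-tuples."""
    counts = Counter(zip(*(seq[i:] for i in range(l))))
    n = len(seq) - l + 1
    return max(abs(counts[t] / n - a ** -l) for t in product(range(1, a + 1), repeat=l))

def experiment(n=100_000, passes=3, seed=1):
    """Skewed constructed input, then PE^(passes) with d1 = 3 and leader 4 as on the page."""
    msg = random.Random(seed).choices([1, 2, 3, 4], weights=[4, 3, 2, 1], k=n)
    out, ops = msg, parastrophes(Q)
    for _ in range(passes):
        out = pe(out, ops, leader=4, d1=3)
    return msg, out

if __name__ == "__main__":
    m, c = experiment()
    for l in (1, 2, 3, 4):
        print(l, round(max_deviation(m, l), 4), round(max_deviation(c, l), 4))
```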

Conclusion
In this paper we proved that after $n$ applications of the $PE$-transformation on an arbitrary message the distribution of $l$-tuples ($l = 1, \dots, n$) is uniform and we cannot distinguish classes of probabilities in the distribution of $(n + 1)$-tuples. This means that if the $PE$-transformation is used as an encryption function, the obtained cipher messages are resistant to statistical attacks when the number $n$ of applications of the $PE$-transformation is large enough.
In [5], the authors concluded that the $E$-transformation can be applied in cryptography as an encryption function since the number of quasigroups is huge (there are more than $10^{58000}$ quasigroups when $|A| = 256$) and a brute force attack is not reasonable.
If the $PE$-transformation is used in an encryption algorithm then the secret key will be a triplet $(*, l, d_1)$. In that case, a brute force attack is also not possible since, besides the quasigroup operation $*$ and leader $l$, the key contains the length of the first block $d_1$, which influences the dynamics of the changing of parastrophes.
Finally, in [3] the authors proved that the $PE$-transformation has better cryptographic properties than the $E$-transformation for quasigroups of order 4. Namely, some of the fractal quasigroups of order 4 become parastrophic non-fractal and they can be used for designing cryptographic primitives. Investigation of quasigroups of larger order cannot be done in real time since their number is very large.
From all these results we can conclude that the $PE$-transformation is better as an encrypting function than the $E$-transformation.