Matt Crawford wrote:
> On Dec 21, 2005, at 0:10, Ben Laurie wrote:
>> Good ciphers aren't permutations, though, are they? Because if they
>> were, they'd be groups, and that would be bad.
>
> A given cipher, with a given key, is a permutation of blocks. (Assuming
> output blocks and input blocks are the same size.) It may be (and often
> is) the case that the set of all keys does not span the set of all
> possible permutations, in which case the permutations
>
>     { E_k() | k in set of all keys }
>
> may or may not turn out to be a group.
>
> For blocks of n bits and keys of m bits, there are n! permutations but
> 2^m of them are representable by some key. If m = n, this is a fraction
> roughly equal to
>
>     (2e/n)^n
>
> About 10^-70 for n=64. I don't know the probability of a randomly
> selected subset of a permutation group being a group, but at these
> scales, I bet it's small.

Must try not to post to crypto when I'm jetlagged! I had my wires crossed here, what's bad is when the keys form a group, of course (as others have also pointed out).

-- 
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
** ApacheCon - Dec 10-14th - San Diego - http://apachecon.com/ **
"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
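The closure question discussed in this thread can be checked by brute force on a toy block size. The following is an added example, not code from either poster: it compares two constructed 4-bit ciphers (a plain XOR cipher and an S-box cipher, with `SBOX` and all function names chosen for this illustration) and tests whether double encryption under two keys always equals single encryption under some third key.

```python
from itertools import product

BLOCK_BITS = 4
BLOCKS = range(1 << BLOCK_BITS)
KEYS = range(1 << BLOCK_BITS)          # m = n = 4 in the thread's notation

# Arbitrary nonlinear 4-bit S-box, constructed for this example.
SBOX = (14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7)


def xor_cipher(k, x):
    """E_k(x) = x XOR k: the keyed permutations form a group."""
    return x ^ k


def sbox_cipher(k, x):
    """E_k(x) = SBOX[x XOR k]: still a permutation for every key."""
    return SBOX[x ^ k]


def permutation_table(cipher):
    """Map each key's permutation (tuple of outputs) back to its key."""
    return {tuple(cipher(k, x) for x in BLOCKS): k for k in KEYS}


def equivalent_key(cipher, k1, k2):
    """Return k3 with E_k3(x) == E_k2(E_k1(x)) for all x, else None."""
    composed = tuple(cipher(k2, cipher(k1, x)) for x in BLOCKS)
    return permutation_table(cipher).get(composed)


def closed_fraction(cipher):
    """Fraction of key pairs whose double encryption collapses to one key."""
    pairs = list(product(KEYS, repeat=2))
    hits = sum(equivalent_key(cipher, a, b) is not None for a, b in pairs)
    return hits / len(pairs)


if __name__ == "__main__":
    for name, cipher in (("xor", xor_cipher), ("sbox", sbox_cipher)):
        print(f"{name}: closed fraction = {closed_fraction(cipher)}, "
              f"key equivalent to E_5 after E_3 = "
              f"{equivalent_key(cipher, 0x3, 0x5)}")
```

For the XOR cipher every pair of keys collapses to a single key, so multiple encryption adds no strength; for the S-box cipher no pair does, even though each individual key is still a permutation of the blocks.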