In this post, we shall discuss a problem with measuring the cryptographic security of a block cipher round function along with a solution to this problem that works for block ciphers like the AES. For this post, the reader is supposed to understand the basics of model theory, some group theory, universal algebra, and cryptography (some familiarity with block ciphers would suffice).

If is a function, then for , let be the mapping defined by letting for each . Recall that a block cipher round function is a mapping where for each , the mapping is a permutation.

Let be a block cipher round function. Suppose that is a permutation of and is a permutation of . Then the block cipher round function defined by has the same level of security as does, but mappings and could appear to be quite different from each other. This is a problem for any entity analyzing the security of a block cipher since an entity may assign the block ciphers and different levels of security even though these block ciphers should be assigned the same level of security. For example, the mapping could have a very high level of linearity, but the permutations could be chosen so that has a low level of linearity according to such a measure of linearity.

Suppose that are block cipher round functions. Then an isomorphism between is a pair where are bijections and where for all . We say that block cipher round functions are isomorphic (and write ) if there exists an isomorphism from to .

Two isomorphic block ciphers round functions should have the same level of security. Therefore, a good measure of some aspect of security of a block cipher should assign isomorphic block cipher round functions the same level of that aspect of security.

We say that a function is a block cipher round function invariant if whenever the block cipher round functions are isomorphic. Equivalently, a block cipher round function invariant is a function that is in some sense definable ( should at least be definable in terms of higher order logic). In this post, we shall mainly develop some theory in order to define as many aspects of block ciphers as possible. We shall then describe block cipher round function invariants that quantify a certain aspect of cryptographic security such as non-linearity. In future posts, we shall describe other block cipher round function invariants such as the spectral radii of linear operators obtained from the block cipher round function.

## Defining heap operations and other structure in a block cipher

In order to show that certain measures of security are block cipher round function invariants (such as some measures of non-linearity), we will first need to be able to define certain operations and relations from the block cipher round function If the function has a nice form, then it is not too difficult to define quite a bit of structure on the sets (this structure can almost make into vector spaces), and one can use this structure to produce block cipher round function invariants.

Let be sets. Suppose that is a group. Suppose that the group acts on the set . Suppose that is a permutation and is the function defined by . Suppose furthermore that whenever , there exists some with . Plenty of block cipher round functions such as AES’s are of this form, and the block ciphers of this form can be studied mathematically. In practice, the group is usually a vector space over or at least an abelian -group.

We have . Therefore, the mapping is definable (for this post, by definable, we mean definable in the structure ), so the relation is definable. However, for all if and only if which happens if and only if . Therefore, the mapping is definable, and this definable ternary operation should be considered to be an algebraic structure that looks like a group but where there is no element that is designated to be the basepoint of this algebraic structure. Let us now go over the theory of algebraic structures that are like groups except without basepoints in order to make sense of the ternary operation .

A heap is a pair where is a ternary operation that satisfies the following identities:

i. whenever .

ii. whenever .

Heaps should be considered to be algebraic structures that are very similar to groups but heaps do not have an identity element.

Example: Suppose that are sets. Then let be the collection of all functions . Then define an operation by letting . Then is a heap. One can easily extend this example to category theory since the collection of all isomorphisms between two fixed objects in a category is also a heap.

Example: Let be a topological space. Suppose that Let be the collection of all continuous functions where . Define a mapping by letting for , for , and for . Define a relation on where we set if are homotopic. In other words, set if there is a continuous mapping where if we set , then and for each . Then is a congruence on the structure , and the quotient algebra is a heap know as the fundamental heap of . One writes for

A heap with a basepoint is an algebraic structure where is a heap, and .

If is a group with identity , then let where is the algebraic operation defined by letting . If is a heap with basepoint, then let be the algebraic structure where .

Theorem:

- Suppose that is a group. Then is a heap with basepoint.

2. Suppose that is a heap with basepoint. Then is a group.

3. If is a group, then .

4. If is a heap with basepoint, then .

Proof: 1. Let is a group. Suppose that . Then

i-a. ,

i-b. , and

ic. .

Furthermore,

Therefore, is a heap with a basepoint.

2. Suppose that is a heap with a basepoint , and . Then Therefore, the operation is associative.

Furthermore, , and , so the element is the identity of . Now define a unary operation by letting .

Then

Furthermore,

Therefore, are inverses, so is a group.

3. Let be a group with identity . Suppose that

, and Then whenever , we have . Therefore,

4. Let be a heap. Suppose that , and let Then

Therefore,

Q.E.D.

Proposition: Suppose now that are groups. Then a function is a heap homomorphism if and only if there is some and a group homomorphism such that for each .

Proof: Let denote the heap operation for both groups . Then

Suppose that for each and is a group homomorphism. Then

Suppose that is a heap homomorphism. Then let

. Then let is a mapping such that for each . Then

Q.E.D.

One can also obtain a group from a heap without needing to assign the heap an arbitrary point as its basepoint.

Suppose that is a heap. Then let be the relation on where we set if and only if .

Proposition: is an equivalence relation on

Proof outline: One can show that the old fashioned way by showing that is reflexive, symmetric, and transitive. One can also observe that there is a group operation where , and here, if if and only if . Q.E.D.

Proposition: If , then

Proof: We have , so . Q.E.D.

Now, define a operations , and by letting and .

Proposition: The operation is associative.

Proof:

Proposition: is a congruence with respect to the operations and .

Proof outline: One can show that and and the old fashioned way. One can also define a mapping by letting . The mapping is clearly a homomorphism from to , and is just . Q.E.D.

Therefore, let denote the equivalence class of with respect to the equivalence relation .

Let . We have already shown that does not depend on the choice of . Let denote the operations where we set which is the equivalence class containing and where which is the equivalence class containing .

Proposition: is a group.

Proof outline: It is not too hard to show that satisfies the group axioms, but there is another way of proving that is a group.

The mapping in the above proposition is a surjective homomorphism. Therefore, the mapping defined by is an isomorphism. Since is a group, the structure is isomorphic to , so is a group as well. Q.E.D.

Observe that the group is definable in , and the action of on defined by letting is also definable since .

Suppose that is a heap. Then a heap action of on a set is a mapping such that whenever (one can generalize the notion of a heap action further to a function where for all , but we do not need this more general notion of a heap action). From the following proposition, we see that the heap actions are just group actions composed with a permutation.

Proposition: Suppose that is a group and is a function. Then the following are equivalent:

- the mapping is a heap action.
- there is some permutation and a group action of on where whenever .
- There is a permutation and a group action of on where .

Proposition: Suppose that is a group, and is a heap action.

- There exists a unique pair where is an action of the group on and where for all .

2. There exists a unique pair where is an action of the group on and where for all .

3. and the actions are conjugate in the sense that and whenever

A faithful group action of a group on a set is said to be a torsor if for each , there exists a unique with . A faithful group action is a torsor if and only if there exists a (not necessarily definable) group structure on and an isomorphism such that whenever

A heap torsor is a heap action such that for each , there exists a unique where . If is a group, then is a heap torsor if and only if there is a group operation on and a group isomorphism such that . If is a heap torsor, then the heap operations on are definable from . We observe that plenty of block cipher round functions including AES’s round function are heap torsors.

**Heap torsor duality**

There are several structures that are equivalent to the notion of a heap torsor.

Let G be a group. Then whenever is a permutation of and , let be the permutation be defined by letting for each . Let . Observe that the set of operations only depends on the heap operation on . A heap with permutation coset is a pair where is a heap and is some permutation of .

If is a heap with permutation coset where is the heap operation on , then let be the operations defined by letting and The operations do not depend on the representative of Let .

A one-sorted heap torsor is a set together with three ternary operations such that is a heap and satisfy the following identities:

- and
- .

If is a one-sorted heap torsor, then whenever , let be the mapping defined by letting

Proposition: Suppose that is a one-sorted heap torsor. Then whenever , we have

Proof: For simplicity, suppose that is a group. Then . Therefore, , so

Q.E.D.

If is a one-sorted heap torsor, then let whenever .

If is a heap with permutation coset and heap operation , then let be the mapping where and . Then do not depend on the representative of . Let

Theorem:

- Suppose that is a heap with permutation coset. Then is a one-sorted heap torsor.
- Suppose that is a one-sorted heap torsor. Then is a heap with permutation coset.
- If is a heap with permutation coset, then .
- If is a one-sorted heap torsor, then

Proof:

(1). For simplicity, assume that is a group. Then

Furthermore, if and only if if and only if

if and only if . Therefore, the mappings

are inverses. We conclude that is a one-sided heap torsor.

2. This is trivial.

3. Suppose that is a heap with permutation coset and heap operation . Then let . Then where and is the mapping where . In this case, we have

, so .

4. Suppose that is a one-sorted heap torsor. For , recall that for . Then whenever . Therefore, let . Then

Therefore . Since the mappings is an inverse to and is an inverse to , we know that as well. Therefore, .

Q.E.D.

Let us now construct a duality between one-sorted heap torsors and heap torsors.

Suppose that is a heap torsor mapping. Let Let denote the heap operation on both and .

For simplicity, suppose that are groups, is a group isomorphism, and is a permutation such that for all .

Then whenever , let be the unique element with . Then define . We observe that , and , so .

Let be the mapping where if , then are inverses. Let

Suppose that is a one-sorted heap torsor. Then define an relation on where we set if and only if .

We observe that if is endowed with a group operation and a permutation such that for all , then if and only if iff iff . In particular, is an equivalence relation, and if and only if .

Define a ternary operation by letting .

Define a mapping by letting .

Proposition: The mapping preserves the operation in the sense that .

Proof:

Q.E.D.

Since is a surjective homomorphism from to with kernel , the equivalence relation is a congruence, and the mapping defined by letting is a heap isomorphism.

Define a mapping by letting . The mapping is a well-defined mapping.

Proposition: The mapping is a heap torsor.

Proof: Let’s overload the symbol by letting . Then

We observe that .

Now, if , then , so . Therefore, . We conclude that . Therefore, is a heap torsor.

Q.E.D.

Let be the heap torsor obtained from .

Theorem: If is a one-sorted heap torsor, then

Proof: Suppose that and

Suppose that . Then for all . However, since , we know that for each .

Since the operations are definable as terms in in the same way that are definable as terms in , we know that , so .

Q.E.D.

If is a heap torsor, then let . Let Define a mapping by letting . If are groups, and is a group isomorphism and , then . In particular, . Therefore, define a mapping by letting . Then the mapping is a bijection.

Proposition: whenever .

Proof: Suppose . Let be the element with . Then , and

Q.E.D.

## Definability of cartesian product structure and S-boxes in SP-networks

In order to produce powerful measures of security for the block cipher round function , let us assume that is not just a heap torsor, but is a substitution-permutation (SP) network. Under this assumption that is an SP-network with reasonably secure S-boxes, nearly any sensible measure of security of is actually definable from the torsor .

Suppose that are groups. Let be a group isomorphism for . Let . Define a group isomorphism by letting Suppose that is a permutation for , and is the mapping defined by letting The mapping is the S-box mapping in our block cipher.

Let be a heap homomorphism. The mapping is the permutation box map in the SP-network. Suppose that .

Let be the projection mapping where . Let be the equivalence relation where if and only if . We shall now under various hypotheses and in various ways define the set of all equivalence relations from the structure .

Define an operation by letting for each . Observe that the operation is definable from the operations . Observe furthermore that for each .

Let . Let where is the heap operation on and is the operation on defined by Observe that is the direct product of the algebras . If we can establish that is the only factorization (up to the rearrangement of the factors) of as a direct product of directly irreducible factors, then can define our set of equivalence relations as the kernels of the projection mappings onto , so we shall now work towards proving that is the unique factorization of as a direct product of directly irreducible algebras (under reasonable hypotheses about the mappings ).

If is a structure such that are two heap operations on , then we shall define subgroups of the group of all permutations of for .

Let be the group generated by the permutations of the form along with the permutations of the form Observe that is generated by the permutations of the form along with the permutations of the form . Let be the group generated by permutations of the forms .

Let be the group with presentation . In other words, is the infinite dihedral group. can also be thought of as the free product . Let be the subgroup of generated by along with the pairs where there are where for all and the pairs where there are with for all . Let be the group of all permutations of where . Let be the group generated by the permutations of the form where and is a term produced from the fundamental operations .

We observe that for , the group is isomorphic to a direct product . Once we prove (using reasonable assumptions) that is the unique factorization of into a direct product of directly indecomposable groups, we will be able to define the equivalence relations .

From the Krull-Schmidt theorem, we can conclude that for all factorizations of a group as a product of directly indecomposable members, the factors are unique up to reordering and isomorphism.

Theorem: (Krull-Schmidt) Suppose that is a group that satisfies both the ascending and descending chain condition of normal subgroups. Suppose that and are factorizations of into indirectly indecomposable groups. Then and there is some permutation where for and where whenever

We say that a group is strongly indecomposable if whenever are subgroups of with and where whenever , then or . Recall that the center of a group G is the subgroup and that the group is centerless if the center is just

Proposition: A group is strongly indecomposable and centerless if whenever are subgroups of with and where whenever , then or .

Proof: Suppose that is strongly indecomposable and centerless. Then whenever are subgroups of with and where whenever . Then either or . If we assume that , then since for and since is centerless, we conclude that . For a similar reason, if , then .

Observe that and if , then . Therefore, we have or . In either case, we have , so is centerless. Now assume that are subgroups of with and for . Then we have or . If , then , and if , then . Q.E.D.

Lemma: Suppose that is a strongly indecomposable centerless group. Then whenever are subgroups of that generate and where if and , then there is some where if , then .

Proof: We shall prove this fact by induction on . The case when is trivial. Now assume the induction hypothesis and that are subgroups of where for and that . Then let and . Then whenever , we have , and . Therefore, either or . In the case that , we have whenever . On the other hand, if , then , so by using the induction hypothesis, there is some where if and , then . Therefore, we have whenever and . Q.E.D.

Lemma: Suppose that a finite group is an internal direct product of nontrivial subgroups and each is a strongly indecomposable centerless group. Then whenever is an internal direct product of nontrivial directly indecomposable subgroups , we have , and there is a bijection with for

Proof: By the Krull-Schmidt theorem, we know that there exists an automorphism and a bijection such that for .

Now, let be the inclusion mapping, and let be the projection mapping whenever . Since each is generated by the set of subgroups and since if , then , we conclude by the above lemma that there is some function where if , then

In particular, the mapping is a surjective mapping.

I now claim that the mapping is surjective. Suppose that is not surjective. Then if is not in the image of , then whenever , and therefore, , so as well which is a contradiction, so we conclude that is surjective. Since is surjective, must also be injective. Therefore, for each , we have . Therefore, for all , we have

Q.E.D.

Proposition: Let . Suppose that for all , the group is strongly indecomposable and centerless. Then the set of projections where is the kernel of the projection is definable in the structure .

Proof: The above lemma applies to the subgroups of the group , so up-to-reordering, is the only factorization of into a direct product of directly indecomposable subgroups. For each , let be the group generated by . Then if and only if there exists some with . Therefore, since is definable, the set is also definable. Q.E.D.

We observe that the above proposition applies to when there is some where is the alternating or symmetric group for each and where for all . In particular, the above proposition applies when is the AES round function since the group is the alternating group for according to my previous post.

**A universal algebraic approach**

The equivalence relations are congruences on , so we shall now characterize the set based on the properties of the congruences .

We say that an algebra is congruence permutable if whenever are congruences on , we have . We say that a variety is congruence permutable if every algebra in is congruence permutable. We say that an algebra is congruence distributive if the lattice of congruences of is a distributive lattice. A variety is congruence distributive if each algebra in is congruence distributive. A variety is said to be arithmetical if it is both congruence permutable and congruence distributive. If is an algebra, then we shall write for the variety generated by .

A Mal’cev term is a ternary term that satisfies the identity A majority term is a ternary term that satisfies the identity . A -minority term is ternary term that satisfies the identity .

Theorem: (Mal’cev) Let be a variety. Then is congruence permutable if and only if there exists a ternary term that is a Mal’cev term for .

Theorem: Let be a variety. If has a majority term, then is congruence distributive.

Theorem: (Pixley) Let be a variety. Then the following are equivalent:

- is arithmetical.

2. has a Mal’cev term and a majority term.

3. has a 2/3 minority term.

For example, every heap operation is a Mal’cev term. Therefore, every variety that contains a heap operation is congruence permutable.

If is a distributive lattice, then observe that the collection of all complemented elements of is a complemented distributive lattice, and every complemented distributive lattice with a complementation operation is a Boolean algebra.

Proposition: Suppose that is a congruence distributive algebra and . Furthermore, suppose that for each , the algebra has no non-trivial complemented congruence. Then the maximal elements in the Boolean algebra of complemented congruences in are the congruences .

Corollary: If , no has a non-trivial complemented congruence, and there is a common majority term or a common 2/3 minority term for , then the set of equivalence relations is definable in .

If is an algebra with underlying set , then we shall say that is primal if it is finite and for each function with , there is a term with whenever . For example, the 2 element Boolean algebra is primal. More generally, if is a prime number, then the finite field with operations is primal.

If is an algebra with underlying set , and , then we shall let be the algebra where we add a nullary operation for each element . We say that the the algebra is functionally complete if it is finite and is primal. For example, every finite field is functionally complete.

Theorem: (Werner) Suppose that is a finite algebra with more than one element where is congruence permutable. Then is functionally complete if and only if the lattice is a four element lattice.

Lemma: Suppose that is a functionally complete algebra with underlying set . Then for all , there is an and an -ary term where if is a function, then there are where if , then

Proposition: (Simultaneous functional completeness) Suppose that are functionally complete algebras of the same type with underlying sets . Suppose that have a common heap operation . Then whenever and for , the function is a polynomial function.

Proof outline: Select an element to be the basepoint. Then the group operation obtained by the heap operation together with the basepoint is a polynomial function.

There is some and -ary terms where for all and , there are where if , then

Now let be an -ary term defined by letting

Then for all , there are where if , then

Therefore, the function can be represented by a polynomial function.

Q.E.D.

Proposition: Suppose that if , then and the lattice has only four elements. Then:

2. by the mapping

3. is definable from the underlying set and the group whenever for

4. The congruences on are simply the intersections of the congruences .

5. is definable from the lattice of congruence of .

Theorem: (A corollary to Jordan’s theorem) Suppose that is a set and is a transitive group of permutations of . Then if some contains a cycle of prime length with , then is either the symmetric group or the alternating group.

Proposition: Suppose that is a finite algebra with underlying set that contains a heap operation. Suppose that . If there exists a permutation representable by a term in that contains a cycle of prime length where , then is functionally complete.

Proof outline: To prove this result, one simply shows that there are only four congruences on , and as a consequence, is functionally complete by Werner’s theorem.

**Projection pairs**

Suppose that is a category that contains finite direct products. We say that a collection of objects is skew rigid for an object if whenever and is a morphism, either there is some where or there is some where ; here denote the projection mappings. We say that is skew rigid if is skew rigid for for each .

Proposition: If is skew rigid, then whenever is a homomorphism, there is some and a morphism where .

Proof: Let be the group homomorphism where there exists some where for all . We only need to show that there is some and a group homomorphism where .

We will prove that whenever is a group homomorphism, there is some and with by induction on .

The result clearly holds for , so assume the induction hypothesis and that . Then let be the mapping such that Then , so there is some where for all .

For all , let be the inclusion mapping. Define by letting . Then since is a group homomorphism, we know that there is a group homomorphism where for all or for all . Observe that , so either for all or for all .

Q.E.D.

Proposition: Suppose that is skew rigid. Then whenever is an endomorphism, there exists some function along with homomorphisms for where whenever

Let be a heap. We say that a heap endomorphism is a retraction if .

Proposition: Let be a group. Suppose that is a heap endomorphism. Then let be the group endomorphism, and let be the element where for all . Then is a retraction if and only if is a retraction, and .

Proof: . We have

We have .

We have . Therefore, .

Now, , and . Therefore, since , we conclude that .

Q.E.D.

We say that two heap retractions are complementary projections if there is some with and where for all .

For example, the mappings defined by letting are complementary heap projections, and we observe that every pair of complementary heap projections is of this form.

Observation: Suppose is a heap and are complementary projections where and . Then

- If we set to be the identity of , then the heap homomorphisms are actually group homomorphisms.

2. for all

3. The identity is the unique element with .

4. The homomorphism defined by letting is a bijection. Furthermore, If we define mappings by letting , then

Proposition: Suppose that is skew rigid and each is directly indecomposable. Then whenever are complementary projections with for all , there is some where precisely when for and for . In particular, the set is definable in

Proof: Suppose that . Then are homomorphisms. Therefore, there are homomorphisms with where if is constant, then and where if is constant, then . Observe that . In other words, whenever .

I now claim that .

It is impossible to have and since that would mean that which is impossible since that would mean that is a function of .

If , then we would have , so which is not possible since the only way for to be dependent solely on would be if were a constant function. Similarly, if , then , so we would have which is only possible if is a constant function. Therefore, the only possibility is to have .

We conclude that there are homomorphisms where and whenever .

We observe that and and for each .

We conclude that the operators are complementary projections, so since each is directly indecomposable, for each , either is the identity function and is constant or is the identity function and is constant.

Q.E.D.

We observe that the various conditions that allow us to define from the mapping are conditions that the S-box mapping should satisfy in order for one to consider the SP-network to be secure. Furthermore, for every SP-network , the lattice of congruences of should be generated by in order for the block cipher to be considered secure, but whenever the lattice of congruences is generated by , the set is definable.

## Some invariants of block cipher round functions

For the remainder of this post, we shall assume that the mapping is an SP-network and that the set is definable from . From the definability of , we shall be able to recover most of the important information about the non-linear layer as well as the linear later .

Let be the group of all permutations of that can be factored as where whenever .

We say that a pair is an SP-factorization of if is a heap automorphism, , and for some . If is an SP-factorization of , then we shall say that is an affinization of and is a boxification of .

Observation:

1. The SP-factorizations of are precisely the pairs of the form for some where is the mapping where and where is a heap homomorphism. The are uniquely determined by the SP-factorization.

2. A function is an affinization of if and only if for some heap automorphism

3. A function is a boxification of if and only if for some heap automorphism

While the mappings are generally not definable in , the set of all SP-factorizations of is definable in . Furthermore, an isomorphic copy of can be obtained from the set of all SP-factorizations of along with the heap operation on .

**Box invariant functions**

We say that a function is heap (group) box invariant if whenever is a heap (group) that can be written as an internal direct product of and for , and are heap (group) automorphisms and where is a heap (group) automorphism for , then

The heap box invariant functions can be put into a one-to-one correspondence with the group box invariant functions.

If is heap box invariant and definable, then one can define a block cipher round function invariant by defining where is some affinization of (of course, this function depends on a suitable way of defining from ).

Example 0: From a definable function with range , one can produce a heap (group) box invariant function by letting where is a uniform randomly selected heap (group) automorphism for each and are independent.

Example 1: Let be a prime number. Suppose that and is a vector space over the field . For each , let be the inclusion and projection mappings. Then let Then is a group box invariant. A higher value of indicates a greater level of cryptographic security.

Example 2: Define the Hamming distance and hamming weight on by letting be the cardinality of the set of all where and where (whenever is a group and not just a heap). Define the branch number of to be . Observe, also that if is a group automorphism, then the branch number of is simply . The branch number of a heap homomorphism measures the amount of diffusion in that heap homomorphism. A higher branch number indicates a greater level of cryptographic security.

**Affine invariant functions**

A function is said to be affine invariant if whenever are groups, and are heap isomorphisms, and is a function, then

Set if and only if there is a permutation of such that for each , then let denote the equivalence class containing with respect to . It is not too hard to show that if is an SP-factorization, and , then the quantity , so does not depend on the SP-factorization that we choose. Therefore is also a block cipher round function invariant.

Let us now look at a few examples of affine invariant functions.

Example 0: Let be a function. Then there exists a unique collection of constants such that One can compute the constants using Mobius inversion. We say that is said to be the Zhegalkin polynomial or algebraic normal form of the function . The degree of the Zhegalkin polynomial of is known as the algebraic degree of the function .

The algebraic degree of a function is simply the maximum value of where is a projection function.

Example 1: Suppose that are finite groups and is a function. Then whenever , define . Then the uniformity of is defined to be . The uniformity of a function is a measure of the non-linearity of that function.

If is a function, then define The quantity is known as the non-balancedness of the function and is proportional to the variance . Suppose that are abelian groups. Then define

If are finite groups, and is a function, then let where refers to the Hamming distance and is the set of all heap homomorphisms from to .

The algebraic degree, the quantity , the uniformity, and the quantity are all affine invariant.

**Conclusion**

From this discussion, we can conclude that for at least some block ciphers (including AES), many good measures of security of the block cipher are actually invariant under isomorphism. We can also conclude that block ciphers like AES are designed so that they can be easily analyzed mathematically. I expect that in the future, cryptographers will use block cipher round function invariants in order to objectively and automatically evaluate the security level of block ciphers in the future (we will eventually need to replace AES for another block cipher that is better adapted to reversible computing hardware).

**Future posts**

In future posts, we shall go over block ciphers that can be put into a nearly unique normal form. Such a normal form allows us to compute many block cipher round function invariants that will allow us to rate the security levels of these block ciphers. In future posts, we shall also discuss invariants consisting of spectral radii of matrices obtained from . These spectral radii invariants apply to all block ciphers, and it is not too hard to compute these spectral radii in the extreme case when both and are very small.

## References

- [Textbook for universal algebra] “A course in universal algebra”, by Stanley Burris and H.P. Sankappanavar, Graduate Texts in Mathematics #78, Springer-Verlag, New York-Berlin, 1981.
- [Textbook for algebra including group theory] Hungerford, T.W. (1974) Algebra. Springer-Verlag, New York.