A Cryptographic Compendium

[Next]
A Cryptographic Compendium
This site contains a brief outline of the various types of cipher systems
that have been used historically, and tries to relate them to each other
while avoiding a lot of mathematics.
Its chapters are:
1. Introduction
2. Paper and Pencil Systems
3. Electrical and Mechanical Cipher Machines
4. Telecipher Machines
5. The Computer Era
6. Public-Key Cryptography
7. Miscellaneous Topics
You can also go directly to a complete table of contents.
Thus, although this page is about cryptography, it does not fall into
certain categories of worthwhile and helpful pages about cryptography
that are more common; it is neither:
● a page introducing beginners to methods of solving different kinds

of paper and pencil ciphers,
● a page explaining how you can obtain a copy of PGP, ScramDisk, or
Private Idaho to start protecting your own communications, or
● a page devoted to the history of cipher machines, with photographs
of various ones.
There are links to some of the pages in these categories in the Links
section of this site.
Occasionally, some methods of cryptanalysis are briefly touched upon

here, but the details are very limited, compared to the excellent material
available elsewhere.
This site has a great deal in common with sites of the third category, but
alas, it doesn't include any photographs. What it does have are schematic
diagrams (in my own, somewhat nonstandard symbolism, designed to be
easy to recognize at small sizes) and descriptions of the operation of many
historical cipher machines. The story of the Enigma's decryption, derived
from a multitude of secondary sources, is, I hope, explained with both
completeness and clarity here.
It covers forms of cryptography ranging from the simple paper-and-pencil

methods to the modern computer cipher systems, and attempts to point
out the common features that link them.
One word of warning, however: I have indulged my own ego rather

shamelessly here, and have described a series of block ciphers of my own
design (under the name of "Quadibloc"; the first one was inspired by DES
and Blowfish, although in a way it was the opposite of Blowfish, and the
others are the result of appropriating various ideas found in the AES
candidate ciphers), some paper-and-pencil fancies of mine, and a rather
elaborate fractionation scheme for converting the binary output of
modern encryption methods to letters for transmission by Morse, or base-
78 armor (more efficient than base-64, if less efficient than base-85), or
encryption by classical letter-based methods.
In only one section do I discuss, and very briefly, codes, in which words or
phrases rather than letters, bits, or digits are the unit of encipherment.
However, the word code is used legitimately in mathematics to refer to
substitutions which are non-linguistic (and hence, in cryptology, would be
called ciphers) from Morse code to Hamming code (used for error-
correction) and Huffman code (used for data compression). I have,
therefore, been unable to be rigorous about the use of the word "code" in
these pages.
Return to Home Page
Copyright (c) 1998, 1999, 2000, John J. G. Savard
[Next]
[Next] [Up/Previous/Index]
Introduction
This page is about codes and ciphers, which people use to communicate
with each other in ways that other parties cannot (it is hoped) understand.
Although secrecy in communication can precede literacy, for example by
the use of obscure allusions, a spoken language that is different from the
one commonly spoken, a jargon or cant of terms with special or secondary
meanings, or a conventionalized way of speaking such as Pig Latin, the
efflorescence of many and sophisticated methods of secret
communications waited for the development of alphabetic writing, which
allows any thought to be represented by a small number of easily
manipulated characters.
Even then, it took a conceptual breakthrough to realize that letters can be

represented by other symbols; particularly in introductory books on the
subject for children, this is often illustrated by various examples that are
used today, such as Morse code, signal flags, Baudot, ASCII, or, as
illustrated below, Braille and semaphore:
And, for another even more prosaic illustration, here is the color code
used on resistors (as well as on the old mica capacitors) and the color
code, if one can call it that, of pool balls:
One early and entertaining historical survey of the use of codes and
ciphers was the book Secret and Urgent, by Fletcher Pratt, also the author
of several novels. This book came out in the same year as Elementary
Cryptanalysis, by Helen Fouché Gaines, which will be mentioned below.
The title of this book is a particularly apt description of why methods of
scrambling messages to keep them secret are used.
Obviously, if a message contains nothing that is confidential, there is no

need to bother putting it into code or cipher.
But equally, if a message is not urgent, then even if it is secret, it can be

communicated at some time when there is an opportunity to meet
privately.
Only when both conditions exist: when the contents of a message must be
kept secret, and yet the message is so urgent that the risk must be taken of
sending it by a means that may allow others to read it, would people take
the time and effort to put a message into cipher, and take the risk involved
in relying on cipher to maintain its secrecy.
Of course, today computers carry out the steps involved in enormously
complicated cipher schemes at the push of a button, so neither the effort
nor the risk looms as large as it did during most of the history of the
subject.
This site contains a brief outline of the various types of cipher systems
that have been used historically, and tries to relate them to each other
while avoiding a lot of mathematics.
Suggestions for Reading

The following books can be recommended for someone beginning to learn
about the subject of secret writing:
The Codebreakers, David Kahn, Macmillan (1st ed.) Simon and Schuster
(2nd ed.). This book is a fascinating history of cryptography, dealing with
the role it has played in many historical events. There are also some
nuggets of technical information not seen in other books aimed at the
general public, and there is historical information about subjects related
to secret codes, such as cable codes (which do not involve secrecy, and
were for saving money on sending telegrams).
Elementary Cryptanalysis, Helen Fouché Gaines, Dover. Published under

the title Cryptanalysis to avoid confusion with a book by Abraham Sinkov
(also a good book), this book deals with pencil and paper ciphers, and is
particularly aimed at people who solve such ciphers as a hobby. It
describes a wide variety of ciphers and a multitude of solving methods.
And I will also mention two other books here:
Machine Cryptography and Modern Cryptanalysis, Cipher A. Deavours

and Louis Kruh; Artech House. This book is a gold mine of information
and was the source for much of what you will see in this web site about
cipher machines of the rotor era. It is now out of print. Unfortunately, it
was marred by a number of typographical errors. I had thought that
regrettable, but felt that this was a common occurrence in books with a
limited anticipated sale. An otherwise positive review in Cryptologia
magazine (also a significant source, particularly for my account of the
Siemens T-52) did include the comment that one might expect better than
that, and as a result my faulty memory led me to categorize the review as
"scathing", for which I apologize to its author (himself a significant source
of information for my section on the Enigma's Uhr box), Frode Weierud.
A number of the illustrations from this book were reprinted (with full
permission, of course) in the more recent book Decrypted Secrets from
Springer-Verlag.
Applied Cryptography, Bruce Schneier; John Wiley and Sons. This book
is aimed at the computer professional who needs to implement secure
systems involving cryptography. As it describes a wide selection of
algorithms and protocols, it will be of interest to anyone concerned with
cryptography in the computer era. This book is one of the most widely
available books covering the subject matter, and it is frequently cited as a
source and as an authority on the USENET newsgroup sci.crypt. The 2nd
edition is considerably expanded, with fascinating detail on a much larger
number of cipher systems.
[Next] [Up/Previous/Index]
Return to Home Page

Main Screen
Copyright (c) 1998, 1999, 2000 John J. G. Savard

[Next] [Up/Index] [Previous]
Pencil and Paper Systems

The most obvious way, perhaps, of taking text and concealing it from the prying
eyes of those who don't know your secret is by replacing each letter by something
else, like this:
ABCDE FGH IJKL MNO PQRST UVW XYZ

----- --- ---- --- ----- --- ---
$7+Q@ ?)/ 2X3: !8J 9%6*& 15= (;4
which turns
Please send me some money
into
9:@$*@ *@8Q !@ *J!@ !J8@;
This is called substitution, and ciphers based on this principle date back to
ancient times.
For example, the diagram to the right

illustrates several cipher alphabets used by the
ancient Hebrews. Three of them are based on
arrangements of the alphabet according to a
definite pattern, and these patterns can be
illustrated in terms of the 26-letter alphabet
used by the English language by showing what
the equivalent substitutions are in that alphabet:
Atbash:
A B C D E F G H I J K L M
-------------------------
Z Y X W V U T S R Q P O N
Albam:
A B C D E F G H I J K L M
-------------------------
N O P Q R S T U V W X Y Z
Atbah:
A B C D J K L M E S T U V
------- ------- - -------
I H G F R Q P O N Z Y X W
Note that all three of these are reciprocal, in
that if one letter becomes another letter, then
that other letter becomes the original letter in
turn.
The illustration also contains other information. The numerical value of each
letter is given below the name of the letter, and the original Hebrew form of the
name of the letter is also shown to the right. Also, Cryptic Script B, an alphabet
used in the writing of part of the Dead Sea Scrolls is shown (albeit imperfectly;
the symbol for Shin is only known to be used for one of the two values of that
letter, as indicated by dots, and an additional special-purpose character is not
shown.)
The other method of concealing a message is called transposition, which was also
used in ancient times, at least by the Spartans with the scytale, a baton around
which a leather belt could be wound, so that a message could be written on the
belt, crossing from one loop to the next, so that it could only be read while the
belt was so wound.
In transposition, instead of replacing letters with something else, the letters of a

message are moved around, so that they aren't written down in order.
● Cryptanalyzing the Simple Substitution Cipher

● Methods of Transposition
● Improving Substitution
❍ Homophones and Nomenclators
❍ Polygraphic Ciphers and Fractionation
■ Playfair and its Relatives
■ The Bifid, the Trifid, and the Straddling Checkerboard
■ Fractionated Morse, and Other Oddities
■ The VIC Cipher
■ Two Trigraphic Ciphers, and a Heptagraphic One
❍ Polyalphabetic Substitution
● Code Books
● Fun With Playing Cards
● Conclusions
Skip to Next Section

Table of Contents
Main Screen
Home Page
[Next] [Previous] [Up/Index]
Electrical and Mechanical Cipher

Machines
Using machinery to automate encryption permitted ciphers to be much more
complicated than those which can reasonably be applied by hand without too
many mistakes. And this was true even though machines had to be reliable and
inexpensive, and this meant they could only carry out fairly simple operations.
(Today, of course, the microchip has changed everything immensely!)
There are several types of cipher machine that we will examine in this section;
and a few more that belong to another section, since they hint at the computer age
to follow.
● Early Machine Ciphers

❍ The Bazeries Cylinder
❍ The Kryha Cryptograph
❍ The Hill Cipher
❍ The RED Machine
❍ The Reihenscheiber
❍ The A-22 Cryptograph
● The Hagelin lug and pin machines

❍ Cryptanalysis of the Basic Lug and Pin Machine
● Rotor Machines - and their PURPLE cousins

❍ Rotor Machine Basics
❍ The Interval Method
❍ The Method of Isomorphs
❍ PURPLE, CORAL, and JADE
● The Enigma: a unique rotor machine

❍ Basic Principles of the Enigma
❍ The Uhr Box
❍ The Enigma A and Enigma B
❍ Relatives of the Enigma
❍ Cryptanalysis of the Enigma
■ Cliques on the Rods

■ Indicators and Jefferys Sheets
■ The Bombe and the Diagonal Board
● An American Achievement: the ultimate rotor machine

● Miscellaneous Machine Ciphers
❍ The Hagelin B-211
❍ Sweden's HC-9
❍ LACIDA
● Conclusions for Chapter II

❍ Fantastic Rotor Machines
❍ Child's Play
❍ Irregular Rotor Movement
[Next] [Previous] [Up/Index]
Skip to Next Chapter

Table of Contents
Main Screen
Home Page
Telecipher Devices
This section looks at cipher machines that worked with teletypewriters.
Just as today's computers represent printed characters as 8-bit bytes using the ASCII code,
teletypewriters used a similar code for communications purposes. However, they used only
five bits per character, which conserved bandwidth, although it meant that shifting between
letters and other characters such as numbers and punctuation marks required sending
characters that indicated a shift was taking place.
Thus, we have a family of cipher machines that, before the computer age, was already
working in binary code.
Two early American attempts at a telecipher machine were not used in practice, since they
were found to be insecure. One was designed by Gilbert S. Vernam for A. T. & T., the two-
tape machine, where two punched tape loops of unequal size each provided a current
character to be XORed with the plaintext character. The other was devised by Col. Parker
Hitt, who was one of America's foremost cryptologists of the World War I era, for ITT, and
involved ten cams with 96, 97, 98, 99, 100, 101, 102, 103, 104, and 105 positions, two of
which supplied the bits to be XORed with one bit of the current plaintext character.
The XOR or exclusive-or logical operation is the simplest possible way to apply a key to a
plaintext to conceal it. This operation is also modulo-2 addition, with the very small table:
| 0 1
---+-------
0 | 0 1
1 | 1 0
If we view 0 as standing for "False", and 1 as standing for "True", then A exclusive-or B is
true if either A is true exclusively (that is, A is true and B is false), or if B is true exclusively
(B is true and A is false).
However, the machine devised by Vernam was modified to a form which was secure, and
many countries have used similar devices. Instead of increasing the number of punched tape
loops used to XOR with the plaintext, the number of key inputs was reduced from two to just
one: and that one took a key tape consisting of completely random bits, used only once.
This, the one-time tape, is again the perfect case of polyalphabeticity, which was previously
noted as the one-time pad under pencil-and-paper methods.
If anyone is unfamiliar with the alphabet used for 5-level teletypewriters, which is called the
Baudot code (although, more accurately, it is in fact derived, with slight modifications, from
the Murray code, a later 5-unit printing telegraph code, just as the code for transmitting chess
moves by telegraph is called the Uedemann code, for the first person to invent such a code,
even though the code actually used is a later one, properly known as Gringmuth notation;
also, the International Morse Code, though it has several characters in common with the code
of dots and dashes originally devised by Samuel Findley Breese Morse, is actually a revision
of his code devised by one Frederick Gerke from Austria, as I have recently learned thanks to
Terry Ritter) a table of it is given here.
(In the interests of making complete information handy, the table included is one with some
additional information from one of my USENET posts.)
International Telegraph Alphabet No. 5 is the international version of ASCII;
International Telegraph Alphabet No. 1 was a version of Emile Baudot's original 5-unit code,
the one that included a 'letters space' and a 'figures space'. (I've seen a web site that
incorrectly claims that International Morse, formerly Continental Morse, was ITA 1.)
International Telegraph Alphabet No. 2 is what is most commonly called Baudot; it is the 5-
level code derived from the Murray code.
ITA 3 and ITA 4 are obscure, but they are both derived from ITA 2, as are a couple of other
codes.
The final code, ten bits long, is AUTOSPEC. All the codes, except for CCIR 476, are shown
in order of transmission; CCIR 476 is shown the other way around, being assumed to be sent
LSB first as is ASCII.
Characters ITA 2 ITA 4 ITA 3 CCIR 476 AUTOSPEC

(ITA 2 on left,
some national
ones follow)
Character 32 00000 100000 0000111 1101010 0000000000

Space 00100 000100 1101000 1011100 0010011011
Q 1 11101 011101 0001101 0101110 1110111101 Q 1 q !

W 2 11001 011001 0100101 0100111 1100100110 W 2 w
E 3 10000 010000 0111000 1010110 1000001111 E 3 e
R 4 01010 001010 1100100 1010101 0101001010 R 4 r $
T 5 00001 000001 1000101 1110100 0000111110 T 5 t
Y 6 10101 010101 0010101 0101011 1010101010 Y 6 y ^
U 7 11100 011100 0110010 1001110 1110000011 U 7 u &
I 8 01100 001100 1110000 1001101 0110001100 I 8 i
O 9 00011 000011 1000110 1110001 0001100011 O 9 o ~
P 0 01101 001101 1001010 0101101 0110110010 P 0 p
A - 11000 011000 0011010 1000111 1100011000 A - a _

S ' BEL 10100 010100 0101010 1001011 1010010100 S ' s "
D WRU $ 10010 010010 0011100 1010011 1001010010 D d
F % ! 10110 010110 0010011 0011011 1011001001 F % f `
G @ & 01011 001011 1100001 0110101 0101110100 G @ g }
H £ # STOP 00101 000101 1010010 1101001 0010100101 H # h {
J BEL ' 11010 011010 0100011 0010111 1101000101 J * j
K ( 11110 011110 0001011 0011110 1111011110 K ( k [
L ) 01001 001001 1100010 1100101 0100101001 L ) l ]
Z + " 10001 010001 0110001 1100011 1000110001 Z + z
X / 10111 010111 0010110 0111010 1011110111 X / x \
C : 01110 001110 1001100 0011101 0111010001 C : c ;
V = ; 01111 001111 1001001 0111100 0111101111 V = v |
B ? 10011 010011 0011001 1110010 1001101100 B ? b
N , 00110 000110 1010100 1011001 0011000110 N , n <
M . 00111 000111 1010001 0111001 0011111000 M . m >
CR 00010 000010 1000011 1111000 0001011101
LF 01000 001000 1011000 1101100 0100010111
FIGS 11011 011011 0100110 0110110 1101111011
LTRS 11111 011111 0001110 1011010 1111100000
alpha (all 0) 000000 0101001 0001111
beta (all 1) 111111 0101100 0110011
SYNC 110011
repetition 0110100 1100110
Unlike ITA 3, CCIR 476 has a pattern that relates it to ITA 2: except for the letters B and U,
whose natural codes are used for alpha and beta, those ITA 2 characters which have 4, 3, or 2
one bits set are represented by 0x0, 0x1, and 1x1 respectively, where x is the five bits of the
ITA 2 character; and 1nnnnn0 represents the characters that don't fit into this range, with
again exactly 3 of the n bits set. Note that ITA 3 is a 3 of 7 code, while CCIR 476 is a 4 of 7
code.
Perhaps this is why the newer CCIR 476 is the one US radio amateurs are permitted to use,
and do use for AMTOR, while the older ITA 3 was used for ARQ purposes originally. But
it's odd to see a new code developed to fill exactly the same purpose as an older code already
accepted as an international standard.
ITA 3 was known as, or derived from, the Moore ARQ code, also known as the RCA code. It
appears to have been the first code used for ARQ (automatic repeat request) purposes, and to
have been invented in or prior to 1946 by H. C. A. van Duuren. ITA 3 was adopted as an
international standard in 1956, according to the source which first brought him to my
attention.
AUTOSPEC repeats the five-bit character twice, but if the character is one with odd parity,
the repetition is inverted. Thus, the parity bit is transmitted with high reliability, and every
other bit of the character is effectively repeated twice. It can be thought of the result of
applying an error-correcting code with the matrix:
1 0 0 0 0 0 1 1 1 1
0 1 0 0 0 1 0 1 1 1
0 0 1 0 0 1 1 0 1 1
0 0 0 1 0 1 1 1 0 1
0 0 0 0 1 1 1 1 1 0
to 5-level characters.
The entries
F % ! and
V = ;
mean that, for F, no figures shift character is defined by ITA 2; however, the % sign is uses as
a national-use figures shift character for Britain. The U.S. figures shift character is !. For V,
however, the = sign is defined as the official figures shift character. The U.S. 5-unit
teletypewriter code, which is nonconformant to ITA 2, defines ; as the figures shift character
for V instead.
After the code bits, there are four more columns of characters, giving the characters used by
ASCII over AMTOR. The all-zeroes character is used to toggle between the ordinary
character set in the first two columns, and the auxilliary one in the second two. The ordinary
character set is that of the international version of the 5-level code, rather than the U.S.
version, but the figures shift of J, instead of being the bell, is the asterisk.
Note that there is also an official standard of very recent vintage for using lowercase with 5-
level code, which works on a different principle: a LTRS code while already in letters case is
used to toggle between upper and lower case.
This standard does not include ASCII graphics characters, but it was designed to be
compatible with the use of the all-zeroes code for supplementary alphabetic characters; these
characters could have their lower case available using their shift character in the same fashion
as LTRS is used.
This new standard works as follows: FIGS LTRS operates as a reset into upper-case mode. In
normal upper-case mode, when returning to letters case from figures case, one is returning to
upper-case letters.
When in letters case, a superfluous LTRS code switches into lower-case. This is true even
when reset into upper-case mode; but then it also clears lower-case mode, so that, whether
one is printing upper-case or lower-case, when one returns from printing figures characters to
print letters, one begins with lower-case letters.
This is a bit confusing, so I will illustrate it:
ABC [FIGS] 1234 [LTRS] DEF [LTRS] ghi [FIGS] 1234 [LTRS] jkl
[LTRS] MNOPQ [FIGS] 1234 [LTRS] rst [FIGS][LTRS] UVW
[FIGS] 1234 [LTRS] XYZ
Essentially, toggling between upper and lower case with a superfluous LTRS is always on.
FIGS LTRS resets (to upper-case, or capitals) only the default letters case that a normal
LTRS, used for exiting figures printing, returns to. And that default flips back to lower case
the first time lower case is accessed with an (otherwise) superflous LTRS.
Thus, this example proceeds as follows:

ABC [FIGS] 1234 [LTRS] DEF
One begins by having only figures and upper-case letters available.
[LTRS] ghi [FIGS] 1234 [LTRS] jkl
The superfluous LTRS now switches one into lower-case mode, as well as immediately
switching to printing lower-case letters. The FIGS shift still takes you to normal figures case,
and a LTRS shift returns you to lower-case letters.
[LTRS] MNOPQ [FIGS] 1234 [LTRS] rst
A superfluous LTRS shift changes you to printing upper-case characters, but the mode
remains lower-case mode. Thus, FIGS takes you to printing digits, and LTRS takes you to
printing in the default case for the current mode, which is lower case.
[FIGS][LTRS] UVW [FIGS] 1234 [LTRS] XYZ
A superfluous LTRS toggles between printing upper-case and lower-case, but only moves
you from upper-case mode to lower-case mode. To change mode in the reverse direction, the
combination FIGS LTRS is required. Once that combination is used, not only do you print in
upper-case, but a LTRS shift used after printing figures will return you to the new default
case, which is again upper case.
The bits are numbered from 1 to 5, in the order in which they are transmitted. They are
normally preceded by one start bit (0) and followed by one and a half stop bits - that is, a 1
level on the wire for one and a half times the time used for transmitting a data bit. In ASCII,
the bits of a character are transmitted least significant bit first; since the 5-level code bits
don't represent codes in any kind of numerical order, sometimes bit 5 and sometimes bit 1 is
taken as the most significant bit, although the tendency has been to treat bit 5 as the MSB
because of the use of the same UART chips for ASCII and 5-level code.
And here is a graphical version, showing the standard, U.S., financial, and weather character
sets:
The top two lines show the original Murray code, from which the modern 5-level code is
derived. (The original Baudot code was completely different.) It too, like the original Baudot,
used a letters space and a figures space. I'm not sure about the functions of the line feed and
carriage return characters: one of them could be a newline, and the other might have had a
different control function. Also, in my reference, the space for the figures shift of A was left
blank. My guess is that that should have been a comma.
Incidentally, the reason that this code is not so organized that when the letters are in
alphabetical order, their codes are in binary numerical order, as is the case for ASCII, is
because the codes were chosen so that the most common letters would have codes that would
cause less wear and tear on the moving parts of teleprinters. The following chart shows the
scheme by which the codes were assigned:
lsc lf
EfprT AINO UCM KV SRH DL FG TP BW QX tiYZ
1 * * * * * * * * ** ** ****
2 * ** ** ** * * * ** * * **
.........................................
3 * ** *** ** * * * * ** * *
4 * ** ** ** * * ** * * * **
5 * * * * * * * * ** ** ****
● The Lorenz Schlusselzusatz SZ-40

● The Siemens Geheimschreiber T-52
● The Swedish SA-1
● An American patent
● Converter M-228
● Conclusions

Table of Contents
Main Screen
The Computer Era

The era of computers and electronics has meant an unprecedented freedom for
cipher designers to use elaborate designs which would be far too prone to error if
handled by pencil and paper, or far too expensive to implement in the form of an
electromechanical cipher machine.
There are rumors that the secret cipher machines of the 1960s and beyond
involved the use of shift registers, and, more specifically, that they used nonlinear
shift registers, since it is known that a linear feedback shift register produces a
sequence which, while it has a long period and an appearance of randomness, is
not itself a secure additive key for a cipher. Since it is very difficult to guarantee
that a shift register whose feedback is nonlinear will always have a reasonably
long period, I think I will continue to doubt these rumors until the facts finally
become declassified. (However, since the mathematical theory does exist by
which the conditions for maximum period of the quadratic congruential
generator are known, I definitely could be wrong.)
However, some published papers use the term "nonlinear shift register" to
describe a stream cipher system which has a linear feedback shift register at its
heart, but which has as its output a nonlinear function of the shift register's state.
Since it is trivially possible to produce any output sequence with the same period
as the underlying LFSR in this way, (Proof: use the outputs from all the cells in
the LFSR as inputs to the address lines of a one-bit wide ROM programmed, in a
suitable order, with the desired sequence) I have no problem accepting the
existence of nonlinear shift register designs in this sense.
Publicly known designs based on shift registers instead use linear shift registers,
but do such things as combining the output from several, controlling the stepping
of one shift register with another, as was done with the pinwheels in some of the
more secure telecipher designs of the last chapter, or using one shift register to
select between the outputs of two other shift registers.
But the main thrust of the computer era has been in the development of block
ciphers, starting with the LUCIFER project at IBM, which was the direct
ancestor of DES, the Data Encryption Standard.
● LUCIFER
● The Data Encryption Standard
❍ Details of DES
❍ Variations of DES
● And Now For Something Completely Different: SAFER

● Something Not Quite As Different: IDEA
● Formerly Secret: SKIPJACK
● Blowfish
● My Own Humble Contribution: QUADIBLOC
❍ Description of QUADIBLOC
■ Euler's Constant and the QUADIBLOC S-boxes
❍ Variants with different key sizes
❍ The QUADIBLOC FAQ
❍ Key Enrichment
❍ Quadibloc II
❍ Quadibloc III
❍ Quadibloc IV
❍ Quadibloc V
❍ Quadibloc VI
❍ Quadibloc S
❍ Quadibloc VII
❍ Quadibloc VIII
■ The Standard Rounds
■ The Mixing and Whitening Phase
■ The Key Schedule
■ The Rationale of the Design
❍ Quadibloc IX
❍ Quadibloc X
● Towards the 128-bit era: AES Candidates

❍ The Advanced Encryption Standard (Rijndael)
❍ Twofish (finalist)
❍ SERPENT (finalist)
❍ RC6 (finalist)
❍ DEAL
❍ MARS (finalist)
❍ SAFER+
❍ FROG
❍ LOKI-97
❍ CAST-256
❍ Magenta
❍ DFC
● Block Cipher Modes

● Cryptanalytic Methods for Modern Ciphers
❍ Differential and Linear Cryptanalysis
■ Extensions of Differential Cryptanalysis
■ The Boomerang Attack
❍ Cryptanalysis, Almost by Aimlessly Thrashing About
❍ Hidden Markov Methods
● Stream Ciphers
❍ Shift-Register Stream Ciphers
■ An Illustrative Example
■ Other Constructions
■ More Realistic Examples
❍ Other Stream Ciphers
■ Panama
❍ A Note on the Importance of Galois Fields
● Conclusions
❍ Modified Panama
❍ Mishmash
❍ Combining Two Unrelated Block Ciphers
❍ A Base Conversion Block Cipher and Other Concepts
❍ The Large-Key Brainstorm
❍ The Inner Structure of the Feistel Round

Table of Contents
Main Screen
Home Page
Public-key Cryptography
Public-key cryptography is a very novel form of cryptography that first became
known to the public during the decade of the 1970s. Not only is it novel, its very
name seems paradoxical and confusing.
Although cryptographic techniques have other uses besides sending secret

messages, such as authentication, and this is especially true of public-key
cryptography, sending secret messages is still one of the things public-key
cryptography can be used for.
And if a message is secret, that means that the key to unlock it must be a secret,
or else anyone could decipher it. That is still just as true for public-key
cryptography as it is for the regular kind.
If that's the case, what does the word "public" in public-key cryptography mean?
Normally, with a conventional cryptographic system, if you know both the key
for sending a secret message, and the method of encryption in which that key is
used, then you also know everything you need to know to decipher secret
messages sent with that key and in that system. A few conventional encryption
systems are reciprocal, so that exactly the same key and procedure serves for
encryption and decryption; but in those that are not reciprocal, the key and
procedure for decryption are both still easily derived from those for encryption,
and in most cases, only one of the two differs.
A public-key cryptosystem is one where a key, useful for sending messages, can
be made public without revealing the still-secret key that allows those messages
to be read.
How can this be possible?
A two-part codebook is one where the code groups don't have the same order as
the plaintext words and phrases they represent. If you publish only the
enciphering half of such a codebook, keeping the deciphering part to yourself,
then it is easier to send coded messages to you than it is to read them.
Of course, that doesn't really provide genuine security. But it hints as to how
PKC can be possible.
Another example, one of the first PKC concepts expressed in the open literature,
goes as follows:
Transmit a large number of encrypted messages to a correspondent. These

messages are in a cipher that can be broken, but not without some work. The
messages look something like this:
"Key number 2126 is EXVRRQM"
"Key number 1253 is PTXYZLE"
and so on.
The keys for each key number are chosen genuinely at random.
You keep a table of what every numbered key is.
The person who wants to send you a message picks any one of your large number
of encrypted messages, and breaks it. Then, using the key found inside, he
encrypts his message to you, and the precedes it with a note saying: "I am using
key number 2126 to encrypt this message".
He only had to decrypt one of the encrypted key messages to send you a
message, but anyone who wanted to read it would have to keep decrypting all the
messages until he found the right one.
So, the principle of PKC is to find some trick that works one way without
revealing how to reverse the process. And one good place to look for tricks like
that is in higher mathematics, and each of the public-key methods we will look at
in the remainder of this section will have had a basis that came from that source.
Public-key cryptography is certainly very different from conventional

cryptography, and is of general mathematical interest. But it is also of very
considerable practical importance.
Without public-key cryptography, you could still send an encrypted E-mail to a

friend who was away on vacation, if before he left you had given him a secret
key to use. You could also encrypt your E-mails to someone you hadn't met,
provided you sent him, or he sent you, a secret key by a more secure method,
such as a letter by regular mail. (Of course, letters can be read too by a
determined adversary, but exchanging keys even in this simple fashion would
keep your communications out of reach of someone who has the opportunity to
intercept your E-mail but not the contents of your mailbox.)
With public-key cryptography, however, no resort to an alternative more secure

channel of communications for prior setup is required. Instead, encrypted
communications can be set up on an impromptu basis, entirely over an insecure
medium such as the Internet. It is not an overstatement to claim that public-key
cryptography is the factor which changed cryptography from something which
was only used by people with either a strong need for secrecy, or an interest in
cryptography itself, to something used routinely by many people for such
practical purposes as making credit-card purchases over the Internet.
If PKC did not exist, however, credit-card companies could instead have issued
secret passwords to credit-card holders. If a merchant verified a password by
comparing a one-way hash of the password and the user's account number to a
coded number on the credit card, knowing the one-way hash of the password
wouldn't enable him to create a new password to decieve other merchants. Thus,
even without public-key methods, it would be possible to avoid the requirement
that every transaction would have to be directly verified with the credit-card
company. But precautions would be needed to ensure that a hash code could not
be used in place of a password, by being inserted into a stage of the verification
process which comes after the password being converted to its hash. Including
the account number in the hash prevents making forged credit cards for someone
else's account with a different password, if the hash also involves a secret key.
The RSA public-key cryptosystem is a straightforwards example of public-key

cryptography: using the same operation, key E transforms plaintext to ciphertext,
key D transforms ciphertext to plaintext, but it isn't possible to find D only
knowing E; the two prime factors of the modulus used are required.
But there are other ways to send a message from one place to another without
prior exchange of a secret key.
The Diffie-Hellman key exchange method relies on a one-way transformation

from a private key x to a public key A^x, which has the property that two parties
can exchange public keys, and using either private key and the other public key,
it is possible to arrive at the same secret session key which no one knowing only
the two public keys can derive.
The Massey-Omura cryptosystem is based on Shamir's three-pass protocol,

where an encryption method is used such that, after it is applied twice, the two
encryptions do not need to be removed in the exact reverse of the order in which
they were applied, but can be removed in any order. This allows one party to
send an encrypted message, and the recipient can send it back encrypted again,
and then the first party can remove his own encryption, sending it back to the
recipient as if only the recipient had encrypted it. (While there are many
encryption methods that are commutative, most, if used in this way would
provide no security whatever, because relationships between the messages sent
would reveal the secret keys used.)
● Modulus Arithmetic
● The Rivest-Shamir-Adleman (RSA) method
❍ Looking for Primes
❍ Finding d from e
❍ Large Number Exponentiation
❍ Factoring
● The Diffie-Hellman method

❍ El Gamal
❍ Digital Signatures Based on Diffie-Hellman
● Other Methods
● The Uses of Public-key Cryptography
● Conclusions
Next Chapter
Table of Contents
Main Screen
Home Page
Miscellaneous Items
Computer programs that handle data encryption, such as the well-known program
PGP (Pretty Good Privacy) involve other functions besides encryption itself.
The information to be encrypted is usually compressed first, because this

squeezes out patterns in the plaintext that might be useful to a cryptanalyst. And,
of course, it also saves bandwidth, and compression isn't going to be possible
after encryption, because encrypted texts look random.
But there is one oversimplification in that last statement. If an encrypted text

consists of random binary bits, then if these bits are transmitted in the form of
bytes containing eight random bits each, no further compression is possible. On
the other hand, if they were transmited one bit to a byte, each byte either
containing the ASCII character "0" or the ASCII character "1", then compression
would be possible.
While that would be silly, transmitting an encrypted series of bits in the form of
printable ASCII characters only might make good sense, by making it easier to
transmit your data without problems over a network where control characters
have special meanings. Although TCP/IP was specifically designed to permit all
256 possible byte values to be transmitted transparently (the only control
character with special meaning is DLE, Data Link Escape, and two DLEs in a
row always represent a real DLE that is part of user data) binary data is usually
transmitted over the Internet in "base-64" format, where 64 printable ASCII
characters, specifically chosen not to be different in the versions of ASCII used
for different languages, and to be also present in EBCDIC, are used.
Even the case of a simple pencil and paper cipher does, in a rudimentary form,
illustrate these two additional phases of encryption.
Changing
Please send more money.
to
WGRXT RTRVU IPQRI PVRE
actually involves three transformations of the plaintext to reach the ciphertext.
First,
Please send more money.
is changed to
PLEASESENDMOREMONEY
to remove information that is harder to encipher securely, and which is not

essential to the understanding of the text. This is a form of compression, even if it
is not lossless, and functions more by discarding information than by
compressing it. Of course, we've already seen the straddling checkerboard
principle, which does use the same basic principle (prefix-property variable-
length coding) as Huffman codes, which are a serious method of compression.
Then,
PLEASESENDMOREMONEY
is changed to
WGRXTRTRVUIPQRIPVRE
which is the actual encryption procedure, described in terms of the 26 letters of

the alphabet, and nothing else.
Finally,
WGRXTRTRVUIPQRIPVRE
is changed to
WGRXT RTRVU IPQRI PVRE
for ease of reading and transmission, which illustrates the process of applying
armor to the output of an encryption process.
Finally, digital signatures need one-way hash functions. Ordinary checksums
aren't adequate, since it is possible to construct a message with a different
meaning having the same checksum as the one someone intended to sign. One-
way hash functions are similar to block ciphers in some ways, but different in
others.
Hash functions can also be used as a way of producing encryption keys from pass
phrases or from random input of imperfect quality.
● Data Compression
❍ The Representation of Speech
❍ Semi-Arithmetic Coding
❍ Character Codes
● Error-Correcting Codes
● Armor, Message Termination, and Base Conversion
❍ From 47 bits to 10 letters
❍ Armor-Related Fractionation
❍ Tying up Loose Ends
❍ From 93 bits to 28 digits
❍ Keystream Base Conversion
❍ Message Blocking
❍ Optimized Morse Armor
● Steganography
● One-way Hash Functions
❍ Description of SHA
● Hardware Security
❍ When Somebody's Looking Over Your Shoulder
● Key Management
❍ The IBM Key Management Scheme for DES
❍ Kerberos
❍ Protocols and Privacy Amplification
❍ Passwords and Protocols
❍ Military Key Management
❍ Red Thread Resistance
❍ Key Escrow
❍ Pass Phrases and Randomness
❍ The Interlock Protocol
● Quantum Mechanics and Cryptography

❍ Quantum Computing
❍ Quantum Cryptography
● Cryptanalysis
❍ The Limits of Cryptanalysis
❍ The Nature of Cryptanalysis
● Security Without Proof

● The Ideal Cipher
● Cryptography for Content Protection
● Fallacies of Cryptography and Compression
● The Politics of Cryptography
● Conclusions for Chapter VI
Table of Contents
Main Screen
[Up]
Contents
Introduction
1. Paper and Pencil Systems

❍ Cryptanalyzing the Simple Substitution Cipher
❍ Methods of Transposition
❍ Improving Substitution
■ Homophones and Nomenclators
■ Polygraphic Ciphers and Fractionation
■ Playfair and its Relatives
■ The Bifid, the Trifid, and the Straddling
Checkerboard
■ Fractionated Morse, and Other Oddities
■ The VIC Cipher
■ Two Trigraphic Ciphers, and a Heptagraphic One
■ Polyalphabetic Substitution
❍ Code Books
❍ Fun With Playing Cards
❍ Conclusions
2. Electrical and Mechanical Cipher Machines

❍ Early Machine Ciphers
■ The Bazeries Cylinder
■ The Kryha Cryptograph
■ The Hill Cipher
■ The RED Machine
■ The Reihenschieber
■ The A-22 Cryptograph
❍ The Hagelin lug and pin machines
■ Simple Cryptanalysis of the Basic Lug and Pin Machine

❍ Rotor Machines - and their PURPLE cousins
■ Rotor Machine Basics
■ The Interval Method
■ Isomorphs
■ PURPLE, CORAL, and JADE
❍ The Enigma: a unique rotor machine
■ Basic Principles of the Enigma
■ The Uhr Box
■ The Enigma A and Enigma B
■ Relatives of the Enigma
■ Cryptanalysis of the Enigma
■ Cliques on the Rods
■ Indicators and Jefferys Sheets
■ The Bombe and the Diagonal Board
❍ An American Achievement: SIGABA, the ultimate rotor
machine
❍ Miscellaneous Machine Ciphers
■ The Hagelin B-211
■ Sweden's HC-9
■ LACIDA
❍ Conclusions for Chapter II
■ Fantastic Rotor Machines
■ Child's Play
■ Irregular Rotor Movement
3. Telecipher Machines
❍ The Lorenz Schlusselzusatz
❍ The Siemens Geheimschreiber T-52
❍ The Swedish SA-1
❍ An American patent
❍ Converter M-228
❍ Conclusions for Chapter III
4. The Computer Era

❍ LUCIFER
❍ The Data Encryption Standard
■ Details of DES
■ Variations of DES
❍ And Now For Something Completely Different: SAFER
❍ Something Not Quite As Different: IDEA

❍ Formerly Secret: SKIPJACK
❍ Blowfish
❍ My Own Humble Contribution: QUADIBLOC
■ Description of QUADIBLOC
■ Euler's Constant and the QUADIBLOC S-boxes
■ Variants with different key sizes
■ The QUADIBLOC FAQ
■ Key Augmentation
■ Quadibloc II
■ Quadibloc III
■ Quadibloc IV
■ Quadibloc V
■ Quadibloc VI
■ Quadibloc S
■ Quadibloc VII
■ Quadibloc VIII
■ The Standard Rounds
■ The Mixing and Whitening Phase
■ The Key Schedule
■ The Rationale of the Design
■ Quadibloc IX
■ Quadibloc X
❍ Towards the 128-bit era: AES Candidates

■ The Advanced Encryption Standard (Rijndael)
■ Twofish (finalist)
■ SERPENT (finalist)
■ RC6 (finalist)
■ DEAL
■ MARS (finalist)
■ SAFER+
■ FROG
■ LOKI-97
■ CAST-256
■ Magenta
■ DFC
❍ Block Cipher Modes

❍ Cryptanalytic Methods for Modern Ciphers
■ Differential and Linear Cryptanalysis
■ Extensions of Differential Cryptanalysis
■ The Boomerang Attack
■ Cryptanalysis, Almost by Aimlessly Thrashing About
■ Hidden Markov Methods
❍ Stream Ciphers
■ Shift-Register Stream Ciphers
■ An Illustrative Example
■ Other Constructions
■ More Realistic Examples
■ Other Stream Ciphers
■ Panama
■ A Note on the Importance of Galois Fields
❍ Conclusions for Chapter IV
■ Modified Panama
■ Mishmash
■ Combining Two Unrelated Block Ciphers
■ A Base-Conversion Block Cipher and Other Concepts
■ The Large-Key Brainstorm
■ The Inner Structure of the Feistel Round
5. Public-Key Cryptography
❍ Modulus Arithmetic
❍ The Rivest-Shamir-Adleman (RSA) method
■ Looking for Primes
■ Finding d from e
■ Large Number Exponentiation
■ Factoring
❍ The Diffie-Hellman method
■ El Gamal
■ Digital Signatures Based on Diffie-Hellman
❍ Other Methods
❍ The Uses of Public-key Cryptography
❍ Conclusions for Chapter V
6. Miscellaneous Topics
❍ Data Compression
■ The Representation of Speech
■ Semi-Arithmetic Coding
■ Character Codes
❍ Error-Correcting Codes
❍ Armor, Message Termination, and Base Conversion
■ From 47 bits to 10 letters
■ Armor-Related Fractionation
■ Tying up Loose Ends
■ From 93 bits to 28 digits
■ Keystream Base Conversion
■ Message Blocking
■ Optimized Morse Armor
❍ Steganography
❍ One-way Hash Functions
■ Description of SHA
❍ Hardware Security
■ When Somebody's Looking Over Your Shoulder
❍ Key Management
■ The IBM Key Management Scheme for DES
■ Kerberos
■ Protocols and Privacy Amplification
■ Passwords and Protocols
■ Military Key Management
■ Red Thread Resistance
■ Key Escrow
■ Pass Phrases and Randomness
■ The Interlock Protocol
❍ Quantum Mechanics and Cryptography

■ Quantum Computing
■ Quantum Cryptography
❍ Cryptanalysis
■ The Limits of Cryptanalysis
■ The Nature of Cryptanalysis
❍ Security Without Proof

❍ The Ideal Cipher
❍ Cryptography for Content Protection
❍ Fallacies of Cryptography and Compression
❍ The Politics of Cryptography
❍ Conclusions for Chapter VI
Return to Home Page
Copyright (c) 1998, 1999 John J. G. Savard

[Up]
[Next] [Up] [Previous] [Index]
Fractionated Morse, and Other Oddities

Fractionated Morse
Morse code uses variable-length symbols made up of dots and dashes, but unlike a straddling checkerboard, the
length of a symbol is not determined by the dots and dashes within it. Instead, spaces are also needed to mark off
the symbols from each other.
But fractionation is still possible using Morse code as a basis. Elementary Cryptanalysis, by H. F. Gaines, gives a
cipher devised by M. E. Ohaver, the author of an early series of magazine columns on cryptanalysis which was
of value to her in the writing of that book, called a "mutilation" cipher, that works like this:
Split the message in Morse code into two parts; the string of dots and dashes, and a series of numbers giving the
number of dots or dashes in the representation of each letter. Then, take the numbers, divide them into groups of
n, and reverse the order of the numbers in each group. Using the now transposed numbers as a guide, turn the
string of dots and dashes back into letters.
A table of Morse code follows (and, while I'm at it, I may as well include Japanese Morse, having the data
available from one of my old USENET posts):
E . CD he I .. DE [A] S ... D7 ra H .... C7 nu

V ...- B8 ku
U ..- B3 u F ..-. C1 ti
(1) ..-- C9 no
A .- B2 i R .-. C5 na L .-.. B6 ka
(2) .-.- DB ro
W .-- D4 ya P .--. C2 tu
J .--- A6 wo
T - D1 mu N -. C0 ta D -.. CE ho B -... CA ha
X -..- CF ma
K -.- DC wa C -.-. C6 ni
Y -.-- B9 ke
M -- D6 yo G --. D8 ri Z --.. CC hu
Q --.- C8 ne
O --- DA re (3) ---. BF sho
(4) ---- BA ko
5 ..... 5 6 -.... 6
4 ....- 4 = -...- D2 me
(5) ...-. / -..-. D3 mo
3 ...-- 3 -..-- D5 yu
(6) ..-.. C4 to (c) -.-.. B7 ki
Inter ..-.- D0 mi Start -.-.- BB sa
..--. DF [B] ( -.--. D9 ru
2 ..--- 2 -.--- B4 e
Wait .-... B5 o 7 --... 7
(9) .-..- yi (e) --..- CB hi
+ .-.-. DD n --.-. BC shi
.-.-- C3 te (f) --.-- B1 a
.--.. ye 8 ---.. 8
(a) .--.- B0 - ---.- BD su
(b) .---. BE se 9 ----. 9
1 .---- 1 0 ----- 0
These notes represent two special marks in Japanese:
[A] double stroke following kana (nigori),

[B] small circle following kana (han-nigori).
These notes represent accented letters in European languages or Turkish:
(1) u umlaut (2) a umlaut, cedilla (3) o umlaut or other accent (4) ch, s cedilla (5) s hat (6) e primary accent
(usually acute, grave in Italian) (9) e accent grave (a) a accent (b) j hat (c) c cedilla or accent (e) z accent grave
(f) n tilde
To remove ambiguities, the Japanese syllables are preceded by the hex code, in the version of 8-bit ASCII that
includes kana, of the kana symbol represented. The symbols whose phonetic values I give as yi and ye have the
appearance, respectively:
* ********
******* *
* * *
* * * *
* * *
******* *
* *******
Here is a graphic, giving all the kana used in Japanese Morse:
Since this system requires that the ciphertext letters must be able to represent all combinations of from one to
four dots or dashes, four extra symbols, used in Morse for accented letters in some languages other than English,
need to be included in the cipher alphabet.
While the original system, having only the group length as a key, may not have been all that secure, the basic
concept is clever and original. The character lengths could as easily have been transposed by means of a double
columnar transposition, and the dots and dashes could be translated to 0s and 1s, and enciphered by any
applicable method, even DES.
While I consider Ohaver's "mutilation" cipher very interesting, for the principle which it illustrates, the term
Fractionated Morse is normally used for a less elegant, but more secure, system, in which possible combinations
of three symbols from the set of dot, dash, and x, the latter standing for the space between letters, are represented
by letters. Note that combinations with two consecutive "x"s are not required, so the ciphertext uses a 22-letter
alphabet.
The letters will vary in frequency, and since two adjacent letters that would produce two consecutive "x"s do not
occur, redundancy still remains in subtle forms as well.
Mixed Fractionation for the Computer
Also, fractionation can be done in a mixed fashion.
● 25 times 27 is one less than 26 times 26, so one could encipher bigrams (except 1 that is ignored) into
objects consisting of two symbols from a five-character alphabet and three symbols from a three-character
alphabet, and then seriate the two kinds of symbols separately, also using two tables, one 125 entries long,
and one 81 entries long, for substitution on them;
● 32 equals 27 plus 5, and 128 equals 125 plus 3, so there are two different ways to encipher a binary
bitstream as a mix of symbols from a three-character and a five-character alphabet;
● 26 to the 10th power is very slightly larger than 2 to the 47th power; this is noted in a section in the last
chapter dealing with ways of preparing a binary message for transmission as text (known as "armor"), but
even this could be made use of in an elaborate fractionation scheme.
Because there are convenient ways to convert both letters and bits to a mix of symbols from a 3-element set and
from a 5-element set, as well as an efficient way to convert from bits to letters, intriguing possibilities suggest
themselves. An elaborate fractionation scheme combining the threads mentioned here together is described later.
Enciphering Digits
One interesting way to produce a mixed fractionation scheme comes from the fact that the square of any
triangular number is the same as the sum of the cubes of the consecutive numbers which, when added, produced
that triangular number!
Making use of that fact, and since 10 is a triangular number, one can construct a table like this:
0 1 2 3 4 5 6 7 8 9
0 AAA AAB AAC * -+- -++ aca acb acc acd
1 ABA ABB ABC --- +-- +-+ ada adb adc add
2 ACA ACB ACC --+ ++- +++ baa bab bac bad
3 BAA BAB BAC CAA CAB CAC bba bbb bbc bbd
4 BBA BBB BBC CBA CBB CBC bca bcb bcc bcd
5 BCA BCB BCC CCA CCB CCC bda bdb bdc bdd
6 aaa aba daa dab dac dad caa cab cac cad
7 aab abb dba dbb dbc dbd cba cbb cbc cbd
8 aac abc dca dcb dcc dcd cca ccb ccc ccd
9 aad abd dda ddb ddc ddd cda cdb cdc cdd
As 1 cubed is just 1, and 2 cubed is 8, these symbols make up only a very small part of the square table above,
and thus this part of the table is seldom used. One way to deal with that is to change the table, so that those 9
spaces are instead filled by two symbols from the ABC set of symbols.
0 1 2 3 4 5 6 7 8 9
0 AAA AAB AAC AA AB AC aca acb acc acd
1 ABA ABB ABC BA BB BC ada adb adc add
2 ACA ACB ACC CA CB CC baa bab bac bad
3 BAA BAB BAC CAA CAB CAC bba bbb bbc bbd
4 BBA BBB BBC CBA CBB CBC bca bcb bcc bcd
5 BCA BCB BCC CCA CCB CCC bda bdb bdc bdd
6 aaa aba daa dab dac dad caa cab cac cad
7 aab abb dba dbb dbc dbd cba cbb cbc cbd
8 aac abc dca dcb dcc dcd cca ccb ccc ccd
9 aad abd dda ddb ddc ddd cda cdb cdc cdd
Using the straddling checkerboard that we saw above,
9 8 2 7 0 1 6 4 3 5
-------------------
A T O N E S I R
2 B C D F G H J K L M
6 P Q U V W X Y Z . /
we can encipher a sample message in this scheme, just seriating across the whole message for simplicity (in
practice, one would want to do other things):
TH EREISAP AC K AG EW AITING F ORY OU ATTH ESTATION message

821151349699282492016093830202775667629882114898370 straddling checkerboard
d A B C c c b C d A a d d A A c b c d c d A b c b fractionation
c B C A d d a B d A a d c A A b d a a d c B c d b encoding
a B B B a d c a B a b b C C b a b a c a B c c b
For this example, I won't worry about enciphering the last digit of the message. Padding, or another
encipherment step might take care of that.
Now, I seriate the symbols from the ABC and the abcd sets independently, retaining the type of each pair of
digits, and thus the symbols are rearranged as follows, leading to enciphered digits:
d A B B c a c B d C a c d B C d b a c d d A a a a seriation
a B C B d d b A d A c b c B A b b b d a c A a b d
a C A A a c d c C d c a A B b c c c d c B b b b
621250409618791394350978824034733881986584017071170 reconversion
One could also leave all the "d" symbols in their place, and seriate only the "abc" and "ABC" symbols as though
case did not matter - but then convert either to capital or small letters so that the type of each two digit group is
kept the same. (Some care, of course, must be taken when developing a variation so that decipherment remains
possible.) That would produce the following result:
d C A A b b b C d B c d d A B c a c d b d A c c b seriation
a A A B d d a A d A b d c B A a d c a d a C c d b
b B A C a d b a A c c c A A b b b c c c C b b b
633400125659272392307894841030671787645864228797370 reconversion
and this method has its strengths, but also its weaknesses (mainly because the "d"s remain fixed).
Giant Playfair
Another technique I once described involved first using the straddling checkerboard to encipher a message as
digits, and then to use Playfair to encipher it. But instead of using the Playfair technique over a 5 by 5 square of
letters, one uses a 10 by 10 square containing digit pairs, like the following:
68 71 07 49 76 42 54 77 21 82
02 09 98 65 70 55 17 01 50 91
33 35 30 08 62 22 97 44 06 57
64 18 78 58 96 34 11 56 52 38
95 26 86 20 27 37 93 05 14 85
63 29 39 61 87 10 88 32 00 80
31 81 16 83 24 99 67 72 13 53
89 94 47 40 25 73 04 59 84 19
03 75 28 60 12 41 43 48 66 74
79 46 36 45 51 69 23 15 92 70
Thus, the four digits 2076 would encipher to 2749 with this square.
Next
Chapter Start
Table of Contents
Main page
Home page
Armor
A number of methods are possible for converting binary bits to printable characters.
One of the simplest is to take five or six bits of binary data to select one of 32 or 64
characters. Other, more complicated schemes are possible, though.
If 85 characters can be used, then five characters are enough to represent four bytes of
random data. If 86 characters can be used, a simplified scheme can achieve the same
result, since 86 times 3 is 258, which is larger than 256. Assign not more than three of
the 256 possible values for a byte to each of the 86 allowed characters. Then, after
representing four bytes by one of those characters, one character from a set of 81 (3
times 3 times 3 times 3) can resolve which of the 256 byte values, or which of up to 3
values for the character given, is valid for each of the four bytes.
The problem of converting messages to text form for transmission over the Internet is,
of course, closely tied to the ASCII representation of characters. Here is a chart
showing the printable characters in ASCII in graphical form:
and here is an ASCII chart in text form, first just the control characters:
0 0
0 0
0 1
0000 NUL Null DLE Data Link Escape
0001 SOH Start of Header DC1 Device Control 1
0010 STX Start of Text DC2 Device Control 2
0011 ETX End of Text DC3 Device Control 3
0100 EOT End of Transmission DC4 Device Control 4
0101 ENQ Enquiry NAK Negative Acknowledge
0110 ACK Acknowledge SYN Synchronization
0111 BEL Bell ETB End of Transmission Block
1000 BS Backspace CAN Cancel
1001 HT Horizontal Tab EM End of Medium
1010 LF Line Feed SUB Substitute
1011 VT Vertical Tab ESC Escape
1100 FF Form Feed FS Field Separator
1101 CR Carriage Return GS Group Separator
1110 SO Shift Out RS Record Separator
1111 SI Shift In US Unit Separator
and now the entire 7-bit ASCII code, with only the abbreviations of the first 32 control
characters:
0 0 0 0 1 1 1 1
0 0 1 1 0 0 1 1
0 1 0 1 0 1 0 1
0000 NUL DLE 0 @ P ` p
0001 SOH DC1 ! 1 A Q a q
0010 STX DC2 " 2 B R b r
0011 ETX DC3 # 3 C S c s
0100 EOT DC4 $ 4 D T d t
0101 ENQ NAK % 5 E U e u
0110 ACK SYN & 6 F V f v
0111 BEL ETB ' 7 G W g w
1000 BS CAN ( 8 H X h x
1001 HT EM ) 9 I Y i y
1010 LF SUB * : J Z j z
1011 VT ESC + ; K [ k {
1100 FF FS , < L \ l |
1101 CR GS - = M ] m }
1110 SO RS . > N ^ n ~
1111 SI US / ? O _ o DEL Delete
The problem of transmitting data in ASCII text characters over the Internet is
complicated by the fact that some of the characters in ASCII do not have counterparts
in other data transmission codes used by some computers, such as the original version
of EBCDIC. Also, some character positions in 7-bit ASCII are used to represent
different characters in other countries. Thus, the characters in the same columns as the
letters are often used to represent accented letters; the symbol # is replaced in the
United Kingdom by the British pound sign.
In some transmissions over the Internet, a line beginning with a minus sign or hyphen
(-) runs the risk of being interpreted as a header line, indicating the MIME type of a
section of a document.
Of course, if one wishes to send a text by Morse Code, or over a 5-unit teletypewriter
link, the best way to do it would be to convert the binary data to letters from the 26-
letter alphabet, using no other characters.
I have worked out an elaborate and efficient scheme for doing this.
This scheme could also serve other purposes. Since a great many historical encryption
algorithms are aimed at the 26-letter alphabet, one could apply them to a text already
encrypted by modern methods in binary after such a conversion.
And there is an easy way to send a text composed only of uppercase letters over the
Internet efficiently, if a 78-character character set is possible. Take four letters: the first
can be encoded as three symbols from 1 to 3. Combine one such symbol with each
remaining letter to determine which character to use from a character set with 3 times
26 characters, which is 78 characters.
A section is also included here about the question of how to perform the special
processing required to end a message efficiently and securely when the length of the
original plaintext message isn't an integer number of blocks in size, whether those are
blocks used by a block cipher or blocks for the conversion process used to produce
armor for transmission. Also, since base conversion is discussed here, this spot seemed
as good as any to place a discussion of base conversion as it applies to random or
pseudorandom keystreams.
A Table of Powers, useful in finding ideas for ways to perform fractionation.
● From 47 bits to 10 letters

● Armor-Related Fractionation
● Tying up Loose Ends
● From 93 bits to 28 digits
● Keystream Base Conversion
● Message Blocking
● Optimized Morse Armor

Table of Contents
Main Page
[Next] [Up/Previous] [Index]
Cryptanalyzing the Simple Substitution

Cipher
This page is not complete. It is placed here now to reserve
space, to allow other changes to this section to take place.
Here is a short message, enciphered only by replacing each of its letters by a different letter on a
consistent basis:
MGSVR WWJXS VPTRY SSOEF YYTMQ SVSYM MTPTR XYMGS RVRFJ

NFVGX TYFWF EIFUS AXJJQ SJSNM QPMGS TJOTF IMLSS TYSJO
SLQSL LPLTF OYSHM MRSVO FP
How would one go about trying to read it?
The first step that would occur to many people would be to make use of the fact that some letters
are more common than others in English. E is the most common letter, and letters like J, Q, X,
and Z are quite rare.
And so, we count the letters in our message. This produces the following table of frequencies:
A E F G H I J L M N O P Q R S T U V W X Y
1 2 9 4 1 2 7 5 10 2 5 5 4 6 18 9 1 6 3 4 8
In comparison, a frequency count I had my computer perform on a sample of literary text

produced these frequencies:
A 443747 8.03 H 331686 6.00 O 420966 7.62 V 54921 0.99

B 88298 1.60 I 382552 6.92 P 102205 1.85 W 114048 2.06
C 152187 2.75 J 7112 0.13 Q 5841 0.11 X 12081 0.22
D 225040 4.07 K 33872 0.61 R 330126 5.97 Y 95514 1.73
E 711756 12.88 L 220858 4.00 S 351389 6.36 Z 3519 0.06
F 139985 2.53 M 141726 2.56 T 514613 9.31
G 103279 1.87 N 383526 6.94 U 156536 2.83
Arranged in order of frequency, for clarity, they become:
E 12.88 H 6.00 F 2.53 K 0.61

T 9.31 R 5.97 W 2.06 X 0.22
A 8.03 D 4.07 G 1.87 J 0.13
O 7.62 L 4.00 P 1.85 Q 0.11
N 6.94 U 2.83 Y 1.73 Z 0.06
I 6.92 C 2.75 B 1.60
S 6.36 M 2.56 V 0.99
Comparing these frequencies to those of the message:
18: S 7: J 3: W
10: M 6: R V 2: E I N
9: F T 5: L O P 1: A H U
8: Y 4: G Q X
it might be tempting to start by aligning like frequencies wherever possible:
Cipher: S M Y J W
---------
Plain: e t n i f
to begin deciphering the message like this:
MGSVR WWJXS VPTRY SSOEF YYTMQ SVSYM MTPTR XYMGS RVRFJ

t e ffi e n ee nn t e ent t nt e i
NFVGX TYFWF EIFUS AXJJQ SJSNM QPMGS TJOTF IMLSS TYSJO

n f e ii eie t t e i t ee nei
SLQSL LPLTF OYSHM MRSVO FP

e e ne t t
Here, it looks like we've been luckier than we have a right to expect. With frequencies of 6.94
and 6.92 for N and I respectively, it isn't hard to imagine that I might be more common than N,
instead of N being more common than I, in the text of a particular message.
The combination t-e occurs three times from MGS, and once each from MQS and MLS, so it
seems reasonable to think that G stands for h. e-ent might be event, and -ffi-e might be office,
although it is actually hard to take seriously that W necessarily stands for f.
To make a good start on breaking a simple substitution, however, single-letter frequencies are
not enough. They might work for picking out the letters E and T in most cases, but more
information is available that can serve as a better guide.
We've seen that N and I have frequencies of 6.94 and 6.92 respectively. This is a very small
difference. But one is a consonant, and the other is a vowel. So we might expect them to behave
differently. And they do.
Next
Table of Contents
Main page
Methods of Transposition
After looking at ciphers which can replace the letters of one's message by completely
different letters, a cipher that can't change any letters at all seems weak.
And, if your message might mention, or might not mention, someone with, say, a Q or
an X in his name, then a transposition cipher will indeed give that away, although one
could solve that by adding some garbage to the end of your message before encrypting
it. But transposition ciphers can be secure in themselves, and as well, transposition
methods are useful to know, since they can be mixed with substitution methods for a
more secure cipher.
The best known method of transposition, simple columnar transposition, works like
this:
Using a key word or phrase, such as CONVENIENCE, assign a number to each letter
in the word using this rule: the numbers are assigned starting with 1, and they are
assigned first by alphabetical order, and second, where the same letter appears twice,
by position in the word.
Then, write in the message under the keyword, writing across - but take out columns, in
numerical order, reading down. Thus:
C O N V E N I E N C E
1 10 7 11 3 8 6 4 9 2 5
---------------------------------
H E R E I S A S E C R
E T M E S S A G E E N
C I P H E R E D B Y T
R A N S P O S I T I O
N
produces
HECRN CEYI ISEP SGDI RNTO AAES RMPN

SSRO EEBT ETIA EEHS
Of course, it wouldn't be left with the spaces showing the columns that were used.
Decoding is harder - to read a message scrambled this way, you first have to count the
letters to determine, in this case, that there are 45 letters, and so the first column will
have five letters in it, and the other ones four, so that you know when to stop when
filling the letters in vertically to read them out horizontally.
Since the text being transposed is split into nearly regular divisions of almost equal
length, even double columnar transposition can be broken without recourse to multiple
anagramming: the use of several messages of the same length, enciphered in the same
key, to recover the transposition by matching together columns of letters that form
reasonable letter pairs.
Another method of transposition, which appeared in a book by General Luigi Sacco, is

a variant of columnar transposition that produces a different cipher:
C O N V E N I E N C E
1 10 7 11 3 8 6 4 9 2 5
---------------------------------
H
E R E I S A S E C R
E T M E S
S A G E E N C I
P H E R E D B Y T R A
N S P O S I T
I O N
produces
HEESPNI RR SSEES EIY A SCBT

EMGEPN ANDI CT RTAHSO IEERO
Here, the first row is filled in only up to the column with the key number 1; the second
row is filled in only up to the column with the key number 2; and so on. Of course, one
still stops when one runs out of plaintext, so the eighth row stops short of the key
number 8 in this example. This method has the advantage of dividing the text being
transposed in a more irregular fashion than ordinary columnar transposition.
Various methods of modifying ordinary columnar transposition slightly to make it

irregular have been used from time to time.
For example, during World War I, the French army used a transposition in which
diagonal lines of letters were read off before the rest of the diagram. Also, several
countries have used columnar transpositions in which several positions in the grid were
blanked out and not used.
The method of transposition used on the digits produced by a straddling checkerboard

in the VIC cipher can be illustrated here with the alphabet; first, knowing the number
of letters to be encrypted, the area to be filled is laid out, and then the triangular areas
on the right to be filled with plaintext last are marked out:
2 4 3 1 5
-----------
a b c d e
f g h i U
j k l V W
m n X Y Z
o p q r s
t
here, the alphabet becomes DIVYR AFJMOT CHLXQ BGKNP EUWZS.
Another interesting form of transposition is the "turning grille", used by Germany

during the First World War.
A square grille, divided into a grid of squares, one-quarter of which are punched with
holes, is placed over a sheet of paper. The message is written on the paper through the
holes, and then the grille is rotated by 90 degrees, and then the message continues to be
written, as the grille is turned through all four possible positions.
The trick to designing such a grille is to divide the grille into quarters, numbering the
squares in each quarter so that as the grille is rotated, corresponding squares have the
same number. Then, choose one square with each number for punching.
In World War I, the Germans used turning grilles with an odd number of holes on each
side as well as with an even number; to do this, they marked the square in the centre,
which was always punched, with a black border to indicate it was only to be used in
one of the grille's positions.
Example of a turning grille and its use:
Grid numbering:
1 2 3 4 5 16 11 6 1
6 7 8 9 10 17 12 7 2
11 12 13 14 15 18 13 8 3
16 17 18 19 20 19 14 9 4
5 10 15 20 X 20 15 10 5
4 9 14 19 20 19 18 17 16
3 8 13 18 15 14 13 12 11
2 7 12 17 10 9 8 7 6
1 6 11 16 5 4 3 2 1
Layout:
O - - O - O - - - 1 4 16
- - O - - - - - O 8 2
- O - - - - O - - 12 13
- - O - O - - O - 18 20 9
- - - - X - O - O X 15 5
- - - O - - - O - 19 17
O - - - - O - - - 3 14
- O - - O - - - O 7 10 6
- - O - - - - - - 11
Filling-in:
first position
T H I O - - O - O - - -
S I - - O - - - - - O
S A - O - - - - O - -
M E S - - O - O - - O -
S A G - - - - O - O - O
E T - - - O - - - O -
H A O - - - - O - - -
T I A - O - - O - - - O
M - - O - - - - - -
(this is a message that I am)
second position
t E h N i C - O - - O - - O -
s R Y i - - - O - O - - -
s P T a - - O - O - - - -
I m e N s O - - - - - O - -
G s a W g - - - O . - - O -
I e T t O - - - - O - - -
h H A a T - O - O - - - - O
t U i R a - - O - - - - O -
N m I O - - - - - O - -
(encrypting with a turni)
third position
t e h n i N c - - - - - - O - -
G s r G y R i O - - - O - - O -
s p I t a L - - - O - - - - O
i L m e E n s - O - - - O - - -
T O g s a w g O - O - . - - - -
i P e R t O t - O - - O - O - -
h h V a a I t - - O - - - - O -
D t u i E r a O - - - - - O - -
n m T H i I - - - O - O - - O
(ng grille to provide thi)
fourth position
t e S h n i n c I - - O - - - - - O
g L s r g y L r i - O - - - - O - -
U s p i t S a T l O - - - - O - O -
i l m R e e n s A - - - O - - - - O
t T o g s I a w g - O - - . O - - -
i p V e r t o t E - - O - - - - - O
h h v a E a X i t - - - - O - O - -
d t i A i M e r a - - - O - O - - -
n P m t L h i E i - O - - O - - O -
(s illustrative example)
to produce the encrypted result:
TESHN INCIG LSRGY LRIUS PITSA TLILM

REENS AITOG SIAWG IPVER TOTEH HVAEA
XITDT IAIME RANPM TLHIE I
There are two important uses of transposition which are connected with substitution
ciphers.
Transposition can be used to generate a scrambled order of the letters in the alphabet
for use as a substitution alphabet.
Transposition forms part of a fractionation cipher, where letters are divided into parts,
then the parts are put back together in a different order, belonging to different letters.
Next
Table of Contents
Main Page
Home Page
Improving Substitution
A cipher based on the use of a secret alphabet is not very secure; such ciphers are
presented as puzzles in crossword puzzle magazines. To achieve security it is
required to do something better.
Today, even to people not acquainted with cryptography, a number of

possibilities suggest themselves. Originally, though, the new ideas came one at a
time, separated by hundreds or thousands of years.
The basic ways to improve on simple substitution are the following:
● Instead of using just 26 substitutes, make the problem harder by using a

bigger substitution. This is divided into several cases:
❍ Use several substitutes for each letter (homophonic substitution)
❍ Replace every two letters, or every three letters, by something else
that stands for that combination of two letters or three letters

(polygraphic substitution)
❍ Replace common combinations of letters, or words, or phrases, by
their own substitutes (nomenclators and codes)

● Instead of using the same set of substitutes all the time, change from one
secret alphabet to another as you encipher a message (polyalphabetic
substitution).
Another way of improving on simple substitution is less obvious. Today, text is

often converted from the letters, punctuation marks, digits, and other symbols
you find on a typewriter to the binary bits of ASCII. Before that, other
representations of text were used to substitute for the printed word, such as
Morse code. The ancient Greeks used the Polybius square for signalling, by
means of which each letter was represented by two groups of from one to five
signal fires.
If a letter can be broken up into smaller pieces for purposes of signalling, those
smaller pieces can also be used in a cipher. For example, one can take the letters
of a message apart into smaller pieces, transpose the smaller pieces, and then put
the pieces back together again into letters.
This is called fractionation, and is closely related to polygraphic substitution for
two reasons; one is that both deal with different sized units - parts of letters and
letters, or letters and pairs of letters - and the other is that fractionation is
sometimes used as a method of polygraphic substitution.
● Homophones and Nomenclators

● Polygraphic Ciphers and Fractionation
❍ Playfair and its Relatives
❍ The Bifid, the Trifid, and the Straddling Checkerboard
❍ Fractionated Morse, and Other Oddities
❍ The VIC Cipher
❍ Two Trigraphic Ciphers, and a Heptagraphic One
● Polyalphabetic Substitution
Next
Chapter Start
Table of Contents
Main Page
Home Page
Homophones and Nomenclators

One of the earliest methods used to create ciphers stronger than simple substitution was to create
cipher tables which had more than one substitute for each letter, and which had additional
substitutes for names that would be commonly used. Because of the significance given to proper
names, these systems were called nomenclators.
Some of the early nomenclators were fairly unsophisticated; the substitutes for the letter B might
be the letter M or the digit 4, written in several distinctive styles - and then the substitutes for C
might be the letter N or the digit 5, again written in distinctive styles. Thus, a cryptanalyst
willing to try a simple guess would only need to solve a Caesar cipher - a simple substitution
where the alphabet is merely displaced instead of being thoroughly scrambled - instead of facing
the full problem of finding substitutes for the full set of symbols individually.
One ingenious modern method of producing a homophonic cipher, called the Grandpré cipher,
involves choosing ten ten-letter words, which can be ordered so that their first letters form an
eleventh ten-letter word, and which collectively include all 26 letters of the alphabet.
For example:
0 1 2 3 4 5 6 7 8 9
0 S T R A T I F I E D
1 U N D E R S T O O D
2 B A R K E N T I N E
3 M A J O R I T I E S
4 A S T R O L O G E R
5 R E E X A M I N E D
6 I N V E S T M E N T
7 N E G A T I V E L Y
8 E F F E R V E S C E
9 S Q U E E Z I N G S
The advantage it has, over a more routine type of homophonic table, for example:
0,3,8 4,7 9 1 5 2 6
1,2,7,8 E T A O I N S
0,4,5 H R D L U B C
3,9 M F G J K P Q
6 V W X Y Z
is that the multiple substitutes for each letter are not closely related.
The book The American Black Chamber, by Herbert Osborn Yardley, illustrated a cipher wheel
used by the Mexican Army which could be set up to produce a homophonic cipher with a key
that could be easily changed.
Changed from a wheel to a slide, it would look like this:

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
15 16 17 18 19 20 21 22 23 24 25 26 01 02 03 04 05 06 07 08 09 10 11 12 13 14
43 44 45 46 47 48 49 50 51 52 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42
61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 53 54 55 56 57 58 59 60
92 93 94 95 96 97 98 99 00 79 80 81 82 83 84 85 86 87 88 89 90 91
having four movable disks, one containing the two-digit pairs from 01 to 26, the second the
pairs from 27 to 52, the third the pairs from 53 to 78, the fourth the pairs from 79 to 99,
followed by 00 and four blank, unused spaces. The key consisted of the four two-digit pairs
aligned under the letter A, and the possible substitutes for any letter were the four (or possibly
three) two-digit pairs aligned under it. Obviously, the system would have been more secure had
the alphabet and the sequence of digit pairs been mixed.
The most important weakness of a homophonic system is that the person using it can become
lazy, and use the same substitute for a letter over and over, or use the substitutes in rotation,
rather than using them randomly.
Also, as many homophonic systems are devised by amateurs, they can have defects of one kind
or another. Helen Fouché Gaines in Elementary Cryptanalysis notes that Givierge, author of the
Cours de Cryptographie, described a homophonic system of the following kind:
E J G F D
O K M H S
P R W
---------
IT |a b c d e
AL |f g h i j
BQ |k l m n o
CN |p q r s t
u v x y z
---------
V X Y Z U
This is a type of straddling checkerboard, and we will meet a more elegant form of it later in the
section on fractionation. The word straddling refers to the fact that while most letters have a
two-letter group as their substitute, consisting of the letters indicating their row and column
(which may, incidentally, be taken in either order, as the alphabet has been split in half for this
purpose), five less-frequent letters represent each other. Thus, the presence of occasional one-
letter symbols is intended to complicate the problem for the cryptanalyst, making it difficult for
him to find out where the letter pairs that make up most of the message begin and end.
Although this cipher has many nice features, it does have a number of defects. Since the letters
that have only one letter as their substitute are, essentially, in a separate table, why use only a 25-
letter alphabet? Of course, in French, the letter W is so little used as almost not to be part of the
alphabet. But there are other defects.
● Although a group can begin with a letter from either half of the alphabet, the second letter
always has to be from the other half.
● Also, the second letter of a two-letter group can't be one of the five letters that represent
themselves, although since the first letter already indicates that there is a two-letter group,
that would not cause confusion.
Hence, this cipher omits a large number of two-letter substitutes which it could be making use
of. An improved design could be the following:
E J G F D b|M
O K U H S f|T
V W g|N
--------- p|R
IZ |r q l m x| DFOQTX v|P
AL |e u w h n| CJLNPWY y|Q
BY |c i k z a| AEGKUV
CX |o j t s d| BHIMRSZ
---------
E A C F G
I B H J L
P D O K M
Q T R N V
S U Z X W
Y
Here, six mid-frequency letters have single-letter substitutes, but these substitutes are drawn
from other letters in the alphabet.
The rest of the alphabet is divided into two halves, but once a letter is chosen to indicate either a
row or a column, the other co-ordinate of the plaintext letter is chosen from a set made from the
entire alphabet. Hence, if a letter on the left begins a two-letter group, it is ended with a letter
below; if a letter on the top begins a two-letter group, it is ended with a letter on the right.
Thus, the plaintext letter R can become ED, EO, OO, IQ, ZQ, or II.
As noted previously, the basic concepts of cryptography were slow to emerge. David Kahn's
book The Codebreakers illustrates the earliest known example of a cipher with homophones,
from the year 1401. It looked like this:
a b c d e f g h i k l m n o p q r s t u x y z
---------------------------------------------
Z y x D t s r q p o n l m k j h g f e d c b a
2 4 8 F
3 H 9 T
+ J L ~
where the capital letters stand for various special symbols (Z indicates a reverse script lowercase
z, F indicates an ff ligature, and J indicates the astrological symbol for Jupiter, for example).
To modern eyes, what is particularly striking about this cipher is that, even though the step of
improving on simple substitution by using multiple equivalents was taken, the basic cipher
alphabet itself is not thoroughly mixed, but instead varies only slightly from a simple reversed
alphabet.
Incidentally, the British publisher Hodder and Stoughton has an extensive series of books on
various subjects in a series called "Teach Yourself Books": particularly noteworthy in this series
are the instructional books for foreign languages, which the case of some languages are the only
readily available introductory book in print in English. (These are the books that used to have
yellow covers, but which changed to light blue covers some years back.) The book Codes and
Ciphers by Frank Higenbottam in this series, while a general introduction to the subject, is
distinguished by its uniquely extensive coverage of the topic of breaking messages enciphered
using nomenclators.
Next
Chapter Start
Table of Contents
Home page
Polygraphic Ciphers and Fractionation

Instead of arbitrarily choosing a list of common words or syllables to give cipher
equivalents for, one might be able to achieve the same increased security another way,
by enciphering several letters at once using some simple system that handles all
possible combinations of two letters, or three letters.
Of course, one could just use a random list of all 676 possible combinations of two
letters, and this would give the maximum possible security for a system that handles
two letters at a time.
Or, one could even follow the lead of Giovanni Battista della Porta, and use a table
giving different symbols for every pair of letters:
This is a redrafting of the table of 400 symbols for the digraphs of a 20-character
alphabet given by Porta in his De Furtivis Literatum Notis. In the original, there are a
few typographical errors, leading to some duplicate symbols:
ZI is a duplicate of ZO, VM is a duplicate of LL, NG is a duplicate of NB. The

replacements for the first two were obvious, that for NG is somewhat arbitrary.
Naturally, since Porta was expressing the idea of a digraphic cipher in print for the first
time, he did so in a way that seems unsophisticated by modern standards.
The columns in Porta's diagram all contain characters related in shape. This makes it
easier to look up a symbol, but also gives away information. One way to retain the
advantage of easily finding a symbol, but without giving away information to the
cryptanalyst, is illustrated in the diagram above: have similar symbols arranged along
the diagonals of the diagram, and use mixed alphabets along the edges. While a
digraphic symbol cipher is something that isn't too practical, similar techniques have
been used for small code charts to make them practical and secure.
Systematic methods of enciphering several letters at once, without simply using a very
large table, will be outlined in what follows. Fractionation lends itself to many
complicated and bizarre developments, a few of which will be illustrated there.
Hopefully, all the examples that will be contained in the following pages will prove a
starting point from which you can let your imagination run wild.
Fractionation, although a powerful technique, has seldom been used in paper-and-

pencil ciphers, because it is too complicated and prone to error. Two schemes that
actually were used, the ADFGX or ADFGVX cipher used by Germany in the First
World War, and the VIC cipher used by Reino Hayhanen while engaged in espionage
in the United States, involved substituting multiple symbols for each letter, and
transposing the letters or digits so obtained, but did not attempt to then reconstitute the
symbols back into letters.
Representing letters by five symbols from a set of two, or three symbols from a set of
three, has tended to be used mostly for steganography, as proposed by Bacon and
Trithemius. (That is, in the former case, if one does not count the use of the 5-level
code for teletypewriters.)
The Hagelin B-21 and its relatives also involved fractionation, combined with
polyalphabeticity but without transposition.
● Playfair and its Relatives

● The Bifid, the Trifid, and the Straddling Checkerboard
● Fractionated Morse, and Other Oddities
● The VIC Cipher
● Two Trigraphic Ciphers, and a Heptagraphic One
A Table of Powers, useful in finding ideas or opportunities to perform fractionation.
Next
Chapter Start
Table of Contents
Main page
Home page
Playfair and its Relatives

Since 26 by 26 tables are awkward and bulky, and certainly impossible to memorize,
various systematic methods were developed to encipher more than one letter at a time.
Playfair
The most famous polygraphic system is, of course, the Playfair cipher, which works as
follows: given a 5 by 5 square, containing a jumbled alphabet, such as:
T X V H R
L K M U P
N Z O J E
C G W Y A
F B S D I
doing without one letter by some rule: i.e. if Q is omitted, as here, use KW to stand for
QU; or treat I and J, or U and V, as one letter.
Then, a pair of letters is converted to a ciphertext pair using one of three possible rules,
whichever one applies:
if the two letters are neither in the same row or the same column, replace each letter by
the one that is in its own row, but in the column of the other plaintext letter. Examples:
TI becomes RF, TW becomes VC, KA becomes PG, UB becomes KD, WX becomes
GV
T------>R T-->V H R
| K M U | | K | U P
| Z O J | | Z | J E
| G W Y | C<--W Y A
F<------I F B S D I
if the two letters are both in the same column, replace each one by the one below it,
wrapping around if necessary. Examples: VW becomes MS, TN becomes LC, TL
becomes LN, TF becomes LT, KB becomes ZX
T X V H R
L K M U P
N Z | J E
C G W Y A
F B S D I
it the two letters are both in the same row, replace each one by the one to the right of it,
wrapping around if necessary. Examples: TH becomes XR, KP becomes ML, NZ
becomes ZO.
T X---H R
L K M U P
N Z O J E
C G W Y A
F B S D I
Double letters aren't allowed within a single digraph, and must be split up by inserting
a letter used as a null (for example, an X) between them.
If the Playfair cipher is used on a computer, perhaps in combination with other ciphers,
it might be more convenient to make a rule for double letters, such as using the letter
that is both below and to the right of the plaintext letter, and also doubling it. Then, EE
would become CC.
The Four-Square and Two-Square Ciphers
Playfair has inspired some related bigraphic ciphers that, on the one hand, improve
security by involving multiple, unrelated alphabets, but on the other hand, are simpler
in that they use fewer rules than Playfair.
In the Four-Square cipher, two squares are used to find the two plaintext letters, and
two others are used to find the two ciphertext letters:
D W X Y M | E P T O L D W X Y M | E P T O L
R J E K I | C V I Y Z R J E K I | C V I Y Z
U V H P S | R M A G B U V H---------->M A G B
A L B Z N | F W J H S A L | Z N | F | J H S
G C O F T | U N D X K G C | F T | U | D X K
-----------|----------- ----|------|----|------
J T B U E | V I M A G J T | U E | V | M A G
Z H N D X | S W P O H Z H N<----------W P O H
L A F R G | U T Z K E L A F R G | U T Z K E
P M I Y C | N R D X Y P M I Y C | N R D X Y
V S K W O | B J L C F V S K W O | B J L C F
and the only rule for finding the substitute for a digraph is similar to the first rule given
for Playfair: the first letter is replaced by the letter in its row, and the second letter's
column, and so on. Thus, as the diagram above illustrates, HW becomes MN.
With only two squares, the first plaintext letter and the second ciphertext letter are
found in the square on the left, and if both plaintext letters are in the same row, each
one is replaced by the other letter. (Other rules are possible, as long as the result is a
pair of letters, the first from the square on the right, the second from the square on the
left, in the same row. For example, each letter could be replaced by the letter to the
right of, or below, the other letter in the other letter's own square.)
During World War II, several digraphic ciphers were used by the German armed
forces. All had the common feature that text was broken up by seriation before being
enciphered: that is, the message MORE TROOPS NEEDED HERE would be broken
up like this:
MORET NEEDE
ROOPS DHERE
and the digraphs to be enciphered would be MR OO RO EP TS ND EH EE DR EE.
While the seriation step is an essential part of some fractionation ciphers we will see
below, using it with a digraphic cipher has been questioned, since it allows the
cryptanalyst to pretend he is dealing with simple substitution with 26 homophones for
each letter, and therefore may make solution easier instead of harder.
According to the book Codebreakers, a collection of reminiscences by those who

worked at Bletchley Park during the war, the German army used a cipher in which the
digraphs were then enciphered using the two-square cipher. The German Navy used a
reciprocal table of digraphs, again after a seriation step, in what was called the
Dockyard cipher.
Jim Gillogly has noted that declassified NSA documents refer to another cipher of this
type, in which the digraphs were enciphered twice by means of the two-square cipher.
Since each letter enciphered the first time was then found in the square on the other
side for the second encipherment, the relation between plain and cipher digraphs was
much more complicated than in regular Playfair.
Next
Chapter Start
Table of Contents
Main page
Home page
The Bifid, the Trifid, and the Straddling

Checkerboard
The Bifid and Trifid ciphers
The first of the three rules for Playfair encipherment changes one two-letter group, or digraph, to
another by exchanging column co-ordinates. This suggests using row and column co-ordinates in a
more general fashion. Let's take the 5 by 5 square above, but number the rows and the columns, like
this:
1 2 3 4 5
---------
1) T X V H R
2) L K M U P
3) N Z O J E
4) C G W Y A
5) F B S D I
Then, another method of encipherment would be as follows: Divide a message into groups of letters of
a fixed length, say five letters, and write the row and then the column co-ordinate of each letter
beneath it, like this:
THISI SMYSE CRETM ESSAG E

11555 52453 41312 35544 3
14535 33435 15513 53352 5
and then, going across within each group, read the numbers in order, and turn them, in pairs, into
letters: that is, read 11555 14535 52453 33435... and turn them into the letters corresponding to 11, 55,
51, 45, 35, 52, and so on.
1155514535 5245333435 4131215513 3554453352 35

T I F A E B A O J E C N L I V E D A O B E
This is the Bifid cipher of Delastelle, and the general principle of this form of cipher is called
seriation. This is one of the most secure pencil-and-paper ciphers that is still used by hobbyists as a
puzzle. It isn't hard to make this kind of cipher just a little bit more complicated, and thereby obtain
one that is genuinely secure. It belongs to the class of cipher methods known as fractionation, where
letters are divided into smaller pieces, or "fractions". Just as two symbols from 1 to 5 give 25 letters,
three symbols from 1 to 3 give 27 letters; and five binary bits provide a 32-character alphabet.
The Trifid, also due to Delastelle, is the analogous cipher using a 27-letter alphabet represented by
three symbols from 1 to 3:
W 111 M 121 Z 131 N 211 O 221 L 231 C 311 T 321 U 331

A 112 & 122 Y 132 E 212 V 222 P 232 X 312 J 322 G 332
K 113 B 123 H 133 Q 213 R 223 S 233 I 313 F 323 D 333
to encipher a message by seriation like this:
THISISM YSECRET MESSAGE

3132321 1223223 1222132
2313132 3311212 2133131
1333331 2321321 1233222
which again is read off horizontally after being written in vertically, yielding a cipher message like
this:
313 232 123 131 321 333 331

I P B Z T D U
122 322 333 112 122 321 321

& J D A & T T
122 213 221 331 311 233 222

& Q O U C S V
Representing the letters as combinations of two groups of from one to five signal fires was originally
proposed by Polybius in his Histories, as being a general method of communications, unlike ones he
noted as being previously used that depended on a small list of pre-arranged messages. It looked like
this:
with the letters of the Greek alphabet placed on five numbered tablets, and each letter being numbered
on each tablet.
Other forms of dividing a character into smaller pieces, such as ASCII or Baudot, or Morse Code (to
be seen below) were also developed to allow communications over various types of channel, as were
the signal flags used by ships, to use an example of a different type.
The Straddling Checkerboard
Some ciphers actually used by Soviet spies used a square like this:
9 8 2 7 0 1 6 4 3 5
-------------------
A T O N E S I R
6 P Q U V W X Y Z . /
Eight of the most common letters are translated to a single digit. The two digits not used in this way
begin two-digit combinations that stand for the remaining letters. This is an example of a variable
length code with the prefix property. When it is possible to tell, from the digits one has already seen of
a symbol, whether or not one needs to include the next digit in the symbol, then spaces between the
digits of a symbol are not needed, and this is what is known as the prefix property.
At one time, telephone numbers in North America had this property, because the middle digit of an
area code was always 0 or 1, and the first three digits of a regular telephone number, also known as
the exchange, never had 0 or 1 as the middle digit. Therefore, it was possible to dial 1 plus the seven-
digit number to make a long-distance call within one's own area code, since the first three digits could
not possibly be an area code. However, the increased need for more telephone numbers made it
necessary to abandon this rule, in January 1995 and therefore when dialing a long-distance call within
one's own area code, it is now still necessary to dial the area code. This method of dealing with the
increased demand for telephone numbers had the advantage that the number of digits in a telephone
number did not have to be increased, and this avoided problems with computer data-processing
systems that allocated the fixed minimum amount of space for a telephone number, as well as limiting
the amount of alteration needed for older telephone equipment.
In Britain, on the other hand, it was necessary to lengthen every telephone number by one digit, and
this was done by inserting the digit 1 in every number in the second position on a day called "phONE
day", April 16, 1995, although permissive dialing remained in effect until April 22, 2000. A number
of other countries also modified their systems of telephone numbers during roughly the same period;
Australia began in 1996, and Finland changed over its phone system on October 12, 1996.
Since in Morse code, a dot is the letter E, and a dash is the letter T, but other Morse code symbols also
begin with a dot or a dash, Morse code is a variable-length code that does not have the prefix property,
and so spaces are required between letters in Morse code.
Of course, the second digit of a two-digit combination could also have stood, by itself, for another
letter; but because when you start from the beginning and move forwards, there is no chance of
confusion, this is a workable and usable system.
Thus, the message SENDMONEY would become 4 1 0 22 25 7 0 1 66, or, rather, 41022 25701 66
because spaces to show where the letters begin are not needed; the first digit representing a letter
determines if its substitute is one or two digits long.
More complicated codes that work this way, using only the two binary digits 0 and 1, are used as a
form of data compression. The most famous variable-length prefix-property binary codes are the
Huffman codes; but this term only applies to such a code when symbols were assigned in it by a
specific algorithm, which has been proven to be optimal, within the limitations of only considering
single-symbol frequencies, and only using this kind of code: arithmetic coding, which doesn't work in
whole bits, can be more efficient. Before Huffman's proof, codes of that nature assigned in a different
fashion, which are known as Shannon-Fano codes, were the best known.
In one case, the VIC cipher used by Reino Hayhanen (the message in that cipher on microfilm, inside
a hollow nickel, was the background to the page introducing this section) the digits produced by a
straddling checkerboard were then subjected to a form of columnar transposition which was varied by
selecting triangular areas to be filled with plaintext last.
In other cases, after the message was converted to digits, encipherment similar to the Vigenère to be
described in the next section was performed. Since Vigenère is a form of addition, doing addition on
digits is easier for most people, without special equipment, than doing it on letters.
Next
Chapter Start
Table of Contents
Main page
Home page
The VIC Cipher

The VIC cipher is an intricate cipher issued by the Soviet Union to at least one of its
spies. It is of interest because it seems highly secure, despite being a pencil-and-paper
cipher. It was the cipher in which a message was written which was found on a piece of
microfilm inside a hollowed-out nickel by a newspaper boy in 1953. The workings of
this cipher were explained by Hayhaynen to FBI agents shortly after his defection to the
United States in 1957.
David Kahn described that cipher briefly in an article in Scientific American, and in full
detail in a talk at the 1960 annual convention of the American Cryptogram Association
which was later reprinted in his book Kahn on Codes.
The VIC cipher, which I will demonstrate here adapted to the sending of English-
language messages, begins with an involved procedure to produce ten pseudorandom
digits. The agent must have memorized six digits (which were in the form of a date), and
the first 20 letters of a key phrase (which was the beginning of a popular song) and must
think of five random digits for use as a message indicator.
Let the date be July 4, 1776, to give the digits 741776. (Actually, the Russians used their
customary form of dates, with the month second.) And let the random indicator group be
77651.
The first step is to perform digit by digit subtraction (without carries) of the first five
digits of the date from the indicator group:
77651
(-) 74177
---------
03584
The second step is to take the 20-letter keyphrase, and turn it into 20 digits by dividing it
into two halves, and within each half, assigning 1 to the letter earliest in the alphabet,
and so on, treating 0 as the last number, and assigning digits in order to identical letters.
Thus, if our keyphrase is "I dream of Jeannie with t", that step proceeds:
I D R E A M O F J E A N N I E W I T H T
6 2 0 3 1 8 9 5 7 4 1 6 7 4 2 0 5 8 3 9
The result of the first step is then expanded to ten digits through a process called chain
addition. This is a decimal analog of the way a linear-feedback shift register works:
starting with a group of a certain number of digits (in this case five, and later we will do
the same thing with a group of ten digits), add the first two digits in the group together,
take only the last digit of the result and append it to the end of the group, then ignore the
first digit, and repeat the process.
The 10 digit result is then added, digit by digit, ignoring carries, to the first 10 digits
produced from the keyphrase to produce a ten-digit result, as follows:
6 2 0 3 1 8 9 5 7 4
(+) 0 3 5 8 4 3 8 3 2 7
-----------------------
6 5 5 1 5 1 7 8 9 1
And these 10 digits are then encoded by encoding 1 as the first of the 10 digits produced
from the second half of the keyphrase, 2 as the second, up to 0 as the tenth.
using code: 1 2 3 4 5 6 7 8 9 0
1 6 7 4 2 0 5 8 3 9
6 5 5 1 5 1 7 8 9 1
becomes 0 2 2 1 2 1 5 8 3 1
This ten digit number is used by chain addition to generate 50 pseudorandom digits for
use in encipherment:
0 2 2 1 2 1 5 8 3 1
---------------------
2 4 3 3 3 6 3 1 4 3
6 7 6 6 9 9 4 5 7 9
3 3 2 5 8 3 9 2 6 2
6 5 7 3 1 2 1 8 8 8
1 2 0 4 3 3 9 6 6 9
The last row of these digits (which will still be used again) is used like the letters in a
keyword for transposition to produce a permutation of the digits 1 through 9 (with 0 last
again):
1 2 0 4 3 3 9 6 6 9
---------------------
1 2 0 5 3 4 8 6 7 9
and those digits are used as the top row of numbers for a straddling checkerboard:
1 2 0 5 3 4 8 6 7 9
-------------------
A T O N E S I R
-------------------
8 P Q U V W X Y Z . /
One detail omitted is that the checkerboard actually used had the letters in the bottom
part written in vertical columns with some columns left until the end. That doesn't work
as well in an English example, as there are only two left-over spaces after the alphabet.
With the straddling checkerboard in place, we can begin enciphering a message.
Let our message be:
We are pleased to hear of your success in establishing your false identity. You will be
sent some money to cover expenses within a month.
Converting this to numbers, we proceed:
W EAREP L EASED TOH EAROF Y OU RSU C C ESSINESTAB L ISH ING

834194810741640025044195058858096800202466734621010776047303
Y OU RF AL SEID ENTITY Y OU W IL L B ESENTSOM EM ONEY TOC O

88580905107647004327288885808370707014643265094095348825025
V EREX P ENSESW ITH INAM ONTH

854948481436468372047310953204
For the sake of our example, we will give our agent a small personal number of 8. This
number is used to work out the widths of the two transposition tableaux used to
transpose the numbers obtained above. The last two unequal digits, which in this case are
the last two digits (6 and 9) of the last row of the 50 numbers generated above, are added
to the personal number with the result that the two transpositions will involve 8+6, or 14,
and 8+9, or 17, columns respectively.
The keys for those two transpositions are taken by reading out the 50 numbers by
columns, using the 10 digits used to generate them as a transposition key. Again, 0 is
last, so given the table above:
0 2 2 1 2 1 5 8 3 1
---------------------
2 4 3 3 3 6 3 1 4 3
6 7 6 6 9 9 4 5 7 9
3 3 2 5 8 3 9 2 6 2
6 5 7 3 1 2 1 8 8 8
1 2 0 4 3 3 9 6 6 9
we read out the digits in order:
36534 69323 39289 47352 36270 39813 4
stopping when we have the 31 digits we need.
Our first transposition uses the first 14 digits as the key of a conventional simple
columnar transposition:
36534693233928
--------------
83419481074164
00250441950588
58096800202466
73462101077604
73038858090510
76470043272888
85808370707014
64326509409534
88250258549484
81436468372047
3109532049
Since our message consisted of ten rows of 14 digits, plus one extra row of 9 digits, it is
149 digits long. At this initial stage, one null digit is appended to the message, making it
150 digits long, so that it will fill a whole number of 5-digit groups.
Thus, with the null digit added, it gives us the intermediate form of the message:
09200274534 6860181384 80577786883 15963702539 11018309880

75079700479 4027027992 90628086065 42040483240 30833654811
44818035243 4864084447 84005470562 1546580540
The fact that our message is 150 digits long was important to note, since the next step in
the encipherment, although it is also a columnar transposition, includes an extra
complexity to make the transposition irregular, and so it is necessary to lay out in
advance the space that will be used in that transposition.
The remaining 17 digits of the 31 we read out above, 9 47352 36270 39813 4, are the
key for this second transposition. The numbers, in addition to indicating the order in
which the columns are to be read out, indicate where triangular areas start which will be
filled in last.
The first triangular area starts at the top of the column which will be read out first, and
extends to the end of the first row. It continues in the next row, starting one column later,
and so on until it includes only the digit in the last column. Then, after one space, the
second triangular area starts, this time in the column which will be read out second.
Since we know that our message is 150 digits long, we know that it will fill 8 rows of 17
digits, with 14 digits in the final row. This lets us fill in the transposition block, first
avoiding the triangular areas:
94735236270398134
-----------------
09200274534686
018138480577786
8831596370253911
01830988075079700
47940
270279
9290628
08606542
040483240
and then with them filled in as well:
94735236270398134
-----------------
09200274534686308
01813848057778633
88315963702539116
01830988075079700
47940548114481803
27027952434864084
92906284478400547
08606542056215465
04048324080540
from which the fully encrypted message can be read out:
36178054 289959253 507014400 011342004 746845842 675048425

03100846 918177284 83603475 035007668 483882424 283890960
350713758 689914050 008042900 873786014 472544860
The last digit, 6, in the date shows that the indicator group is to be inserted in the final
message as the sixth group from the end, so the message in the form in which it will be
transmitted becomes:
36178 05428 99592 53507 01440 00113 42004 74684 58426 75048
42503 10084 69181 77284 83603 47503 50076 68483 88242 42838
90960 35071 37586 89914 05000 77651 80429 00873 78601 44725
44860
Next
Chapter Start
Table of Contents
Main page
Home page
Two Trigraphic Ciphers, and a Heptagraphic One

Playfair for Three
Based on the Playfair cipher, I once thought of a way to make a cipher that worked on groups of three
letters.
Using a square, as with Playfair:
T X V H R
L K M U P
N Z O J E
C G W Y A
F B S D I
encipher with the following rules:
● If all three letters are the same, replace them by three repetitions of the letter diagonally below
and to the right of that letter. Thus: MMM becomes JJJ in the square above. Below, and to the
right, are always interpreted cyclically, so DDD becomes RRR, and PPP becomes NNN, and
even III becomes TTT.
● If two of the letters are the same, encipher the two letters as if they were part of a digraph to be
enciphered with Playfair.
❍ If the two letters are in the same row, replace each one with the letter to its right. Thus:
PKK becomes LMM, NON becomes ZJZ.

❍ If the two letters are in the same column, replace each one with the letter below it. Thus:
HUH becomes UJU, ZZB becomes GGX.

❍ If the two letters are neither in the same row nor the same column, replace each letter
with the letter that is in its own row, but in the column of the other letter. Thus: BOO
becomes SZZ, MIM becomes PSP.
● When all three letters are different, follow these rules:
❍ If all three letters are in the same row, replace each one with the letter to its right. Thus,
CYG becomes GAW, ZEN becomes ONZ.

❍ If all three letters are in the same column, replace each one with the letter below it.
Thus, MOW becomes OWS, KGB becomes ZBX.

❍ If two letters are in the same row, and one of those two is in the same column as the
third letter, replace the letter that is in the same row as one other letter and the same
column as the other other letter with the letter that is in the same column as the letter
with which it shares a row, and in the same row as the letter with which it shares a
column. Replace the two other letters by each other. Thus, YUK becomes KGY, WVY
becomes HYV, POE becomes OPM, GAP becomes PKG.
❍ If two letters are in the same column, but the third letter is neither in that column nor in
the same row as either of those two letters, replace each letter by the letter which is in
its own row, but in the other column used by the three letters. Thus, TCO becomes
VWN, TAN becomes RCE, HUG becomes XKY.
❍ If two letters are in the same row, but the third letter is neither in that row nor in the
same column as either of those two letters, replace each letter by the letter which is in
its own column, but in the other one of the two rows used by the letters. Thus, NED
becomes FIJ, GAS becomes BIW, LOP becomes NME.
❍ If no two letters share either a row or column, each letter is replaced by the letter in its
own row, but in the column of the next letter of the trigram, the first letter being the
'next letter' for the last one. Thus, TOY becomes VJC, LOB becomes MZF, GET
becomes ANX.
Note that since a trigram with repeated letters always enciphers to a trigram with repeated letters, one
could use a separate square for each of the three possibilities, or even just use an arbitrary substitution
alphabet for the case of three identical letters.
Trigraphic from Fractionation
If one uses a substitution where each letter of a 27-letter alphabet is replaced by three digits from 1 to
3, then the obvious method of constructing a trigraphic cipher from this is to write the equivalents of
the three letters in by columns and take them out by rows; thus, with the alphabet
W 111 M 121 Z 131 N 211 O 221 L 231 C 311 T 321 U 331

A 112 & 122 Y 132 E 212 V 222 P 232 X 312 J 322 G 332
K 113 B 123 H 133 Q 213 R 223 S 233 I 313 F 323 D 333
we encipher like this:
T H E
3 1 2 X
2 3 1 L
1 3 2 Y
For 26 Letters
But how can we adapt these two ciphers to a 26-letter alphabet?
Let's imagine that we want to have a method that doesn't require, as the original Playfair did, inserting
a letter like X into the plaintext when a double letter occurs; we want something that can be applied
mechanically to any arbitrary input text. This would make it suitable for use as a step in encryption
performed by a computer.
For the cipher derived from Playfair, the structure of the rules provides a clue. When the extra letter
turns up, ignore it for encryption, but place it in the ciphertext without alteration, and treat two
remaining letters, if they are different, as in regular Playfair, and a single remaining letter (or two
identical remaining letters) as if they were three identical letters.
How, though, can we possibly make the cipher which requires a 27-letter alphabet work with only 26
letters?
First, choose a substitution table such that the unused letter, &, is represented by the code 333.
U 111 F 121 P 131 Q 211 D 221 W 231 B 311 R 321 G 331

X 112 J 122 I 132 C 212 A 222 K 232 Y 312 T 322 V 332
H 113 M 123 O 133 S 213 Z 223 L 233 E 313 N 323 & 333
Now then, any combination that does not contain an ampersand, but which produces a combination
that does contain one, will have produced a combination that, when enciphered again, doesn't contain
an ampersand.
L O G S & G
2 1 3 S 2 3 3 L
3 3 3 & 1 3 3 O
3 3 1 G 3 3 1 G
That appears to be a trivial consequence of the fact that this cipher is reciprocal.
Since an ampersand is represented by the code 333, however, that means that whether or not a square
produces an ampersand depends only on the positions of the 3s in that square; the other two digits, 1
and 2, are irrelevant. Thus, we can do better than leaving trigrams which encipher to combinations
including an ampersand unenciphered.
Between the two encipherments, we can apply a substitution to the letters of the first result, as long as
that substitution leaves the 3s unchanged. Since this substitution operates perpendicular to the
plaintext and the ciphertext, the cipher still mixes the letters of the trigram together in this case.
Such a substitution might look like this:
111 212 113 123 131 232 311 321 133 233
112 122 123 223 132 231 312 311 233 133
121 211 213 113 231 131 321 322 313 313
122 221 223 213 232 132 322 312 323 323
211 121 331 332
212 222 332 331
221 111
222 112 333 333
With such a substitution, our encipherment would become:
L O G H & V
2 1 3 S 213 -> 113 (H) 1 3 3 O
3 3 3 & 333 -> 333 (&) 1 3 3 O
3 3 1 G 331 -> 332 (V) 3 3 2 V
Heptagraphic encryption
Having now obtained two trigraphic ciphers which both operate on trigrams of the 26-alphabet, but
which operate on different principles, one is immediately tempted to combine them to create a cipher
which will be much stronger than either one alone.
One way to do this is simply to apply both in sequence. However, inspired by recently encountering
the polymorphic block ciphers of Kostadin Bajalcaliev, I have thought of a more elaborate way of
doing this.
Let us encipher a block of seven letters at a time. Three letters are enciphered trigraphically by one of
the two systems given above, and the next three are enciphered using the other system. The seventh
letter is used to indicate which system is used.
Then, the letters are rearranged according to the permutation
from 1 2 3 4 5 6 7
to 4 7 1 2 3 5 6
and the process is repeated.
Since it seems wasteful to leave a letter unenciphered just to use it as the source of one bit of
information, that letter could also be used to choose between twelve possibilities: there could be three
different sets of tables for one of the block ciphers, and four different sets of tables for the other. For
the one based on Playfair, it is not even necessary that the omitted letter be the same for each set of
tables.
Nonagraphic Encryption
Of course, with two different trigraphic ciphers, performing some sort of transposition between
applying them is another way to produce a very strong cipher.
Just as the trigraphic cipher based on a 27-character alphabet places digits in a square by columns, and
takes them out by rows, one could encrypt nine letters at a time by placing them in a square array, and
encrypting first the columns by one cipher, and then the rows by the other. One could even do that
twice, inspired by Square, the predecessor of Rijndael, the new Advanced Encryption Standard.
Next
Chapter Start
Table of Contents
Main page
Home page
Polyalphabetic Substitution
The idea of using substitution ciphers that change during the course of a message was a very important step forwards in
cryptography. David Kahn's book, The Codebreakers, gives a full account of the origins of this idea during the Italian
Renaissance.
The earliest form of polyalphabetic cipher was developed by Leon Battista Alberti by 1467. His system involved writing the
ciphertext in small letters, and using capital letters as symbols, called indicators, to indicate when the substitution changes,
now and then through a message. The plaintext alphabet on his cipher disk was in order, and included the digits 1 through 4
for forming codewords from a small vocabulary.
Subsequently, more modern forms were devised, which change the substitution for each letter:
● A progressive-key system, where keys are used one after the other in normal order. This was first published
posthumously, in a book by Johannes Trithemius that appeared in 1518. The key ABCD...Z was used with regular
alphabets in the form depicted therein.
● A keyword indicating the alphabets to use in turn. Although this system is what is called the Vigenère, it originated
with Giovan Batista Belaso in 1553. In 1563, Giovanni Battista Porta added the use of mixed alphabets to this system.
● The autokey system, where a key starts the choice of alphabet, but the message itself determines the alphabets to use
for later parts of the message. Although an unusable form of this was first proposed by Girolamo Cardano, it was
Blaise de Vigenère who proposed the modern form of the autokey cipher in 1585.
The following compact table provides 26 alphabets, each labelled with a letter of the alphabet:
B C D E F ZABCDEFGHIJKLMNOPQRSTUVWXY
G H I J K UVWXYZABCDEFGHIJKLMNOPQRST
L M N O P PQRSTUVWXYZABCDEFGHIJKLMNO
Q R S T U KLMNOPQRSTUVWXYZABCDEFGHIJ
V W X Y Z FGHIJKLMNOPQRSTUVWXYZABCDE
B G L Q V ABCDEFGHIJKLMNOPQRSTUVWXYZ
C H M R W BCDEFGHIJKLMNOPQRSTUVWXYZA
D I N S X CDEFGHIJKLMNOPQRSTUVWXYZAB
E J O T Y DEFGHIJKLMNOPQRSTUVWXYZABC
F K P U Z EFGHIJKLMNOPQRSTUVWXYZABCD
The A alphabet isn't shown, since in that alphabet, every letter stands for itself, and so, if nothing is done, nothing need be
looked up in the table. For any other alphabet, use the letter indicating the alphabet to find a row among the top five, and a
row among the bottom five; using those two rows, the upper row stands for plaintext, the lower for cipher.
Thus, for alphabet Q, the top row begins KLMNO... and the bottom row begins ABCDE..., and so K becomes A, Q becomes
G, and A becomes Q in that alphabet.
If you think of A as standing for zero, B for 1, up to Z for 25, this particular set of alphabets is nothing more than the modulo
26 addition of the plaintext and the key to obtain the ciphertext. Circular disks or sliding scales can be used to carry out the
addition. This, perhaps, can be more easily seen if we exhibit the Vigenère tableau in full, accompanied by the table for
modulo-26 addition:
|ABCDEFGHIJKLMNOPQRSTUVWXYZ | 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
19 20 21 22 23 24 25
-+-------------------------- --
+-----------------------------------------------------------------------------
A|ABCDEFGHIJKLMNOPQRSTUVWXYZ 0| 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
19 20 21 22 23 24 25
B|BCDEFGHIJKLMNOPQRSTUVWXYZA 1| 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19
20 21 22 23 24 25 0
C|CDEFGHIJKLMNOPQRSTUVWXYZAB 2| 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
21 22 23 24 25 0 1
D|DEFGHIJKLMNOPQRSTUVWXYZABC 3| 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21
22 23 24 25 0 1 2
E|EFGHIJKLMNOPQRSTUVWXYZABCD 4| 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22
23 24 25 0 1 2 3
F|FGHIJKLMNOPQRSTUVWXYZABCDE 5| 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23
24 25 0 1 2 3 4
G|GHIJKLMNOPQRSTUVWXYZABCDEF 6| 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24
25 0 1 2 3 4 5
H|HIJKLMNOPQRSTUVWXYZABCDEFG 7| 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
0 1 2 3 4 5 6
I|IJKLMNOPQRSTUVWXYZABCDEFGH 8| 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 0
1 2 3 4 5 6 7
J|JKLMNOPQRSTUVWXYZABCDEFGHI 9| 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 0 1
2 3 4 5 6 7 8
K|KLMNOPQRSTUVWXYZABCDEFGHIJ 10|10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 0 1 2
3 4 5 6 7 8 9
L|LMNOPQRSTUVWXYZABCDEFGHIJK 11|11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 0 1 2 3
4 5 6 7 8 9 10
M|MNOPQRSTUVWXYZABCDEFGHIJKL 12|12 13 14 15 16 17 18 19 20 21 22 23 24 25 0 1 2 3 4
5 6 7 8 9 10 11
N|NOPQRSTUVWXYZABCDEFGHIJKLM 13|13 14 15 16 17 18 19 20 21 22 23 24 25 0 1 2 3 4 5
6 7 8 9 10 11 12
O|OPQRSTUVWXYZABCDEFGHIJKLMN 14|14 15 16 17 18 19 20 21 22 23 24 25 0 1 2 3 4 5 6
7 8 9 10 11 12 13
P|PQRSTUVWXYZABCDEFGHIJKLMNO 15|15 16 17 18 19 20 21 22 23 24 25 0 1 2 3 4 5 6 7
8 9 10 11 12 13 14
Q|QRSTUVWXYZABCDEFGHIJKLMNOP 16|16 17 18 19 20 21 22 23 24 25 0 1 2 3 4 5 6 7 8
9 10 11 12 13 14 15
R|RSTUVWXYZABCDEFGHIJKLMNOPQ 17|17 18 19 20 21 22 23 24 25 0 1 2 3 4 5 6 7 8 9
10 11 12 13 14 15 16
S|STUVWXYZABCDEFGHIJKLMNOPQR 18|18 19 20 21 22 23 24 25 0 1 2 3 4 5 6 7 8 9 10
11 12 13 14 15 16 17
T|TUVWXYZABCDEFGHIJKLMNOPQRS 19|19 20 21 22 23 24 25 0 1 2 3 4 5 6 7 8 9 10 11
12 13 14 15 16 17 18
U|UVWXYZABCDEFGHIJKLMNOPQRST 20|20 21 22 23 24 25 0 1 2 3 4 5 6 7 8 9 10 11 12
13 14 15 16 17 18 19
V|VWXYZABCDEFGHIJKLMNOPQRSTU 21|21 22 23 24 25 0 1 2 3 4 5 6 7 8 9 10 11 12 13
14 15 16 17 18 19 20
W|WXYZABCDEFGHIJKLMNOPQRSTUV 22|22 23 24 25 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14
15 16 17 18 19 20 21
X|XYZABCDEFGHIJKLMNOPQRSTUVW 23|23 24 25 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
16 17 18 19 20 21 22
Y|YZABCDEFGHIJKLMNOPQRSTUVWX 24|24 25 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
17 18 19 20 21 22 23
Z|ZABCDEFGHIJKLMNOPQRSTUVWXY 25|25 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17
18 19 20 21 22 23 24
And, of course, instead of the modulo-26 addition table for our 26-letter alphabet, a Vigenere
table can be constructed for any alphabet. Thus, modulo-24 addition would be used for the
Greek alphabet, modulo-32 addition for the Russian alphabet, or, as shown in the picture at
left, modulo-22 addition for the Hebrew alphabet. Here, the table is written from right to left, in
the same direction as normally used for Hebrew writing.
The message "Wish you were here" can be encrypted by the three possible methods, using SIAMESE as the keyword:
Straight keyword:
Message: WISHYOUWEREHERE
Key: SIAMESESIAMESES
Cipher: OQSTCGYOMRQLWVW
Progressive key:
Key: SIAMESETJBNFTFU
Cipher: OQSTCGYPNSRMXWY
Autokey:
Key: SIAMESEWISHYOUW
Cipher: OQSTCGYSMJLFSLA
For the progressive key, the keyword, followed by the keyword advanced one position at a time through the alphabet, is
used. Just using ABCDEF... as the key would not have been unique enough to serve as a real cipher.
The table shown here can be thought of as a table for the addition of letters, which is equivalent to addition modulo 26,
where A stands for 0, B stands for 1, continuing on to Z, which would stand for 25.
The plain keyword system can be solved by the Kasiski method; look for repeated sequences of letters in a message, and
count the number of letters between them. From this, it is easy to spot common factors, and determine the length of the
keyword used. This lets one sort the letters into the ones enciphered with the same alphabet. If normal alphabets are used,
looking at the profile of the frequency count makes solution trivial.
For the other two methods, elementary cryptanalysis only allows solution for normal (or at least known) alphabets. The
progressive key case can be made to yield its period if one looks not for repeated letters, but for repeated distances in the
alphabet between adjacent letters; this subtracts out the slow movement of the keyword through the alphabet. The autokey
can basically be solved by brute-force trial on the length of its starting keyword. Of course, these systems can still be solved
with mixed alphabets, but more advanced methods are needed, involving statistics or multiple messages with the same key.
In addition to using mixed alphabets for greater security, there are other systems of historical importance.
The Gronsfeld, which added a numeric key to the plaintext, meant that there were only ten possible equivalents for each
letter, but was easier to do by hand without a table or slide or disk. The Porta system used a smaller table; the first half of the
alphabet was stationary while the second half moved, and equivalents for letters in each half of the alphabet were found in
the other half.
The table for the Porta system (converted to the modern 26-letter alphabet) is as follows:
ABCDEFGHIJKLM
-------------
AB |NOPQRSTUVWXYZ
CD |OPQRSTUVWXYZN
EF |PQRSTUVWXYZNO
GH |QRSTUVWXYZNOP
IJ |RSTUVWXYZNOPQ
K KL |STUVWXYZNOPQR
e MN |TUVWXYZNOPQRS
y OP |UVWXYZNOPQRST
QR |VWXYZNOPQRSTU
ST |WXYZNOPQRSTUV
UV |XYZNOPQRSTUVW
WX |YZNOPQRSTUVWX
YZ |ZNOPQRSTUVWXY
The Gronsfeld, and, even more easily, the Porta, because they only allow some letters, but not others, as equivalents for any
given plaintext letter, can be attacked through this weakness.
In attempting to devise a cipher that, like the Gronsfeld, lends itself to mental arithmetic, I used (for the English alphabet)
the method of representing numbers as letters that was used by the ancient Hebrews and the ancient Greeks:
A 1 J 10 S 100
B 2 K 20 T 200
C 3 L 30 U 300
D 4 M 40 V 400
E 5 N 50 W 500
F 6 O 60 X 600
G 7 P 70 Y 700
H 8 Q 80 Z 800
I 9 R 90
Then, the rule for encipherment is this:
a) If the plaintext and key letters are in the same column, they are added:
B (2) + F (6) = H (8)

L (30) + J (10) = M (40)
b) If the plaintext and key letters are in two different columns, their nonzero digits are added, and the letter in the third
column which contains neither key nor plaintext containing the sum is taken:
D (4) + L (30) = Y (700)

W (500) + K (20) = G (7)
If we had a 27-letter alphabet, we would only have to add that when the sum is greater than 9, subtract 9 (in the appropriate
digit place):
M (40) + Q (80) = L (30)
For the 26-letter alphabet, it's easy to modify rule (a): if the two letters are in the third column, subtract 800 instead of 900.
U (300) + Y (700) = T (200)
Rule (b) is modified in this way: always subtract 9; if the cipher letter and the key letter produce 900 as the result, use
instead the letter that would be produced by enciphering a letter with the value 900 with the key letter. Since there is no letter
with that value, when one is produced by deciphering, decipher 900 with the key to get the true plaintext letter.
This produces the table seen below:
Plaintext
ABCDEFGHI JKLMNOPQR STUVWXYZ
----------------------------
A|BCDEFGHIA TUVWXYZJS KLMNOPQR
B|CDEFGHIAB UVWXYZKST LMNOPQRJ
C|DEFGHIABC VWXYZLSTU MNOPQRJK
D|EFGHIABCD WXYZMSTUV NOPQRJKL
E|FGHIABCDE XYZNSTUVW OPQRJKLM
F|GHIABCDEF YZOSTUVWX PQRJKLMN
G|HIABCDEFG ZPSTUVWXY QRJKLMNO
H|IABCDEFGH QSTUVWXYZ RJKLMNOP
I|ABCDEFGHI STUVWXYZR JKLMNOPQ
J|TUVWXYZAS KLMNOPQRJ BCDEFGHI

K|UVWXYZBST LMNOPQRJK CDEFGHIA
L|VWXYZCSTU MNOPQRJKL DEFGHIAB
K M|WXYZDSTUV NOPQRJKLM EFGHIABC
e N|XYZESTUVW OPQRJKLMN FGHIABCD
y O|YZFSTUVWX PQRJKLMNO GHIABCDE
P|ZGSTUVWXY QRJKLMNOP HIABCDEF
Q|HSTUVWXYZ RJKLMNOPQ IABCDEFG
R|STUVWXYZI JKLMNOPQR ABCDEFGH
S|KLMNOPQRJ BCDEFGHIA TUVWXYZS

T|LMNOPQRJK CDEFGHIAB UVWXYZST
U|MNOPQRJKL DEFGHIABC VWXYZSTU
V|NOPQRJKLM EFGHIABCD WXYZSTUV
W|OPQRJKLMN FGHIABCDE XYZSTUVW
X|PQRJKLMNO GHIABCDEF YZSTUVWX
Y|QRJKLMNOP HIABCDEFG ZSTUVWXY
Z|RJKLMNOPQ IABCDEFGH STUVWXYZ
This table is slightly imperfect. For each of the first eighteen letters in the alphabet, when they occur in the plaintext, there is
one letter that no key letter will cause to be its ciphertext equivalent, and there is another letter that will be that plaintext
letter's ciphertext equivalent for two different key letters. However, although imperfect, it is less so than the Gronsfeld
cipher, and so the system might be of some use (although just converting to digits with a straddling checkerboard achieves
the same goal, of simplifying applying a key, without any imperfections, and considerably more simply).
It is, however, more important to recognize the names of two other systems. If Vigenère can be thought of as plaintext + key
= cipher, Beaufort amounts to key - plaintext = cipher. Since cipher = key + plaintext, Beaufort, like Porta, is reciprocal: the
same steps exactly will both encipher and decipher. Variant Beaufort is plaintext - key = cipher, and is the same as
deciphering for Vigenère.
Slides and disks are often used for the Vigenère and other polyalphabetic ciphers, particularly mixed-alphabet Vigenère.
Helen Fouché Gaines' Elementary Cryptanalysis gives a classification of mixed alphabet slides into four types:
● Type 1: Mixed plaintext alphabet, plain cipher alphabet.

● Type 2: Plain plaintext alphabet, mixed cipher alphabet.
● Type 3: The same mixed alphabet for plain and cipher.
● Type 4: Different mixed plain and cipher alphabets.
I would like to extend this classification slightly to make it comprehensive:
● Type 0: Plain plaintext and cipher alphabet.

● Type 0a: Plain plaintext alphabet, reversed cipher alphabet.
● Type 1: Mixed plaintext alphabet, plain cipher alphabet.
● Type 2: Plain plaintext alphabet, mixed cipher alphabet.
● Type 3: The same mixed alphabet for plain and cipher.
● Type 3a: Mixed plaintext alphabet, the same alphabet in reverse for cipher.
● Type 4: Different mixed plain and cipher alphabets.
A slide of type 0a produces a reciprocal cipher, and can be used for Beaufort. The mechanical equivalent of such a slide is an
element of a Hagelin machine.
The Type 1 slide is more easily cryptanalyzed than the Type 2 or above slides since once the different alphabets have been
determined by discovering the period of the cipher by the Kasiski method (looking for repeated digrams, trigrams and above,
noting the distance between them, and looking for a common factor to most of the distances, giving greater weight to longer
repetitions) the frequency counts can be lined up, since they are displaced along the cipher slide, which in this case has the
known regular alphabet along it.
Even in the mixed-alphabet case, once the period is found, letter frequencies and bigram frequencies can be used to read the
message. For a frequent letter, whether only a few letters, or a wide variety of letters, appear before or after that letter helps
to identify whether the letter is a vowel or a consonant, or to determine exactly which letter it is.
When some alphabets are partly reconstructed, if you know that the alphabets have been produced by a slide, even one with
two mixed alphabets, there are certain logical inferences that you may be able to make that will obtain the values of
additional letters. This technique is known as symmetry of position.
Let us suppose that we know that the plaintext letters E and N become, in one alphabet, the ciphertext letters P and Q, and in
another alphabet the ciphertext letters K and V.
Since the distance between the letters E and N on the slide with the scrambled plaintext alphabet does not change, even
though it is unknown, we know from this that the letters P and Q are the same distance apart on the ciphertext slide as the
letters K and V are.
And since one goes from one alphabet generated by a slide to another by moving one of the alphabets a certain distance, one
also knows that the two equivalents for E, the letters P and K on the ciphertext slide, are the same distance apart as Q and V.
Of course, these two facts are really consequences of one another: since P-Q = K-V, then it must also be true that P-K = Q-
V, where P, Q, K, and V are now standing for unknowns in modulo-26 arithmetic.
In any event, if we then find that in a third alphabet, the plaintext letters R and T become the ciphertext letters P and K,
respectively, and if we are fortunate enough to have an alphabet in which R becomes Q, we can then conclude that T will
become V in that alphabet.
Later, when at least two alphabets are almost completely reconstructed, it may be possible to work out what alphabets were
present on the slide that generated them. This can help in continuing the solution, or in reading future messages.
For example, a slide in two consecutive positions generates these alphabets:
QWERTYUIOPASDFGHJKLZXCVBNM abcdefghijklmnopqrstuvwxyz
BOXWITHFVEDZNLQURJGSPACKMY dkanxlqufrjgymvebwzihcopts
QWERTYUIOPASDFGHJKLZXCVBNM abcdefghijklmnopqrstuvwxyz
OXWITHFVEDZNLQURJGSPACKMYB zmclwqurvjgsbyedointfkxahp
On the left is the way the slide looks, and on the right are the alphabets as they appear to the cryptanalyst, who does not yet
know what alphabets are on the slides. Consecutive alphabets are shown; the method works for any odd shift between
alphabets except 13 (not because it's unlucky, but because it is exactly half of 26, the number of letters in the alphabet); for
an even shift, partial information about the slide is obtained: two separate 13-letter pieces.
The slides can be reconstructed because of the information the alphabets above give about them: D and Z are the equivalents
for A in the two alphabets. So, the distance between D and Z on the bottom slide must be the amount by which the slide must
be moved to get from one alphabet to the other. But that is also true of K and M, the two equivalents for B, and A and C, the
two equivalents for C, and so on.
So, we start with the letter D. The letter Z is our displacement ahead of it: here, it happens that the displacement is one, so
we'll get the exact alphabet on the slide, instead of simply an equivalent alphabet. To move another displacement forward,
we find Z as the equivalent for S in the first alphabet, and N as its equivalent in the second.
Thus, we reconstruct the alphabets like this:
a s d f g h j k l z x c v
DZ ZN NL LQ QU UR RJ JG GS SP PA AC CK
b n m q w e r t y u i o p
KM MY YB BO OX XW WI IT TH HF FV VE ED
If the shift were three instead of one, then the alphabets would be subjected to decimation, so that instead of DZNLQ... the
first few letters after D would be in positions D..Z..N..L..Q..., but the slides would still generate the same cipher alphabets,
only after different shifts.
It is particularly because the Kasiski method of attacking the simple keyword form of the Vigenere is so powerful that other
methods, such as key progression and the autokey were originated to avoid it.
The Lanaki Classical Cryptography Course, available at The Crypto Drop Box, notes two other methods sometimes tried.
One is to repeat the letters of one's keyword an increasing number of times, with a period different from the length of the
keyword: thus, the keyword SIAMESE might be repeated with the pattern 12345, so that one's key would begin
SIIAAAMMMMEEEEESEESSSIIIIAAAAAMEESSSEEE...
and an idea suggested by W. F. Friedman is then noted, where instead of using a simple sequence like 12345, one uses the
lengths of the Morse Code symbols for the letters in a keyword to control the pattern of repetitions.
These methods don't make a truly aperiodic cipher the way the autokey does, but like the progressive-key method, they
provide a longer period. However, the presence of stretches of plaintext enciphered with the same keyletter at least seems
like a weakness.
Of course, one could take Friedman's idea, and make it more complicated (and therefore impractical for actual use!) in a
number of ways.
Let us use a Morse Code keyword of BAKER, which is, in dots and dashes,
-... .- --. . .-.
and use two other keywords, ORANGE and CHOCOLATE, for Vigenere use.
A dot selects a letter from the first keyword, a dash selects a letter from the second keyword. And let both keywords also
experience key progression.
While this will still lead to a sequence with a finite period, the period will be a long one, and will start like this:
ORAN GE PSB O HFQ TCPI GR UDQ J HSV ERKI TW FSL J UXG TMKV YH UNL W ZIV
CHOC OL ATE D IPD PMBU FE JQE Q NCV GFKR FR ODW H GLS GSPE XI HMT H TQF
-... .- --. . .-. -... .- --. . .-. -... .- --. . .-. -... .- --. . .-.
CRAN GL ATB O HPQ PCPI GE JQQ J HCV GRKI TR ODL J ULG GMKV YI HML W ZQV
alternatively, the ends of each letter in the Morse keyword could control key progression for the first keyword, and the end
of each occurence of the whole keyword could control key progression for the second keyword, like this:
ORAN HF QTC Q KIS WFSL KU YHU O NXA KXQO ZC MZS R CFO CVTD HQ EXV G KTG
CHOC OL ATE C HOC PMBU FD IPD P MBU GEJQ EQ NCV G EJQ FROD WH FKR F ROD
-... .- --. . .-. -... .- --. . .-. -... .- --. . .-. -... .- --. . .-.
CRAN HL ATC Q KOS PFSL KD IPU O NBA GXQO ZQ NCS R CJO FVTD HH FKV G KOG
thus making use of more of the information in the Morse keyword, but, since such things are clearly impractical by hand, we
shall instead let such devices as rotor machines and the Hagelin lug and pin machine introduce complicated polyalphabetic
ciphers, as it was with such devices that such ciphers finally became usable.
Cipher disks are harder to make than slides, but they do look prettier. One type of cipher disk I invented independently looks
like this:
This disk was the best of my attempts to devise something which would be easy to use, but involve something more than just
sliding one alphabet against another. My intention was to approach the power of a rotor machine.
The wheel is built from four components, as illustrated below:
Essentially, the wheel is constructed from four disks, one of which has half of its outer portion removed.
On the bottom is a disk with the mixed plaintext alphabet, shown as item 1 in the diagram.
Above it is item 2, a disk with the numbers 1 through 13 repeated twice, against a backround of one color (shown here as
purple).
Then comes item 3, a disk of the same diameter, but with half of its perimeter removed to expose thirteen of the spaces on
the disk below. The half remaining has a background of a color contrasting with that disk (shown here as green), and a
mixed sequence of the numbers 1 through 13.
Finally, there is the smallest disk on the top, item 4, with the mixed cipher alphabet.
How the disks are stacked one on top of the other is illustrated by item 5 in the drawing, a view of the four disks one on top
of the other, but slightly offset to allow the perspective to be visible.
In use, one looks up a letter in the plaintext alphabet, and proceeds to the number in the next inner band. Then, starting from
the same number, against the background of the opposite color, also in that band (but on the other of the two middle disks)
one proceeds to the cipher letter on the innermost circle with the cipher alphabet. This is illustrated by item 6 in the picture.
One idea I had for making this type of device useful, by making it easier to move the disks with each letter enciphered, was
to add to each disk a rim (presumably with 26 notches or bumps around the outside, not shown for simplicity) so that the
four disks could be advanced like thumbwheels.
Versions of the disks using latticework to hold the outside rim in place, while allowing all the letters and numbers in lower
disks to be visible, are shown as items 7, 8, 9, and 10 in the diagram. Item 11 shows an oblique view of the disks stacked,
item 12 a face-on view.
One way to make use of this construction would be to have layers of cardboard between the disks, so that each rim is
individually exposed for a short distance. The 26 possible key letters would be allocated so that seven of them are used to
indicate that the lowest disk is to turn counterclockwise from 1 to 7 spaces, another 7 turn the smallest disk clockwise 1 to 7
spaces, and 6 indicate the disk shown with a purple rim is to turn counterclockwise from 1 to 6 spaces, and 6 indicate the
disk with half its periphery cut away is to turn clockwise from 1 to 6 spaces.
For use with text as a key, the letters would be allocated so that the frequent letters represented odd displacements, and were
distributed evenly among the four disks.
A version of the same device as a slide instead of a disk would look like this:
-----------------------------------------------------
F S H G Y M L Q K X O N E R Z A D I V C U T P W J B
-------------------------
------| 1 1 1 1 |--------------------
|7 4 1 6 3 5 0 1 9 2 3 2 8| 1 1 1 1
3 4 5| |6 7 8 9 0 1 2 3 1 2
------ --------------------
-----------------------------------------------------
X V I D U J C G M E Z A F T W O S H K Y P B R N Q L
-----------------------------------------------------
The Byrne Chaocipher, which was mentioned in David Kahn's The Codebreakers, was subsequently the subject of a
Cryptologia article, which indicated that the principle of this wheel may have been used before in that cipher.
Another device I designed myself in trying to produce a convenient cardboard approximation to a rotor machine is the
following slide:
The slide has a frame with an approximately rectangular pattern of holes, but with two corners clipped. Behind the frame,
there are two slides; one with slots in it that moves vertically, and a solid one that moves horizontally behind it.
The letters on the vertical slide are arranged so that as it moves up or down one position, the letters that become concealed
are rearranged and fill the spaces on the slide that now become visible, like this:
P E H S C A p e h s c a
L V F O K R Z l V F O K R Z
I B Q Y G W N I B Q Y G W N
X T M J D U X T M J D U E
C H L S P A
The same principle applies to the horizontal slide. However, since space is required for the vertical sliding alphabets, and the
spaces between the open rectangles, instead of being filled with merely one set of alphabets, it contains three interlaced
alphabets, which independently change in this way.
In the previous section, we saw how a straddling checkerboard like this:
9 8 2 7 0 1 6 4 3 5
-------------------
A T O N E S I R
6 P Q U V W X Y Z . /
could be used to convert letters to digits. Since it takes account of letter frequencies, the conversion is an efficient one.
This type of conversion makes the various types of polyalphabetic encipherment more convenient by hand, since the
Vigenere encryption is now simply addition (on a digit-by-digit basis, ignoring carries).
The table for this operation is, of course:
|0123456789
-+----------
0|0123456789
1|1234567890
2|2345678901
3|3456789012
4|4567890123
5|5678901234
6|6789012345
7|7890123456
8|8901234567
9|9012345678
and, as this is the table for addition modulo 10, it is not surprising that it resembles the table above for addition modulo 26,
or the equivalent Vigenère table.
So, using this conversion from letters to numbers to perform the equivalent of the examples above:
Repeating key:
W ISH Y OU W EREH ERE
603421667626015121151
439251414392514143925
---------------------
032672071918529264076
Progressive key:
603421667626015121151
439251415403625265147
---------------------
032672072029630386298
Autokey:
603421667626015121151
439251416034216676260
---------------------
032672073650221797311
so the same methods are as applicable to digits as they are to letters. However, the ease of doing addition on digits as
opposed to letters also means that the equivalent of the use of mixed alphabets is not found often with digits.
As noted in the previous section, Soviet spies using a straddling checkerboard for converting letters to digits have then often
encrypted these digits using a polyalphabetic substitution of the Vigenere type.
However, the attempt was made to use a perfect form of Vigenere encryption. (As the declassified information concerning
VENONA reveals, the attempt wasn't made quite well enough: supposed "one-time pads" were used at least twice on many
separate occasions.)
If, ahead of sending a message, you and your correspondent have arranged to share a key consisting of:
● genuinely random digits,

● long enough to be used only once, that is, matching in length all the messages you will be sending
then there is no way to "break" your messages by cryptanalysis. (Of course, the length and timing of messages may still give
information away.)
Why is there no way to break messages in such a case? Because, if the key is random, and if it is never used anywhere else
but with just one message, so there is no other way to get information about that key, then that key could be anything.
So any possible message having the same length as the intercepted message remains possible, because there is no way to
exclude the key that would give rise to any hypothetical message. If the key were not random, but generated by some rule,
then perhaps the key that would transform some possible plaintexts into the ciphertext actually intercepted could not have
been generated by that rule, thereby ruling out those plaintexts. If the key were used another time, then one possible text for
the first message could be ruled out because the other message would not make sense. But without either of these
opportunities, one speculative plaintext is only as good a guess as any other, and no better.
This survey of cryptographic algorithms has not gone very far, still being in its first chapter, and already we have found
perfection. But not only is quite a bit of key required, but more importantly, when that key is used up, no more secure
communications are possible using this method. And since the key is bulky, and impossible to memorize, this is only useful
where the messages are easy to intercept but the key is safe, for example, in communications, but not in protecting files on
your hard disk. Also, it can't complement public-key cryptography, since it doesn't provide a way by which encrypting a
small session key by a slow method with some useful special properties (making it possible to start communicating securely
without any advance secret exchange of a key) can protect a large message.
The one-time pad is perfect, and it is relatively easy to understand why it is impregnable. In general, it is not suitable for
everyday use, since computers make it very easy to carry out conventional encryption with methods of enormous
complexity. Such enormous complexity that there seems to be no rational reason to doubt their security. But just as there is a
tendency in some quarters to advocate the use of methods that aren't quite complex enough (for example, DES with its 56-bit
key, or other block ciphers that are only a step or two better), there is a tendency in other quarters to say that the "experts"
should not be trusted, and only the one-time system, in one of its various forms, is any good.
Incidentally, for the polyalphabetic encryption of a stream of message digits by a stream of key digits, it is not strictly
necessary to use only addition without carries. Just as either addition modulo 10 or addition modulo 26 are equally valid,
depending on whether the message is made up of digits or letters, addition modulo 100,000 is also equally valid. That is, five
message digits could be added to five key digits to produce five cipher digits using normal addition with the propagation of
carries within the five-digit group.
The one carry, though, that must be discarded is the one out of the five digits, if it is not propagated to the preceding five-
digit group. Sending the sum of 53478 and 88412 as 141890 instead of 41890 is a serious mistake, as it proves that both the
plain and key groups at that position must be larger than 41889, as neither of those five-digit groups can be larger than 99999.
One method of polyalphabetic encipherment that suffered from this error is any cipher of the Nihilist type.
A five-by-five square like that illustrated below was used to convert both a message and a key (repeatedly used, as in Porta's
cipher commonly known as the Vigenère) into a stream of digits:
1 P Z R M T
2 Y A V F I
3 O H K W N
4 G D X B U
5 S J C E L
1 2 3 4 5
However, when the stream of key digits was added to the stream of cipher digits, instead of using a modified modulo-5
tableau such as:
| 1 2 3 4 5
-------------
1 | 2 3 4 5 1
2 | 3 4 5 1 2
3 | 4 5 1 2 3
4 | 5 1 2 3 4
5 | 1 2 3 4 5
the digits were simply added by normal decimal addition without carries. Hence, while each digit which was added belonged
to a family of only five digits, the sum as transmitted could have any of nine values, (a sum of 1 could not occur) and only
one of those values, the digit 6, did not place some constraint on both the key digit and the message digit, as can be seen
from the table of that operation:
| 1 2 3 4 5
-------------
1 | 2 3 4 5 6
2 | 3 4 5 6 7
3 | 4 5 6 7 8
4 | 5 6 7 8 9
5 | 6 7 8 9 0
The actual Nihilist cipher, as described in Gaines, was even worse than this: the letters in the checkerboard square were in
their normal order, and the addition was performed with carries, to the extent that messages were sent in two-digit groups,
and three digit sums (such as 45 + 55, or 52 + 51) were sent in three digit form, preserving the carry out of the group.
However, the Russian language, before the Russian Revolution, had a thirty-six letter alphabet, and the use of a full 6 by 6
square would have improved things slightly.
Since the most natural way to apply a stream of key letters to a stream of plaintext letters is the Vigenère, and the most
natural way to apply a stream of key digits to a stream of plaintext digits is modulo-10 addition, when applying a stream of
key bits to a stream of plaintext bits, the very simple operation of modulo-2 addition, or exclusive-OR (XOR) is often used,
with the very short table:
| 0 1
-------
0 | 0 1
1 | 1 0
The following two tables:
| 0 1 2 3 4 5 6 7 | 0 1 2 3 4 5 6 7
------------------- -------------------
0 | 0 1 2 3 4 5 6 7 0 | 0 1 2 3 4 5 6 7
1 | 1 2 3 4 5 6 7 0 1 | 1 0 3 2 5 4 7 6
2 | 2 3 4 5 6 7 0 1 2 | 2 3 0 1 6 7 4 5
3 | 3 4 5 6 7 0 1 2 3 | 3 2 1 0 7 6 5 4
4 | 4 5 6 7 0 1 2 3 4 | 4 5 6 7 0 1 2 3
5 | 5 6 7 0 1 2 3 4 5 | 5 4 7 6 1 0 3 2
6 | 6 7 0 1 2 3 4 5 6 | 6 7 4 5 2 3 0 1
7 | 7 0 1 2 3 4 5 6 7 | 7 6 5 4 3 2 1 0
the first for modulo-8 addition, and the second for an independent exclusive-OR of each of the three bits of an octal digit,
shows how these two operations differ in their algebraic structure; thus, some modern computer ciphers alternate between
XOR and addition modulo 256 or modulo 65,536 within a complicated sequence of operations to make the cryptanalyst's
path a more tangled one.
The following two tables:
| 0 1 2 3 4 5 6 7 | 0 1 2 3 4 5 6 7
------------------- -------------------
0 | 0 1 2 3 4 5 6 7 0 | 0 1 2 3 4 5 6 7
1 | 1 2 3 0 5 6 7 4 1 | 1 2 0 4 5 6 7 3
2 | 2 3 0 1 6 7 4 5 2 | 2 0 1 5 6 7 3 4
3 | 3 0 1 2 7 4 5 6 3 | 3 4 5 6 7 0 1 2
4 | 4 5 6 7 0 1 2 3 4 | 4 5 6 7 1 3 2 0
5 | 5 6 7 4 1 2 3 0 5 | 5 6 7 2 3 4 0 1
6 | 6 7 4 5 2 3 0 1 6 | 6 7 3 0 2 1 4 5
7 | 7 4 5 6 3 0 1 2 7 | 7 3 4 1 0 2 5 6
illustrate two ways of obtaining tables that are different algebraically from either of the previous two. The first is a table of
the operation of adding the last two bits of a three-bit octal digit with modulo-4 addition, and XORing the first bit
independently. The second results from deliberately constructing a table which must be algebraically distinct from anything
like this, by beginning with a subtable for modulo-3 addition, which could not occur in a table built from exclusive-OR and
addition modulo a power of two, and then using displacements of the other five digits in the shadow of that subtable. Finally,
the remaining five by five square is filled; at first, some diagonals are filled systematically, and then the rest is filled through
trial and error, with some backtracking.
Next
Chapter Start
Table of Contents
Main page
Home page
Code Books
Before it became possible to build complex electrical and mechanical cipher machines,
cipher systems requiring many complex manipulations would have been impractical
and error prone.
A code book, with its long list of equivalents for thousands of words and phrases, as
opposed to the 26 letters of the alphabet, offers a degree of security without requiring a
large number of operations for each word encoded.
Codes have also been used for sending messages by telegraph at lower prices, by
representing common phrases used in business with single codegroups. Such
codebooks are arranged so that both the codegroups and their meanings are in easy-to-
find alphabetical order. A codebook arranged this way is called a one-part code.
Most (but not all) secret codebooks are called two-part codes; the codegroups are
assigned in a random order to the words encoded, and there is both an encoding
section, with the words in alphabetical order, and a decoding section, with the
codegroups in alphabetical (or numerical) order.
Thus, the decoding section of a codebook might look like this imaginary example that I
also used as the background to this page:
EZNLJ Shanghai
EZNKL OUGH
EZNLM 270 degrees
EZNMN Ship may not be
EZNNO Docking facilities
EZNOP Diesel fuel
EZNRS France
EZNST Repair-s-ed-ing
EZNTU Ship has
EZNUV Cancun
EZNVW 43 degrees
EZNYZ 500
EZNZA 23 knots
EZOAA Maintenance urgently required
EZOBB Perth
EZOCC 15 metres
EZODD Captain will be
EZOEE 23 3/4
The rationale behind the sequence of 5-letter groups shown is explained in the section
on Error-Correcting Codes.
Some codebooks assign both numeric codegroups and alphabetic codegroups to words;
the alphabetic codegroups are easier to actually transmit by Morse code, but the
numerical codegroups are easier to manipulate.
For secret codes, the manipulation might consist of superencipherment, the

encipherment of a message that is already in code. But many nonsecret cable codes
also provided numeric codegroups. This allowed people in a specialized business to, by
agreement, use the codegroups in one section of a large codebook, which contained
words and phrases they did not use, to instead represent the words and phrases another,
shorter codebook or in a section of another codebook. All that was needed was to add
or subtract an offset from the codegroups in the other codebook to fit them into the
unused space.
To increase security, secret codebooks often included nulls, that is, codegroups which
were to be ignored upon decipherment. Also, many codebooks included more than one
substitute for the most common words or phrases.
David Kahn's book The Codebreakers is illustrated with actual pages from once-secret
codebooks, such as the British and Allied Merchant Ship code, and the Hudson code of
the American Expeditionary Force.
Another codebook illustrated was Cypher SA, the codebook of the British Navy in the
last months of World War I. Another illustration of a different part of this codebook
also appeared in David Kahn's article in the July 1966 issue of Scientific American.
This codebook was perhaps unique, in that it used a stripped-down form of the autokey
principle.
It used a considerable number of nulls, and every message had to start with a null,
because many of the most common words and phrases in the code could not begin a
message.
Each five-digit codegroup in the code was followed by one of the three letters A, B, or
C. Many of the more common words and phrases had three different substitutes,
preceded by A, B, and C in order, and the one to be used was determined by which
letter had followed the previous codegroup.
Naturally, only the numbers were transmitted in the enciphered message.

Some of the most common words and phrases were also homophones in the ordinary
sense; instead of merely having one set of three substitutes, they might have had three
sets of substitutes, so that for each letter ending the previous word, there would still be
three arbitrary choices for the codegroup to use.
Since what we have is essentially three different codes, A, B, and C, although these
codes are the same in part, determined for each group by the codegroup enciphered
before, Cypher SA is properly classed as a form of autokey.
With many codes, a form of polyalphabetic substitution is used. In addition to the two-
part codebook, with numerical equivalents for the words or phrases to be sent, a second
book, filled with random numbers, is required. This second book's contents are called
the additive. A random starting point in the book is chosen for each message, and that
starting point is sent at the beginning of the message. Then, the numbers in the book
are added to the codegroups from the codebook before transmission. Always, carries
past the start of a codegroup are discarded; almost always, all carries are ignored, the
individual digits being added in isolation. This is the decimal equivalent of doing an
XOR instead of addition.
Sometimes other methods of encrypting an already coded message, called

superencryption, are used. For example, a short table giving subsitutes for pairs of
digits can be used, either on the codegroups, or just on the group which gives the
starting point of the additive.
When a long running key is used for Vigenere encryption, but that key is re-used,
Kerchoffs superimposition can be used to align different messages encrypted with the
same key. The messages are slid against each other, and positions that provide a high
number of coincidences, particularly those involving groups of consecutive characters,
are chosen.
For breaking codes used with additives, Kerchoffs superimposition is usually used in a
more sensitive form, as improved by W. F. Friedman. The kappa test compares the
proportion of coincidences that would be found, in the Vigenere case, between two
sequences of random letters, which would be exactly 1/26, and between two normal
plain-language texts. That is higher, because the letters are not all equal in frequency.
That figure equals the sum of the squares of the probabilities of all the plaintext
symbols; the chance of an A in the first message times the chance of an A in the second
message, plus the chance of a B in the first message times the chance of a B in the
second, and so on. The same applies to two strings of random groups of five digits,
which would have one group in 100,000 matching by chance, and two coded messages
without an additive applied. If two messages are aligned so that their additives
coincide, as far as coincidences between them at that position are concerned, it is as if
no additive was applied.
The following illustates why the random kappa is always smaller than the plaintext
kappa:
--------------------- ----------------------
|----| | |---------| |
|----| | |---------| |
|---------- | |---------| |
| |----| | |---------| |
| |----| | |--------------- |
| ----------- | | |----| |
| |----| | | |----| |
| |----| | | --------- |
| ----------| | |--| |
| |----| | ------|
| |----| | |--|
--------------------- ----------------------
The square of a number gains size from both of its factors, so taking size from a
smaller number squared and giving it to a larger one causes that size to be placed more
advantageously; therefore making all the numbers equal minimizes the sum of the
squares.
Next
Table of Contents
Home page
Fun With Playing Cards

To accompany the recent novel Cryptonomicon, Bruce Schneier, author of Applied
Cryptography, developed a cipher using the 52 playing cards and two jokers called
Solitare, which is described on the Counterpane web site.
This has been an inspiration to both myself and others; for example, Paul Crowley has
developed another cipher using playing cards called Mirdek.
My Playing Card Cipher
I, too, have now succumbed to the temptation to construct an alternative to Solitare.

The basic cycle that takes a deck that has already been scrambled to produce a
keystream operates as follows:
Step 1: From the prepared deck (the order of the cards in it is the key), turn up, and
deal out face up in a row, successive cards until the total of the cards (A=1, J=11,
Q=12, K=13) is 8 or more.
Step 2: If the last card dealt out in Step 1 is a J, Q, or K, take its value, otherwise take
the total of the values of the cards dealt out in Step 1. (This gives a number from 8 to
17.) In the next row, deal out that many cards from the top of the deck.
Step 3: Deal out the rest of the deck under that row, in successive rows that begin on
the left, and end under the lowest card in the top row, the next lowest card in the top
row, and so on, in rotation. A red card is lower than a black card of the same
denomination, and when there are two cards of the same color and denomination, the
first one in the row is considered lower.
These first three steps may lead to a layout which looks like this:
7S QH
3D 6S 3C 2D QD 4S 8S JS JD 10H QC 8H
5H AC 6D KS
10C
QS 9D 5D
2H 3S KD JH 2S 9C
9H 6H
8C 2C 7H JC 4C 8D 3H KC 7D 6C AH 4H
5C 10D 10S 7C 9S KH 4D
AD 5S AS
Step 4: Take the cards dealt out in Step 3, and pick them up by columns, starting with
those under the lowest card in the row dealt out in Step 2. The top card in the column is
to be on the bottom of a pile of face up cards, and the first column picked up is to be on
the bottom of the re-assembled deck.
Step 5: Place the cards dealt out in Step 2 (the last one on the bottom) in face-up form
on top of the re-assembled deck, and then the cards dealt out in Step 1, again, the last
one on the bottom of a face up pile put on top of the re-assembled deck.
Step 6: Turn the deck of cards over to face-down position to repeat Step 1.
Thus, these steps would cause the following new order of the deck to result from the
layout above:
KS JH JC 7C 5H 10C QS 2H 9H 8C 5C AD 6D
5D KD 7H 10S AS 9C 8D KH AC 9D 3S 6H 2C
10D 5S 4H 3H 4D 6C 7D KC 2S 4C 9S AH 8H
QC 10H JD JS 8S 4S QD 2D 3C 6S 3D QH 7S
And the cards that were at the beginning of the deck, and thus controlled the
transposition, are now at the end of the deck, and will be subject to the next
transposition instead of controlling it.
After doing this three times, obtain a keystream digit as follows:
Looking at the cards from the top of the deck, ignore all J, Q, and K cards; take the first
other card, from A to 10, and count down that many cards to find a card from A to 10.
Do the same from the bottom of the deck. The last digit of the sum of the values of
those two cards is the keystream digit.
Applying this to the scrambled deck obtained above (which is cheating a bit, since in
practice the transposition has to be done three times), it works this way:
KS JH JC 7C 5H 10C QS 2H 9H 8C 5C AD 6D
(7) 1 2 3 4 5 6 7*
5D KD 7H 10S AS 9C 8D KH AC 9D 3S 6H 2C
10D 5S 4H 3H 4D 6C 7D KC 2S 4C 9S AH 8H
7* 6 5 4 3 2 1 (7)
the two selected cards are the ace of diamonds and the ten of hearts, so the keystream
digit is a 1.
This way, people don't have to memorize a bridge ordering of the suits, and they use a
straddling checkerboard to allow false addition to apply the key, instead of trying to do
Vigenere or modulo-26 arithmetic in their heads.
By limiting the mental arithmetic required, I'm trying to make my method simpler.
However, the way in which the cards are rearranged is more complex; the cards are
dealt out in a layout, not merely manipulated in a straight line, and thus the result looks
somewhat more like a game of solitare. In the novel, the cipher Solitare was based on a
computer stream cipher; my method for using playing cards is instead based on an old
pencil-and-paper cipher.
The method of transposition used is the one given by General Luigi Sacco, that breaks
up a block into uneven units, and which perhaps has some advantages over ordinary
columnar transposition.
Of course, some of the rules used mean that there are biases in the transposition; if
every card had a distinct value, the order of the columns would be slightly more
random, and the rule intended to limit the row size to 17 instead of 21 makes 11, 12,
and 13 more likely row lengths. Note that Step 4 is set up to make the scrambling
invertible, so I did accept some good advice from Bruce Schneier's Solitare. The well-
known reason for this is noted elsewhere on this site: a non-invertible transformation
risks shrinking the state space of the thing transformed. That is: the fact that the
transformation is invertible is no guarantee of a long or maximal period. But if every
possible ordering of the deck is possible at the start, then every possible ordering of the
deck remains possible after 20, 30, or 2000 iterations of an invertible transformation. If
two orderings of the deck both transformed to the same ordering of the deck, then the
transformation would not be invertible. On the other hand, with a non-invertible
transformation, the number of possible orderings can continue to shrink as the
transformation is repeated.
The Keying Procedure
Starting with a deck in a fixed order, say AS 2S ... KS AH 2H ... KH AD 2D ... KD AC

2C ... KC, the procedure to obtain a scrambled deck order from a keyphrase is as
follows:
Divide the keyphrase into parts that are eight or more letters in length as follows: first,
use all the words that are eight or more letters long in the phrase, then, go through the
phrase, and, using only the shorter words, take as many words as needed at a time to
reach eight or more letters. When the last part is formed, and there are less than eight
unused letters in the key phrase, include them in the last part.
Then, take these parts of the keyphrase, and use them in pairs.
First, for each part, imagine the word as standing above the columns of cards, and then
perform Step 3 and Step 4 of the normal cycle, but on the entire deck.
Example:
Phrase: THE QUICK BROWN FOX JUMPED OVER THE LAZY DOG
This phrase has the parts:
THEQUICK
BROWNFOX
JUMPEDOVER
THELAZYDOG
So, the first two parts lead to the deck being scrambled as follows:
First, the deck is laid out like this:
T H E Q U I C K
7 4 2 6 8 3 1 5
AS 2S 3S 4S 5S 6S 7S
8S 9S 10S
JS QS KS AH 2H 3H
4H 5H
6H 7H 8H 9H 10H JH QH KH
AD 2D 3D 4D
5D
6D 7D 8D 9D 10D
JD QD KD AC 2C 3C 4C
5C 6C 7C
8C 9C 10C JC QC KC
Since the first card of a column is placed on the bottom when the cards are face up, and
the first column picked up is at the bottom of the cards when they are face up, they will
be on the top when the deck is in normal face-down order, and so this step leads to the
cards being in the order:
7S QH 4C 3S 10S KS 8H 3D 8D KD 7C 10C 6S
3H JH 3C KC 2S 9S QS 5H 7H 2D 7D QD 6C
9C KH 4S AH 9H 4D 9D AC JC AS 8S JS 4H
6H AD 5D 6D JD 5C 8C 5S 2H 10H 10D 2C QC
Now, the deck is then laid out like this for the second part:
B R O W N F O X
1 6 4 7 3 2 5 8
7S
QH 4C 3S 10S KS 8H
3D 8D KD 7C 10C
6S 3H JH
3C KC 2S 9S QS 5H 7H
2D 7D
QD 6C 9C KH
4S AH 9H 4D 9D AC JC AS
8S
JS 4H 6H AD 5D 6D
JD 5C 8C 5S 2H
10H 10D 2C
QC
which, when picked up, places the deck in this order:
7S QH 3D 6S 3C 2D QD 4S 8S JS JD 10H QC
8H 5H AC 6D KS 10C QS 9D 5D 2H 3S KD JH
2S 9C 9H 6H 8C 2C 7H JC 4C 8D 3H KC 7D
6C AH 4H 5C 10D 10S 7C 9S KH 4D AD 5S AS
Then, each of the two parts is used to scramble half of the deck again; the
transpositions above depended on the order of letters in each part, but this step will
instead depend on which letters are present.
Go through the alphabet, from A through Z, as you take cards from the top of the deck.
When you reach a letter that is part of the current part of the keyphrase, that card
completes the current pile you are making. The next card starts a new pile. Z always
completes the last pile, even if it is not present.
Then put the piles back together, but in the reverse order in which they were obtained.
Thus, the first part, THEQUICK, divides the first half of the deck like this:
A B C
7S QH 3D
D E
6S 3C
F G H I
2D QD 4S 8S
J K
JS KD
L M N O P Q
10H QC 8H 5H AC 6D
R S T
KS 10C QS
U
9D
V W X Y Z
5D 2H 3S KD JH
causing that half of the deck to be placed in the order:
5D 2H 3S KD JH 9D KS 10C QS 10H QC 8H 5H
AC 6D JS KD 2D QD 4S 8S 6S 3C 7S QH 3D
Then, the second half, BROWNFOX, is applied to the second half of the deck.
When there is an odd part of the key phrase, then the deck is transposed with that part,
and only its first half is mixed again.
Once the entire keyphrase is applied to the deck of cards, the deck is then subjected to a
non-invertible triple cut, as follows:
From each end of the deck, a card with a value from A to 10 is located, by the
procedure used to find the keystream numbers in normal encipherment. Then, starting
from the top of the deck when it is face down, which we will assume is placed on the
left, additional cards are counted from that card according to its value: one more card if
it is an ace, two more if it is a deuce, and so on, but this time, face cards are not ignored.
This part of the deck is then placed on the right-hand side.
The procedure is repeated from the other keystream card, again counting inwards. If
cards are left, these stay in the middle, and those from the bottom of the deck to the end
of the count are placed on the left-hand side.
Using the previous example of obtaining a keystream digit to illustrate how this works:
KS JH JC AH 5H 10C QS 2H 9H 8C//KC AD 6D
(1) 1* 1 2 3 4 5
5D KD 7H 6C AS 9C 8D 5C AC 9D 3S 6H 2C
7D 5S 3H 10D 4D 9S 10S//2S 4C 4H KH 7C 8H
7 6 5 4 3 2
1 7* 6 5 4 3 2 1 (7)
the pairs of slashes indicate the points at which the deck will be cut, ending up in the
order 2S...7S, KC...10S, KS...8C from the order above.
Finally, the cards are laid out according to the word spacing of the keyphrase:
T H E
2S 4C 4H
Q U I C K
KH 7C 8H QC 10H
B R O W N
JD JS 8S 4S QD
F O X
2D 3C 6S
J U M P E D
3D QH 7S KC AD 6D
O V E R
5D KD 7H 6C
T H E
AS 9C 8D
L A Z Y
5C AC 9D 3S
D O G
6H 2C 7D
T H E
5S 3H 10D
Q U I C K
4D 9S 10S KS JH
B R O W N
JC AH 5H 10C QS
F O X
2H 9H 8C
repeated until the deck is all laid out, and then they are picked up in face up form with
the last column, and its top card, on the bottom.
In the example, that leads to the cards ending up in this order when turned face down:
6D 10H QD AD JH QS QC 4S KC 6C 3S KS 10C
4H 8H 8S 6S 7S 7H 8D 9D 7D 10D 10S 5H 8C
4C 7C JS 3C QH KD 9C AC 2C 3H 9S AH 9H
2S KH JD 2D 3D 5D AS 5C 6H 5S 4D JC 2H
Next
Table of Contents
Main page
Conclusions for Chapter 1

This first chapter has touched on the major basic elements that apply to any form of
encryption.
Its treatment of them has been brief, almost to the point of being perfunctory.
Encyclopedia articles and inexpensive books cover this territory fairly well. The more
recent methods of encryption are covered in more specialized publications; that, and a
fascination with their intricacies, has led me to cover them in more detail.
Because most methods of substitution require some sort of chart or table (the Gronsfeld
was specifically designed to avoid this problem), or a slide or disk for polyalphabetics,
transposition ciphers were quite popular with armies as field ciphers.
Although it is easy to create a cipher that is very difficult to solve by a sufficiently

complicated combination of transposition and substitution, some simple ciphers
combining both are breakable.
During World War I, for a short time Germany used Vigenere encipherment with key
ABC (and, later, with key ABCD - but only for deceptive transmissions and not
important messages) followed by a simple columnar transposition.
For puzzle-solving purposes, the "Nicodemus" cipher breaks a message into complete
rectangular blocks, which are transposed by exactly the same keyword as was
previously used to encipher them in Vigenere. Thus, the enciphered message consists
of groups of plaintext letters encrypted in Vigenere with the same key, which can, of
course, be exploited by the cryptanalyst.
Claude Shannon, the father of information theory, who also contributed to the theory of
chess-playing computers, wrote a paper in The Bell System Technical Journal the title
of which was The Communications Theory of Secrecy Systems in which he noted that
the two basic elements of a cipher system are confusion and diffusion.
This has influenced the design of some cipher systems. A preliminary sketch of the
design of IBM's LUCIFER block cipher, appearing in Scientific American embodied
these elements in almost a pure form. (The actual LUCIFER cipher as implemented
was quite different, although it also embodied those elements, but in a less
straightforward way.)
Generally, confusion is understood as substitution, and diffusion is understood as
transposition.
These terms are, however, general and inclusive. Based on the specific methods of
attaining security found in the actual pencil-and-paper systems we've met so far, I feel
it is warranted to take the dangerous step of moving to a more specific and concrete
division of the operations within a cipher system.
The danger is that it could limit the imagination of cipher designers by being more
concrete. But since the terms 'confusion' and 'diffusion' are tending to be identified with
the simplest forms of substitution and transposition, it seems to me that more detail
might instead stimulate cipher designers to consider more options.
Thus, I propose the following set of basic elements in a cryptographic system:
Confusion
replacing symbols by other symbols.
Diffusion
moving of plaintext symbols to other positions within the ciphertext.
Convolution
the achievement of diffusion by means of confusion; the effect of performing
diffusion on a finer scale than confusion. This refers to what happens in
polygraphic and fractionation systems.
Alternation
changing, from one portion of the ciphertext to the next, of the rules for
confusion and/or diffusion.
Indirection
placing elements in a cipher 'behind' other elements so that their effects are
harder to analyze.
With this division, more of the methods actually used suggest themselves. Also, a
measure of quality can perhaps be noted. For confusion and diffusion, bigger seems to
be better. For alternation, the complexity of the scheme of alternation, its
unpredictability, is the measure of quality.
Associated with these goals are specific means, such as substitution for confusion.
If we view a message as an array of symbols, where P(n) is the n-th element of the
plaintext message P, and C is the ciphertext message, one can illustrate the various
techniques by formulas.
Substitution (Confusion)
Transforming a message by replacing the values of its elements according to
some rule; for example, C(i)=S(P(i)) over all i in the message, where S is a
substitution table indexed over the elements of the alphabet used.
Transposition (Diffusion)
Transforming a message by placing its elements in different locations within the
message; for example, C(T(i))=P(i) over all i in the message, where T is a
transposition table indexed over all the character positions in the message.
Fractionation (Convolution)
Transforming a message from being expressed in a number of symbols of one
alphabet to a different number of symbols in an alphabet of a different size,
combined with transpositions and substitutions on those alphabets. Such a
transformation might have a form such as C(i/2) = S(P(i)*N+P(i-1)) where i
starts as 2 and goes over all the even-numbered characters of the original
message, and N is the number of characters in the original alphabet. Its inverse
would be P(2i) = SL(C(i)) and P(2i-1) = SR(C(i)), where SL and SR are
substitutions such that mapping the characters c of the original alphabet to pairs
( SL(c), SR(c) ) is bijective; that is, different inputs become different outputs in
both directions. This is most useful when substitutions are applied to the
message with the larger alphabet size and fewer characters, and transpositions
are applied to the message with the smaller alphabet size and more characters.
Polyalphabeticity (Variation)
Applying a different substitution rule to different characters of the message.
Thus, C(i)=S(P(i),i) where the output of the substitution is a function of the
character's position in the message as well as the particular character.
Autokey (also Variation)

Causing the rule of encipherment for a part of a message to depend on another
part of the same message. C(i)=S(P(i)+P(i-1)) is a classic form of autokey,
which requires adding a dummy P(0) character to the start of the message. This
results in encipherment differing from one message to another.
Indirection involves preparing things like substitution tables in ways that are ciphers in
their own right; hence, it isn't found very much in simple paper-and-pencil ciphers,
where the amount of work to be done must be kept limited. The methods used for
forming substitution alphabets from a keyword by means of a transposition block, such
as the Ohaver method, noted previously, involve indirection in a sense, but only once
during a message. So there is no basic pencil-and-paper technique which is an effective
example of indirection. However, later on we will see the rotor machine SIGABA,
which may be considered the classic illustration of indirection.
Next
Table of Contents
Main page
Early Machine Ciphers

This section looks at some of the simpler ciphers involving mechanical aid to the
cryptographer. Cipher disks or slides are left in the pencil-and-paper section, but the
Wheatstone cryptograph (a set of geared cipher disks which achieved polyalphabeticity
by using plain and cipher alphabets of different lengths) would go here if it were
covered.
● The Bazeries Cylinder

● The Kryha Cryptograph
● The Hill Cipher
● The RED Machine
● The Reihenschieber
● The A-22 Cryptograph
Next Section
Chapter Start
Table of Contents
Home Page
The Bazeries Cylinder

Although originally invented much earlier, by Thomas Jefferson, this type of cipher
machine became generally known after its later re-invention by Commandant Etienne
Bazeries, who wrote a book about cryptology which recommended this device.
About 20 or 30 disks, each with a different scrambled alphabet on the edge, and with a
hole in the centre so they can all be stacked on a common axle, make up the device. The
disks can be numbered on one side, and the order in which they are stacked can be used
as a key that can easily be changed.
To encipher a message, rotate the disks so that its letters line up in one row, and take the
letters in any other row as the encrypted message. Decipherment is possible, because it is
easy to pick out one row of plaintext among 24 others of gibberish that are possible.
This is quite a secure cipher device, especially considering that it doesn't involve a lot of
fancy technology. Since every letter in a block is displaced through a different alphabet,
and every block has a different displacement, it is even possible to mistakenly assume
that it is unbreakable.
However, it isn't unbreakable. Like the Enigma, which we will meet later, no letter can
represent itself. This allows probable plaintext to be positioned against intercepted
messages.
The main attack against this type of cipher is the de Viaris method. If the alphabets on
the cylinder are poorly chosen, it may be that the fifth letter clockwise from E, for
example, can never be some letters, and is one particular letter several times. Thus, an
opponent who has a copy of the cylinder itself and some plaintext may be able to
identify the displacement for a block - and, with that, then determine the order of the
disks.
The alphabets on the M-94, a version of the Bazeries cylinder made from aluminum, and
used by the U.S. during the Second World War, were chosen to be part of a Latin square
to be more resistant to a de Viaris attack. A Latin square is an N by N square containing
the numbers from 1 to N, each N times, so that no number occurs twice in either the
same row or the same column. For example,
1 2 3 4 5
3 1 4 5 2
2 5 1 3 4
5 4 2 1 3
4 3 5 2 1
is an example of a Latin square. However, since
1 2 3 4 5
2 3 4 5 1
3 4 5 1 2
4 5 1 2 3
5 1 2 3 4
is also a Latin square, and is obviously not a good type of sequence for a cylinder cipher,
as every cylinder has the same alphabet, only shifted by one, there is more to choosing a
good set of alphabets for a cylinder than simply using a Latin square.
Ideally, if one were using 25 cylinders for a 26-character alphabet, one would like a
sequence such that, if one aligns any one letter to form a solid row of that letter, then the
remaining 25 letters on the 25 cylinders are, in each case, a Latin square. Then, for each
displacement, and each letter, all substitutes would be equally possible. I do not know
whether or not it is possible to fulfill this condition.
Even when the de Viaris attack is not possible, cylinder ciphers can be broken. During
World War II, the U.S. used an improved version of the cylinder cipher. Strips instead of
disks were used (which, of course, makes no difference in itself), and there were 100 of
them to choose from. The cipher procedure involved choosing 30 strips, but breaking up
the message into blocks of only 15 letters long.
Despite all this, and the fact that they did not have a captured specimen of the device to
work with, cryptanalysts in Nazi Germany were able to break messages enciphered with
the M-138-A.
If one does not have a copy of the device, and in any case the strips or disks used have
been made resistant to the de Viaris attack, it is still possible to attack a Bazeries cylinder
if one has several hundred messages, all sent with the same key.
Using the kappa test (the fact that two unrelated plaintexts will have more identical
characters in corresponding positions than two sequences of random letters, which will
have one coincidence for every 26 letters), one can group together messages with the
same displacement from the row with the plaintext message.
Once this is done, and if one had enough messages to work with, frequency counts can
be used for each position.
After the war, a further improvement was made to the strip cipher. In addition to a daily
order for the strips, keylists also gave a table with a column number (or a blank) under
each of the 26 letters. A random set of five letters was chosen for each message; the
column numbers in the frame corresponding to these letters were not used to encipher
that message. These were called "Channel Elimination Numbers", and the numbers
where the numbers of positions in the frame, not strips. (Since which strip went in which
column was also part of the same daily key, this was important operationally - for ease of
sending different messages, each with its own indicator, during the one day, not
cryptographically.)
As this essentially varied the key for every message, it prevented the statistical attack
outlined above.
The Bazeries cylinder relies on the input plaintext being plaintext, with some
redundancy, so that it can be found. Of course, if one allows expanding the text with an
extra letter, or using a pre-arranged scheme to pick the ciphertext row, variations of the
cipher method can be designed without this limitation, and therefore useful for the
subsequent encipherment of ciphertext.
The following diagram, showing a different kind of strip used for this type of
encipherment:
retains the limitation, while reducing it somewhat. The plaintext SEND MONEY is
being enciphered to the numerical ciphertext 345589628759, and its redundancy is being
reduced in the process by the same amount as a straddling checkerboard would do so.
The principle involved is that a plaintext letter, if found on the right side of the strip, is
represented by that single strip; otherwise, two strips, the first with the symbol > or >>
on the right-hand side, and the second with the plaintext letter in the first, or second,
column on the left-hand side are aligned to represent that letter.
Such a method, though, is only practical if, at least with practice, the row containing
plaintext "leaps out" at the eye of the decipherer.
In the diagram above, the first row contains the nonsense string OGOSRIERH, while the
second one contains the desired plaintext SENDMONEY, and the third contains
YORNEPCF, but that does seem to take some effort to see.
Next
Chapter Start
Table of Contents
Main Page
The Kryha Cryptograph

The Kryha cryptograph had a number of variations. It had two disks, each with a
scrambled alphabet that could be changed by the user. One disk moved for each letter
enciphered. The movement was controlled by a pinwheel; if there were, on the
pinwheel at one place, five teeth out followed by one pushed in, then that caused the
moving disk to move five places forwards for one letter.
An earlier model used a fixed gear, which caused the following movements, in order:
7 6 7 5 6 7 6 8 6 10 5 6 5 7 6 5 9
Essentially, the cipher it produced was similar to a progressive-key encipherment with

a keyword and mixed alphabets. Although it took W. F. Friedman only a few hours to
solve a message enciphered on one of these machines, the principles required are
already beyond those normally dealt with in books on cryptanalysis aimed at amateurs
and beginners.
Although the version of the machine solved by W. F. Friedman in "2 Hours, 41

Minutes" (the title of the chapter in Machine Cryptography and Modern Cryptanalysis
by C. Deavours and L. Kruh discussing the Kryha machine) appears to have been the
fixed-gear version, since Friedman was not given the machine to examine, he did not
have the opportunity to solve its cipher even more quickly, as in that case, only 17
trials would have been needed to sort the letters of the test message into
monalphabetically-enciphered groups.
Next
Chapter Start
Table of Contents
Home Page
The Hill Cipher

This cipher was once implemented in the form of a machine using gears and chains like
those used with bicycles. That, and the fact that it is impractical for hand use, while it
predates the computer age, has caused me to put it in this section, although the
appropriateness of this choice is also doubtful.
Supposing you are given the following problem to solve:
2x + y = a
x - y = b
and you want to find out what x and y are in terms of a and b.
The steps you can take to find it are the following:
You can add or subtract a multiple of one equation from another.
You can multiply one of the equations by a number.
You can change the order of the equations.
That last step may seem trivial, but it is included for completeness.
You can make a chart to save you copying the letters x, y, a, and b every time you
perform a step:
x y a b
-------------
2 1 | 1 0
1 -1 | 0 1
and the rows of this chart can be treated like the equations were. In this case, one might
proceed as follows:
x y a b
-------------
2 1 | 1 0 2x + y = a
1 -1 | 0 1 x - y = b
3 0 | 1 1 3x = a + b
1 -1 | 0 1 x - y = b
3 0 | 1 1 3x = a + b
-3 3 | 0 -3 -3x + 3y = -3b
3 0 | 1 1 3x = a + b
0 3 | 1 -2 3y = a - 2b
Of course, the last step of multiplying each row by 1/3rd (or, equivalently, dividing
each row by 3) is still to be taken. I've avoided it here, to omit dealing with fractions.
If one works with numbers in modular arithmetic, particularly if the modulus is not a
prime number, the rules change slightly.
If you add or subtract a multiple of one of the equations from another, you can still use
any multiple, since a multiple of zero is the same as doing nothing, and so since that
does not destroy information, neither will using a number that is not relatively prime to
the modulus.
When multiplying a single row by a number, however, you cannot use a number unless
it is relatively prime to the modulus. The Hill Cipher deals with modulo-26 arithmetic,
and so in addition to zero, 13 and all the even numbers are disallowed for this
manipulation.
Enciphering in the Hill Cipher is the same as finding a and b given x and y, where x
and y are numbers from 0 to 25 substituted for two letters of a digraph being
enciphered, and deciphering is solving for x and y given a and b.
Note that not all systems of linear equations can be solved, and you must choose one
that has an inverse. One way to do this is by performing the manipulations allowed for
finding an inverse on a square with zeroes everywhere except along the diagonal, since
this will always result in a square that can be brought to that form by these same
manipulations.
Also, the square formed by the coefficients of this kind of equation is called a matrix.
The act of finding a and b for x and y, using the original form of the equations which
directly give a and b as functions of x and y, thought of as an operation using the
square of numbers we began with in the x and y columns (called a matrix) is called
multiplying the vector (x,y) by the matrix to get the vector (a,b). The square
representing x, y, and z or a, b, and c on one side of a set of equations, with a 1 at the
start of the first row, in the second place in the second row, and so on, with zeroes
everywhere else, is called the identity matrix, since if a=x, b=y, c=z, then finding a, b,
and c for x, y, and z gives you the same numbers.
The linearity in the Hill cipher is its weak point. So a scrambled alphabet for
converting letters to numbers needs to be used, and it is important to remember that
that scrambled alphabet is a very important part of the key.
Next
Chapter Start
Table of Contents
Home Page
The RED Machine

A rotor machine usually uses a disk with 26 contacts arranged in a circle on each side.
When the rotor moves, the contacts on both sides of it advance.
A rotor which had 26 contacts in a circle on one side, and a spindle with 26 contact
strips on the other side, is always sure, when it moves, to take each letter to a different
substitute. Such a rotor is called a half-rotor, and the Hagelin B-211, which we will
meet later, uses such rotors as well.
The Japanese cipher machine which was codenamed RED by American codebreakers
behaved as if it consisted of two half-rotors, one with 20 contacts for 20 consonants,
and one with 6 contacts for 6 vowels, counting Y as a vowel. This property allowed
encrypted text to be pronounceable, thus allowing use of the commercial telegraph
system.
This division of the alphabet was perpetuated in the PURPLE machine, which was a
weakness of that machine, although it at least had a plugboard so that the six letters
handled by themselves could be any six letters.
Also, while American codebreakers built their own RED work-alikes that really did
have two half-rotors, the actual machine used by the Japanese had only one half-rotor;
the spindle had all 26 strips, and the wheel face had two sets of 60 contacts, one wired
with the same scramble of 20 characters repeatedly, and the other wired with the same
scramble of the other 6 characters repeatedly.
The 60-contact wheel usually moved one step for each character enciphered, but not
always. Its motion was controlled by a 47-position gear or pinwheel. Only eleven of the
teeth could be disabled, including four adjacent pairs of teeth.
When an enabled tooth is active, the rotor advances one position for the letter currently
enciphered.
When a disabled tooth is encountered, the rotor also advances one position, but the 47-
position gear continues to advance for the current letter. Thus, occasionally the rotor
will move two or even three positions when a letter is enciphered, but it will always
move exactly 47 positions for each cycle of the 47-position gear. That cycle will take
less than 47 letters, one less for every disabled tooth.
Next
Chapter Start
Table of Contents
Home Page
Reihenschieber
This device really belongs among the paper-and-pencil systems. But it is placed here in consideration of the fact
that, briefly, from 1958 to 1960, it was considered adequate to safeguard even top secret material.
The Reihenschieber resembled a slide rule in shape. Ten square sticks, taken from a set of 26, were placed in it, and
a grille slid along the device.
The 26 sticks that came with the device were each labelled with a letter of the alphabet. Which ten sticks to use in
the device was determined by the daily key, a sequence of ten different letters. Each stick had ten dimples on each
of its four sides, which allowed it to be placed between the Reihenschieber's rails in ten positions. These were
determined by another daily key, this time of ten digits. The ten digits (with the last one repeated to make an
eleventh digit) were used to encipher a five letter area indicator, which was sent with the message, repeated twice
using the same method that the digits the Reihenscheiber generates are used to encipher messages: each digit
indicates the column in a table containing the enciphering alphabet, and in addition the following digit, depending
on whether it is low (0-4) or high (5-9), selects one of two tables.
The sticks were printed with random sequences of digits, interspersed with the odd dot. The dots were ignored when
encountered, being present to make the sequence of digits produced by the device irregular. To the left of these
digits, there was an expanse with some letters and blank spaces; this expanse contained each of the 26 letters once
in an area 10 characters long on the four sides of the stick. The ten letters, generated from the ten digit key called
the "message key", were placed in a line, and thus these 10 letters specified both the horizontal placement and the
side which was to be uppermost, for each stick.
A frame that held grilles on the front and back (the strips were also printed with digits on the back) slid along the
device like the cursor on a slide rule. With each month's supply of key material, three sets of grilles were supplied,
each for use for a period of 10 or 11 days. As the strips ran along the device, going from left to right, the numbers
the device produced were those read out from the grille vertically, first from top to bottom, and then from the
leftmost column to the rightmost column. After reading out the digits shown at one slide position, the slide was
flipped over to read the numbers showing on the back as well before the slide was advanced along the ruler for the
next group of numbers. The grilles had 10 columns; the article which is my source claims they had 25 holes, but
gave an example with 26.
The grille could be slid through 52 positions, labelled first with the lowercase alphabet and then the uppercase
alphabet. The first position used was the one with the lowercase letter corresponding to the last letter of the
enciphered area indicator as used to slide and rotate the ten sticks.
Therefore, the Reihenschieber looked something like this:
____________ ______________
______| |___________________________|
/ | | |_
| | | abcdefghijklmnopq| ----------
---------------| |---------------------------| | - -|
|X u ae l pr| | 1701.5433.626.90512.3| | |7| |4|
---------------| |---------------------------| |- - - -|
|E i qj| |ooo 849.216.55.1034.2| |6| |.| |
-------------| |---------------------------| |-- -- - |
|G m uwi o| |o 65.20473.12.9.14516| ||4| |.||3||
-------------| |---------------------------| | - - - -- |
|P a| |ooooooo 9.250.3961490| | |0| |7| |
------------| |---------------------------| |- - - - -|
|V oi u xm| |oo 131.6150492.747318| |9| |2| |5|
--------------| |---------------------------| |-- - --|
|A py x q r| | 24619.43.529.6565.34| ||.| |5||.||
--------------| |---------------------------| | -- - -- |
|W hwm z| |oooo 5.1693.40453.112| | |.| |3| |
------------| |---------------------------| |- - - - |
|C i eqrl| |oo 87.21295.306172.91| |4| |3| |
------------| |---------------------------| |- - -- -|
|T c| |oooooooo .40541.331.6| | |1||.||8|
-----------| |---------------------------| | - -- - --|
|J u mtnw| |oooo 259.10129.6542.3| ||8||4| |1||
-----------| |---------------------------|_ | - - - |
| | | abcdefghijklmnopq| ----------
\______| |___________________________|
|____________| |______________
and in the position shown, the encipherer would read off the digits 6944870142537331458 for use in enciphering.
The slide continues on like this:
_____
|_____________________________________
| \
-- |IJKLMNOPQRSTUVWXYZ |
-| |----------------------------------------
|4| |802.1221607.435549.2076.24391462 EF|
-| |--------------------------------------------
| |.4335.20623.49.17029.33406.415.3307. EF|
- | |--------------------------------------------
Also, the four sides of one of its sticks would have looked something like this:
---------------------------------------------------------------------------
|A py x q r oooooooooo 24619.43.529.6565.3471.52.403569.19382.1
---------------------------------------------------------------------------
|A u mvjo zt oooooooooo .95190.317.45602.12995.138.440.27061.630
---------------------------------------------------------------------------
|A ek lbd c s oooooooooo 437.1512.44691.703977.69.405631.29331.95
---------------------------------------------------------------------------
|A nh gfi aw oooooooooo 2026.19.5113.4072.6198.20541.35622.9271.
---------------------------------------------------------------------------
The A at the left end indicated which square stick it was; on the other end, a code of two capital letters indicated
which set of sticks a stick belonged to. There are 52 usable positions for the grille; as the grille is 10 columns wide,
and there are 10 possible horizontal positions for the slide, the area of numbers and dots is 52 + 9 + 9 or 70
characters long.
Thus, the Reihenschieber did not encipher text directly. It simply was used to generate a stream of digits, which was
used as a key.
The digits were used to encipher text using a table of twenty alphabets, organized as two tables of ten alphabets.
One digit was used per letter to be enciphered; the digit picked one of the alphabets from a table; which table was
decided by whether the next digit (which will later be used to encipher another letter) was high (5-9) or low (0-4). A
new set of tables was provided each month.
My source for the information in this section is an article from the April 1996 issue of Cryptologia. The author,
Michael van der Meulen, had also done a few previous articles on German paper-and-pencil systems.
Comments on the Reihenschieber

The Reihenschieber as described here is certainly an interesting and unusual type of device. It is possible that the
old cipher device known as Ducros' Scotograph was somewhat similar to this, rather than being a variant of the
Bazeries cylinder as usually thought. And a device of this type has the potential to be quite secure.
But the Reihenschieber as described here seems to have some flaws that reduce its potential security.
● The grille has more than 10 holes. Although the dots on the sticks help, this still means that digits will repeat
at almost regular intervals.
● Of the forty possible positions for each stick, only 26 are ever used. This would not be a problem if the sticks
were frequently replaced, but they are part of the "hardware" of the device.
● The "area key" is the only thing that varies the keying of one day's messages using the same key list. There
is no indicator that varies randomly with each message.
● There is no reason for the message key not to consist of eleven digits, even if the last one need only be either
0 or 5. Or, for that matter, why not twelve digits, so that the starting position of the grille can be derived
separately.
If one is ambitious, one might even advocate using a monthly table with 100 alphabets, and using two digits to
encipher every letter, rather than using 20 alphabets (a number less than 26, and therefore also dangerous).
Next
Chapter Start
Table of Contents
Home Page
The A-22 Cryptograph

This cipher machine was a simple one of purely mechanical construction, but it
produced a cipher with a long period.
A drum, containing 29 mixed cipher alphabets, advanced two positions each time the
machine was used to encipher a letter.
An alphabet in normal order contained the plaintext letters. A window high enough to
expose two of the alphabets on the drum was present on the device. The plaintext
alphabet was moved in an irregular sequence to cover either the top or the bottom
alphabet of the two on the drum that were behind the window, but whether the normal
alphabet was the high one or the low one, it was always the one used for plaintext.
Thus, the movement of the bar with the plaintext alphabet simply controlled which of
two of the 29 cipher alphabets would be used at each step.
The irregular movement of this bar was controlled in two steps. First, a 25-pin
pinwheel advanced with each letter enciphered. Active pins on this pinwheel advanced
a chain with a variable number of links; some of those links were shaped to call for the
plaintext alphabet bar to be in its lower position, some were shaped to call for it to be
in its higher position.
Unfortunately, the cipher produced by this machine as described so far is quite weak; if
one knows that an A-22 has been used, one simply divides the encrypted message into
groups of 29 letters. Then, for each column of letters at that spacing, only two
alphabets are used, and this fact diminishes the benefit of the elaborate mechanism
devoted to alternating between those two. Instructions provided with the machine,
however, suggested advancing it two or three steps after enciphering some letters;
those who went to this extra effort would have obtained a greater degree of security.
Next
Chapter Start
Table of Contents
Home Page
The Hagelin Machines

Although the Swiss firm founded by Boris Hagelin has manufactured, and continues to
manufacture, many kinds of cipher machine, the words "Hagelin machine" will
normally inspire thoughts of their unique lug and pin based machines.
The basic principle of a Hagelin lug and pin machine is easy enough to describe. In the
C-38, used by the U.S. Army as the M-209, six pinwheels, with 17, 19, 21, 23, 25, and
26 positions on them, can be set by the user with an arbitrary series of pins that are
active. For every letter enciphered, all the pinwheels rotate one space.
The combination of active and inactive pins is presented to a cage with 27 sliding bars.
Each bar has two sliding lugs on it, which can be placed either in a position where it is
inactive, or in a position corresponding to any of the pinwheels, so that it will slide the
bar to the left, if the pin currently presented by that pinwheel is active.
The number of lugs sticking out rotates the cipher alphabet against the plaintext
alphabet. The two alphabets used are just the regular alphabet, and the alphabet in
reverse order, from Z back to A. This meant that encipherment was reciprocal,
although the machine still had a switch to select encipherment or decipherment: this
determined if the machine printed its output in five letter groups, or if it translated one
letter, chosen by the user, to a space.
The C-52, a postwar version of the Hagelin lug and pin machine, added an extra five
sliding bars to the cage that, instead of moving the cipher alphabet, caused the stepping
of the pinwheels to be irregular. The first pinwheel always moved, but the remaining
five pinwheels only moved when their corresponding bars were slid to the left. The six
pinwheels were labelled A, B, C, D, E, and F from left to right; bar 1 controlled
pinwheel B, bar 2 pinwheel C, and so on.
Also, on the C-52 the lugs could be moved from bar to bar, and the six pinwheels were
chosen from a set with lengths 25, 26, 29, 31, 34, 37, 38, 41, 42, 43, 46, and 47. Using
the pinwheels with lengths 34, 38, 42, 46, 25, and 26 allowed one to achieve
compatibility with the C-36: provided one also turned off the irregular pinwheel
stepping feature.
The alphabet always started from its normal position, instead of the position last used,
before being rotated by the projecting slide bars. This was perhaps the machine's main
weakness, as it made attacks based on frequency counts of displacements possible, but
it was perhaps unavoidable, since there was always a slight possibility of occasional
mechanical errors. Particularly as the machines were often used on battlefields.
In setting the lugs on the sliding bars, it was important to put many lugs for some
pinwheels, and few lugs for others, so as to get an even distribution of displacements:
basically, although some bars with two lugs active were desirable for irregularity, the
arrangement needs to approximate a binary coding of the active pins - that is, one
pinwheel might have only one lug facing it, another two, another four, and another
about eight, and another about thirteen or so.
For the C-52, in setting up lugs on the first five bars, it was important to ensure
frequent movement of the pinwheels.
Next
Chapter Start
Table of Contents
Home Page
Simple Cryptanalysis of the Basic Lug

and Pin Machine
Although the Swiss firm founded by Boris Hagelin has manufactured, and continues to
manufacture, many kinds of cipher machine, the words "Hagelin machine" will
normally inspire thoughts of their unique lug and pin based machines.
The basic principle of a Hagelin lug and pin machine is easy enough to describe. In the
C-38, used by the U.S. Army as the M-209, six pinwheels, with 17, 19, 21, 23, 25, and
26 positions on them, can be set by the user with an arbitrary series of pins that are
active. For every letter enciphered, all the pinwheels rotate one space.
The combination of active and inactive pins is presented to a cage with 27 sliding bars.
Each bar has two sliding lugs on it, which can be placed either in a position where it is
inactive, or in a position corresponding to any of the pinwheels, so that it will slide the
bar to the left, if the pin currently presented by that pinwheel is active.
In this section, we will examine how messages sent on the original C-38 machine could
be cryptanalyzed, in the simplest case. That is, I will assume that a large number of
intercepts for a given day (or whatever period intervenes between key changes) are
available, and that the message indicator, giving the initial positions of the pinwheels,
is not encrypted (or, which is the same thing in practice, any method of encryption used
for the pinwheel position has been revealed to the cryptanalyst by some other method
of intelligence).
The first thing to do is to find a pair of messages that have pinwheel settings that
overlap. To find overlaps, the first step is to convert a pinwheel setting into a number in
the sequence of pinwheel positions that the machine experiences. (Note that when the
machine was improved to have an irregular pinwheel motion, this approach could not
be used; overlaps could still be found, but then one would have to perform kappa tests
on every pair of messages, a tedious process requiring automated assistance.)
Such conversion relies on the Chinese Remainder Theorem: given a series of integers,
such as a, b, and c, which are all relatively prime to one another, the remainder of a
number after division by a, b, and c is sufficient to uniquely identify that number if it is
known to be within a range of length a times b times c.
Thus, for example, the numbers 1 through 15 have different remainders modulo 3 and
modulo 5:
1 | 1 1 6 | 0 1 11 | 2 1
2 | 2 2 7 | 1 2 12 | 0 2
3 | 0 3 8 | 2 3 13 | 1 3
4 | 1 4 9 | 0 4 14 | 2 4
5 | 2 0 10 | 1 0 15 | 3 0
How can we quickly convert a pair of remainders to the number it is associated with,
without performing a table lookup? Basically, we can take one remainder as is; the
remainder modulo 5 tells us something we will need to know to find the number. But
we then want to use the other remainder, the one modulo 3, to tell us how many times a
whole 5 needs to be added to this remainder.
How might we do this? Looking at the way the groups of five numbers start, it seems
that the difference between the two numbers might be considered. That difference is:
1 | 1 1 0 6 | 0 1 -1 11 | 2 1 1
2 | 2 2 0 7 | 1 2 -1 12 | 0 2 -2
3 | 0 3 -3 8 | 2 3 -1 13 | 1 3 -2
4 | 1 4 -3 9 | 0 4 -4 14 | 2 4 -2
5 | 2 0 2 10 | 1 0 1 15 | 3 0 3
From this, it can be seen that if we take the difference modulo 3, it nicely separates the
numbers into three groups of five, but we have to shift to starting with 0, as is only to
be expected, since the remainders modulo 15 run from 0 to 15.
Since 5 modulo 3 is 2, the difference increases by 2 for each group of 5.
Thus, the rule, which can be applied repeatedly to convert a group of several
remainders to a remainder modulo their product, is:
Given two prime numbers, A and B, where A is less than B, and the remainders
modulo those primes, a and b, of an unknown number, the remainder of that number
modulo AB is determined as follows:
● Let k equal a minus b, modulo A.

● Divide k by the value of B modulo A, and call the result m.
● The remainder of our number modulo AB is b plus m times B.
Once we have found two overlapping messages, the second step is to solve for the
plaintext of those messages over the extent of the overlap. Because the machine
produces successive shifts of a known alphabet, we know that the distance between two
ciphertext letters at a given position corresponds to the distance between the two
plaintext letters they represent, so for each position, we have only 26 out of 676
possibilities to consider for two letters. (Remember, the plaintext alphabet and the
cipher alphabet are the normal alphabet and the reversed alphabet, and the distances
between letters must be considered in their own alphabets.) Eliminating pairs which
have an uncommon letter in either position narrows down the possibilities for each
letter in each message.
For a machine like the Sigaba, which produces a different alphabet for each letter, an
attack at a "depth of two" is probably impossible without much additional information.
Having some plaintext and corresponding ciphertext, we can derive from that the series
of displacements generated by the operation of the lugs and pins over the part of the
sequence of pinwheel positions in question.
At this stage, one can apply sophisticated techniques, which have been described
elsewhere, to attempt to reconstruct the lug and pin settings of the machine. In order
that different combinations of active and inactive pins will tend to produce different
numbers of shifted lugs (different displacements of the alphabet), the lugs need to be
distributed among the positions corresponding to pinwheels in a manner that assigns
different weightings to the different pinwheels, resembling, but not identical to, the
weighting of binary numbers (16, 8, 4, 2, 1). Thus, if one looks for large displacements
and how they alternate with small ones, one may find a pattern that indicates where the
lugs are on at least one pinwheel.
The third step is to find messages which have an almost overlap. A list of all the
pinwheel positions in the overlap will help with this; it can be compared to the start and
end pinwheel positions of other messages (and middle positions, if the other messages
are long enough, and the overlap is short enough). An almost overlap is a span of
letters in a message where the positions of five of the six pinwheels have matching
positions to the pinwheels enciphering the (full) overlap sequence with which it is
being compared.
Since each pinwheel contributes only a single bit of input to the cage which determines
the displacements (note that for a computer version of this type of cipher, which
XORed together whole bytes in lists of differing length as input to an S-box, this would
not work), half the time, the displacement would match that of the displacement in the
message with which the almost overlap exists. So, a trial decipherment can be made
using those displacements, and it should not be hard to pick out the half of the letters
that are right. This gives information on whether a pin in one position on a pinwheel
has the same active or inactive state as a pin somewhere else.
Multiple almost overlaps involving the same odd pinwheel allow reconstruction of the
pinwheel; so does the fact that an extra active pin results in an increased displacement
(although there are exceptions to that rule once the cage has more than 25 lugs in it).
Constructing a table with 64 entries (corresponding to the combinations of active and
inactive pins) giving displacements is sufficient to read messages, although it is
doubtless possible to reconstruct the lug settings from the displacement table.
Next
Chapter Start
Table of Contents
Home Page
The Hebern Rotor Machine, and PURPLE

The rotor machine is what many people will think of when they think of a cipher
machine. And the most straightforward type of rotor machine is the one invented by
Edward Hebern, in the United States.
Here's a very crude artistic impression (in ASCII-Art, yet!) of what this beautifully-
made machine looked like:
___
___ '-.
_ ___ '-. \
_ o\_____ ___ '-. \ |______
_ \ | ___ '-. \ | _/\
_ o\ | ___ '-. \ | _/ _ |
/ \ ___ '-. \ | _/ _/o\ \
| O | ___ '-. \ | _/ _/o | |
_/| |.-' '-. \ | _/ _/o o \ \
_/ / \ | _/ _/o o o | |
/_______| |_____ _/ _/o o o _/ _/ === ===
| .-. | /o o o _/ _/ === === ===
| /-. )_________ \ \ o o _/ _/ === === ===|
| ( )________ \ | | o _/ _/ === === ===| |
| \_________ \ ) \ \o _/ _/|=== === ===| |_|
| | ( ) | |/ _/|__|| || || |_|
| .-. | |'-' \ _/|____||__||__||_|
| ( ) _|____|_ | | | |___|
| '-' \ / | |_____|---
| \_____======O===========O/
|________________________________|/
The Japanese cipher machine the American solvers of which called it PURPLE didn't
have any rotors in it, but instead used telephone stepping switches. However, in some
ways, it was still closely related to a rotor machine, and so it will be discussed here as
well.
While the term code as distinct from cipher sometimes refers to a substitution on words
and phrases as distinct from one on letters or digraphs, and sometimes (as in "Morse
code", "Hamming code", or "Huffman code") seems to be applicable to any fixed
substitution, forcing me to employ it somewhat loosely, I have been fastidious in
restricting the use of the term "rotor machine" to cipher machines with wired rotors,
which operate by changing a substitution produced by wires inside the rotor to its
contacts when the rotor is rotated. Other cipher machines, operating on different
principles, but with rotating parts (such as the Hagelin lug and pin machines, or the
Lorenz SZ-40) which operate on entirely different principles, have occasionally been
referred to in print as "rotor machines". I wish to disparage this trend, as it would make
the term "rotor machine" much less useful, by causing it no longer to refer to a family
of cipher machines which all are based on a common cryptographic principle.
● Rotor Machine Basics

● The Interval Method
● The Isomorph Attack
● PURPLE, CORAL, and JADE
Chapter Start
Next Chapter
Table of Contents
Home Page
Rotor Machine Basics

A rotor is a small disk of insulating material, with perhaps 26 equally-spaced electrical contacts
in a circle on each side. The contacts on one side are connected to the contacts on the other side
in a scrambled order.
In Hebern machines, the contacts on the rotors were simply flat circles of metal; the machine
had ball contacts on springs to make contact with them. This allowed the rotors to be put in
upside down, for more possible keys. The Enigma, on the other hand, was built more cheaply;
the rotors had plain metal contacts on one side, and spring contacts on the other. This almost
halved the number of contacts needed, provided you didn't decide to use a new set of rotors.
A rotor provided a changing scrambled alphabet, by (you guessed it!) rotating. A rotor with 26
contacts on each side, each corresponding to a letter of the alphabet, that changed E to M before
rotating would now change D to L (or F to N, depending on the direction in which it rotated),
while E could become any other letter, depending on the way the different wire went that was
now brought into position to encipher it.
Note that the example given had the rotor moving "backwards" by default. If the rotors are
labelled with letters going in the same direction as the use of the input contacts, and they
advance so that the next letter in the alphabet becomes visible at a fixed position, the result will
be to move the contacts on the rotor to the input contacts corresponding to the previous letter
from the ones to which they were previously connected.
The five rotors on a Hebern machine came close to moving like the wheels of an odometer.
However, they did not move precisely in this way. There were fast rotors, which moved once for
every letter enciphered, medium rotors, which moved once for every 26 letters, after a carry
from the fast rotors, and there were slow rotors, which moved once after 650 (rather than 676)
letters were enciphered. And there could also be rotors that didn't move at all, except that they
could be set by hand before encipherment began. Some versions of the five-rotor Hebern
machine had control levers, which determined which rotors moved each way.
The 'carries' between rotors were handled by ratchet gears that were at the two ends of the shaft
carrying the rotors. The reason for the slow rotors moving after every 650 letters was because
the machine was designed to avoid having the slow rotor moving at exactly the same time as the
medium rotor, since having all the rotors move together seemed like a weakness.
A good picture of a Hebern rotor machine appears in the July, 1966 issue of Scientific American,
which has an article on cryptology by David Kahn.
The following diagram may illustrate a little about how a rotor machine works:
In the first section, we see the keyboard connected to a set of contacts, arranged in a circle,
forming the input to the first rotor. Often, the contacts are arranged so that the contacts on the
circle are in alphabetical order; the early commercial Enigmas were wired so that the contacts
matched the keyboard arrangement instead.
In the second section, I attempt to illustrate that the contacts on both sides of a rotor are
connected so that each contact on one side is connected to one contact on the other side, but in a
scrambled way.
In the third section, I follow the fate of the letter E through three rotors, before and after the one
in the middle advances one step. The path of electricity through the first rotor stays the same;
but the movement of the second rotor has brought a second wire into contact with the electricity;
the wire formerly used is shown as a dotted line in its new position. The third rotor has not
moved, but since the electrical current has left the second rotor from a different contact, a
different wire in that rotor is used also, the old one also shown as a dotted line, but this time in
the same position.
The Hagelin HX-63
One late rotor machine design that has become known to the public is that of the Hagelin HX-
63, which was offered for sale in the early 1960s, but was quickly phased out by electronic
cipher devices.
It had nine rotors, each with 41 contacts. As it enciphered a 26-letter alphabet, wires looped 15
of the rotor bank's output contacts back to its input.
There were two plugboards with the machine; one scrambled the 26 plaintext letters on input,
and another scrambled the 15 loopback connections. (It is somewhat surprising that a plugboard
scrambling the plaintext on input was chosen over one scrambling the ciphertext on output: it
would seem the latter would provide better protection against cryptanalysis, for the same reason
that a Type II slide is to be preferred over a Type I slide.)
The following diagram illustrates the wiring of an HX-63, showing the wires that are looped
back and the plugboards:
It is described as having a "very irregular" motion of the rotors, and each rotor had a set of 41
switches the setting of which would vary the effective wiring of that rotor.
Although I do not know what wiring scheme was chosen for those switches, one possibility
might be something like this:
Friedman Squares and Symmetry of Position for Rotors
The alphabets produced by a single rotor in its various positions can be shown in a tableau
similar to those used for Vigenere; such a table would look like this:
Rotor
position Plaintext
| A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
-----------|-----------------------------------------------------
A | L N K Y U W Z J X H E I A O G S P V C T D R B Q F M
B | M J X T V Y I W G D H Z N F R O U B S C Q A P E L K
C | I W S U X H V F C G Y M E Q N T A R B P Z O D K J L
D | V R T W G U E B F X L D P M S Z Q A O Y N C J I K H
E | Q S V F T D A E W K C O L R Y P Z N X M B I H J G U
F | R U E S C Z D V J B N K Q X O Y M W L A H G I F T P
G | T D R B Y C U I A M J P W N X L V K Z G F H E S O Q
H | C Q A X B T H Z L I O V M W K U J Y F E G D R N P S
I | P Z W A S G Y K H N U L V J T I X E D F C Q M O R B
J | Y V Z R F X J G M T K U I S H W D C E B P L N Q A O
K | U Y Q E W I F L S J T H R G V C B D A O K M P Z N X
L | X P D V H E K R I S G Q F U B A C Z N J L O Y M W T
M | O C U G D J Q H R F P E T A Z B Y M I K N X L V S W
N | B T F C I P G Q E O D S Z Y A X L H J M W K U R V N
O | S E B H O F P D N C R Y X Z W K G I L V J T Q U M A
P | D A G N E O C M B Q X W Y V J F H K U I S P T L Z R
Q | Z F M D N B L A P W V X U I E G J T H R O S K Y Q C
R | E L C M A K Z O V U W T H D F I S G Q N R J X P B Y
S | K B L Z J Y N U T V S G C E H R F P M Q I W O A X D
T | A K Y I X M T S U R F B D G Q E O L P H V N Z W C J
U | J X H W L S R T Q E A C F P D N K O G U M Y V B I Z
V | W G V K R Q S P D Z B E O C M J N F T L X U A H Y I
W | F U J Q P R O C Y A D N B L I M E S K W T Z G X H V
X | T I P O Q N B X Z C M A K H L D R J V S Y F W G U E
Y | H O N P M A W Y B L Z J G K C Q I U R X E V F T D S
Z | N M O L Z V X A K Y I F J B P H T Q W D U E S C R G
This kind of table, for a rotor, is called a Friedman square.
Just as a Vigenere table has a regularity, in that it shows the same alphabet in its rows (and
columns) repeatedly, only shifted, here a regularity is visible as well, but it is subtler: the
diagonals of this square are shifted regular alphabets.
A powerful technique, symmetry of position, is used with polyalphabetic ciphers produced by

mixed-alphabet slides. Since this table also has regularities, the same technique can be adapted
to its structure.
In a mixed-alphabet Vigenere, if the letters A and B become Q and V in one alphabet, and T and
R in another, then Q and V are separated by the same distance as T and R in the cipher alphabet.
In a rotor machine where the entry rotor is the fast rotor, the principle is the same, except now if
the fast rotor has moved one position between the two alphabets, the comparison would be
between A and B becoming Q and V in one position, and Z and A becoming T and R in the
other position.
So in this case, the two mixed alphabets being considered are the one provided by the fast rotor,
and the one provided by the other rotors. The shifts of the fast rotor need to be compensated for
in the input. Similarly, if the output rotor were the fast rotor, the shifts would be adjusted for in
the ciphertext letters.
What about the case when the input and output permutations to a rotor are both unknown? For
example, when the fast rotor is in the middle of a stack of five rotors. At first, it might seem
hopeless to apply symmetry of position to that case, because there seems no way to tell when an
input or output in one case involves the same wire in the moving rotor or not as in another case.
But there is a way to apply symmetry of position in this case, given enough text with
overlapping key settings. Incidentally, if the entry and exit alphabets of the rotor machine as a
whole are known, in the case we are considering, where rotor 3 is the fast rotor, positions where
rotors 1, 2, 4, and 5 are all displaced by the same amount, the known plaintext, known
ciphertext, and fast rotor position can all be translated to permit including known plaintext from
such a key setting for comparison.
One thing is assumed to be known, the position of the rotor being examined, which advances
one step each time while the other rotors do not move.
With nearly complete alphabets, some progress can definitely be made in this case.
Another possibility does not produce certain results, only probable relationships.
Suppose that in position 1 of the rotor under study, plaintext A becomes ciphertext B; in position
7 of the rotor under study, plaintext C becomes ciphertext B; in position 11 of the rotor under
study, plaintext C becomes ciphertext D; and in position 14 of the rotor under study, plaintext A
becomes ciphertext D.
This creates a closed cycle of equivalents, separated by a given pattern of rotor displacements.
If we also knew that in position 2 of the rotor under study, plaintext W became ciphertext X; in
position 8 of the rotor under study, plaintext Y became ciphertext X; in position 12 of the rotor
under study, plaintext Y became ciphertext Z; and in position 15 of the rotor under study,
plaintext W became ciphertext Z, then we might think it likely that the two structures
correspond, and the same rotor wires are involved in corresponding steps of the two cases.
If so, then W precedes A, and Y precedes C, on the input side of the rotor, and X precedes B,
and Z precedes D, on the output side of the rotor, by exactly one position in each case.
Since all our elementary facts about the rotors are of the form perm(e-7)=R-7, that is, a
relationship between one plaintext letter and its equivalent for one particular rotor position, there
is no way to directly amass equations that can be used to solve for any direct facts about the
structure of the rotor as an unknown; instead, differences and patterns have to be relied upon.
Entry Into a Rotor System
Symmetry of Position is a technique that is used to reconstruct rotor wirings when a large
amount of information is available about the alphabets produced by a rotor. But how does one
get started attacking ciphertext produced by a rotor machine?
Let us assume the simplest case, where one knows the initial positions of the rotors for each
message, and where the fast rotor is the exit rotor. However, we can allow an unknown
assignment of the exit contacts from the rotor bank to the display or printer of the rotor machine,
and we will assume that only ciphertext is available.
With the exit rotor the fast rotor, one has stretches, 26 letters long, where the fast rotor, in its
different positions, is the only thing enciphering monalphabetically enciphered text. But each
stretch deals with text enciphered in a different monalphabetic cipher, so how can that help us?
The chance that two texts, enciphered independently, will have the same letter at any given
position, is 1/26. Two plain-language texts, or two texts enciphered in an identical manner by
means of a polyalphabetic cipher, will have a greater number of coincidences; aligning
messages on the basis of single letter coincidences is called the kappa test. But let us assume we
do not have any overlapping rotor settings to help us. How can the principle of the kappa test
help us?
Monalphabetically enciphered texts, even if they are not enciphered by the same monalphabetic
cipher, still have one thing in common: they have an uneven frequency distribution. In English,
the letter E makes up 12% of an average text, and the letter T makes up 9%. Twelve percent of
26 is just over three.
Thus, one can take our stretches of 26 enciphered letters, and compare them with each other.
When we find coincidences, it is likely that the monalphabetic substitutions which provided the
inputs to the fast rotor in both cases used the same letter or letters as substitutes for one or more
high-frequency plaintext letters.
Thus, in the ideal case, by coincidences we might find a number of stretches with many
coincidences with each other, and in each of the 26 positions in a stretch, the letter involved in
the most coincidences would be the substitute provided by the fast rotor for the particular letter
that, for most of those stretches, was the substitute for plaintext E produced by the rest of the
rotor machine.
Since there are several high-frequency letters in English, the result is not likely to be that easily
obtained; instead, there will be many possibilities, and the technique of symmetry of position,
above, will be one of the things used to narrow down the possibilities.

Next
Chapter Start
Table of Contents
Main Page
The Interval Method

If you could rotate only one side of a rotor, then you would be guaranteed that for each of the 26 possible positions, every
input letter would be connected to a different output letter. A special kind of rotor, called a half-rotor, can do this, by
having contacts in a circle on one side, and bands around an axle on the other side. But this kind of rotor is bulky and
expensive compared to a normal rotor. To ensure that moving a rotor through its possible positions will produce 26
alphabets that are as different as possible, a method called the interval method can be used in wiring rotors.
Edward Hebern originated this method himself; this perhaps is less surprising than it seems (one would, perhaps, have
expected the master cryptologist W. F. Friedman to come up with it, for example) when one considers that his first rotor
machine, made for use by users in the commercial world, only had one rotor in it.
Finding an interval method rotor sequence is related to solving the Eight Queens problem, except in this case the problem
involves a chessboard that allows one to move off any edge and then back on on the opposite edge, and the "queens" can
only move and capture along one diagonal, the same diagonal for all of them. A perfect solution is possible only on a board
of odd order; seven queens on a 7x7 board, nine queens on a 9x9 board, but for this modified problem, there is no solution
for eight pieces.
A simple proof of this fact depends on properties of triangular numbers. The nth triangular number is (n^2+n)/2. If n is an
odd number, this is a multiple of n, but if it is an even number, this is an odd multiple of n/2.
On both sides of a rotor, one wire is connected to each contact. So, if the wires are connected to each contact on the
opposite side, the sum of the displacements must be equal to zero, modulo the size of the rotor, since the wires are still
connected to contacts with the same numbers, contact 1 through contact n. If one tries to use all possible displacements
from 1 to n, (or from 0 to n-1, if you prefer) then for even n, the sum will be wrong.
Here is an example of an interval method wiring:
From: 1 2 3 4 5 6 7 8 9
To: 5 4 3 2 1 9 8 7 6
(Difference: 4 2 0 7 5 3 1 8 6)
An interval method wiring for an even number of contacts will have exactly one possible difference omitted, and one
repeated twice. Fortunately, while the above example of an interval method sequence is highly symmetrical, there are many
possible arrangements that satisfy the interval criterion, and most appear almost random.
Here is another example of an interval method wiring, this time for a 26-contact rotor:
From: A B C D E F G H I J K L M N O P Q R S T U V W
X Y Z
To: L N K Y U W Z J X H E I A O G S P V C T D R B
Q F M
(Difference: 11 12 8 21 16 17 19 2 15 24 20 23 14 1 18 3 25 4 10 0 9 22 5
19 7 13)
Here, only the difference of 6 is omitted, and only the difference of 19 occurs twice.
Note that it is the alphabet used for constructing an example of a Friedman square on the previous page.
Table of the number of interval method wirings
Ignoring rotations Ignoring rotations All

of the whole rotor of the whole rotor
and one side by
itself
1-contact rotors: - 1 1
2-contact rotors: 1 2 2
8-contact rotors: 32 256 2,048
9-contact rotors: - 225 2,025
10-contact rotors: 464 4,640 46,400
11-contact rotors: - 3,441 37,851
12-contact rotors: 8,768 105,216 1,262,592
13-contact rotors: - 79,259 1,030,367
14-contact rotors: 227,008 3,178,112 44,493,568
15-contact rotors: - 2,424,195 36,362,925
16-contact rotors: 7,814,144 125,026,304 2,000,420,864
17-contact rotors: - 94,471,089 1,606,008,513
where the number of odd-contact rotors in the third column is from integer sequence A006717 in the Handbook of Integer
Sequences, while the number of even-contact rotors is calculated by my own computer program. Note that, in the case of 2-
contact rotors, one does not multiply by n (which is 2) going from the second to the third column, because in that case the
arrangements are symmetric.
The same type of backtracking algorithm as is used to solve the Eight Queens problem was used in my program to generate
the numbers for even-contact rotors, but instead of trying various permutations of the output contact numbers from 1 to n, I
instead tried permutations of the set of intervals I was using. This let me exploit a symmetry (instead of considering all
possibilities for the duplicated and omitted intervals, I only needed to work with one), and divide the number of
arrangements I generated by n, as well as reducing the number of levels the program went through to build an arrangement
by one, since the two duplicate intervals of zero were fixed by an outer loop.
Next
Chapter Start
Table of Contents
Return to Home Page
Isomorphs
It is possible to break even the complicated cipher produced by a rotor machine.
Especially when only one rotor moves with every letter enciphered, that rotor is at
either the input or output end of the rotor machine, and no other rotor moves more
often than once every 26 letters.
Of course, having some cribs, that is, plaintext for a number of cipher messages, will
be helpful. As will cracking the 'indicator system', that is, the method by which the
sender notifies the recipient of the starting positions of the rotors for each message.
When only one rotor moves, and the rest of the machine stands still, and the moving
rotor is on the outside, then the only difference between the cipher applied for one such
period of 26 letters and any other is a monalphabetic substitution.
With enough overlapping cribs, one may be able to reconstruct little pieces of the fast
rotor relative to more than one of the monalphabetic substitutions produced by the
others, and it may even be possible to link these pieces together. As soon as it becomes
possible to nullify the effect of the fast rotor, messages become almost trivial to solve.
If you know the wiring of all the rotors, and you have some known plaintext, and the
fast rotor is on the outside, the procedure is to try each rotor, in all 26 rotational
positions as the fast rotor (this amounts to 130 trials for a machine with five rotors)
until you find one that produces a monalphabetic result. If the fast rotor is on the output
side, you use it to decipher the ciphertext. If it is on the input side, you use it to
encipher the plaintext. Either way, if the plaintext and ciphertext are made to match, so
that repeated letters in both match up, you have found an isomorph.
Note that while frequent or complicated rotor movement can make it impossible to
mount an isomorph attack, having the fast rotor in the middle of the rotor stack makes
such an attack more difficult, since one has mixed alphabets to deal with, and these will
not be the same in all messages, it does not make attacks based on this principle
completely impossible.
Next
Chapter Start
Table of Contents
Return to Home Page
PURPLE, CORAL, and JADE

The Japanese cipher machine which the American cryptanalysts codenamed CORAL is
perhaps the easiest to understand of the three.
All three machines were built from common telephone stepping switches. These
switches had six input wires. Each wire was connected to a wiper, and each wiper
could make contact with one of twenty-five terminals. All six wipers moved together,
and each one had its own set of 25 terminals to contact.
A solenoid controlled the movement of the wipers. When a current pulse was fed to it,
the wipers advanced one position, except that, if the wipers were already at position 25,
a spring caused the wipers to go back to the first position. Thus, although the 25
terminals were arranged in a semicircle, the switch acted as though they formed a full
circle, with stepping in only one direction.
In CORAL, a stack of five stepping switches did the same job as a rotor would do in a
Hebern rotor machine. 26 input wires carried current to 26 outputs, in 25 different
ways. The alphabets for each of the 25 wiper positions, unlike the alphabets for the
different positions of a rotor, were completely independent and unrelated.
JADE was just about the same as CORAL, except that it was used to encipher
messages written with the Japanese katakana syllabary, which has 48 symbols. Thus, it
added a shift key to the keyboard. The shifts weren't enciphered; only a 25-symbol
alphabet was, giving equivalents to the 48 kana and the two diacritical marks used with
katakana.
PURPLE, the earliest of the three machines, had a somewhat stranger structure. A
plugboard selected 20 letters of the alphabet to be enciphered through banks of four
stepping switches. The other six letters were enciphered by means of only one stepping
switch. This division of the alphabet was easily detected through frequency counts, and
was perhaps the most serious weakness of the machine. (Another very serious
weakness, and also a strong contender for the title of "most serious", was the fact that
the stepping switch banks were, for obvious reasons, not removable, so one could never
perform the operation equivalent to changing the rotor order.)
The following diagram:

attempts, with many parts omitted, to illustrate how PURPLE worked. The plugboard
reassigned letters for both input and output. The stepping switches only have fifteen
tick marks around them - representing the 25 contacts each wiper actually has. For only
one wiper position for each switch or bank of ganged switches, the scrambled
arrangement in which the wires are connected to corresponding wires in the next stage
are shown. However, the 20 versus 6 division is easily visible in the diagram, as is the
general arrangement of the device.
Next
Chapter Start
Table of Contents
Main Page
The Enigma
In 1974, the British government permitted the disclosure of the story of the
decipherment of the German Enigma cipher machine in World War II. That the Enigma
had been broken by the Allies in World War II, however, was not in fact secret up until
that time; the account of the capture of the German U-505 submarine in David Kahn's
book The Codebreakers from 1967 notes not only that a German cipher machine was
captured along with its monthly keys, but that messages on machines of this type were
already being read, "with the help of a mass of machinery that filled two buildings".
Also, the book "The Broken Seal" by Ladislas Farago referred to a meeting between
British and U.S. representatives to discuss a swap of American information on
PURPLE for British information on the Enigma (the Americans were generous, but
went away empty-handed at the time, but Britain very shortly thereafter relented, as
later revealed). But only after 1974 did the details of this cryptanalytic feat emerge.
Despite some continued secrecy, it can fairly be said that the cryptanalysis of the
Enigma is the only case in which not merely the story of an isolated cryptanalytic
success, but instead the ongoing saga of coping with changes in a cipher system, has
become public.
Because of the intense concern in the United States about whether or not the Japanese
bombing of Pearl Harbor could somehow have been prevented, it was officially
revealed quite shortly after the war that cryptanalysts working for the U. S.
Government and Armed Forces had solved both Japanese codes and Japanese ciphers,
including the cipher produced by the so-called "PURPLE machine".
Had this not been the case, perhaps this would have been kept secret for the same
amount of time as the British success in cracking the cipher of the Enigma machine, as
a result of the normal reticence of nations concerning matters relating to an activity of
such high sensitivity.
As well, given the role of Polish nationals in the early part of the Enigma story, a
genuine concern to avoid any of them still residing in Poland being summoned for, at
the least, debriefing, may well have been a consideration. As to the sale of used
Engimas, I would think that the rule of caveat emptor, rather than any imputation of
fraud, would be applicable.
Starting with the commercial Enigma C, the Enigma differed from other rotor
machines (although, later, the British Typex and a commercial machine from Ottico
Maccina Italiana were based on it) in that the electrical signal for a plaintext letter did
not just go in one end of the rotor stack and out the other, but also was sent back to go
through the rotors the other way by a reflecting rotor.
This strengthened the cipher in some ways, but also gave it important weaknesses. And
it also meant that quite a number of unique cryptanalytic techniques were developed
for the Enigma which were specific to it. In comparison, CORAL, although a more
difficult target, would still be approached with almost the same techniques as would be
used against a Hebern rotor machine, with the exception that the unrelated nature of the
alphabets provided by a stepping switch increased the amount of text required for
applying those techniques.
● Basic Principles of the Enigma

● The Uhr Box
● The Enigma A and Enigma B
● Relatives of the Enigma
● Cryptanalysis of the Enigma
❍ Cliques on the Rods
❍ Indicators and Jefferys Sheets
❍ The Bombe and the Diagonal Board

Chapter Start
Table of Contents
Return to Home Page
Basic Principles of the Enigma

The Enigma had a stack of three or four normal rotors, not in principle unlike those in a Hebern machine.
They had 26 contacts in a circle on each side, those on one side were connected in a scrambled order to
those on the other, and the rotors moved to vary their effects on the alphabet.
There was a mechanical difference: the rotors had plain contacts on one side, and spring-loaded contacts on
the other. A Hebern machine had only plain contacts on its rotors, and the machine itself therefore needed
twice as many spring-loaded contacts as a permanent part of the machine. This cut total costs for an Enigma,
but it meant that rotors were more expensive, and indeed during the war, the German forces kept on using
their old rotors, only gradually adding the odd new one to the set.
In addition to the contacts and the wires between them, a rotor often has two other parts of significance to
the cipher it will generate which are often overlooked. Like the wheels in an odometer or a mechanical
adding machine, rotors in some rotor machines include what is essentially a gear with one tooth to cause the
next rotor to move one position forwards at one point in its own rotation. Some rotor machines, of course,
use completely different principles to move the rotors; the Hebern machine did use this principle, but still
kept that part of the gearing physically separate from the rotor itself. Also, the rotor has to be labelled, so
that there is some way of recording and communicating the starting position in which the rotors of a rotor
machine are to be set. Otherwise, the two parties to a communication will be unable to set up their machines
the same way. On the Hebern machine, the rotor itself was marked.
In the Enigma, a movable alphabet ring was labelled with the letters identifying rotor positions. The rotor
itself, of course, was marked so that alphabet ring settings could be written down too. The ratchet wheel,
which determined when one rotor would cause the next slower one to advance, was attached to the alphabet
ring. This is quite important to note, as it determined how methods of exploiting the Enigma's indicator
method would work, and how the Bombe had to be designed.
But the main distinguishing feature of the Enigma was its reflecting rotor. Instead of plaintext going in one
end with ciphertext coming out the other, the reflecting rotor, with the 26 contacts on one side connected to
each other in a scrambled fashion, caused the electrical signal to go through the rotors a second time in the
opposite direction, coming out on the same side it came in, but at a different contact.
This meant two contacts on the entrance side of the rotor stack were "live". Instead, therefore, of the switch
operated by a typewriter key on the Enigma merely connecting the battery to the proper contact of the
outermost rotor, it instead took the contact of that rotor, and disconnected it from the lamp under the same
letter as well as connecting it to the battery.
As an extra security feature, the Enigmas used by German forces during World War II included a plugboard.
The wires leading from the lamps and keyboard to the rotors were all cut, and then wired to a socket that
acted like the socket for a phone plug. If nothing was plugged in, the two wires to the plug were connected
together. If a plug was inserted, the two wires were not connected to each other, instead, each one was
connected to one of the two contact points in the plug.
Although a commercial Enigma, modified by Polish cryptanalysts to match a military Enigma, used phone
plugs, the plugs in the plugboard of the actual Enigma had two prongs, but they still functioned electrically
in the same way as phone plugs.
So, think of 26 phone plug sockets, and a set of ten wires, with a phone plug at each end, with the tip at one
end wired to the shaft at the other end, and you will have an accurate electrical picture of the plugboard of
the Enigma.
An attempt at a diagram of the Enigma in ASCII graphics:
| | |
----- ----------| ----------| ----------|
| --||- -----||----------||- -|------
| / || \ / || || \ / | |
| | -||--\- ---||- ----||- \ --/--|----- |
| | / || \ / || \ / || \ \| / | ||
| || -||- ------||----- ---||--\-\- _-|---- ||
| ||| || \ / || \ / || _-\|\-- | |||
| ---||---- ---||------ -||- \ ----|--- |||
| || || \ / || \ / || |\ | ||||
| | -||------ _-||--_ ----||--_ | ----|-- ||||
| | || _--\-- || ---/-_ || -|--_ | |||||
| --||-- ----||------ -||---- --|- |||||
----- ----------| ----------| ----------| ||||||
Slow | Medium | Fast | ||||||
||||||
---------------------------- ||||||
| | | | | | | ||||||
- | | | | | | ||||||
--- ( ) (*) ( ) ( ) ( ) ( ) Lamps ||||||
- | | | | | | ||||||
--- | | | | | | ||||||
| | | | | | | ||||||
--------|---|---|---|---|---|- ||||||
| | | | | | | | | | | | ||||||
I I / I I I Keyboard ||||||
| | | | | | ||||||
| | | | | | ||||||
|_ _| | | | | ||||||
_X_ I I I I Plugboard ||||||
| | | | | | ||||||
| | | | | ------------- |||||
| | | | ------------------ ||||
| | | ----------------------- |||
| | ---------------------------- ||
| --------------------------------- |
--------------------------------------
And here is a similar diagram in graphic form:

To make it simple to understand the principle which allows pressing a key on the Enigma to light the lamp
to which the key is connected through the rotors, but not the lamp connected to the key itself, the wires have
been colored red and blue, depending on whether they are at a positive or negative potential (I've chosen the
battery orientation in the diagram arbitrarily for clarity, and do not claim it matches that of the actual
Enigma) and wires carrying current are shown in a lighter red or blue, and, where convenient, are shown
thicker, with little yellow arrowheads showing the direction of current.
The Germans themselves broke messages transmitted by Republican forces during the Spanish Civil War on
conventional Enigma machines without plugboards. And it was the plugboard, more than anything else, that
convinced them that the Enigma was unbreakable.
The rotor wirings of the Naval Enigma, most of which were also used by the Wehrmacht, were:
Initial input contact:

Output contact from rotor #: In window

for "carry":
I : E K M F L G D Q V Z N T O W Y H X U S P A I B R C J Q
II : A J D K S I R U X B L H W T M C Q G Z N P Y F V O E E
III : B D F H J L C P R T X V Z N Y E I W G A K M U S Q O V
IV : E S O V P Z J A Y Q U I R H X L N F T G K D C M W B J
V : V Z B R G I T Y U P S D N H L X A W M J Q O F E C K Z
* VI : J P G V O U M F Y Q B E N H Z R D K A S X L I C T W MZ
* VII : N Z J H G R C X M Y S W B O U F A I V L P E K Q D T MZ
* VIII : F K Q H T L X O C B J S P D Z R A M E W N I U Y G V MZ
Thick reflecting rotors:

B : Y R U H Q S L D P X N G O K M I E B F Z C W V J A T
C : F V P J I A O Y E D R Z X W G C T K U Q S B N M H L
Extra ("Greek") rotors inserted before thin reflecting rotors:

* Beta: L E Y J V C N I X W P B Q M D R T A K Z G F U H O S
* Gamma: F S O K A N U E R H M B T I Y C W L Q P Z X V G J D
Thin reflecting rotors:

* B : E N K Q A U Y W J I C O P B L M D X Z V F T H R G S
* C : R D O B J N T K V E H M L F C W Z A X G Y I P S U Q
The first five regular rotors, and the two reflecting rotors above were used in both the Wehrmacht and the
Navy. Only the Navy used the last three regular rotors, numbers 6 through 8, and two thin rotors, one
reflecting, to replace the reflecting rotor. The rotors only used in the Naval Enigma are marked with an
asterisk.
Each rotor, other than the reflecting rotor, is described this way: the line at the top with the letters in order
from A to Z indicates the contact which is on the side of the rotor facing the wires from the keyboard and
lamps, and the table entry indicates the contact on the side facing the reflecting rotor connected to that
contact, when the alphabet ring is in the A position, and A is the letter showing through the window at the
top of the machine.
While this form of the Enigma was used by the Wehrmacht, and by the Navy with improvements, other
forms of the Enigma were used during the war by other military and governmental organizations within
Nazi Germany.
One of the most famous is the Abwehr Enigma, which used rotors with 11, 15, or 17 notches, but which had
no plugboard. Its keyboard had numerals and punctuation marks on the keys above the letters. The Mil Amt,
which succeeded the Abwehr, used a machine with a set of six rotors, all with nine notches.
The Railway Enigma was an Enigma with a typewriter keyboard entrance permutation, like the commercial
Enigma C and Enigma D.
Although the Army and Navy continued to use their original rotors throughout the war, each of the other
groups using Enigmas used their own rotor wirings. This was a natural security precaution. Probably the
reason that other Enigma machines used did not have plugboards is also because security kept groups using
Enigma machines from knowing about the Enigmas used by other groups: it may well be that the different
Enigmas were made in separate factories. However, the Mil Amt seems to have learned the same lesson as
was used in the Naval Enigma, by switching to rotors all having the same notches.
Next
Chapter Start
Table of Contents
Main Page
The Uhr Box

The Uhr box was a replacement for the patch cords that were plugged into the Enigma's
plugboard. Each day, the relationship between the alphabet and the contacts on the
Enigma's rotors was changed in accordance with the daily key by plugging in the patch
cords as it specified.
I am indebted to some USENET posts, in reply to questions of my own concerning the

Uhr box, by Frode Weierud from Switzerland in clearing up some of the details about
how it worked. The facts he provided allowed me to propose a tentative reconstruction
of how the Uhr box might have been wired internally.
By using the cords coming out of the Uhr box instead, it became convenient to change
the plugboard setting more often, because it could be changed just by turning the knob
on top of the Uhr box. The knob had forty settings, numbered from 0 to 39. These
settings were indicated by a two letter code, given by a sticker on the lid of the Uhr box.
When set to setting 0, the Uhr box acted like a set of ordinary patch cords. Of the
twenty plugs coming out of the Uhr box, ten were painted white, and ten were painted
red. The plugs in the two groups were numbered from 1 to 10, and the pairs of one red
plug and one white plug both bearing the same number each behaved like a patch cord
in setting 0.
Even in other settings, although the connections between the input of one plug and the
output of another plug were now scrambled, it was still true that the input of any red
plug was always connected to the output of a white plug, and the input of any white
plug was always connected to the output of a red plug.
Because patch cords always connected their input and output to the output and input on
the other end, they produced a reciprocal permutation of the alphabet. The Uhr box
allowed this to be avoided. This didn't change the fact that the Enigma's cipher was
reciprocal, since the permutations of the Enigma's individual rotors weren't reciprocal
either, but the cipher of the Enigma as a whole was still reciprocal, since the reflecting
rotor caused the electrical signal from the keyboard to the glowlamps to go through
each rotor twice, first one way, and then the other. The same thing was true of the Uhr
box.
But the fact that ordinary patch cords produced a permutation which was reciprocal on,
as it were, a second level did prove helpful to British cryptanalysts. For one thing, it
permitted an adjunct to the Bombe called the 'diagonal board' which allowed it to be
both more versatile and more effective.
Reconstruction of the Uhr box
Based on these facts concerning the Uhr box, I had suspected that it may have been
wired as follows:
The knob on the Uhr box would have turned what was, essentially, a reflecting rotor
with 40 contacts.
These 40 contacts could be thought of as being labeled with the letters

ABCDABCDABCD... over and over again.
The contacts marked A would all have wires connecting them to the contacts marked
C, but in scrambled order. Similarly, the contacts marked B would all be connected to
the contacts marked D, again in a scrambled order.
The contacts in the box which connected to this movable reflecting rotor would also be
divided into four groups, which we can also think of as being labelled
ABCDABCDABCD... and so on.
The input contacts from the red plugs would be connected to the contacts marked A,
and since these were always to be connected to the output contacts of the white plugs,
those would be connected to the contacts marked C.
Similarly, the input contacts from the white plugs could go to the contacts marked B,
and the output contacts from the red plugs to the contacts marked D.
The order in which the plugs were connected to the contacts would match the
scrambled wiring in the 40-contact reflecting rotor, so that when it was set to position
0, the desired objective of emulating plain patch cords would be achieved.
It would be possible, although unnecessary, for all the input contacts, for example,
from the patch cord plugs to be wired in numerical order around the circle.
The following diagram may make the description of my tentative reconstruction of the
Uhr box clearer:
However, a paper in the July 1999 issue of Cryptologia has now explained the actual
workings of the Uhr box, and it differed somewhat from my tentative reconstruction.
Instead of having 40 contacts, the reflecting rotor that was the heart of the Uhr box had
80 contacts, of which only 40 were used at any one time.
The contacts on the reflecting rotor were in two consecutive rings of 40 contacts, and
either the even or odd ones were used in any position. Thus, the contacts on the Uhr
box were in two rings of 20.
The outer ring was wired to the red plugs, and the inner ring was wired to the white
plugs. In both rings, the even-numbered contacts of the Uhr box were wired to the thick
pin of the two pins on the plugs. The wires from the red plugs were wired to these
contacts in order, but those from the white plugs were wired in a scrambled fashion.
Essentially, therefore, the Uhr box worked somewhat like my hypothetical
reconstruction, except that it had two sets of scrambled wirings, each one of which
could be rotated to only half as many positions.
However, there was another peculiarity of the wiring of the Uhr box that led to a
weakness.
Although the wires from the white plugs were not wired to the Uhr box contacts in
order, they were wired to those contacts in pairs. This meant that of the two wirings in
the reflecting rotor, one, in order to allow the zero setting to emulate ordinary
plugboard wires, had to take pairs of contacts (with a contact in between belonging to
the other wiring) to pairs of contacts in the other ring, reversing the two elements in the
pair (so as to take a large pin from a red plug to a small pin on a white plug and vice
versa). This meant that every fourth setting of the Uhr box behaved like a set of
conventional plugboard wires.
A diagram of the actual Uhr box may help to make its design clearer:
in this diagram, only the wires in the rotor are shown that are in the set used in the zero
position, which reflect the flaw in the device that makes every fourth setting (every
second setting using that set of wires) reciprocal. The Uhr box is shown here set in the
zero position. Because of the extra complexity of inner and outer contacts, a more
schematic diagram, rather than one showing the rotor contacts in a circle, is given.
While the Uhr box did not do much by itself, only providing a fixed substitution that
did not change during a message, this kind of design illustrates how one could, for
example, build an interesting type of rotor machine for a 26-letter alphabet using
especially-wired 52-contact rotors. The idea of wiring a rotor with a number of contacts
that is a multiple of the size of the alphabet used, so that it acts like two different rotors
that are used alternately, also will surface in the Hagelin B-21, which we will meet
later.
Another enhancement used on some Enigmas late in the war was a reflecting rotor that
could be completely rewired by the user based on a daily key.
Next
Chapter Start
Table of Contents
Main Page
The Enigma A and Enigma B

The very first cipher machines sold under the Enigma trademark were rotor machines,
but they did not have the reflecting rotor that made the Enigma so unique.
Also, they both looked like very large typewriters, and printed their output rather than
merely indicating letters with glowlamps. The Enigma B used the normal 26-letter
alphabet, while the Enigma A had a 28-letter alphabet, including three accented letters
for the German language, but omitting one letter of the alphabet not often used in
German.
Instead, they had four rotors, used once in normal fashion, controlled by four cams,
with 11, 15, 17, and 19 positions. These cams all moved one position with every letter
enciphered, and a raised tooth on any one cam caused the rotor corresponding to that
cam to advance one step.
Occasionally, none of the four rotors would advance between letters, and this probably
made the machine appear weak. However, this kind of irregular rotor movement does
eliminate the isomorph method of attack, and therefore this kind of design appears to
be quite promising. Since, however, it was cams and not user-settable pinwheels that
were used, an adversary knowing the sequence of raised teeth on each cam would no
doubt have been able to develop alternative methods of attack on this system.
Had the machine had five rotors instead of four, then the thirty-two possible rotor
motions would have exceeded the number of letters in the alphabet. With four rotors,
there were at most only sixteen possible alphabets the machine could present at each
step, and this could also be exploited.
A machine with ten pinwheels, all of different sizes, with the XOR from two pinwheels
controlling each of five rotors? Such a machine might well have been very strong.
However, the search for the ultimate in irregular rotor movements was pursued in a
different direction by the Americans, resulting in an even stronger machine, the
SIGABA, which we will meet later.
Another variation of the Enigma was the one used by the Abwehr. It was an Enigma
without a plugboard, but the rotors had a large number of notches, so that the slower
rotors still moved fairly often.
In the chapter of Codebreakers (not David Kahn's book, but a collection of

contributions by former cryptanalysts at Bletchley Park, published by Oxford
University Press) entitled "The Abwehr Enigma", it was observed that multinotched
rotors created a serious difficulty for the cryptanalyst, but not quite as serious as that
created by the plugboard. It was seen as peculiar - but fortunate - that the Germans did
not get the idea of putting both improvements on the same Enigma. As at that time,
thanks to the book Machine Cryptography and Modern Cryptanalysis by Cipher A.
Deavours and Louis Kruh, it was already public knowledge that the British were doing
exactly that: the Typex, which we will meet in the next section, used extra entrance
rotors as a non-reciprocal plugboard (thus also gaining the advantages of the Uhr box)
and highly multinotched rotors, this comment was worth a raised eyebrow when I first
encountered it.
It may also be noted that the Abwehr Enigma's reflecting rotor moved as the slowest
rotor during encipherment. Also, like the commercial pre-war Enigma C and D, in
addition to not having a plugboard, the keyboard and lamps were connected to the
rotors following the layout of the typewriter keyboard rather than in alphabetical order;
thus, an Abwehr Enigma had the rotating reflecting rotor, and the multiple notches on
the rotors, as its only changes from the commercial model Enigma. With one other
minor, but interesting, addition: this version of the Enigma also had digits and
punctuation marks printed above the letters on both the keyboard and the lampboard.
Next
Chapter Start
Table of Contents
Home Page
Relatives of the Enigma

Despite the fact that the Enigma never enciphered a letter as itself, thereby making it easy to align
probable plaintext with an intercept, several other rotor machines were based on the Enigma.
W. F. Friedman devised Converter M-325. It was similar to the Enigma, except that the rotor nearest
the reflecting rotor, rather than the rotor farthest from it, was the fast rotor. This produced a machine
that did not need a plugboard to be reasonably secure.
The British cipher machine during World War II was the Typex. Its rotors were notched several times
for frequent and irregular motion. Three rotors moved, and the farthest of them from the reflecting
rotor was still the fast rotor. But there were two other rotors beyond the fast rotor, and they acted as a
plugboard replacement.
Some models of the Typex had two concentric sets of 26 contacts. According to those who have had
the opportunity to examine surviving specimens of this machine, they were not used for the obvious
purpose of providing a return path for electrical current, thus allowing the unique weaknesses of the
Enigma design to be avoided.
Despite this, I still wonder; there is a simple way, using dummy rotors connected by cables, to turn a
SIGABA into a plain Hebern machine. As the SIGABA and the Typex were made to interoperate by
means of accessories which turned them into the "Combined Cipher Machine", it makes sense to
conclude that the second set of contacts was used as a return path on the Typex, since then suitably
wired rotors with some sets of contacts wired without scrambling could allow Hebern type operation
of such a machine as well, thus facilitating this particular method of interoperation. Although the fact
that the fast rotor is on the entrance side (like an Enigma, unlike an M-325) makes it more difficult to
turn a Typex into a Hebern machine with the fast rotor in the middle, it is not impossible: an
auxilliary wiring harness, with dummy rotors, is also required as with the SIGABA, and the reflecting
rotor is one of those that has to be replaced. The following diagram shows a principle that may have
been used:
As the details of the actual CCM are available, no doubt I will soon be hearing if my reconstruction is
near the mark or not. As only three rotors aren't much, the actual CCM may have been somewhat
more complicated, for example by including entry and exit plugboards to replace the two stators in a
real Hebern five-rotor machine.
As the Typex is said to have very closely resembled the Enigma, I had assumed that it had a "650
break" as well, and this would have further complicated interoperation with the SIGABA. However,
since the Typex used heavily multinotched wheels, such a gearing arrangement would have shortened
its period considerably, so perhaps that problem did not arise. (It's even possible there was a lever
somewhere to choose with!)
On some later models of the Typex, the two entrance rotors also moved. This is merely a speculation
on my part, but one simple way in which they could have been caused to move is this: the entrance
rotor would be the slow rotor, the next one the medium, and the same notches in the wheels that
caused the regular carry would also cause movement of the wheels on the entrance side, but the
ratchet wheels would be displaced. So, if the positions B, G, J, M, O, R, T, V, and X caused the
original medium wheel to move when the fast wheel reached them, and the original slow wheel to
move when the medium wheel reached them, then perhaps the positions Z, E, H, K, M, P, R, T, and
V, each two positions earlier, would cause movement on the other side of the fast rotor. Or another
row of notches could be present on the wheels, and the number of notches in that row could very well
be even, since the ordinary rotor motion would already be providing the maximum period. No such
motion, however, unlike the original motion with those two rotors as stators, or better yet a motion
resembling that of the Converter M-325, would allow easy interoperation with a SIGABA using
dummy rotors by emulating a Hebern machine, basically the lowest common denominator of the two
machine types.
Some time after World War II, Switzerland, which had been using a version of the Enigma for its
own communications, designed its own significantly improved cipher machine based on the Enigma,
the NEMA (for Neue Maschine, not National Electrical Manufacturers Association). Recently, a
computer program simulating its operation, accompanied by a description of the machine, became
available. One of the program's authors, Frode Weierud, has a forthcoming article in Cryptologia
about the machine.
It used lamps to indicate the letters it produced as output, and physically it looked like a metal box
with a sloped front in which a typewriter keyboard was sunk. Recently, examples have become
available on the open market, at prices considerably below those of World War II Enigmas.
The device had four rotors, plus a reflecting rotor, all of which (including the reflecting rotor) moved
during encipherment. However, it had the appearance of having ten (rather thin) rotors. This was
because each rotor was manually adjusted by means of a flange on its left with 26 segments labelled
with the letters of the alphabet, and bore on its right a ring of appearance similar to that flange, but
which contained a notched gear. Each rotor's movement was controlled by the ring to its right; when a
notch on the ring came into position, its corresponding rotor did not advance for the current letter
being enciphered. In addition, the ring on the entrance rotor, towards the right of the rotor bank, was
distinctively colored (it was red) and had a second notched gear on it. This gear, when a notch on it
came into position, prevented the second and fourth rotors, and their corresponding rings, from
moving. Usually, all the rings would move with every character enciphered.
Thus, the NEMA had a period of 17,576 letters, each ring-rotor pair having a period of 676. If the red
ring had stopped only two other rings, and not their corresponding rotors as well, the period could
have been 26 times longer. In any case, it has a large number of initial settings, and a very irregular
rotor movement, bettered only by that of the SIGABA (although the Enigma A and Enigma B also
had a rotor movement that is more irregular than usual). Note that the diagram, for simplicity, shows
the mechanics of the rotor movement by lines which may suggest electrical wires; actually, the result
was achieved mechanically. Also note that the wheels with notched gears, although concentric on the
same shaft as the rotors, are shown in the diagram in a row below the rotors, using the usual diagram
symbol for pinwheels.
And, during the sixties, an Italian firm, O.M.I., offered a version of the Enigma with seven rotors. But
it embodied an ingenious idea for providing security in a machine sold openly without requiring
customers to rewire their rotors. The rotors came in two pieces, both with scrambled wiring, that the
customer could interchange and rotate to form the rotor set to use.
It would be a little harder to do this with rotors of the Hebern type, if one wished to take full
advantage of the fact that both sides of these rotors are identical, but it could still be done using
androgynous connectors positioned in alignment with the centers of the contacts, as shown below:
An interesting web site in Germany, which no longer exists, described several cipher machines from
behind the Iron Curtain. Three of them were described in enough detail (which I tried to make out as
best I could, not understanding German) that I found their mention of interest.
The T217, or ELBRUS, is an electronic cipher machine, having at least a superficial external
resemblance to the early electronic cipher machines used by the United States (as those machines are,
as far as I know, still classified, I have no knowledge of whether the resemblance is more than
superficial). A linear-feedback shift-register generator feeds a longer shift register, and bits from that
are selected under the control a key cassette to go into combinatorial logic to produce bits for stream
cipher use.
The M105 uses a principle I don't quite understand yet: 5-level code characters are converted to a 12-
bit form, then XORed with a key tape, then converted back down to 5-bit form. It isn't quite clear to
me how transformations more involved than an XOR can actually be accomplished by this principle,
particularly when decoding is also performed by precisely the same method. However, such a
machine could work by cheating; for example, the 5-bit character
abcde
could be converted to
abcde0000000
to be enciphered, and then the 12-bit result of being XORed with the key tape could be converted to 5
bits by taking the first 5 bits, performing a nonlinear operation controlled by the last 2 bits, and then
XORing with the second 5 bits. To decipher using the same key tape, the 5-bit ciphertext character
pqrst
would simply be converted to
00000pqrst00
before the XOR with the key tape. Even something like that, particularly if a plugboard can be used to
scramble the 12 bits from the key tape, might not be entirely silly. Also, if the nonlinear transform
controlled by the last 2 bits leaves something invariant, that, rather than 0, could be put in the last 2
bits. For example, if the last 2 bits are used to choose between different ways of transposing the 5 bits
of a character, for encryption the parity of the plaintext character could be placed in one, or both, of
those bits before the XOR, affecting which bit transpose is used.
For decryption, the parity of the ciphertext character after being XORed with the five bits for that
purpose on the tape, XORed with the parity of the five bits that will later be XORed to form the
plaintext character, will produce the parity of the plaintext character before the bit transpose (affected
by that parity) is known.
And, finally, the M125, or the Fialka, is described on his site, which is why I am mentioning his site
on this page: it is a variation of the Enigma.
It enciphers a 31-character alphabet. A punched card is used to perform the function of the Enigma
plugboard, but for only of 30 of the 31 symbols enciphered. The punched card has been described to
me as square, with two centering holes, and with the regular punched holes only below a diagonal on
the card. This suggests to me that each hole position controls a double-pole double-throw (DPDT)
switch, determining if two lines in a folded crossbar pattern are crossed.
There are 10 highly multinotched rotors, and they have fixed contacts on one side and spring-loaded
contacts on the other, like those of the Enigma.
Now, these 10 rotors all have 31 contacts on each side. There is also a reflecting rotor, but how can a
reflecting rotor with an odd number of contacts work?
One contact of the reflecting rotor, instead of being connected to another contact, is connected to a
circuit that causes the machine to encipher the input letter as itself. Note, however, that the machine's
cipher is fully reciprocal.
Like the Typex, we have an Enigma with both multinotched rotors and a plugboard; British
cryptanalysts working on the Abwehr Enigma on the one hand, and the Army and Navy Enigmas on
the other saw that to be an effective combination. This may not be terribly surprising, as there was
Soviet penetration of the British Ultra effort during World War II. The patch panel, like the Uhr Box,
avoids the problem of the plugboard substitution being reciprocal in itself.
Although the machine is connected to 5-level tape equipment, instead of enciphering normal 5-level
code (leaving, perhaps, the all-zeroes character unenciphered) the German-language version of this
device omits the letters W, X, and Y, and uses J to represent the space (thus printing a space when
deciphering, and a J when enciphering), leaving room for the digits from 2 through 9 in the character
set. As Russian has a 32-letter alphabet, presumably the original Russian-language version did not
include digits in its character set.
My initial attempt to reconstruct the Fialka from the information I had found resulted in a somewhat
different machine, with its own features of interest.
In the a block diagram I saw, there were three signals going from the reflecting rotor to a transistor
symbol. I thought that perhaps this meant that three contacts were wired in a loop, with diodes going
from one to the next, in rotation. As a DC current is used to go from the keyboard to the rotors and
back to the output mechanism, this can mean that A becomes B, B becomes C, and C becomes A.
(However, there is nothing to prevent the current from going through two diodes in a row. This can be
avoided by the use of resistors or multiple diodes, and a suitable choice of voltage threshold, or by a
simple transistor circuit.)
That would mean the cipher of the machine as a whole would not be quite reciprocal, but no letter
could represent itself. The easiest way to reverse the action of such a circuit during decipherment
would be simply to reverse the polarity of DC current through the machine.
The fact that the punched-card "plugboard" affected only 30 of the machine's 31 characters was
baffling to me, and implied some sort of external constraint. As I assumed a simple crossbar
arrangement for card sensing, to minimize parts count, the fact that a standard 80-column card has
over 900 holes in it meant that it could indeed control a 30 by 30 crossbar patch panel. (One needs
961 hole positions for a 31 by 31 crossbar patch panel!) The diagram shows a possible arrangement
for the crossbar circuitry that uses the first 75 columns of the card, and which, by taking into account
the zone and digit positions of the card, allows key cards to be produced with conventional punched
card equipment, using only &, -, /, and the digits and the upper-case letters.
Perhaps the construction I reached through speculation will be helpful to amateur builders intending
to build a replica of the Fialka at home, but with the use of more standard parts, even if it departs
from the historical reality.
The following diagram is provided for those who aren't familiar with the code used on the 80-column
punched card:
or, if that diagram is difficult to understand, here is a more explicit one:

Gordon Welchmann, the inventor of the diagonal board, has commented that it would have been
possible, but difficult, to design an Enigma that did not have the feature of being unable to encipher a
letter as itself.
Obviously, the simplest method to avoid this problem with the Enigma would be to revert to sending
the signal through the rotors in only one direction, as with the Enigma A and Enigma B, or as with the
original Hebern machine. But if one wanted to avoid having to switch a large number of wires when
changing from encipherment to decipherment, or if one felt it useful to have the signal going through
the rotors twice instead of just once, how would an Enigma not having this problem be designed?
One can begin by merely changing the labels which are over the indicating light bulbs. If the light
bulb that is on the circuit with the Q key is now labelled B instead of Q, then it is B that the letter Q
will not be enciphered as.
But then one would have to have one wiring for encipherment, and a different wiring, either selected
by a large and complex switch, or by constructing enciphering Enigmas and deciphering Enigmas.
One way to avoid the problem would be to replace the plugboard of the Enigma with two
switchboards, one connecting the keys to the machine, and one connecting the lamps to the machine.
Then one could select any wiring configuration for encipherment, and its counterpart, with lamp and
key wirings exchanged, for decipherment.
Could a suitable choice of new labels for the light bulbs allow a simpler solution, one that involved a
lesser change to the way the Enigma worked? One possibility would be, given the keys are connected
to the rotor contacts in alphabetical order, to label the light bulb connnected to the A key with N, the
light bulb connected to the B key with O, and so on. Then, if the setting rings are labelled with two
alphabets similarly displaced, in contrasting colors, and the gear teeth by which one ring advances the
next are so arranged that if a tooth is at one position, there is also a tooth at the position diametrically
opposite (shortening the period, because all the rotors must now have an even number of teeth), one
could indeed have a machine that behaved almost exactly like the Enigma.
However, the fact that the letter A can now never be represented by N, instead of never by A, is just a
fixed substitution that would soon be discovered, and then it would cause no real difficulties for the
cryptanalyst. A normal Enigma plugboard would not change this: and the sockets on it would also
have to be labelled in two colors, as the plugboard wiring would have to be displaced 13 positions to
decipher.
Another thought would be, instead of having two switchboard-type plugboards, where a set of 26
sockets is matched by 26 plugs from within the Enigma, to have a second plugboard of the regular
Enigma type in a single Enigma. In addition to the one between the rotors and the lamps and keys
both, the additional plugboard would be between the lamps and the keys. The reciprocal nature of the
plugboard substitution would not be a problem, and would in fact allow the same wiring to serve for
encryption and decryption. This arrangement is illustrated below:
However, it wouldn't quite work as illustrated. Although the rotor substitution and the plugboard
substitution are both reciprocal, that does not mean that they commute. But a more complicated
wiring based on this principle would be possible, such as placing the rotors on the lamp side for
decipherment; this would require a bank of 26 relays to simulate the effect of the switches in the
keyboard.
One simple way to make this work, with some limitations, is this: for encipherment, use only the
plugboard between the lamps and keyboard. For decipherment, also use the regular plugboard, and
wire it in the same way as the plugboard between the lamps and keyboard. This works because
plugboard wirings are reciprocal.
The basic problem of this sort of arrangement is that the rotors are connected to the keyboard and not
the lamps in an Enigma, hence a permutation between the keyboard and lamps disrupts the
relationship between the rotor contacts and the lamps and keys that makes decipherment possible
when it is reversed for decipherment. Could an Enigma be modified so that the rotors were connected
to the lamps? Yes, if each lamp were shorted with a diode:
This diagram shows the flow of electricity in an Enigma. On the left, a simplified diagram of the
Enigma is shown. Wires at a positive potential are red, wires at a negative potential are blue, and
wires carrying current are shown thicker with yellow symbols indicating the direction of current.
On the right, the arrangement involving diodes needed to allow the rotors to be connected to the lamp
side of a modified Enigma is illustrated. Current that pressing a key allows to flow goes first through
the shorting diode belonging to the lamp with the same letter, then through the rotors, and on its
return trip lights the correct lamp, since it is going the other way, and cannot be shorted by that lamp's
diode.
Suitable switching circuitry, allowing either arrangement to be selected, and reversing other
connections, would allow a two-plugboard Enigma of the type shown above to even have an Uhr box
connected at either or both plugboards.
Next
Chapter Start
Table of Contents
Main Page
Cryptanalysis of the Enigma

The story of the cryptanalysis of the Enigma is perhaps the only story of military
cryptanalysis ever recounted where a detailed view was given of that cryptanalysis on
an ongoing basis, over multiple revisions and modifications of the cipher system under
attack.
The cryptanalytical methods used are sorted by type in the following sections, and thus
a more chronological summary may help to make the story more understandable.
Initially, the Enigma was without a plugboard. The method of "cliques on the rods"
was used against it at this stage; this was a version of the isomorph attack against a
Hebern machine, modified as required for the Enigma.
Next, a plugboard was used, but only three cords were plugged into it, affecting only
six of the twenty-six letters. A common ground setting was used to encipher the
starting setting which operators were supposed to choose at random; this setting was
enciphered twice. Here, the tables generated by the cyclometer were used: the doubly-
enciphered indicator meant that if one message had A as its first letter and Q as its
fourth, A as the first letter of the message always implied Q as the fourth. Thus, the
relation between the first and fourth letters of a day's intercepts defined an alphabet,
and the same was true of the second and fifth letters and the third and sixth. The
characteristics of these alphabets allowed those tables to pinpoint the day's ground
setting.
Then, instead of a ground setting, a setting picked also at random, and sent in the clear,
was used. This nine-letter indicator was attacked on the basis of watching for cases
where corresponding letters in the doubly-enciphered indicator, now the fourth and
seventh, fifth and eighth, and sixth and ninth letters of the message, were the same. The
original Polish Bombe, and also the perforated sheets, were used at this stage.
When the number of rotors in the rotor set was increased to five from three, the British
took over from the Poles, and relied mainly on the perforated sheets.
When the rotor starting position for an individual message was enciphered only once,
the Turing Bombe, soon augmented by the diagonal board, allowed decrypting Enigma
messages to continue.
On the Naval Enigma, eight rotors as well as a split reflecting rotor were used. This
was dealt with by aligning messages to find key overlaps; from this, and a study of the
indicators, constraints on the possible rotor orders were found, allowing the Bombe to
still be used.
Near the end of the war, the Uhr box and a rewirable reflecting rotor were used in some
places. The Uhr box merely required giving up the diagonal board. The reflecting rotor
required a major redesign of the Bombe, but decoding continued.
● Cliques on the Rods

● Indicators and Jefferys Sheets
● The Bombe and the Diagonal Board
Next Section
Chapter Start
Table of Contents
Home Page
Cliques on the Rods

Before the plugboard was added to the Enigma, the fact that the fast rotor was on the
side opposite the reflecting rotor meant that it was vulnerable to an isomorph attack.
But the isomorph attack had to be modified from that used on a Hebern machine, in the
obvious way.
Both the probable plaintext and the ciphertext had to be put through the fast rotor, and
it was the two results that had to match, that is, be monalphabetic encipherments of one
another, having repeated letters in the same places.
Since a rotor can be in 26 different positions, changing both the input and output
letters, one needs 26 different strips. Each strip shows, for one particular input letter,
the possible output letters for each position of the rotor.
Thus, if a rotor is wired as follows:
E K M F L G D Q V Z N T O W Y H X U S P A I B R C J
the strip for the letter A would contain the sequence
E J K C H...
and the strip for the letter B would contain the sequence
K L D I...
since in the A position of the rotor, A becomes E, the A strip begins with E. When the
B contact, that takes B to K in the A position, is moved back to the A position, then it
will take A to the letter before K, or J. Similarly, when the C contact is moved two
positions back, its destination, the M contact, is moved two places back to K. Of
course, the strips might also be prepared for the rotor moving the other way, with the
letters in reverse order.
The strips will have their sequences of letters repeated twice; one chooses the strips
which correspond to plaintext and ciphertext, and puts them next to one another, but
staggered, because the fast rotor is always moving one step for every letter. Then, the
rows across, between the strips, show the possible encipherments of the plaintext or
ciphertext letters for every starting position of the fast rotor.
Strips with the rotor outputs on them were aligned to produce the results, and thus the
method was called "La Méthode des Bâtons" in French, and in Britain the strips were
called rods, with the repeated letters that matched up called cliques.
The sequence of 26 letters that a rotor would produce from a given letter in different
positions cannot be a scrambled alphabet, with no letter repeated, for reasons seen in
the previous section on the interval method. In the colorful terminology of Bletchley
Park, the duplicated letter on a rod resulting from two wires producing the same
displacement was called a "beetle", and the result of two wires having exactly opposite
displacements was called a "starfish", as recently revealed in papers by C. H. O'D.
Alexander available on Frode Weierud's web page. These papers note, among other
things, that the rods were sometimes used against Enigmas with plugboards as well, in
cases where the indicators could not be interpreted. (Two of the papers, about
something called JNA-20, appear to be about PURPLE or CORAL, even though they
still use the term "Stecker" in reference to its plugboard.)
Next
Chapter Start
Table of Contents
Home Page
Attacking the Indicators

As is recounted in the several books and articles recounting the story of the Enigma,
the Germans used two very dangerous indicator systems with it.
First, they started the Enigma, for a given day, with a fixed secret setting, called the
ground setting or Grundstellung. At this setting, the actual starting rotor setting was
repeated twice and enciphered.
Then, still before the war started, while only the Poles were breaking the Enigma, a
change was made. Instead of a secret ground setting, a starting point was picked by the
user at random, and started the message in the clear. Then the starting rotor setting used
for the message itself was again repeated twice and enciphered.
In both cases, the relationship between the two repetitions of the rotor start position
gave too much away.
The Common Ground Setting
In the first case, since one had many messages for a given day, all with the same
ground setting, one could look at the alphabet formed by combining that produced by
the machine at the ground setting with that produced three letters later. This alphabet
was visible in the clear: if a message began VBT RSQ, then V became R in that
compound alphabet.
Essentially, tables could be made of the distinguishing features of the alphabets created
at each starting position. And alphabets had such features, even after the plugboard was
used. These were visible when an alphabet was reduced to 'cycle form': if V becomes
R, then what does R become, and how many steps does it take to get back to V? Any
scrambled alphabet basically divides the alphabet into pieces of various sizes, and
those sizes aren't changed by the plugboard. The cyclometer, used to create these
tables, will be described along with the Bombes in the next section.
The three alphabets derived from a day's intercepts (or three months' intercepts,
actually) had, when reduced to cycle form, some very special properties. Although they
were formed by comparing two encipherments at positions separated by 3, they could
also be thought of, since decipherment and encipherment were the same, as the results
of applying the encipherments at those two positions, one after the other.
This has the following curious result:
U V T X R W M I H Z Q P G S Y L K E N C A B F D O J
G K R P S Y A J M H B Q I U W D L C E V N T O Z F X
In the pair of reciprocal alphabets shown above, A becomes U, and then U becomes N.
So, in the compound alphabet, A becomes N. Note that U also becomes A in the first
alphabet, and N becomes U in the second, but these don't connect, so the compound
alphabet is not reciprocal.
As noted, in the compound alphabet, A becomes N. Then N becomes (S, then) E, E

becomes (R, then) C, C becomes (T, then) V, V becomes (B, then) K, K becomes (Q,
then) L, L becomes (P, then) D, D becomes (X, then) Z, Z becomes (J, then) H, H
becomes (I, then) M, and M becomes (G, then) A.
So, we have a cycle, involving the letters:
(a n e c v k l d z h m)
What happens if we follow the fate of the letter U, which becomes A in the first
alphabet, just as A became U?
U becomes A, which becomes G. G becomes M, which becomes I. I becomes H, which

becomes J. In starting with the middle letter of each two-step substitution, we simply
go through exactly the same cycle, but in reverse. So we have a second cycle of exactly
the same length, with the letters:
(u g i j x p q b t r s)
Because this sequence consists of the middle letters, taken in reverse order, of the
previous cycle, the individual substitutions can be found at one of the positions these
two sequences have when slid against each other after one is reversed:
A N E C V K L D Z H M
U S R T B Q P X J I G
are all pairs in the first alphabet, and
A N E C V K L D Z H M
G U S R T B Q P X J I
are all pairs in the second.
Because at that stage poorly chosen rotor starting positions, both consisting of adjacent
letters on the keyboard, and also consisting of the same letter repeated three times,
were common, it was possible to eliminate ambiguity in aligning the cycles and
determine the rotor starting positions, without as yet knowing either the alphabet ring
settings, the rotor order, or even the wiring of any rotors.
The Slotted Sheets, or Grilles
Knowing the letters visible in the little windows on the enemy's Enigma was an
accomplishment, but by itself it did not let you read any messages. The Poles did know
the rotor wirings of the Enigma, though. They had not captured a machine, and doing
so in peacetime would have made it obvious that one was missing. Instead, a spy had
given the French, and the French had given them, keys for a period and some matching
plain and enciphered messages, from which they laboriously reconstructed the rotor
wirings and internal connections of the Enigma.
In addition to knowing the initial rotor settings, applying the pencil-and-paper method
noted above provides you with six successive alphabets produced by the Enigma. At
this stage, only a limited number of letters are modified by the plugboard, and the
Enigma had only three rotors to insert in any of six different orders.
If, for the encipherment of the first six letters after the ground setting, the medium rotor
did not move, these alphabets are produced from an inner alphabet, produced by the
medium, slow, and reflecting rotors, at six consecutive positions of the fast rotor.
The grille or slotted sheet method involved sheets with the successive alphabets
produced by one rotor printed on them, which were slid over a piece of paper on which
these six alphabets were written.
If it weren't for the plugboard, negating the fast rotor would produce six identical
alphabets: even with the plugboard, the right position produced six alphabets with
many letters in common, and from the similarities and differences, both the plugboard
settings and the inner permutation could be determined.
The initial rotor settings are known in terms of where the alphabet rings are; now the
ground setting is known in terms of the positions of the rotors themselves. Still more
work needs to be done to read messages: the original Polish Bombe automated that
next step.
Arbitrary Ground Settings
Since the ratchet that allowed one rotor to move the next slower rotor and the alphabet
ring which was used to refer to rotor positions were fixed together, in the second
system it was often possible to determine, since the Enigma's original five rotors all
had their one carry in different positions, which rotor was the fast rotor.
Among the many indicators for a day, there would be some with repeated letters. And
there would be some with the starting positions given in the clear possibly adjacent to
each other. Which positions are adjacent depends on when carries occur. And if the
same letter becomes first N and then V three letters later, and then fails to change from
N to V when it is apparently in the same two positions, then one is mistaken about
when the medium rotor moved.
Combinations where the same letter becomes the same letter in the same message, in
two positions three places different could not always occur, and these indicators, called
"females", eliminated possible indicator settings.
Also useful to Bletchley Park at this stage were "Herivel tips", which were the result of
Enigma operators choosing, after setting up their machine for the day, to use as their
first setting the position of the rotors as they stood, or possibly moving them only a few
places, from the position after setup which meant the rotors were near their initial
positions, and the setting sent in the clear would give away the alphabet ring settings
(either by itself, or in combination with the arbitrary ground settings of other operators
making the same mistake).
The Perforated Sheets
The perforated sheets were one set of 26 square sheets, with punched holes, for each
possible rotor order. They were used when the ground setting was sent in the clear,
followed by two encipherments of the current setting. Each sheet corresponded to the
position of one of the wired rotors (in Poland, apparently the slow one) and the rows
and columns on the sheets corresponded to the positions of the other two rotors. The
rows and columns, except the first one, were repeated twice. A hole was punched in a
sheet whenever a letter would be enciphered to itself by an Enigma with that position
of the three rotors plus an Enigma with the fast rotor three places further ahead.
Since a rotor order is assumed by one's choice of perforated sheet set to use, one can
exclude all indicators in which the medium rotor moved. This is because the ratchet
wheel and the alphabet ring are attached to each other. In practice, unless there is other
information available, one needs to try all 60 rotor orders. And, yes, one also needs to
try 26 stacks of sheets for each rotor order. However, 1560 trials is not an
unmanageable brute-force search, even by manual methods.
One finds numerous indicators with repeated letters in the same position, and places,
one on top of each other, alphabet sheets so staggered as to match the relative
displacements of the ground settings for the different messages. Then, a hole through
the stack of alphabet sheets indicates which position of the wired rotors corresponds to
each of the ground settings.
The Final Period
During the war, the double encipherment of the indicator was eventually abolished.
This increased the reliance of cryptanalysts on a large piece of electrical machinery, the
Bombe. But for a period of time before it became available messages were still
deciphered, as the result of the continuation of the practice of choosing adjacent
keyboard letters, then called "cillies" by the British, (well, they were silly) even if
settings consisting of three identical letters were by then suppressed.
With the Naval Enigma, instead of switching to a single encipherment of the initial
rotor position, the use of a common ground setting was revived; however, the
indicators recieved an additional layer of encryption; the two repeated encipherments
of the initial rotor setting were enciphered by means of a table of digraphs.
If the enciphered starting setting was ABC DEF, then the digraphs that would be
enciphered in the table would be AY BD CE XF where X and Y represent two
additional letters chosen by the encipherer at random; that is, the starting setting was
staggered like this:
A B C X
Y D E F
and the digraphs were taken off by columns.
This would have made the indicators useless for cryptanalysts, except that the digraph
table was not itself part of the daily key. Instead, for one period, a set of nine digraph
tables were used, and only which one was to be used was part of the key that changed
each day. As copies of the digraph tables (which were, for convenience, reciprocal)
were captured, the result was merely that all nine possibilities had to be checked. With
a common ground setting, as noted above if letter 1 was A and letter 4 was D once,
then letter 4 had to be D whenever letter 1 was A, and so one would normally be able,
with 27 messages, to swiftly determine the right table to use.
Had this method been used with the later indicator method used by the other services,
an arbitrary ground setting and a single encipherment, considerably more work would
have been multiplied by a factor of nine, even using the digraph tables that had been
captured. Had the digraph tables been changed more often, that too would have
diminished the usefulness of the indicators, but by then the advanced Bombes in use
eliminated the need to break the indicator system; it would have meant more work, but
their Engima messages would not have become inviolate.
Next
Chapter Start
Table of Contents
Home Page
The Bombe
The Bombe, in its various forms, was a device containing multiple sets of Enigma
rotors that rotated quickly to try all possible positions of the rotors.
Because the Enigma had a plugboard, and because no simple relay circuit would
recognize valid German-language text, even having a device of that nature did not
make it trivial to crack the Enigma machine's cipher. Thus, the Bombe came in
different forms during the life of the cryptanalytic effort against the Enigma.
The Cyclometer
The cyclometer was the first modified Enigma mechanism used in cracking Enigma
ciphers, but it was used to prepare tables in advance, rather than working on
information from a specific day's intercepts.
It consisted of two sets of Enigma rotors connected so as to face one another, and
positioned so that the fast rotor was three positions different in the two sets, the other
rotors being in the same position. A keyboard and lights was also connected to the 26
wires between the rotor sets. A key did not disconnect the light corresponding to it.
The rotors were manually stepped. For each position, one depressed a key, and noted
how many lights lit up, and then depressed a key corresponding to a light that hadn't
yet lit up for that position, until all the letters were divided into groups of different size.
The table thus generated was useful when the indicators of the Enigma were
enciphered twice according to a common ground setting for the entire day.
From the messages intercepted, one could form alphabets based on the indicators.
Since the ground setting was always the same, if the first letter of the starting setting
chosen by the operator was A, the same two alphabets would be applied to it at the
ground setting position and the position three letters later, and so if the indicator was
X-- Q-- for one message, it would be in the form X-- Q-- for every message where A
was the first letter of the starting setting.
Thus, one could compile an alphabet in which X became Q, and so on.
The pattern of that alphabet which would survive changes in the plugboard settings was
its cycle decomposition. That is, an alphabet might be made up of three letters that
stayed the same, two pairs of letters swapped with each other, one group of three letters
in which each letter was replaced by the next one, and so on.
The characteristics of the three alphabets produced from a days indicators would match
three consecutive alphabets in the table produced by the cyclometer, unless the ground
setting was chosen so that the medium rotor moved during the first six letters.
The Polish Bombe
The original form of the Bombe was designed back when the Enigma only had a set of
three rotors to interchange, and when only three wires were connected to the
plugboard, affecting only six out of 26 letters.
It was used against the doubly-enciphered indicator system of the Enigma during the
period when ground settings were chosen at random by the operator, and sent in the
clear with each message.
If one has two "females", indicators where one letter is repeated in the two
encipherments of the actual rotor starting position, and furthermore, they result in the
same letter and are in different positions, which was a common enough occurence
given the volumes of traffic in use, one could proceed as follows:
Connect a voltage to that contact on four rotor sets. Take these in two pairs, each pair
with positions offset by three, and if both pairs, at the same time, produce the same
output letter (that is, both sets in each pair produce the same letter, but the two pairs
may produce a different one) then one has found the right starting position.
This won't work, however, if the letter found in the ciphertext was changed by the
plugboard. The actual machine had six rotor sets, and could take advantage of finding
the same letter in all three possible positions.
The Turing Bombe
The Turing Bombe exploited the fact that messages sent by the Enigma often included
long stretches of probable plain text, particularly the titles, spelled out in full, of
military officers. Since the Enigma never enciphered a letter to itself, it was possible to
find possible exact alignments for such likely phrases, or "cribs".
Let us suppose that, comparing some probable plaintext to matching ciphertext, we find
the following:
The 4th letter of the crib was a plaintext E that was enciphered to N.
The 8th letter of the crib was a plaintext E that was enciphered to X.
The 19th letter of the crib was a plaintext N that was enciphered to X.
These encipherments form a loop. For some position of the rotors, N becomes E at that
position, and then for the position four steps later, E becomes X, and a further 11
positions later, X goes back to E.
Since the Enigma has a plugboard, instead of N, E, and X, one can only say with
certainty that "some letter" becomes "some other letter", which then becomes "yet
another letter", which then goes back to "the first letter".
So, a Turing Bombe worked this way: the three rotors plus the reflecting rotor of an
Enigma were replaced by seven rotors, with a conventional rotor imitating the
reflecting rotor in the middle. For the loop in the example, one would have three such
sets (machines would be working in parallel for every possible rotor order, so as to
avoid taking time to re-order rotors: in fact, one complete set of all 60 orders
constituted a single Bombe at this point) positioned so that when one set was at the
position it was in for the 4th letter of the crib, the next was in the position 4 steps later,
and the next was in the position 15 steps later.
Each set of rotors was connected to the next set by 26 wires in parallel. A voltage was
applied to one of the wires at one point. That wire was chosen to be the wire for the
actual letter found in the crib, so that if that letter was not changed by the plugboard,
the actual closed loop in the crib would be the only part of the circuit reached by the
voltage, and so each of the 26-wire links would have only one live wire.
Otherwise, when the correct position was reached, even if all 25 other wires in each
link were reached by voltage, the actual closed loop would, being closed, be isolated,
and not get voltage.
So a relay circuit checked the 26 wires at one point in the loop, and halted the Bombe
whenever not all 26 wires had voltage (presumably ignoring the times when the rotors
were between positions).
If the notches that caused one wheel to move the next slower wheel had been fixed to
the rotor body, the Turing Bombe would have been simpler to understand, and would
always have worked, since then for any position of the wired rotors, the position of the
rotors a certain number of steps later would be known.
Since the notches were in fact fixed to the alphabet wheel, what was done instead was
to perform the carry from the fast wheel to the medium wheel, and one from the
medium wheel to the slow wheel, at only one position in the apparatus, with
corresponding wheels in all rotor sets linked together. If only the fast wheel was
displaced between rotor sets, the machine worked if the medium wheel did not move
anywhere inside the crib.
One could also displace the medium wheel by one place in some rotor sets to try
different assumptions about where the medium wheel moved.
It might be noted that, since we don't care which letter our test letter was taken to by
the plugboard, a relative displacement of the whole rotor set would make no difference.
Since the reflecting rotor could not even be moved to alternate positions by hand,
however, different rotor positions were absolute, not relative. But if the reflecting rotor
had been settable, the Bombe would not have had to run 26 times longer.
In the example, only a single closed loop was taken from a crib. In fact, a single closed
loop would have stopped the Turing Bombe with too many false alarms, and thus this
Bombe had more than three rotor sets, and was used with cribs that gave more than one
loop, with the loops connected to each other.
The Diagonal Board
The Turing Bombe, as noted, simply looked for cases where some letter became some
other letter, and so on. But the cribs also included information about which letter
became which other letter. Despite the plugboard, there was a way to make use of this
information, and that way was the diagonal board.
Let us begin with the simple 3-letter loop used as an example above: N becomes E
becomes X becomes N.
Let us suppose that E was not modified by the plugboard, for ease of understanding,
and so we apply our voltage to the wire corresponding to E at the point corresponding
to where we encountered E in the plaintext and ciphertext.
Then, E might become X at the point corresponding to X.
On the other hand, X might have been affected by the plugboard. If so, E will become
some other letter, which will become either N or some other letter, which becomes E
again.
Suppose E becomes N, at the point where X was expected.
This means that X and N were switched by the plugboard, and so this N had better
become an X at the point N is expected. Otherwise, an impossible plugboard
arrangement is required, and so the apparent successful hit is a false alarm.
The diagonal board was used to cover all the possibilities of an inconsistency like this.
It was a square matrix of sockets, wired so that column P in the Q row was wired to
row P in the Q column, for every two different letters in addition to P and Q.
The 26 wires for any position in a crib were also connected to the row of the diagonal
board corresponding to the plaintext and/or ciphertext letter that was seen at that
position of the crib. Current going through the wire for that actual letter was not
connected anywhere, but current for a different letter was connected to the row for that
different letter being seen, at the position where the original letter would be actually
encountered.
This provided additional connections. Yet, if the voltage entered the setup at the correct
position, the closed circuit was not extended to other wires; so, if the voltage entered at
another position, the closed circuit still recieved no voltage.
Thus, the Bombe still worked as before, except that it automatically ignored many of
the false alarms for which it had previously stopped.
The "Machine Gun"
An additional device attached to the Turing Bombe to eliminate additional false alarms
performed the following function:
When not all the wires were live, if all the wires but one were live, the voltage was
redirected to that one wire.
Then, all the different letters of the crib were scanned, to ensure that no two letters in
the crib (including both its plaintext and ciphertext forms) which were different would
have had to have been brought to the same letter, instead of to different letters, by the
plugboard for the current bombe position to be valid.
Autoscritcher
Thanks to a Cryptologia article by Cipher A. Deavours, and an earlier paper in IEEE

Annals of the History of Computing, the equipment used for dealing with the rewirable
reflecting rotor has been unveiled as well, at least in part.
For this device, a crib is required where, at several positions, the same plaintext letter
has become the same ciphertext letter.
A Bombe with sets of the three regular rotors only is used to find positions consistent
with this. As the letters can be displaced by the plugboard, all possible pairs of
plaintext and ciphertext letters are tried by external circuitry for each position of the
fast rotor. However, a very good crib is needed for there to be enough detectable
inconsistencies for such an approach to be useful; the article itself notes that the
description must still be incomplete.
Incidentally, I recently found that this page has a very good description of how the
Bombe worked as well.
Next
Chapter Start
Table of Contents
Home Page
The ECM Mark II, also known as SIGABA,

M-134-C, and CSP-889
During World War II, the United States used a rotor machine which was so well
designed that it appears to be immune to any kind of cryptanalysis other than a brute
force attack, offering security somewhat comparable to that which DES very much
later made available in the civilian sector. (Since writing these words, I have noted that,
if one had over a dozen messages enciphered at the same initial rotor setting, which
would be unlikely in practice, it is possible to compare different alphabets produced by
the machine and obtain at least some information about the rotor wirings. From there,
the technique used by Frank Rowlett against the M-228 might allow further progress.)
This machine was originally called the ECM Mark II within the predecessor of the
NSA that developed it. The ECM Mark I was a machine developed by Edward Hebern,
and the ECM Mark III was a machine that, like the Mark II, had irregular rotor
movement, but which achieved it by a simpler system. Edward Hebern was involved
with the development of both the ECM Mark I and the ECM Mark III, while the ECM
Mark II, our present subject, was developed entirely within the U.S. Government. Its
basic principles were originiated within the Army Security Agency, but its the ECM
Mark II itself, in its specific form, was developed within the U.S. Navy.
The basic principle of the SIGABA that made it so strong is the use of additional
rotors, rather than gears, to control the movement of the rotors used to encrypt a
message.
As this excellent design has, very recently, been declassified in its entirety, it has
become possible for you and I to examine and admire it.
The SIGABA contains fifteen rotors, ten of which are conventional 26-contact rotors,
and five of which are smaller rotors with only 10 contacts on each side. These rotors
are divided into three groups.
Five 26-contact rotors, called cipher rotors, encipher or decipher the message being
transmitted in the same way as the rotors in a regular Hebern rotor machine. Any of
them can move after a letter is enciphered; their motion is controlled by electrical
signals.
Another five 26-contact rotors are called control rotors. On the input side, the four
contacts (corresponding to the letters F, G, H, and I) get electricity. On the output side,
the contacts are wired together in nine bunches of various sizes, as follows:
1 B 4 FGH 7 PQRST
2 C 5 IJK 8 UVWXYZ
3 DE 6 LMNO 9 A
These rotors move as if they were controlled by conventional gearing (actually,

electromechanical means are also used to move them, for reasons of parts commonality
or due to patent considerations): the middle one moves one space for every letter
enciphered; the one after it (closer to the output side) moves once for every 26 letters,
and the one before the middle rotor moves once for every 676 letters. When a rotor
changes from the letter O to the letter N is when a carry takes place to the next slower
rotor.
The five 10-contact rotors are called the index rotors. They are only set by hand before
starting to use the machine. Nine of their ten inputs are connected to the nine bunches
of contacts which take the output of the control rotors, and the numbers of the bunches
in the table above show which contact recieves the signal from that bunch. Their ten
outputs are connected together in five pairs, each of which supplies the signal which
controls the advance of the cipher rotors.
The following diagram illustrates the wiring of the SIGABA:

Because exactly four inputs to the control rotors recieved a live signal, at most four of
the cipher rotors could step after any letter was enciphered. Since no signal was ever
thrown away, although the number of live signals could be reduced if two were both
wired together, at least one of the cipher rotors had to step each time.
When using the machine, the ten 26-contact rotors were first set to their starting
positions, which were the ones marked by the letter O instead of the ones marked with
the letter A that one might expect, usually with the aid of an automatic feature in the
machine. It could also be done by hand, but if the user was not careful, one of the
control rotors, particularly one of the two on the outside, could be left in a halfway
position, preventing the cipher rotors from ever moving.
The index rotors, however, were set by hand. Setting them was in a sense easier, or at
least less problematical, and for each day there were three different settings for them,
for three different levels of security classification of the message being sent. The order
of the index rotors apparently was at one time changed each day, but during World War
II the procedure was changed to always leave these rotors in order.
The wiring of the index rotors (or at least a wiring used at one time with the index
rotors) is known, and is as follows:
Input
0 1 2 3 4 5 6 7 8 9
Rotor -------------------
1 7 5 9 1 4 8 2 6 3 0
2 3 8 1 0 5 9 2 7 6 4
3 4 0 8 6 1 5 3 2 9 7
4 3 9 8 0 5 2 6 1 7 4
5 6 4 9 7 1 3 5 2 8 0
These rotors are all wired by the interval method. In addition, it is always the interval -
3 that is duplicated (and therefore the interval +2 that is omitted). And furthermore, the
two wires with interval -3 both always start from two contacts which have exactly one
contact between them.
This means that they all belong to one class of the classes into which a program I wrote
to count the number of interval method wirings for rotors of even size divided the
possible wirings into. As it turns out, rotor wirings recorded for the 26-contact rotors of
machines Edward Hebern made for the U.S. Navy to test had the same structure, which
has led me to suspect that this may also have been true of the 26-contact rotors of the
SIGABA, no actual specimens of which (the wirings, not the rotors) have been
preserved. However, the actual wirings of two rotors for SIGCUM, a telecipher
machine, which were recovered by Frank Rowlett during tests of its security have
survived, and have recently been disclosed, and these rotors were not wired according
to the interval method. Since SIGCUM was manufactured by the same contractor as
SIGABA, and it was also contemporary with the later period of the use of SIGABA,
this seems to be more conclusive.
The keyboard on the SIGABA had a row of digits like the keyboard on a regular
typewriter. While the SIGABA didn't encipher messages containing digits, the keys for
the digits 1 through 5 were used, when the machine was switched to a setup mode, to
advance the control rotors. When sending a message, the operator first picked five
letters at random, which were sent with the message as an indicator. Then, starting
from the OOOOO position, using the 1 to 5 keys, the control rotors were moved to
spell out the five letter indicator, starting with the first control rotor (which the 1 key
moved). Although the mechanical gears that usually moved the control rotors were not
active during this setup mode, each time a number key was pressed, the cipher rotors
moved based on the electrical signal travelling through the control and index rotors in
the same way as during normal encipherment. Thus, the indicator specified a position
for the cipher rotors as well as for the control rotors, but the starting position of the
cipher rotors was, in effect, well encrypted.
When messages were enciphered, the space bar could be used on the keyboard, and
caused the letter Z to be enciphered; on the other hand, the Z key as well as the X key
both caused the letter X to be enciphered. Also, the machine inserted a space after
every five letters enciphered for ease of reading for transmission. For decryption, Z
printed as space, thus restoring the spaces in the original message.
In the postwar period, the CSP-889, as the SIGABA was known in the Navy, was
replaced by a modified version, the CSP-2900. This had some interesting differences.
Six, rather than four, inputs to the control rotors were live. These corresponded to the
letters D, E, F, G, H, and I. Since this meant that all five cipher rotors could move at
the same time, cipher rotors 2 and 4 were changed to move backwards when they
moved, so that if all the rotors moved, they still wouldn't all move in step.
The outputs of the control rotors were now gathered in ten bunches instead of nine, and
the largest connected together only four contacts, not six. Also, three control rotor
outputs were left unused, instead of none, as before. Since the number of discarded
outputs was less than six, it was still true that at least one rotor would always move.
The arrangement was:
0 UV 4 FGH 8 WXYZ
1 B 5 IJK 9 A
2 C 6 LMNO
3 DE 7 ST not connected: PQR
This diagram is modified to illustrate the newer form of the ECM Mark II:
Machines of the ECM Mark II type used for a communications link between the
President of the U.S. and the Prime Minister of the U.K., which was called "POTUS-
PRIME", were operated in a fashion that produced additional security. The five cipher
rotors were set by hand, and apparently so were the control rotors, and the settings for
the cipher and control rotors were taken from a list of thirty five-letter groups for use as
either of cipher rotor settings and control rotor settings, with a three-letter codeword
which was pronounceable and had error-correction properties, for each one. (The two
three-letter codewords were combined into a single six-letter group for transmission.)
Thus, the idea of increasing the SIGABA key length by using a ten-letter indicator was
indeed considered, and it was used, along with the other possible way of achieving
ultimate rotor security, a codebook for message indicators, where circumstances
warranted the extra effort.
This link was used during World War II, and the British were not allowed access to the
American cipher machines at their end at that time.
The SIGABA, or the Electric Code Machine Mark II, was developed before World
War II by people from both the U.S. Army and the U.S. Navy. The story of its
development is a somewhat complicated one. The basic idea of electrically-controlled
rotors was originated by W. F. Friedman, who implemented it in the original M-134
machine, which had five rotors that enciphered text, the motion of which was
controlled by a paper tape. A plugboard was included to vary which channel of the
paper tape controlled which rotor. Frank Rowlett then came up with what could be
considered the core concept of the SIGABA: the idea of using rotors to control the
rotors that enciphered text.
At the time, the U.S. Army had limited funding for the development of new cipher
machines, and thus Friedman and Rowlett embodied this new principle in an add-on
device, called the M-229 or SIGGOO, that connected to the M-134. The M-229 had
three rotors. A six-position switch controlled how these rotors moved (shown as a
plugboard with three plugs and sockets in the diagram). Five inputs to these three
rotors, having the role of the control rotors in the SIGABA, were live. The outputs
were connected together in two groups of five and three groups of four. Here is a
diagram of the combined M-134 and M-229:
Meanwhile, this new idea was conveyed to the cryptological department of the U.S.
Navy as well. Laurence F. Safford and Donald J. Seiler developed the Electric Code
Machine Mark II (Mark I was the Hebern rotor machine) which was essentially the
SIGABA in its final form there. For a period during this development, Army-Navy
collaboration was disrupted by other factors, but when channels were reopened, the
Army group recognized that the ECM Mark II was a superior embodiment of their
ideas, and were happy to accept it as a cipher machine for use by both services.
The source for most of the information on this page is the U.S.S. Pampanito web site,
which has an entry in my Links section.
Next
Chapter Start
Table of Contents
Main Page
Miscellaneous Machine Ciphers

This section looks at a number of cipher machines which are more secure than the
relatively simple devices examined in the first section of this chapter, but which still
can be dealt with in less space.
● The Hagelin B-211

● Sweden's HC-9
● LACIDA
Next
Chapter Start
Table of Contents
Home Page
The Hagelin B-21 and B-211

The Hagelin B-21 makes an interesting use of half rotors for encipherment. It uses a 25-
letter alphabet, and the row and column co-ordinates of each letter are enciphered
separately.
For enciphering, co-ordinate signals entered on the spindle side of a half-rotor with ten
positions. Essentially, it worked like two separate half-rotors with five inputs and
outputs: the odd contacts were wired one way to the five contact strips on the output
side, and the even contacts were wired another way.
The following illustration:
shows how such a half rotor works: the five contact strips on the spindle side are shown
in yellow. Five wires in blue proceed to the rotor side; then these five wires are
connected in a random order to one group of five rotor contacts by green wires, and to
another group by purple wires.
The B-21 had pinwheels of sizes 17, 19, 21, and 23. These advanced one step for each
letter enciphered. An OR (not an XOR), between two pinwheels caused each half rotor
to move one step if the result was a 1.
The B-211, in addition to printing its output on a strip of paper, had two plugboards
with five plugs and five sockets to scramble the five outputs taken from the half rotors.
The arrangement of the B-211 is illustrated below:
The French military used a variation of the B-21 which had a second pair of half rotors.
The extra pair of half-rotors had fifteen rather than ten positions.
Next
Chapter Start
Table of Contents
Main Page
The HC-9
The HC-9 is a handheld mechanical cipher machine used by the Swedish armed forces
during the postwar era.
It is of some interest in that, although it operates by a completely different principle, it

and the original version of the Hagelin lug and pin machine are the only secure modern
cipher machines that are both very compact and of all-mechanical construction.
It behaves as if it contained five pinwheels, of sizes 29, 31, 33, 34, and 35. Each
"pinwheel" advances one space for every letter enciphered, and their outputs are used
to select one of sixteen cipher alphabets as follows: four bits are formed from the five
bits presented by the five sequences by taking the XOR of each pair of adjacent bits.
This result is treated as a four-bit number. Thus, the XOR of the bits from the 29-bit
and 31-bit sequences controls displacing the list of alphabets by eight places.
But instead of pinwheels, the sequences are supplied by a punched card, which sits in
the device and whose large round holes are sensed by little metal fingers inside the
device.
Another replaceable card inside the device gives the sixteen alphabets in use. These
alphabets were all chosen to be reciprocal in practice for ease of use.
Next
Chapter Start
Table of Contents
Home Page
LACIDA
LACIDA, a rotor machine developed in Poland, uses conventional rotors, like a Hebern
machine. However, it is unusual in that its moving rotors come in three different sizes;
with 24, 31, and 35 contacts.
These rotors each move one step with every character enciphered, thus providing a
period of 24*31*35, or characters.
The input alphabet consists of the alphabet with the letters Q and V omitted; the output
alphabet uses all the letters, and all the digits except zero.
The conversion between 24 contacts and 31 contacts, and the conversion between 31
contacts and 35 contacts, are claimed, in the accounts I have read, to be accomplished
by stators: rotors that don't move during encipherment, but which can be set initially to
any position. (The rotors and stators are marked with the alphabet from A to Z, and at
most 26 initial positions are used with any rotor.) In addition, an extra 35 contact rotor
is used as a stator on exit. Originally, I thought that rather odd, as it seemed to require
rotors made of rubber, but because mechanically, the rotors are similar to those of the
Enigma, in that they contain one set of spring-loaded contacts, and a flange that serves
as a gear, upon further reflection I realized that the conversion stators were possible,
and would probably be achieved by placing the teeth on their gear flange at somewhat
irregular positions.
Next
Chapter Start
Table of Contents
Home Page

Here, we have met a series of cipher systems that are fascinating in their intricacy. Most of them, however, share
many common features.
The Hill Cipher and the Bazeries Cylinder are the unusual members of this group in that they deal with several
characters at once.
Putting them aside, the other designs reflect the relative difficulty of incorporating any kind of memory in a simple
electrical or mechanical device.
Rotor machine usage illustrates an elaboration of the concept of a key to a cipher system. In addition to a general
method of enciphering, cipher systems require a key that is easily changed. This allows many messages to be sent in
a given system, while the number of messages enciphered in exactly the same way is kept limited by varying the key.
In the case of rotor machines, the key is split up into three parts, which are treated differently.
There are the rotor wirings. These are difficult to change, but they are worth keeping secret, and do need to be varied
periodically.
The order of rotors in the machine, and other settings depending on the type of the machine (index rotor settings in
the SIGABA, plugboard and alphabet ring settings in the Enigma) are changed perhaps each day, on the basis of a list
of daily keys which is distributed once a month.
The initial setting of rotors for a given message is also a part of the key. This part, however, is sent with the message,
perhaps in some way encrypted, as it is chosen randomly for each message by the operator of the rotor machine. (It is
often termed a message indicator, which is prefixed to a message along with a system indicator which identifies the
particular type of cipher used or the particular family of keys used.)
This same kind of multi-level key structure can be found in modern block ciphers, despite the fact that they operate
on very different principles. The contents of S-boxes can be thought of as at least potentially subject to change, and
therefore as corresponding to rotor wirings. The key proper is secret, and must be somehow distributed like a rotor
order. For many block cipher modes, an initialization vector is required, which functions like a message indicator.
Thus, rotor ciphers illustrate how care must be taken, for a system that will be used widely, to limit the number of
messages that will be sent with the same key, and to vary as much of the key as often as is feasible. So, the parts of
the key that are harder to vary are varied less often.
The different strengths of the different types of rotor cipher also teach us something about good cipher design.
The fact that the SIGABA stands head and shoulders above the other devices here illustrates the importance of
allowing elements in a cipher design to have the power to scramble the plaintext, and yet having these elements do so
in an indirect way, so that even with matching plaintext and ciphertext, their values are hard to determine.
The Enigma and the Bazeries cylinder shared a very serious weakness; since no letter can represent itself, it is easy to
align probable plaintext with enciphered messages. One apparently simple way to eliminate this weakness would be
to use columnar transposition on the ciphertext produced by such a device.
While that would create a very strong cipher, since the ciphertext produced by a Bazeries cylinder, let alone an
Enigma, is so scrambled that it would seem there would be little in the way of clues for breaking the transposition
cipher, such methods do not tend to be often used. That is because a pencil and paper transposition cipher is tedious
to perform, thus negating the advantage of using a machine for cryptography in making encryption quick and
efficient. Also, encrypted messages are often sent over the radio in Morse code. The problems caused by garbled
letters are magnified by a cipher of this type. However, as long as cipher letters are transmitted in five-letter groups,
and the total number of letters in a message is sent with every message, a garbled letter in the ciphertext would still
imply only one garbled letter in the plaintext, so such a method is not completely impractical.
For two of the systems covered in this chapter, an interesting question arises for the first time. For the Bazeries
cylinder, instead of a random arrangement of letters on the disks, a Latin square is used to improve resistance to the
de Viaris attack. For rotor machines, rotors wired according to the interval method may be used, to maximize the
variety in the alphabets produced by each rotor as it rotates.
The question arises: is good better than random? One way to look at it is to view any constraints on permutations as
part of the system of a cipher, part of what is needed for it to work properly; and to compare the cipher in that form to
one without the constraint, to evaluate whether a larger choice of keys, or the possibility of a design weakness
without the constraint, is a more serious problem.
While these examples seem to be ones in which the use of an optimum sequence is justified, there can be cases where
the reverse is true.
Sometimes, fairly poor sequences are used for paper-and-pencil digraph encipherment tables. Instead of an
arrangement of all 676 digraphs, one winds up performing an encipherment which is equivalent to reversing every
pair of letters, and then alternating between two cipher alphabets.
Obviously, a random table of digraphs is much better than this. One might not be sacrificing much if one used a table
that was reciprocal, since otherwise one would need two tables, one for enciphering and one for deciphering.
The advantage of a random table is that changing one cipher letter almost always changes both cipher letters.
It is possible to use a special form of table where changing one cipher letter is guaranteed to change both cipher
letters:
A aa xe bq wx hn qs my cm jn td zc yr di sl vw nz gu ck ep lo fj kf pb ut rg iv
B qc bb xf cr ax io rt ny dn ko ue zd ys ej tm wa oz hv dl fq mp gk lg vu sh jw
C mh rd cc xg ds bx jp su oy eo lp vf ze yt fk un ab pz iw em gr nq hl wv ti ka
D im ni se dd xh et cx kq tv py fp mq wg zf yu gl vo bc qz ja fn hs or aw uj lb
E ps jn oj tf ee xi fu dx lr uw qy gq nr ah zg yv hm wp cd rz kb go it ba vk mc
F ju qt ko pk ug ff xj gv ex ms va ry hr os bi zh yw in aq de sz lc hp cb wl nd
G iq kv ru lp ql vh gg xk hw fx nt wb sy is pt cj zi ya jo br ef tz md dc am oe
H ne jr lw sv mq rm wi hh xl ia gx ou ac ty jt qu dk zj yb kp cs fg uz ed bn pf
I vz of ks ma tw nr sn aj ii xm jb hx pv bd uy ku rv el zk yc lq dt gh fe co qg
J hi wz pg lt nb ua os to bk jj xn kc ix qw ce vy lv sw fm zl yd mr eu gf dp rh
K fv ij az qh mu oc vb pt up cl kk xo ld jx ra df wy mw ta gn zm ye ns hg eq si
L ot gw jk bz ri nv pd wc qu vq dm ll xp me kx sb eg ay na ub ho zn yf ih fr tj
M yg pu ha kl cz sj ow qe ad rv wr en mm xq nf lx tc fh by ob vc ip zo ji gs uk
N zp yh qv ib lm dz tk pa rf be sw as fo nn xr og mx ud gi cy pc wd jq kj ht vl
O kr zq yi rw jc mn ez ul qb sg cf ta bt gp oo xs ph nx ve hj dy qd ae lk iu wm
P bf ls zr yj sa kd no fz vm rc th dg ub cu hq pp xt qi ox wf ik ey re ml jv an
Q sf cg mt zs yk tb le op gz wn sd ui eh vc dv ir qq xu rj px ag jl fy nm kw bo
R gy tg dh nu zt yl uc mf pq hz ao te vj fi wd ew js rr xv sk qx bh km on la cp
S ln hy uh ei ov zu ym vd ng qr iz bp uf wk gj ae fa kt ss xw tl rx ci po mb dq
T dj mo iy vi fj pw zv yn we oh rs jz cq vg al hk bf gb lu tt xa um sx qp nc er
U tx ek np jy wj gk qa zw yo af pi st kz dr wh bm il cg hc mv uu xb vn rq od fs
V wo ux fl oq ky ak hl rb za yp bg qj tu lz es ai cn jm dh id nw vv xc sr pe gt
W xd ap vx gm pr ly bl im sc zb yq ch rk uv mz ft bj do kn ei je oa ww ts qf hu
X eb fc gd he if jg kh li mj nk ol pm qn ro sp tq ur vs wt au bv cw da xx yy zz
Y rl sm tn uo vp wq ar bs ct du ev fw ga hb ic jd ke lf mg nh oi pj qk yz zx xy
Z ck dl em fn go hp iq jr ks lt mu nv ow pa qb rc sd te uf vg wh ai bj zy xz yx
The digraphs in this table form a Graeco-Latin square of order 26. Something that Euler conjectured was impossible.
A Graeco-Latin square of order 6 is impossible. For larger numbers of the form 4n+2 for some integer n, a special
construction is required to create Graeco-Latin squares, which was only discovered in 1960. The square shown above
is, of course, constructed according to the method given in the original paper by Bose, Shirikande, and Parker.
While the Graeco-Latin square above could be dressed up to make it look more random, by applying a simple letter
substitution to its contents (three letters are special, but they don't have to be x, y, and z) and rearranging rows and
columns, it would seem that choosing such a square, instead of a random one, for a digraphic substitution would not
be a sensible idea.
However, as a mixing step, perhaps even an unkeyed mixing step, inside a block cipher with a long key in other
areas, Graeco-Latin squares may still be useful. This, in fact, is the subject of a patent for a technique called Balanced
Block Mixing, held by Terry Ritter. Also note that odd order, or order 4n, both allow a much larger number of
Graeco-Latin squares than order 4n+2.
Next, we can look at some elaborate rotor machine designs that combine the principles and original ideas of the rotor
machine designs we have examined in this chapter.
● Fantastic Rotor Machines

● Child's Play
● Irregular Rotor Movement
Next
Chapter Start
Table of Contents
Main Page
Fantastic Rotor Machines

Of course, many different encryption principles have been seen in the devices covered in this chapter. One could
imagine combining many of these techniques in a single elaborate device, such as the following:
The heart of this device is two pairs of two half rotors, each pair with one with five inputs and ten outputs and
one with five inputs and fifteen outputs, as in the improved French version of the B-211.
The coordinates for each letter of the alphabet are varied by preceding and following that part of the device by
three conventional rotors. Almost conventional, that is, since these rotors all have two duplicate concentric sets
of wiring, so that each letter is connected to its home in both row and column. Note that since these rotors have
26 positions, one letter bypasses the B-21 -like part of the device.
And to top it all off, these six rotors are advanced by means of a SIGABA-like setup. Obviously too bulky and
expensive to build out of real electromagnetic components, and yet fascinating.
Here is an example of an interesting rotor machine design using some of the ideas suggested by the design of the
Uhr Box:
The arrangement for rotor motion is of interest. With each letter enciphered, a pinwheel is used to select whether
rotor 2 or rotor 4 moves. Rotor 3 moves whenever a notch on either of those rotors is advanced, and then it
advances rotor 5, which advances rotor 1, normally. Given multinotched rotors, this produces a fairly irregular
movement with only one pinwheel.
However, the main unusual feature of the design is the way the rotors are wired.
As may not be readily apparent from the diagram, unless you are familiar with the conventions I've used in
previous diagrams in this chapter, the rotors have two concentric rings of 26 contacts on each side.
Rotors 1, 2, 4, and 5 are wired like this:
● The 26 contacts in the outer ring on one side are connected in a jumbled fashion to the 26 contacts in the
outer ring on the other side.
● The 26 contacts in the inner rings are divided into 13 odd contacts and 13 even contacts. The 13 odd
contacts in the inner ring on one side are connected in a jumbled fashion to the 13 odd contacts in the
inner ring on the other side, and the same applies to the 13 even contacts on both sides.
The middle rotor connects the 26 contacts in the outer ring on one side to the 13 odd contacts of the inner rings
on both sides, and the 26 contacts in the outer ring on the other side to the 13 even contacts of the inner rings on
both sides.
Plaintext enters through the contacts on the outer ring on the left side of the rotor stack, and ciphertext leaves
through the contacts on the outer ring on the right side.
On each side of the rotor stack, a plugboard controls the reflection of the odd contacts of the inner ring to the
even contacts of the inner ring.
When a letter is enciphered, its signal first passes through the outer rings of rotors 1 and 2 in a normal rotor
machine fashion.
Then, rotor 3 sends the signal through the inner rings, either of rotors 2 and 1 or of rotors 4 and 5, through their
odd (or even) contacts, to be reflected back through the even (or odd) contacts of rotors 1 and 2 or rotors 5 and 4.
And then rotor 3 takes the reflected signal, and sends it through the outer rings of rotors 4 and 5 to continue in a
normal rotor machine fashion.
There is some potential for additional flexibility in the design; for example, it would still work if the two
plugboards were cross-wired (but not if they were merged into one), and the specially-wired rotor used as rotor 3
does not absolutely have to be in the central position.
In the section on the Enigma, I noted that if one shorted the indicator lights with diodes, it would be possible to
attach the rotors to the lamps instead of the keys. This would allow one to design an Enigma in which the rotors
could be switched from being connected to the keys or the lamps, so that a plugboard could be placed between
the keys and the lamps. In this way, enciphering and deciphering would both be possible, but a letter could
represent itself.
This diagram illustrates how this principle could be taken to its ultimate conclusion. On the left hand side of the
keyboard and lampboard, a letter is being shown as being enciphered, and on the right hand side a letter is shown
as being deciphered. Note how the polarity needs to be taken into account in enciphering mode, so that the
diodes across the lamps do not prevent normal Enigma-like operation.
Here are a couple of other attempts to construct elaborate rotor machines combining principles we've seen in
previous examples. The first also uses rotors with two concentric rings of 26 contacts, but this time the two sets
of contacts are wired differently, not in parallel.
The cipher rotors act a bit like those in the Enigma; the plaintext letter causes electricity to go from left to right,
and then the signal returns, going right to left, to produce the ciphertext letter. However, the returning signal uses
the second set of contacts, and so the cipher is not reciprocal.
The general structure of the machine is like the SIGABA; but the extra set of contacts in the control rotors is
used to provide an ever-changing "reflecting rotor" for the cipher rotors.
The following (originally done for use as a background, with different colors) illustrates a double-sized
SIGABA. However, five of the signals controlling the ten cipher rotors are created somewhat differently, using a
method from a rotor-based telecipher machine, the SIGCUM, which we will encounter later.
The five new control signals have some poor properties, but they nicely complement the SIGABA-type ones,
since they have an exact 50% probability of being active.
Changing the wiring a bit (and making more rotors electrically controlled) gives us this:
While it has the drawback that the SIGABA-style superior control rotors may occasionally remain immobile,
because only the SIGCUM-style ones have unused output contacts, this design causes five of the ten cipher
rotors to be controlled by a set of control rotors (the SIGABA-style ones) that are themselves controlled by
control rotors (the SIGCUM-style ones) also used to directly control the other five cipher rotors. Not explicit in
the diagram is a timing issue requiring a more basic redesign; in the original SIGABA, the cipher rotors move in
response to the control rotor position at one time, and the control rotors advance at another time, requiring two
clock phases; as the SIGABA-style control rotors can't move simultaneously with either the SIGCUM-style
control rotors or with the cipher rotors, we now need three clock phases.
A simpler construct, based on the SIGABA, is illustrated below:
which is simply how I, and perhaps others, imagined the SIGABA might have worked after reading a brief
description of it by David Kahn from about 1980, and seeing the first pictures of it that were released some years
later. Since the actual design didn't involve the five ten-contact rotors moving, this design would have been even
more expensive to build.
Next
Chapter Start
Table of Contents
Main Page
Child's Play
The M-134 and the M-229, as described in the section on the SIGABA rotor machine,
have suggested to me the idea of a very flexible style of rotor machine, one which
could even be used, if made from plastic, as an educational children's toy!
As a toy, the heart of it would be three rotor machines of the type diagrammmed below.
These machines consist of a bank of five rotors. At each end, there is a plugboard like
that of the Enigma, but using standard phono plugs. Beyond the plugboard, on each
side, there is a 26-contact connector used to connect a keyboard and a lampboard, only
one of each being included in the set. The keyboard would also have a 26-contact
connector; plugging the lampboard into that connector would allow the Enigma to be
simulated.
The machine would use rotors that have plastic slip rings on the outside with bumps to
control rotor motion, signalling a carry from one rotor to the other. The rotors and the
rings would both be reversible.
The complement of rotors provided would be:
● Four unnumbered dummy rotors, wired straight through. (white)

● Six randomly wired rotors in two sets of three identical rotors, numbered from 1
to 2. (grey)
● Six randomly wired rotors in three sets of two identical rotors, numbered from 3
to 5. (grey)
● Ten randomly wired rotors, each of which is different, numbered from 6 to 15.
(grey)
● Five rotors wired by the interval method, each of which is different, numbered
from 16 to 20. (red)
● Three identical reflecting rotors, which have no contacts on one side, but which
otherwise fit in the same space as a regular rotor. (green)
● Three rotors with a symmetrical wiring that produces the same permutation
going through the rotor as is provided by reflection in the reflecting rotor. (blue)
● Six rotors in two sets of three identical rotors, wired so as to be mirror images of
the grey rotors numbered 1 and 2, also numbered from 1 to 2. (purple)
All the slip rings would have only one bump on one side. They would have multiple
bumps on the other side, and there they would differ.
● Five identical slip rings, with three bumps on the other side. (yellow)
● Five slip rings, with five bumps on the other side, each one having a different
arrangement, and numbered from 1 to 5. (green)
● Five identical slip rings, with seven bumps on the other side. (blue)
As noted, the plugboards on the device use phono plugs, and work like that on the
Enigma, so that straight-through wiring is the default when no plugs are inserted.
The cables provided with the machine will have the forms illustrated in this diagram:
Although it may not be obvious, the first cable crosses over the two parts of the
contact. The complement of cables would be:
● 52 cables with phono plugs at both ends, with crossover wiring like those of the
Enigma. (grey)
● 52 cables with phono plugs at both ends, and parallel wiring. These will
primarily be used when connecting different machines together. (red)
● 93 cables with a phono plug at one end, accompanied by a socket for a banana
plug, and a stackable banana plug (like the ones on cables made by Pomona
Electronics) on the other end. These allow arbitrary permutations to be set up.
93 is 78 plus 18, so that one set is provided for each machine, plus six extra for
the wheel advance section, with its smaller plugboard using the same connector.
The kit would include plans for many projects, starting with a Hebern rotor machine,
going on to an Engima, and then the SIGABA, and even a small Turing bombe for use
against a two-rotor Enigma. (Maybe that would require some additional pieces not
mentioned here. And, of course, I'd have to come up with a way to manufacture an
economical diagonal board.)
U. S. Patent 6097812 has recently been granted on the design used in the M-138 (and
M-138-T2 and M-138-A) cipher machine, and this design combines the M-138 with
the M-228 and M-229, and hence is likely to be affected by this patent.
Next
Chapter Start
Table of Contents
Main Page
Irregular Rotor Movement

In this chapter, we have seen some examples of rotor machines with very irregular rotor movements.
The SIGABA achieved very irregular rotor movement by a uniquely strong method, using the changing jumbled
maze of wires in a part equivalent to a complete conventional rotor machine to supply electrical signals
controlling the seemingly random stepping of rotors in what amounted to a second conventional rotor machine for
enciphering the letters of the text.
The Swiss NEMA cipher machine achieved irregular rotor movement by accompanying each rotor with an
adjacent rotating ring, which had notches on it that inhibited that rotor's movement. The rings always moved,
except for two rings that were sometimes prevented from moving by a second set of notches on the first rotor's
ring.
Also, U. S. Patent 4,143,978, filed on May 4, 1938, but only issued on March 13, 1979, with inventors Bern
Anderson and Donald J. Seiler, describes a machine which made use of five pinwheels with 25 positions to control
the five rotors with 26 positions. This patent appears to be for the ECM Mark I, which was the design which
preceded the ECM Mark II, also known as the SIGABA.
And, of course, the Enigma A and Enigma B had a very irregular rotor movement at the dawn of the rotor era, by
having each rotor controlled by its own cam, and each cam having a number of positions relatively prime to all the
others. Had the cams been resettable pinwheels, the design would have been quite impressive indeed.
Descriptions of a later rotor machine imply that it achieved irregular rotor stepping based on a principle we will
see later in the descriptions of the Siemens T-52d and T-52e Geheimschreiber telecipher machines:
Given three or more pinwheels or cams, each of which produces a sequence of binary bits as it rotates, bits from
each pinwheel (perhaps sensed at a different position on the cam than the bits used for the purpose of
encipherment) could be used to control the movement of other pinwheels.
Although this seems like a compromise of the potential security of a rotor machine, using the rotors to step
themselves instead of having a separate set of pinwheels or cams to control stepping has the major advantage of
making it simpler to set up the machine for an encipherment.
But if one tries to do this in the simplest way, just using one pinwheel to cause another to step, what is there to
prevent all the pinwheels from coming to a position where they are producing a zero value for their stepping
output, so that they will all stay in one position thereafter?
The Siemens Gehemschreiber prevented this by a scheme that looked something like this, illustrated with five
cams labelled A, B, C, D, and E:
A steps if D or (not E)
B steps if E or (not A)
C steps if A or (not B)
D steps if B or (not C)
E steps if C or (not D)
In this illustration, the output from each cam forces the stepping of one other cam, and the complement of that
output forces the stepping of a third cam. This ensures that some stepping will always take place.
In this case, as the bits from the cams are also used to encipher a binary signal by being XORed with it, active and
inactive positions on the cams need to be close to equal in number. Since each cam steps based on the OR of two
inputs, this means that the cams step about 3/4 of the time.
Since outputs from those cams are used for encipherment as well, they should step almost all the time. While
occasional failures to step can make the bit sequence irregular, bits that do not change also allow plaintext patterns
to be visible.
The Lorenz Schlusselzusatz, which used two sets of five pinwheels, one which always moved, and another set
which moved, or remained still, in unison, half the time either way, based on a more conventional scheme
involving control from two other pinwheels, was cryptanalyzed with the aid of the early electronic calculating
device COLOSSUS partly because the patterns of the constantly moving pinwheels were visible when the other
ones did not move. (The fact that 5-level teleprinter code is designed so that 0 bits strongly outnumber 1 bits, to
prevent mechanical wear and tear and to make paper tape less fragile, also was an important factor.)
In a rotor machine, however, moving even one rotor completely scrambles the cipher alphabet it provides. If each
rotor moved with probability 1/2, then each new alphabet would be from the largest and most uncertain possible
set of alternatives.
Could the principle used in the T-52 be modified to produce movement with probability 1/2, and yet still ensure
continual movement which will not cease to involve any of the rotors?
The first scheme I came up with to do this is illustrated by the following diagram:
It may be easier to understand with the diagram shown below and to the right:
Using seven rotors in this example, I first start with four live inputs,
which are turned into eight outputs having a 50-50 chance of being
live by being redirected by the active teeth on four of the rotors.
This is shown in the diagrams above and to the right by a red wire,
carrying a live input from the power supply, being switched to four of
eight wires by four switches, each controlled by a rotor. In the
diagram to the right, this is the first layer of the circuit, shown in the
leftmost column.
Then, six of these eight signals, in pairs from different rotors, are
swapped (or not) under the control of three other rotors.
One of the two remaining signals is selected by means of an extra pole

in the switch under one of the first four rotors.
The swapping and the selection is always done under the control of a
rotor which was not involved in determining if either signal used as
input was live. The color scheme in the diagrams is chosen to make
that clear. In the diagram to the right, this is the second layer of the
circuit, shown in the middle column.
The seven output signals then control the stepping of the rotors.
Again, as the colors help to make visible, each signal is directed to a
rotor that had no part in its creation, in either the first or the second
layers.
With reference to the color scheme in the diagrams:
Green: Two signals controlled by rotors 1 and 2 are then swapped

under the control of rotor 6. The two resulting signals control the
movement of rotors 4 and 7.
Dark Blue: Two signals controlled by rotors 3 and 4 are then swapped
under the control of rotor 5. The two resulting signals control the
movement of rotors 1 and 6.
Purple: Two signals controlled by rotors 1 and 3 are then swapped under the control of rotor 7. The two resulting
signals control the movement of rotors 2 and 5.
Gray: Two signals controlled by rotors 2 and 4 then have one signal selected from them under the control of rotor
1. The resulting signal controls the movement of rotor 3.
This basic principle, with little change, would work with any odd number of rotors, starting with five.
The specific arrangement in the diagrams shown above was selected to minimize wire crossings in the original
(horizontal) diagram, so that it would be as legible as possible, and, with the rotors labelled in order from left to
right as A, B, C, D, E, F, and G is:
A steps if (D and E) or (C and (not E))

B steps if ((not C) and G) or ((not A) and (not G))
C steps if ((not D) and A) or ((not B) and (not A))
D steps if (B and F) or (A and (not F))
E steps if ((not C) and (not G)) or ((not A) and G)
F steps if (D and (not E)) or (C and E)
G steps if (B and (not F)) or (A and F)
where the control signal different from the others is the one stepping rotor C.
Since we start with eight signals, four of which are active, and swap them in pairs, only in one case selecting only
one of two signals to use, half the time four rotors will advance, and the other half of the time three rotors will
advance.
With an even number of rotors, of course, the same principle could be applied even more simply, without the need
for one control signal to be different from the others.
But many other arrangements are also possible. An arrangement based on a slightly different principle is shown
here:
Here, each rotor is controlled by the OR of the AND of two independent inputs, so, based on each rotor having
half of its teeth present and half of them absent, causing each signal and its complement to be active half the time,
the chance of any one rotor moving on average is 7/16 rather than 1/2.
We start by creating seven signals. To ensure that at least one rotor will always move, two of them are the signal
from one rotor and its complement; the other five are the signals from five other rotors.
Then, we change these seven signals into fourteen signals, by switching them to one of two destinations, and the
output from each of the seven rotors is used to perform one such switch.
Finally, the wired-OR of two of these signals controls one rotor that had no direct part in creating it.
Here, from one to six rotors will always move, creating more possibilities for the next rotor position. However, as
we will see at the start of the following chapter, a 3 out of 7 code contains 35 entries, so with seven rotors rather
than five, having only 3 or 4 rotors move each time already creates more than twice as many possibilities as are
needed.
The actual arrangement in the diagram shown, again chosen for clarity, with the rotors labelled as A, B, C, D, E,
F, and G from left to right, is:
A steps if (B and D) or (E and (not G))

B steps if (C and E) or (F and (not A))
C steps if (D and F) or ((not A) and (not B))
D steps if (E and G) or (A and (not C))
E steps if (F and A) or (B and (not D))
F steps if ((not A) and B) or (C and (not E))
G steps if (A and C) or (D and (not F))
While these arrangements will certainly produce rotor movements that seem jumbled and unpredictable, it is not
immediately clear how long the period of such rotor motions might be; it might be only a few times larger than the
number of positions on a rotor.
Here is an example of a slightly more complicated setup, based on the same general principles.
Essentially, the wiring is the same as the first example, (although the ordering of the connections has been
changed slightly, as indicated by the reversal of the colors green and blue in one portion of the diagram) but in
addition, one signal is created using the scheme in the second example, and a switch controlled by rotor 4
determines whether that signal, shown in dark green, or the normal signal following the pattern of the first
example, shown in purple, is fed to rotor 5.
The sections of the diagram have been labelled.
The first three sections show the switches which operate as in the first example.
Section 1 shows the four switches which, given the live signal as input, produce eight outputs, four of which are
active.
Section 2 shows six switches, wired so as to swap three pairs (shown by blue, green, and purple wires) of signals
from the first four switches.
Section 3 shows one switch, which selects between the two remaining signals from the first four switches to
provide the seventh output signal.
The next two sections show the new wiring which creates an alternate signal that can be used to step rotor 5,
following the principle shown in the second example.
Section 4 shows two switches, fed the live input, which produce two outputs, each of which may be active or not.
Section 5 shows two switches, fed those two outputs, producing two outputs which are only have as likely to be
active, and which are then joined by a wired-OR.
The final section selects the signal to use to advance rotor 5.
Section 6 shows one switch, which selects between the output from section 5 or one of the outputs from section 2.
Again, labelling the rotors from left to right as the letters A through G, the logic of the wiring in the diagram is
equivalent to:
A steps if ((not D) and F) or ((not C) and (not F))

B steps if (C and G) or (A and (not G))
C steps if (B and (not A)) or (D and A)
D steps if ((not B) and E) or ((not A) and (not E))
E steps if (( (C and (not G)) or (A and G) ) and (not D)) or
((((not F) and B) or (G and C) ) and D)
F steps if ((not B) and (not E)) or ((not A) and E)
G steps if ((not D) and (not F)) or ((not C) and F)
Note that the signal controlling the stepping of rotor E is a function of whether an active or inactive tooth position
is found on all six other rotors.
One could even use, with a suitable rearrangement of rotor assignments in one case, the complete wiring
arrangements of both the first and second examples, with their outputs connected together in a wired-OR, and a
single switch controlling whether the live input goes to the first or second circuit. However, even if the first or
second examples would prove too simple, such a drastic remedy should not be required. Instead, the example
above should be sufficiently complex to correct the problem, because although only the stepping of rotor 5 (or E)
is made more complex in this example, it in turn affects the stepping of all the other rotors.
Other arrangements, based on the more conventional scheme of moving rotors like the wheels on an odometer,
which guarantees the maximum possible period, could be produced which also result in a fairly irregular
movement of the rotors.
Incidentally, before proceeding, it is very important to clarify the difference between the situation which I have
denoted in my schematic diagrams by and the situation which I denote by in a diagram. In the first
case, a tooth on one rotor causes another rotor to move only once, when the first rotor moves into the position
distinguished by that tooth. In the second case, a tooth on one pinwheel, or cam, or even a rotor, causes the next
one to move with the encipherment of each letter for as long as the first pinwheel remains in the position
associated with that tooth.
While the first type of movement is usually accomplished mechanically, the control rotors of the SIGABA and the
rotors of the M-228 and M-229 moved this way under electrical control. The second type of movement seems like
an obvious consequence of electrical control: a wheel that is in different positions turns a switch on and off
depending on what position it is in. So how can the first type of movement also be electrical?
This diagram illustrates the difference between the arrangements required for the two types of motion. The large
teeth shown in green correspond to the 26 normal positions of the rotor, where a tooth may be either present or
absent. The small teeth shown in red are located between rotor positions, so that a tooth, if present, will move
across the sensing position as the rotor advances from one position to the next.
For the first type of motion, pulses occur when the rotor that is their source is moving, and so it is reasonable that
another rotor would move when a pulse of electricity is switched on. Making a rotor move only one step per pulse
seems like only a small mechanical detail.
For the second type of motion, instead of an elaborate approach involving storing the
signals sensed from the rotors in a buffer, what is necessary is, first of all, that the
live inputs to the circuit are actually timing pulses, and, so that the rotors will not
move while their positions are being sensed, rotors should move just after the
trailing edge of a pulse. This can be achieved by having the pulse go through a
solenoid, pulling a lever back which is then restored to its original position by a
spring after the pulse ends, with a rachet mechanism causing the lever to advance the
rotor it controls only on its return journey: this is a very common and standard
mechanical arrangement, illustrated in the diagram at left. Since the device also
supplies a gentle push to the sawtooth gear when moving in the "wrong" direction, a
conventional ratchet mechanism, which is not shown in the illustration, is also
required to keep that gear moving only one way (although in some cases, friction
may be sufficient).
For the other case, the same mechanical arrangement could be used, although in that case, having the rotor
advance on the leading edge of the pulse would be appropriate, as it would avoid unnecessary delay. This would
involve reversing the positions of the electromagnet and the spring in the diagram above, and in that case, the
spring would not have to be as strong, since it would only return the mechanism to position instead of also having
to push on the gear. A similar mechanism, rather than a small motor, is likely to be found in those quartz clocks
and quartz watches that have hands instead of a numeric display.
Now that this is clarified, let us examine a more complicated design based on the first type of rotor motion.
Instead of having just one notch or tooth on a rotor, any number of teeth that is relatively prime to the number of
positions on the rotor, if used in an odometer-style arrangement, would still produce a maximal period, since when
one rotor returns to its original position, the rotor it advances will be in a spot from which it will only return to its
original position at the same time that the rotor preceding it returns to its original position after being advanced 26
times if it is a 26-position rotor, even if it has also passed through its original positions at different times several
times before then.
Another thing that would not interfere with a maximum period would be for a rotor participating in such an
arrangement to also be advanced any number of times for each revolution of a rotor which preceded the rotor
directly controlling it. All such advances would ultimately cancel out, being a multiple of 26 or other rotor size,
over a full revolution of the rotor immediately preceding the rotor.
I would diagram such an arrangement in this fashion:
One important thing, to avoid problems with a mechanical version of this design, and to ensure that maximum
period is achieved, is that the teeth used to advance a later rotor must never be in the same position as the teeth
used to advance the next rotor.
Of course, to achieve both a guaranteed long period, and a more irregular sequence of motions, one could combine
both types of rotor motion, the first type, or transition-driven advance, and the second type, or state-driven
advance, in a single design.
Thus, we might have two groups of rotors, ABCDE and GHIJK, which are connected for state-driven advance,
and in addition, rotor E might drive rotor F, and rotor F might drive rotor G, using transition-driven advance.
Is it possible to combine a guarantee of long period with irregular rotor movement from the same source?
Obviously, one could use five cams to produce an irregular motion, and another five cams to produce motion with
a period equal to the product of their lengths. But can things be arranged so that the period is guaranteed to reflect
all the items used, and yet the motion is irregular as well? Already, we've seen in my example of a transition-
driven design with extra further forward carries one way to do this, but while the period is guaranteed, the motion
is only irregular to a limited extent.
Would the SIGABA have a guaranteed period of 26 to the tenth power if it were modified as shown in this
diagram:
Here, all ten of the rotors are shown as being advanced by a conventional rotor mechanism, in addition to the
cipher rotors being advanced by the unique control signals of the SIGABA. Instead of showing an OR gate
controlling input to the rotor stepping mechanism, two separate symbols for rotor advance are shown, one behind
the other. This indicates that, to ensure maximum period, I think it would be necessary to use different clock
phases for the two types of rotor advance, so that it would be possible, if both systems of rotor advance would
cause a rotor to advance, for that rotor to step twice. However, when one rotor advances due to a control signal, it
would also have to cause conventional carries. But this separation of phases would then occur without (a certain
kind of) special effort, since the control rotors cannot be moving when the cipher rotors are moving in response to
the control signals which have passed through their wiring.
One way that it seems obvious it is safe to combine transition-driven and state-driven rotor advance would be
through something like this:
Here, superimposed on a conventional transition-driven odometer-like rotor advance, earlier rotors are also
driving later rotors, further down the chain, but based on their state, not on transitions. Again, it seems that over a
full cycle of transition-driven advances, the extra state-driven advances should cancel out, not affecting the overall
period, even if they provide additional movement in the interim.
Next
Chapter Start
Table of Contents
Main Page
This page is about a dark and mysterious subject. (Or, more
accurately, and for fairness' sake, a subject with a dark and mysterious
reputation.) A subject that is fascinating both for the air of mystery
that has surrounded it, and because of the complexities and intricacies
which are unavoidably part of its subject matter.
My little book about cryptography:
This series of pages has information about a large number of cipher systems. So far, the
coverage of cryptanalysis is quite limited, though.
Direct link to full table of contents

Direct link to start
This page covers a wide range of topics. None of the

things described on this page are, of course, secret
today, although some were secret until fairly recently.
It only mentions, here and there, a few things about

breaking ciphers; it is mostly concerned with the various
kinds of ciphers people have used. Except where
unavoidable, the use of mathematics has been kept to a
strict minimum. It begins with ciphers that only require
pencil and paper to apply, and it continues with
electrical and mechanical cipher machines of the type
used during World War II, both the rotor machines and the
machines used with teletypewriters. Then, it continues on
into the computer age, with a discussion of block ciphers
like DES and then proceeds further, attempting to make
understandable the advanced topic of public-key
encryption which has made the use of encryption practical
under circumstances where it had never been practical
before. Finally, it addresses other miscellaneous topics
relating to cryptography, such as data compression and
key management.
This site now contains a very useful table of powers of integers that uses frames.
Also, this page is still under construction.
Although there is no space for an archived version of the entire site, there is one, which
may not be fully up to date at any given time, at this location.
I have many interests, such as old science-fiction TV shows, and easy listening music
from Tin Pan Alley.
One interest, cryptography, is dealt with at length on this site.
Items covering a number of other topics as well are at the following location:
http://members.xoom.com/quadibloc/index.html
At that site are charts for some methods of storing Chinese characters. Here in this site,
you can find a space habitat design, a discussion about going to Mars, a tall building
design, a page about signal flag systems as used by ships, a map projection, several
topics concerning mathematics: (an explanation of the mathematical notion of infinity,
a discussion of Gödel's proof and the halting problem, an explanation of two famous
equations, a diagram of the rotations of a dodecahedron, a page about pentagonal
tilings, a page about Archimedian solids, a little page about the fourth dimension), an
attempt to explain the Einstein-Podolsky-Rosen experiments, and a discussion of the
Eldredge-Gould theory of punctuated equilibria some color charts, an example of a
computer architecture, a discussion of the musical scale, a couple of comments about
chess, and three pages about calendars: (perpetual calendars for the Gregorian calendar
which show not only the day of the week, but also the position of the day in the
Chinese sexagesimal cycle of days, a luni-solar calendar, and a simplified calendar
proposal), and, finally, a page containing some handy unit conversions.
Links to Other Sites Other Topics
Highlights of the Cryptography

Pages
Needless to say, any trademarks referenced are the property of their respective owners,
and are used here only for purposes of identification.
As this series of web pages contains some ideas and speculations about how to design
and implement ciphers, readers are notified that I am not engaging in providing
professional advice in these pages, and are advised to seek the direct advice of a
competent professional before embarking on projects using cryptography.
Copyright (c) 1998, 1999, 2000 John J. G. Savard

The Lorenz Schlusselzusatz

The Lorenz SZ-40 and SZ-42 cipher machines were widely used by German forces
during World War II. It was primarily to break this machine's cipher that the British
devised what is now considered the world's first electronic computing machine, the
once-secret COLOSSUS.
It had twelve pinwheels, all of which could have all their pins set by the user. Ten of
these pinwheels formed two groups of five, and one wheel from each group inverted its
corresponding plaintext bit when a pin was active on it.
The wheels of the first group had sizes 41, 31, 29, 26, and 23. Those of the second
group had sizes 43, 47, 51, 53, and 59.
Two additional wheels were of size 37 and 61. The wheels of the first group, and the
wheel with 61 positions, advanced one position with every letter enciphered. When the
current pin on the 61-position wheel was active, the wheel with 37 positions advanced
one space. When the current pin on the 37-position wheel was active, then the wheels
of the second group advanced one space.
The following diagram illustrates the workings of the Lorenz Schlusselzusatz:
Although the SZ-40 appears to be a simple design, and a very similar design proposed
by Col. Parker Hitt, but without the feature that the stepping of five wheels was
irregular, was shown to be insecure, the British found breaking SZ-40 messages to be a
more difficult problem than breaking Enigma messages. Some cribs were available that
helped them to break into the system; part of the difficulty seems to have come from
the limited availability of resources, and another part from the lack of captured
equipment and tables: for example, the list giving numbers representing wheel settings
was never captured, while the bigram tables for the Enigma were.
The machines used in cracking messages on the Lorenz Schlusselzusatz, known as

HEATH ROBINSON and COLOSSUS, have been described to a limited extent in the
open literature. A paper by F. L. Carter, in "Cryptography and Coding", the
proceedings of the 6th IMA International Conference, from December, 1997, gave
significant additional details of how COLOSSUS was used.
HEATH ROBINSON, named after a British cartoonist who, like Rube Goldberg in the
U.S., was famous for his drawings of elaborate contraptions (although the styles of the
two artists were very different), worked by comparing the holes punched in two paper
tapes, one containing an intercepted message, and one containing a reproduction of part
of the sequence of bits the pinwheels of an SZ-40 might be expected to generate. The
tapes were padded with nulls to make them of relatively-prime length, and HEATH
ROBINSON indicated at what point in the motions of both tapes a correlation between
the two was found. This required the two tapes to move synchronously, and so the
sprocket holes had to be used, which limited the speed at which the tapes could move.
COLOSSUS was built to improve on HEATH ROBINSON by generating the SZ-40

stream cipher output, or the portion thereof used for testing (such as the output of the
five always-moving wheels) electronically. This way, the tapes could be moved on
pulleys, at very high speeds, without any problems. A glass mask with lens-shaped
patterns was used so that the light shining through the round holes on the paper tape
would produce an approximation to a square wave. Thus, the paper tape, in addition to
supplying input data, actually supplied the clock signal for COLOSSUS' internal logic.
Apparently, in generating the pattern which a second paper tape provided on HEATH
ROBINSON, COLOSSUS was capable of some sort of conditional branching, on
which its claim (having been first installed in December 1943) to being the first
electronic computer rests.
The paper by Carter sheds considerable light on the cryptanalytic principles behind
COLOSSUS. The 5-level code used for teletypewriters was designed to minimize
mechanical wear and tear; hence, the codes for the most frequent letters E and T, as
well as the code for the space, consisted of a single 1 bit and four zeroes. This meant
that zeroes predominated in the plaintext, and in addition, it meant that for any two
characters in succession, corresponding bits in them were more likely than not to be the
same. (Of course, this characteristic of the plaintext was weaker than the higher
frequency of zeroes.)
Since one set of pinwheels in the SZ-40 did not advance with every character
enciphered, this meant that when two succeeding cipher characters had a corresponding
bit that changed, then it was likelier than not that the fast pinwheel for that bit was at a
point where two adjacent pins were in different positions, and when two succeeding
cipher characters had a corresponding bit that stayed the same, then the probability that
the fast pinwheel had two similar pins was also increased. (Since the slow pinwheels
did move half the time, this correlation was again weakened, but it still existed.)
Because the pin settings for the fast pinwheel were chosen so that like and unlike pairs
of pins were as close to being equally likely as possible, it was not possible in practice
to correlate a single pinwheel at a time, but correlations involving pairs of pinwheels
were easier. (At first, this appears odd, since, the fast wheels all having relatively prime
periods, they are independent. However, since all the slow pinwheels either move or
not at the same time, a search for correlations in two wheels at once could improve its
effectiveness by giving more weight to an observation in one wheel which takes place
when another wheel is in the more common change or no-change state for its part of
the period of that fast wheel.) An abbreviated notation was used to specify types of
tests to be run with COLOSSUS: one test was a simple correlation on two particularly
favored pinwheels; other tests searched for common pairs of characters, such as space-
figures shift, or figures shift-period. In some messages, doubled letters were quite
common, and there was a test that looked for them as well.
There is also a paper by W. T. Tutte, one of the cryptanalysts who worked on messages
enciphered by the Schlusselzusatz at Bletchley Park, now available on the site of Frode
Weierud that details the early days of the cryptanalysis of the Schlusselzusatz,
codenamed Tunny by the British. That source notes the following:
Originally, the machine was used with a 12-letter indicator, which contained initial
positions for all twelve pinwheels without encryption (e.g. under a "ground setting").
Each letter stood for an initial position, and the wheels had only 25 positions which a
letter could indicate, except, of course, for the wheel with only 23 positions.
The initial analysis which allowed the British to determine the basic principles of the
Sclusselzusatz was aided by the reciept of some pairs of messages enciphered with the
same starting positions, including one re-encipherment of a long message with changes
in word spacing and punctuation with exactly the same indicator.
In 1943, the Germans switched to using a number as an indicator, which was assumed
to signify a 12-letter combination from a list. Later, they switched from changing
pinwheel settings once a month to changing them each day, and they also modified the
machine so that the wheels in the second group, instead of having their irregular
motion controlled only by the 37 and 61 pinwheels, had that motion depend on a
function of the pinwheels that moved with each character, or on the previous plain text
(thus employing the autokey principle). However, the five wheels that stepped with
every character continued to do so, and although the five slow wheels were controlled
differently, they still either all moved or all stayed still, so the existing cryptanalytic
approaches remained valid.
Next
Chapter Start
Table of Contents
Main Page
Error-Correcting Codes
After text has been compressed, and even more so after it has been encrypted, the resulting output is random in appearance.
This makes it easy to make mistakes in handling it, and hard to see errors if they are introduced through electrical noise on a
communications link or any similar cause.
Thus, even if redundancy is removed as far as is possible before encryption by means of data compression, after encryption is
complete, it becomes desirable to put redundancy back in, to give resistance to errors.
There are mathematical techniques, given an arbitrary text, to add more symbols to it in a way that gives resistance to a
specific number of errors. Since they depend only on the input text, if the ciphertext is used as input, this kind of added
redundancy does not help the cryptanalyst, except by giving both him and the legitimate recipient a copy of the ciphertext that
is more likely to be accurate.
Thus, telegraph codes were designed so that an error in a single letter of a codeword, or switching two adjacent letters in a
codeword, would not result in another valid codeword, by the use of tables such as this:
AA AB AC AD AE AF AG AH AI AJ AK AL AM AN AO AP AQ AR AS AT AU AV AW AX AY AZ A&
BB BC BD BE BF BG BH BI BJ BK BL BM BN BO BP BQ BR BS BT BU BV BW BX BY BZ B& BA
CC CD CE CF CG CH CI CJ CK CL CM CN CO CP CQ CR CS CT CU CV CW CX CY CZ C& CA CB
DD DE DF DG DH DI DJ DK DL DM DN DO DP DQ DR DS DT DU DV DW DX DY DZ D& DA DB DC
EE EF EG EH EI EJ EK EL EM EN EO EP EQ ER ES ET EU EV EW EX EY EZ E& EA EB EC ED
FF FG FH FI FJ FK FL FM FN FO FP FQ FR FS FT FU FV FW FX FY FZ F& FA FB FC FD FE
GG GH GI GJ GK GL GM GN GO GP GQ GR GS GT GU GV GW GX GY GZ G& GA GB GC GD GE GF
HH HI HJ HK HL HM HN HO HP HQ HR HS HT HU HV HW HX HY HZ H& HA HB HC HD HE HF HG
II IJ IK IL IM IN IO IP IQ IR IS IT IU IV IW IX IY IZ I& IA IB IC ID IE IF IG IH
JJ JK JL JM JN JO JP JQ JR JS JT JU JV JW JX JY JZ J& JA JB JC JD JE JF JG JH JI
KK KL KM KN KO KP KQ KR KS KT KU KV KW KX KY KZ K& KA KB KC KD KE KF KG KH KI KJ
LL LM LN LO LP LQ LR LS LT LU LV LW LX LY LZ L& LA LB LC LD LE LF LG LH LI LJ LK
MM MN MO MP MQ MR MS MT MU MV MW MX MY MZ M& MA MB MC MD ME MF MG MH MI MJ MK ML
NN NO NP NQ NR NS NT NU NV NW NX NY NZ N& NA NB NC ND NE NF NG NH NI NJ NK NL NM
OO OP OQ OR OS OT OU OV OW OX OY OZ O& OA OB OC OD OE OF OG OH OI OJ OK OL OM ON
PP PQ PR PS PT PU PV PW PX PY PZ P& PA PB PC PD PE PF PG PH PI PJ PK PL PM PN PO
QQ QR QS QT QU QV QW QX QY QZ Q& QA QB QC QD QE QF QG QH QI QJ QK QL QM QN QO QP
RR RS RT RU RV RW RX RY RZ R& RA RB RC RD RE RF RG RH RI RJ RK RL RM RN RO RP RQ
SS ST SU SV SW SX SY SZ S& SA SB SC SD SE SF SG SH SI SJ SK SL SM SN SO SP SQ SR
TT TU TV TW TX TY TZ T& TA TB TC TD TE TF TG TH TI TJ TK TL TM TN TO TP TQ TR TS
UU UV UW UX UY UZ U& UA UB UC UD UE UF UG UH UI UJ UK UL UM UN UO UP UQ UR US UT
VV VW VX VY VZ V& VA VB VC VD VE VF VG VH VI VJ VK VL VM VN VO VP VQ VR VS VT VU
WW WX WY WZ W& WA WB WC WD WE WF WG WH WI WJ WK WL WM WN WO WP WQ WR WS WT WU WV
XX XY XZ X& XA XB XC XD XE XF XG XH XI XJ XK XL XM XN XO XP XQ XR XS XT XU XV XW
YY YZ Y& YA YB YC YD YE YF YG YH YI YJ YK YL YM YN YO YP YQ YR YS YT YU YV YW YX
ZZ Z& ZA ZB ZC ZD ZE ZF ZG ZH ZI ZJ ZK ZL ZM ZN ZO ZP ZQ ZR ZS ZT ZU ZV ZW ZX ZY
M N O P Q R S T U V W X Y Z & A B C D E F G H I J K L AA BB CC
DD EE FF GG HH II JJ KK LL MM NN OO PP QQ RR SS TT UU VV WW XX YY ZZ
N O P Q R S T U V W X Y Z & A B C D E F G H I J K L M A& BA CB
DC ED FE GF HG IH JI KJ LK ML NM ON PO QP RQ SR TS UT VU WV XW YX ZY
O P Q R S T U V W X Y Z & A B C D E F G H I J K L M N AZ B& CA
DB EC FD GE HF IG JH KI LJ MK NL OM PN QO RP SQ TR US VT WU XV YW ZX
P Q R S T U V W X Y Z & A B C D E F G H I J K L M N O AY BZ C&
DA EB FC GD HE IF JG KH LI MJ NK OL PM QN RO SP TQ UR VS WT XU YV ZW
Q R S T U V W X Y Z & A B C D E F G H I J K L M N O P AX BY CZ
D& EA FB GC HD IE JF KG LH MI NJ OK PL QM RN SO TP UQ VR WS XT YU ZV
R S T U V W X Y Z & A B C D E F G H I J K L M N O P Q AW BX CY
DZ E& FA GB HC ID JE KF LG MH NI OJ PK QL RM SN TO UP VQ WR XS YT ZU
S T U V W X Y Z & A B C D E F G H I J K L M N O P Q R AV BW CX
DY EZ F& GA HB IC JD KE LF MG NH OI PJ QK RL SM TN UO VP WQ XR YS ZT
T U V W X Y Z & A B C D E F G H I J K L M N O P Q R S AU BV CW
DX EY FZ G& HA IB JC KD LE MF NG OH PI QJ RK SL TM UN VO WP XQ YR ZS
U V W X Y Z & A B C D E F G H I J K L M N O P Q R S T AT BU CV
DW EX FY GZ H& IA JB KC LD ME NF OG PH QI RJ SK TL UM VN WO XP YQ ZR
V W X Y Z & A B C D E F G H I J K L M N O P Q R S T U AS BT CU
DV EW FX GY HZ I& JA KB LC MD NE OF PG QH RI SJ TK UL VM WN XO YP ZQ
W X Y Z & A B C D E F G H I J K L M N O P Q R S T U V AR BS CT
DU EV FW GX HY IZ J& KA LB MC ND OE PF QG RH SI TJ UK VL WM XN YO ZP
X Y Z & A B C D E F G H I J K L M N O P Q R S T U V W AQ BR CS
DT EU FV GW HX IY JZ K& LA MB NC OD PE QF RG SH TI UJ VK WL XM YN ZO
Y Z & A B C D E F G H I J K L M N O P Q R S T U V W X AP BQ CR
DS ET FU GV HW IX JY KZ L& MA NB OC PD QE RF SG TH UI VJ WK XL YM ZN
Z & A B C D E F G H I J K L M N O P Q R S T U V W X Y AO BP CQ
DR ES FT GU HV IW JX KY LZ M& NA OB PC QD RE SF TG UH VI WJ XK YL ZM
& A B C D E F G H I J K L M N O P Q R S T U V W X Y Z AN BO CP
DQ ER FS GT HU IV JW KX LY MZ N& OA PB QC RD SE TF UG VH WI XJ YK ZL
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z & AM BN CO
DP EQ FR GS HT IU JV KW LX MY NZ O& PA QB RC SD TE UF VG WH XI YJ ZK
B C D E F G H I J K L M N O P Q R S T U V W X Y Z & A AL BM CN
DO EP FQ GR HS IT JU KV LW MX NY OZ P& QA RB SC TD UE VF WG XH YI ZJ
C D E F G H I J K L M N O P Q R S T U V W X Y Z & A B AK BL CM
DN EO FP GQ HR IS JT KU LV MW NX OY PZ Q& RA SB TC UD VE WF XG YH ZI
D E F G H I J K L M N O P Q R S T U V W X Y Z & A B C AJ BK CL
DM EN FO GP HQ IR JS KT LU MV NW OX PY QZ R& SA TB UC VD WE XF YG ZH
E F G H I J K L M N O P Q R S T U V W X Y Z & A B C D AI BJ CK
DL EM FN GO HP IQ JR KS LT MU NV OW PX QY RZ S& TA UB VC WD XE YF ZG
F G H I J K L M N O P Q R S T U V W X Y Z & A B C D E AH BI CJ
DK EL FM GN HO IP JQ KR LS MT NU OV PW QX RY SZ T& UA VB WC XD YE ZF
G H I J K L M N O P Q R S T U V W X Y Z & A B C D E F AG BH CI
DJ EK FL GM HN IO JP KQ LR MS NT OU PV QW RX SY TZ U& VA WB XC YD ZE
H I J K L M N O P Q R S T U V W X Y Z & A B C D E F G AF BG CH
DI EJ FK GL HM IN JO KP LQ MR NS OT PU QV RW SX TY UZ V& WA XB YC ZD
I J K L M N O P Q R S T U V W X Y Z & A B C D E F G H AE BF CG
DH EI FJ GK HL IM JN KO LP MQ NR OS PT QU RV SW TX UY VZ W& XA YB ZC
J K L M N O P Q R S T U V W X Y Z & A B C D E F G H I AD BE CF
DG EH FI GJ HK IL JM KN LO MP NQ OR PS QT RU SV TW UX VY WZ X& YA ZB
K L M N O P Q R S T U V W X Y Z & A B C D E F G H I J AC BD CE
DF EG FH GI HJ IK JL KM LN MO NP OQ PR QS RT SU TV UW VX WY XZ Y& ZA
L M N O P Q R S T U V W X Y Z & A B C D E F G H I J K AB BC CD
DE EF FG GH HI IJ JK KL LM MN NO OP PQ QR RS ST TU UV VW WX XY YZ Z&
A miniature version of such a code construction table is shown in The Codebreakers by David Kahn, but here I've put the last
two letters of the codeword in alphabetical order in the rows of the square on the lower right, since a code compiler would
want to generate codewords in alphabetical order. The row of the top square, and the column of the square on the lower right,
which contain digraphs beginning with &, are omitted, since those are unused if codewords from a 26-letter alphabet are
wanted.
Valid codewords consist of two letters from the top, a letter from the lower left, and two letters on the lower right, such that
the single letter shares the same column as the pair of letters from the top and the same row as the pair of letters from the
lower right. The use of an extra dummy letter & is required to avoid codewords differing only by a swap of two adjacent
letters. The middle square can start with any letter; here it is started with M to indicate that this feature can be used to produce
codewords different from those in someone else's code.
For example, given a string of bits, a single bit which contains the parity of that string of bits can be appended to it. In that
case, if the result is transmitted, and exactly one bit is in error in what is recieved, the parity will be wrong, and the fact that an
error has taken place will be detected.
Another simple example would be to transmit one's message three times. For every group of three corresponding bits from the
three copies of the message, if exactly one error takes place in communications, that error can be corrected, because of the
three recieved copies of that bit, two will be correct, and only one will be wrong.
These are the two trivial examples of perfect codes: adding a parity bit, and repeating each bit a certain number of times.
If we confine ourselves to the even parity form of a parity bit, both these codes can be represented by matrices:
A parity bit:
1 0 0 0 0 0 0 0 1
0 1 0 0 0 0 0 0 1
0 0 1 0 0 0 0 0 1
0 0 0 1 0 0 0 0 1
0 0 0 0 1 0 0 0 1
0 0 0 0 0 1 0 0 1
0 0 0 0 0 0 1 0 1
0 0 0 0 0 0 0 1 1
Triple repetition:
1 1 1
In general, matrix multiplication works like this: introduce the numbers which are the elements of the vector being multiplied
from the left, starting with the first one on the top; for each bit in that row, calculate the product of the number introduced
from the side with the number in the matrix; then, after all the products have been calculated, total them down the columns to
obtain the output.
For error-correcting codes illustrated by matrices, it is the bits of the message that are introduced from the left. Then, an AND
is performed (rather than a multiplication) between them and the bits of the matrix, and the results are accumulated by an
XOR going down the columns (rather than addition).
Illustrating this in the case of a parity bit applied to a nybble:
1 0 0 0 1
1 --> 1 0 0 0 1
0 1 0 0 1
0 --> 0 0 0 0 0
0 0 1 0 1
1 --> 0 0 1 0 1
0 0 0 1 1
1 --> 0 0 0 1 1
-------------------
1 0 1 1 1
As this is a code applied to a binary signal, all arithmetic is done modulo 2 (hence, 1+1+1 = 1 instead of 3).
Just using parity bits can allow correcting errors. One way to do this is to have both a parity bit for each byte of data, and a
parity byte that results from the XOR of all the data bytes. If there is one error, the byte it is in is indicated by the parity bit for
that byte, and the bit it is in is indicated by which byte of the final parity byte shows the wrong parity.
A simple way to obtain row and column parity for a sequence of characters on a computer would be to add three parity
characters to a line of 49 7-bit characters on this basis:
● Start with three seven-bit accumulators, initialized to zero.

● With each character read, modify the three accumulators as follows:
❍ XOR the character to the first accumulator, and rotate it right one bit.
❍ XOR the character to the second accumulator, and rotate it left one bit.
❍ XOR the character to the third accumulator, and after every seven characters, rotate it right one bit.
This would allow one single-bit error in a line to be found and therfore corrected, as follows:
33333X3-----*------*------*------*------*------*- ==?
----2-13333*3*----2-1----2-1----2-1----2-1----2-1 ===
1--2---1--2---*33*3331--2---1--2---1--2---1--2--- ?==
-12-----12-----12----3**3333-12-----12-----12---- ===
-21-----21-----21-----21----3**3333-21-----21---- ===
2--1---2--1---2--1---2--1---2--1---*33*3332--1--- =?=
----1-2----1-2----1------1-2----1-2----1-23333*3* ===
The X is at the only point where the three lines of bits marked by 1, 2, and 3 all coincide. Note that the asterisks mark points
where two of them cross. Assuming the shifts after a byte is XORed in even take place after the last byte, the question marks
indicate where the three parity characters would show the wrong parity if there was an error at the point marked by the X.
It is easier to do this for 7-bit characters because 7 is an odd number, but it can also be done for 8-bit bytes, simply by rotating
only one accumulator by one bit for each byte, and not rotating one accumulator at all, as follows:
33313333---1-------1-------1-------1-------1-------1-------1---- ==?
----1---3333*333----1-------1-------1-------1-------1-------1--- ===
22222*2222222*22*****X**22222*2222222*2222222*2222222*2222222*22 =?=
------1-------1-------1-333333*3------1-------1-------1-------1- ===
-------1-------1-------1-------13333333*-------1-------1-------1 ===
1-------1-------1-------1-------1-------*33333331-------1------- ?==
-1-------1-------1-------1-------1-------1------3*333333-1------ ===
--1-------1-------1-------1-------1-------1-------1-----33*33333 ===
However, approaches based only on using parity bits are unsophisticated, and more efficient ways of correcting and detecting
multiple errors can be found if more sophisticated codes are used.
Another class of error-correcting codes are called Hamming codes. No longer trivial, these codes are also perfect, which
means they add exactly enough redundancy to a group of input bits to detect and correct a certain number of errors.
Note that this perfection applies to one particular situation, where errors occur randomly among bits. Where there is a
tendency for bits close together in a message to be in error together, this being called a burst error, other strategies are needed.
One common way of dealing with this is simply to apply conventional error-correcting codes to widely-separated bits at equal
intervals in a message. This, or the strategy of applying the error-correcting code first, and then spreading out the bits of each
output group, is called interleaving.
In a Hamming code, after the group of bits being encoded, the extra parity bits are formed by allocating every combination of
those bits with two or more of them equal to 1 to each bit position in the input. Hence, changing one bit in the input always
changes at least three bits in the word with error-correction added. Since no two rows in the error-checking part of the matrix
are identical, changing two bits in the input still results in a three-bit change at least; thus, the number of bits difference (or the
Hamming distance) between possible outputs (valid codewords) is a minimum of three.
A parity bit can be added to a Hamming code; the result is another perfect code, this time with a four-bit change resulting
from any change in the input.
The Hamming distance between valid codewords tells us how much error-checking we have. If there is no error-checking
added, each different input still gives a different output, for a distance of 1. If the distance is 2, one error can be detected, as is
the case for the code that just adds one parity bit. If the distance is 3, as for repeating a bit three times, or the basic Hamming
code without a parity bit added, one error can be corrected.
The error-correcting capabilities of an error-correcting code are given by the Hamming distance between codewords, but it is
possible to choose how to make use of them. For example, if we repeat every bit three times, we can either choose to accept
011 as standing for 1, hence correcting one error when it occurs, but being fooled if two errors happen, or we can choose to
discard it, accepting only 000 and 111. Thus, a Hamming distance of 3 can be used either to correct one error, or to detect two
errors. A distance of 4, such as obtained by a Hamming code with a parity bit, or by repeating a bit four times, allows
correcting one error and detecting two errors, or detecting up to three errors.
Some Hamming codes are:
1 0 0 0 0 1 1
0 1 0 0 1 0 1
0 0 1 0 1 1 0
0 0 0 1 1 1 1
1 0 0 0 0 0 0 0 0 0 0 0 0 1 1
0 1 0 0 0 0 0 0 0 0 0 0 1 0 1
0 0 1 0 0 0 0 0 0 0 0 0 1 1 0
0 0 0 1 0 0 0 0 0 0 0 1 0 0 1
0 0 0 0 1 0 0 0 0 0 0 1 0 1 0
0 0 0 0 0 1 0 0 0 0 0 1 1 0 0
0 0 0 0 0 0 1 0 0 0 0 0 1 1 1
0 0 0 0 0 0 0 1 0 0 0 1 0 1 1
0 0 0 0 0 0 0 0 1 0 0 1 1 0 1
0 0 0 0 0 0 0 0 0 1 0 1 1 1 0
0 0 0 0 0 0 0 0 0 0 1 1 1 1 1
1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1
0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1
0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0
0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 1
0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1 0
0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0
0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 1
0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 1 0
0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1 0 0
0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 0 0
0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1
0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1 1
0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 1
0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 1 0 0 1 1
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 1 0 1 0 1
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 1 0 1 1 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 1 0 0 1
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 1 1 0 1 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 1 1 1 0 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 1 1 1 1
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 1 0 1 1 1
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 1 1 0 1 1
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 1 1 1 0 1
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 1 1 1 1 0
0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1
Since a Hamming code, as shown, can only correct one error, decoding is simple:
● Take the data portion of the recieved codeword (the portion that should just contain the unmodified input data), and
place it through the Hamming code again. If there is a perfect match between the error-checking part of the recieved
block and the error-checking part of the one now generated, or if there is no more than one bit difference, the data as
recieved is assumed to be correct.
● If there are two or more bits of difference, find the row in the matrix where those bits are 1 bits in the error checking
part. The data bit which is passed through by a 1 on the diagonal in the data part of the matrix is the one in error.
This, of course, assumes that the transmitted block actually was subjected to no more than one error. When a parity bit is
added to the Hamming code, decoding is modified slightly:
● If parity is correct, decode the first part of the block, but accept the result only if no errors are found. (In this case, the
block is assumed to have been recieved correctly.)
● If parity is wrong, decode the first part of the block, and accept the result if either no errors are found (here, the error is
assumed to be in the parity bit itself), or if one error is found (and therefore corrected).
These are just one particular form for each of the three Hamming codes shown. Rearranging the rows or columns, or certain
other modifications, will not change the ability of the code to be used to detect or correct errors. Replacing one row of the
matrix by the XOR of itself and another row is allowed, because that will result in the matrix generating exactly the same set
of codewords, but they will be generated in some cases for different inputs.
There are a number of other codes used for error detection and correction. Examples of codes used in the same kind of form as
used with Hamming codes include Hadamard codes and Reed-Muller codes. These codes all add slightly more redundancy
than is required for the error-checking they seek to attain.
An example of a Hadamard code looks like this:
1 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0
1 0 1 0 1 0 1 0 0 1 0 1 0 1 0 1
1 1 0 0 1 1 0 0 0 0 1 1 0 0 1 1
1 0 0 1 1 0 0 1 0 1 1 0 0 1 1 0
1 1 1 1 0 0 0 0 0 0 0 0 1 1 1 1
1 0 1 0 0 1 0 1 0 1 0 1 1 0 1 0
1 1 0 0 0 0 1 1 0 0 1 1 1 1 0 0
1 0 0 1 0 1 1 0 0 1 1 0 1 0 0 1
These codes are obtained by a procedure similar to that used to create fractal designs:
1 1 1 1
1 1 1 0 1 0
1 0 - becomes -->
1 1 0 0
1 0 0 1
applied as many times as desired, and then the result has its complement appended to it. Mariner 9 used the code of this type
that occupies a 32 by 64 matrix. This method only generates Hadamard codes of orders which are powers of 2. Hadamard
codes and matrices of many other orders which are multiples of 4 are also known, and it is conjectured, but not yet proven,
that one exists for every such order. These Hadamard codes are obtained by other, more difficult methods.
Only one other perfect code for binary signals is known, the binary Golay code. It takes a 12-bit input, and adds 11 error-
checking bits to it. Like the Hamming codes, an extra parity-check bit can be added, and the code remains perfect.
A modified form of the Golay code with parity bit added, so that the parity bit is no longer explicitly visible, is shown in a
book by two of the three co-authors of the Handbook of Applied Cryptography, and an equivalent form, modified by some
rearrangement of rows and columns (to obtain a shifting of the cyclic 11 by 11 portion of the error-checking matrix, and to put
the row and column of 1 bits in a more conventional position) is shown here:
1 0 0 0 0 0 0 0 0 0 0 0 1 0 1 1 0 1 1 1 0 0 0 1
0 1 0 0 0 0 0 0 0 0 0 0 0 1 1 0 1 1 1 0 0 0 1 1
0 0 1 0 0 0 0 0 0 0 0 0 1 1 0 1 1 1 0 0 0 1 0 1
0 0 0 1 0 0 0 0 0 0 0 0 1 0 1 1 1 0 0 0 1 0 1 1
0 0 0 0 1 0 0 0 0 0 0 0 0 1 1 1 0 0 0 1 0 1 1 1
0 0 0 0 0 1 0 0 0 0 0 0 1 1 1 0 0 0 1 0 1 1 0 1
0 0 0 0 0 0 1 0 0 0 0 0 1 1 0 0 0 1 0 1 1 0 1 1
0 0 0 0 0 0 0 1 0 0 0 0 1 0 0 0 1 0 1 1 0 1 1 1
0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 1 0 1 1 0 1 1 1 1
0 0 0 0 0 0 0 0 0 1 0 0 0 0 1 0 1 1 0 1 1 1 0 1
0 0 0 0 0 0 0 0 0 0 1 0 0 1 0 1 1 0 1 1 1 0 0 1
0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 0
In this code, the minimum Hamming distance between valid codewords is eight; without the parity bit, it would be seven.
A distance of seven allows either correcting three errors, correcting two errors and detecting four errors, correcting one error
and detecting five errors, or detecting six errors.
A distance of eight allows either correcting three errors and detecting four errors, correcting two errors and detecting five
errors, correcting one error and detecting six errors, or detecting seven errors.
Examine the error-checking portion, the second square half, of the matrix for the Golay code shown above. The right and
bottom edges consist of all ones except for a zero where they meet.
The remaining 11 by 11 square consists of the sequence 10110111000 repeated in every row, but shifted one space to the left
in each row. This sequence contains exactly six one bits, an even number.
The matrix is symmetric, hence unchanged when flipped around the diagonal running from the top left to the bottom right.
Hence, the fact that every row contains an odd number of 1 bits, the last row ANDed with any other row produces a row with
six one bits, and any two of the first 11 rows, when combined by an AND, produces a rotated version of one of the following
strings:
10110111000 and 01101110001 = 00100110000 (3 bits)
10110111000 and 11011100010 = 10010100000 (3 bits)
10110111000 and 10111000101 = 10110000000 (3 bits)
10110111000 and 01110001011 = 00110001000 (3 bits)
10110111000 and 11100010110 = 10100010000 (3 bits)
10110111000 and 11000101101 = 10000101000 (3 bits)
10110111000 and 10001011011 = 10000011000 (3 bits)
10110111000 and 00010110111 = 00010110000 (3 bits)
10110111000 and 00101101110 = 00100101000 (3 bits)
10110111000 and 01011011100 = 00010011000 (3 bits)
preceded by a single 1 bit, means that, using modulo 2 arithmetic, the error-checking matrix in the code as represented here is
its own inverse. (If it weren't for that extra zero, a different decoding matrix would be required, and a slightly more
complicated version of the decoding procedure given below would be required.) Because of the symmetry around the
diagonal, this is true both in the usual convention for matrix multiplication (numbers go in from the top, and come out on the
right) and the one used for error-correcting codes (numbers go in from the left, and come out on the bottom). For more
information on matrix multiplication, see the section concerning the Hill Cipher.
This helps to make it practical to check a codeword formed by this code, and then transmitted, for errors. The following
procedure will find the correct original 12-bit input if there were three or fewer errors in the transmitted 24-bit block, or it will
fail if there were four errors. (With more than four errors, of course, it can be fooled.)
● First, take the first half, and put it through the code, to see what the codeword would have looked like, if the first half
containing the actual data happens to be perfectly without error. Since we are able to correct up to three errors, if the
error-checking part of this result differs by no more than three bits from what was recieved, all the errors (if any)
happened in the error-checking part, so the data as recieved can be accepted.
● Second, take the second half, and put it through the code. Since the error-checking part of the matrix is its own inverse,
the error-checking half of the result will be what the data was supposed to have been, if the error-checking half of the
block was recieved perfectly without error. If that result differs by no more than three bits from what was recieved in
the data portion of the block, then the data as recovered from the error-checking part can be accepted.
● Third, consider the possibility that there were errors in both the data and error-checking part of the block. With three
errors it is possible that there could be one error in one of the two parts of the block, and two errors in the other part.
So, decoding continues by a limited amount of trial and error. Here, we will assume that exactly one bit in the data
portion of the block is in error. Thus, we will take the data portion of the block, and for each of the 12 bits of it in turn,
we will invert that bit, put the result through the code, and compare the error-checking portion of the result with that
recieved. If the result is two or fewer errors in the error-checking portion then the right bit has been found, and the data
portion with the bit you flipped is correct.
● Fourth, assume that exactly one bit in the error-checking portion of the block is in error, and for each of the 12 bits in
the error-checking portion, invert that bit, apply the code to the result, and compare the error-checking portion of the
output to the data portion of the recieved block. If two or fewer errors are found, then the data calculated from the error-
checking portion with one flipped bit contains the correct data.
Another perspective on the binary Golay Code, which I also found understandable, is contained in this thesis. In the form of
the Golay Code given above, eleven rows are cyclic, and one special, in the error-checking matrix; in the form discussed in
that thesis, all twelve rows are equivalent, but as they relate to the faces of a dodecahedron, there is no way to put them in a
cyclic order.
The form of the Golay code discussed there is:
1 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 1 1 1 1 1 1
0 1 0 0 0 0 0 0 0 0 0 0 0 1 0 1 1 0 0 0 1 1 1 1
0 0 1 0 0 0 0 0 0 0 0 0 0 0 1 0 1 1 1 0 0 1 1 1
0 0 0 1 0 0 0 0 0 0 0 0 0 1 0 1 0 1 1 1 0 0 1 1
0 0 0 0 1 0 0 0 0 0 0 0 0 1 1 0 1 0 1 1 1 0 0 1
0 0 0 0 0 1 0 0 0 0 0 0 0 0 1 1 0 1 0 1 1 1 0 1
0 0 0 0 0 0 1 0 0 0 0 0 1 0 1 1 1 0 1 0 1 1 0 0
0 0 0 0 0 0 0 1 0 0 0 0 1 0 0 1 1 1 0 1 0 1 1 0
0 0 0 0 0 0 0 0 1 0 0 0 1 1 0 0 1 1 1 0 1 0 1 0
0 0 0 0 0 0 0 0 0 1 0 0 1 1 1 0 0 1 1 1 0 1 0 0
0 0 0 0 0 0 0 0 0 0 1 0 1 1 1 1 0 0 0 1 1 0 1 0
0 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 0 0 0 0 0 1
Each of the twelve rows and columns of the error-checking part of the matrix corresponds to a face of the dodecahedron, and
it contains a zero for every pair of faces that are next to one another. (A face is not considered to be next to itself.) This is still
a Golay code, with the same error-correcting property of a Hamming distance of 8 between codewords, and not only is the
error-checking matrix symmetric, but once again it is its own inverse as shown here. Because of the dodecahedral symmetry,
once again, it is only necessary to AND one row of the matrix with the eleven other rows to establish that. For example, row 1
shares four bits with rows 2 to 11, and two bits with row 12.
But being self-dual is not a necessary property of a Golay code; either example of a Golay code given here would still be a
Golay code if the error-checking matrix were reflected left to right, since the error-checking properties would be identical, but
then that matrix would not be its own inverse.
This site contains a link to a paper in DVI format giving eight different constructions of the binary Golay code.
(Unfortunately, you may have difficulty in viewing documents in DVI format on your system.)
And here is an example of a form of the Golay code, again one that generates 24-bit output, with the parity bit concealed, that
may have actually been used in the transmission of information; it is part of an unofficial draft standard for automatically
establishing radio links, and thus it may have been taken from previous actual practice or standards:
1 0 0 0 0 0 0 0 0 0 0 0 1 0 1 0 1 1 1 0 0 0 1 1
0 1 0 0 0 0 0 0 0 0 0 0 1 1 1 1 1 0 0 1 0 0 1 0
0 0 1 0 0 0 0 0 0 0 0 0 1 1 0 1 0 0 1 0 1 0 1 1
0 0 0 1 0 0 0 0 0 0 0 0 1 1 0 0 0 1 1 1 0 1 1 0
0 0 0 0 1 0 0 0 0 0 0 0 1 1 0 0 1 1 0 1 1 0 0 1
0 0 0 0 0 1 0 0 0 0 0 0 0 1 1 0 0 1 1 0 1 1 0 1
0 0 0 0 0 0 1 0 0 0 0 0 0 0 1 1 0 0 1 1 0 1 1 1
0 0 0 0 0 0 0 1 0 0 0 0 1 0 1 1 0 1 1 1 1 0 0 0
0 0 0 0 0 0 0 0 1 0 0 0 0 1 0 1 1 0 1 1 1 1 0 0
0 0 0 0 0 0 0 0 0 1 0 0 0 0 1 0 1 1 0 1 1 1 1 0
0 0 0 0 0 0 0 0 0 0 1 0 1 0 1 1 1 0 0 0 1 1 0 1
0 0 0 0 0 0 0 0 0 0 0 1 0 1 0 1 1 1 0 0 0 1 1 1
The error-checking part of the matrix is not symmetric along the main (upper left to lower right) diagonal, and its transpose is
shown as being used in decoding. Also, it is said to have been generated from the polynomial
11 9 7 6 5
x +x +x +x +x +x+1
Each column has seven ones in it, so when multiplied by its transpose, there will be a 1 in every position on the diagonal in
the result. Any two distinct columns have either four or two ones in common, (as I had to verify by brute force with a short
BASIC program) and so the transpose of the error-checking part of the matrix is indeed also the inverse of that part.
Despite the fact that each column and row contains seven ones, the error matrix can't be produced simply by rearranging rows
and columns of the one produced from the dodecahedron. This can be shown because the columns corresponding to opposite
faces can be identified (no zeroes in the same row), and two non-opposite faces must be adjacent to two other faces, and those
two faces must be adjacent to three other (than the first two: those two faces may be adjacent to each other if the two non-
opposite faces were not adjacent) faces each, two from each group of which are opposite to two from the other group (which
is the point at which it breaks down if you start with the first two columns).
Error-checking in this case involves the use of the inverse of the error-checking part of the matrix, but otherwise the algorithm
is the same as the one given above.
The field of error-correcting codes, like the field of data compression, is still a very active one, with new research being done
and patents being issued on new methods.
In the 1970s, a set of error-correcting codes called "Fire codes" were developed. One of the simplest of these could be used as
a direct replacement for a parity bit, used with each character in many existing systems, providing error correction instead of
just the detection of erroneous characters.
It worked like this:
Data * - - - - - - - * * - - * - - - - * - - *
bits - * - - - - - - * - * - - * - - - * - - *
- - * - - - - - * - - * - - * - - * - - *
- - - * - - - - * - - - * - - * - * - - *
- - - - * - - - * - - - - * - - * * - - *
- - - - - * - - * - - - - - * - - X - - *
- - - - - - * - * - - - - - - * - * * - *
- - - - - - - * * - - - - - - - * * - * *
Parity = = = = = = = = P = = = = = = = = ! = = !
Each parity bit is the XOR of parity for the data byte with which it is associated and parity for staggered bits from the eight
previous bytes. Essentially, it is a clever way to obtain the same results as are provided by the use of row and column parity
bits. (After the last byte of data, one extra byte, with the extra parity bit, is needed to provide parity for all the remaining
diagonals.)
More complicated forms involved XORing these parity bits with the parity of another group of eight bits, staggered by being
from bytes separated by a larger distance.
A very recent exciting development in error-correcting codes is the class of codes known as "Turbo Codes". These codes are
based on the principle of applying two error-correcting codes to the data bits, but with different interleaving. Just as
interleaving by itself turns a burst error into scattered individual-bit errors, which error-correcting codes can deal with more
easily, using two different interleaving schemes on the data being transmitted reduces to a very small value the chance that
any bit will be unrecoverable due to an excessive number of random errors in both of the error-correcting code blocks in
which it is found. (The same principle can also be applied to continuous error-correcting codes as well as block codes.)
Table of Contents
Home Page
The Siemens and Halske

Geheimschreiber T-52
This teletypewriter enciphering machine was bulky and expensive and complicated.
Swedish cryptanalysts under Arne Beurling cracked the cipher of the simplest variant
of this machine, the T-52a and T-52b.
The British never achieved a regular penetration of T-52 messages. It now appears that,
at least during the war, that the only T-52 messages they deciphered were messages
that belonged to pairs sent with the same key, but they were able to determine how the
T-52 worked from those messages.
One part of the reason for this is that many messages encrypted by the T-52 were sent
over land lines, which the Swedes, but not the British, had the opportunity to intercept.
But another reason was that the T-52 was used to encrypt high-level strategic traffic for
the Luftwaffe, which also sent similar messages using Enigmas. Thus, attacking the T-
52 was lower in priority than attacking the Lorenz Schlusselzusatz, which was used to
encrypt high-level strategic traffic for the German Army, or Heer, which, although it
did use Enigmas for tactical messages, did not generally use them for messages with
information of strategic importance.
It may also be noted that the final version of the machine, the T-52e, which included
two improvements which previously appeared separately in the T-52c and T-52d,
seems to be a very secure design, although the use of cams instead of resettable
pinwheels was a serious flaw.
Ten wheels, in this machine cams whose pattern of 0 and 1 positions could not be
modified, of sizes 73, 71, 69, 67, 65, 64, 61, 59, 53, and 47, which were called A, B, C,
D, E, F, G, H, and K respectively, provided the raw material for this machine's cipher.
In additon to having their states sensed at the primary tap point, producing the output
that was XORed with the plaintext characters or controlled their shuffling, they were
also sensed at a point 25, 24, 23, 23, 22, 22, 20, 20, 18, and 16 positions earlier,
respectively.
This additional position controlled the movement of the wheels, so that they stepped in
an irregular fashion.
The way in which the wheels stepped can best be explained by an oversimplified form
of that motion. Each wheel moved unless both of two possible conditions was met, in
which case it was prevented from moving: In the simplified model:
These wheels remain still:

A B C D E F G H J K
if
~C C ~E E G ~G J ~J A ~A
and
~B ~D D F ~F ~H H K ~K B
Note that the twenty conditions involved both the extra tap on each wheel and its
inverse, and no wheel controlled itself. Since every wheel had to be either 1 or 0, and
the condition was OR for movement, at least five of the ten wheels had to move with
this arrangement, so although the wheels controlled each other, they could not get stuck
in a state where they never stepped.
Mechanically, this worked as follows: both the plus and minus connections to an
electromagnet were controlled by relays, so the electromagnet was energized only if
the relays at both ends allowed current to flow. The magnets were interposer magnets:
if active, they prevented the cam they controlled from moving.
From the main sensing position on the cams A through K, ten signals were derived,
labelled 1, 3, 5, 7, 9, and I, II, III, IV, and V, that performed the actual operation of
modifying the plaintext to produce the ciphertext.
I through V were XORed with bits 1 through 5 of the plaintext character. Then bits in
the character were swapped: 1 caused (if its value was 1 instead of 0) bits 1 and 5 to be
swapped; signals 3, 5, 7, and 9 swapped bits 4 and 5, 3 and 4, 2 and 3, and finally 1 and
2.
First, bits A through K were exchanged, by a simple plugboard on the T52a, T52b, and
T52d, and by a set of switches that performed the same function as a plugboard on the
T52e, and by an elaborate set of five switches with eight positions on the T52c. Then,
in the T52c and the T52e, the ten signals went into a bank of relays, so that each of the
signals, 1 through 9 and I through V, that performed the actual encipherment was the
XOR of several cam outputs.
The following is a diagram of the T52e:

Circles, except when they are sockets or plugs for a plugboard, are XOR gates. The
rectangles are AND gates. The black and white hourglasses are inverters. The wide
white hourglasses swap the two inputs from the top to form the two outputs at the
bottom depending on the input from the side. The logic being relay logic, wired-OR is
present.
The T52e, shown here, included all the features that this telecipher acquired over its
development. The extra features, over and above a simple set of ten cams controlling
XORs and swaps of plaintext bits, are divided into two groups; one group was also
present only on the T52c, and the other group was also present only on the T52d.
The relay bank was also present in the T52c, but it was wired differently. The T52c
also had a means of altering the order in which cam outputs went to the relay bank, but
instead of a plugboard, it was a set of five eight-position switches, each one controlling
three swaps of the cam signals.
The T52d did not have those features, but it did have cam stepping logic; again, that
logic was somewhat different from that of the T52e.
Here is a diagram of the T52c:
In this diagram, the switch-controlled swaps should be considered to be positioned as

follows:
3 6 9 12 15
2 5 8 11 14
1 4 7 10 13
and the five switches control the fifteen swaps as follows:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
-----------------------------------------------------
P 0 0 0 0 1 0 0 0 1 1 0 1 1 1 1
S 0 1 0 1 0 0 0 1 1 1 1 0 0 0 0
T 1 0 0 0 0 1 1 0 1 1 1 1 0 1 0
U 0 0 1 0 1 1 1 1 0 0 0 0 1 0 0
W 0 1 1 1 0 1 1 1 1 0 1 0 0 0 1
X 1 0 1 1 1 0 0 0 0 1 0 0 0 1 1
Y 1 1 0 1 1 1 0 1 0 0 0 1 1 0 1
Z 1 1 1 0 0 0 1 0 0 0 1 1 1 1 0
And here is one of the T52d:
The T52d and T52e are shown here in the "ohne Klartextfunktion" mode. They also
had a feature where the third bit of a plaintext character, after a delay, was introduced
into the cam stepping logic, which was also changed in that mode. This limited
autokey, or "clear text function", caused serious problems of garbling in practice, and
was therefore little used.
However, that does not prevent me from including diagrams of the T52d and T52e in
this mode, particularly as the stepping logic is somewhat more symmetrical in this
mode in both cases.
First, the T52e "mit Klartextfunktion":

then, the T52d "mit Klartextfunktion".
Next
Chapter Start
Table of Contents
Main Page
The Swedish SA-1

This telecipher device combines some of the features of the SZ-40 and T-52, in a
design that is secure yet economical.
The device has two sets of five pinwheels, of lengths 19, 21, 23, 25, and 26. ( Toby's
Cryptopage, now available again after a hiatus, also discusses the TA-1, a later version
with larger pinwheels of lengths 26, 29, 31, 33, and 35.) The pins are pushed in or
pulled out by the user, and the five bits of each plaintext character are modified by
being subjected to an exclusive-OR operation with the current pin of the corresponding
pinwheel from each of the two sets.
The first set of pinwheels steps one position for every character enciphered. An
additional position on the pinwheels, besides the one used to XOR the plaintext, is
sensed (two positions earlier). That alternate output, from all five pinwheels, is XORed
together, creating a single bit; if 0, the second set of pinwheels steps only once; if 1,
they step twice.
The second set of pinwheels is also sensed at the same alternate position, and the
output from all of them is combined by XOR. This time, the result, if 1, causes the
entire output ciphertext character to be inverted.
This design allows two identical modules to be used in the device, thus making
manufacture more economical. It achieves irregular stepping, but only ten, not twelve,
pinwheels are required.
The source for the information on this page is the home page of Torbjörn Andersson,
entitled Toby's Cryptopage, which has an entry in my Links section. It is well worth a
visit, and includes original photos of many of the machines discussed here; not just the
SA-1, but also the T-52 and the B-211.
Next
Chapter Start
Table of Contents
Main Page
An American Patent
U. S. Patent 4157453 is one of the few patents that were secretly issued to people
working for the NSA or one of its predecessor agencies that has now been publicly
issued in normal fashion, many years later.
It was filed on October 10th, 1944, but issued on June 5th, 1979. The inventor was Leo
Rosen, known to history as the one who had the inspiration to realize that the Japanese
cipher machine codenamed PURPLE used telephone stepping switches.
This patent refers only to scrambling the order of bits in a teletypewriter signal, without
inverting any bits. However, in addition to shuffling the bits within a single character,
as the T-52 did, this device moved bits between characters.
Originally, I was only able to see the claims of this patent, but the text of it has since
become available. It turns out that it referred to buffering two or four 5-level-code
characters, recieved serially, in banks of relays, transposing the stored bits, and then
transmitting the result. Given the technology of the time, commutator switches were
used to access relays serially; today, a designer thinking of how to perform such an
operation would no doubt think of shift registers.
Having just seen a brief description of the purpose of the invention, I had supposed that
this patent could have been for a system that was actually applied to a combined time
and frequency division voice scrambler, with its application disguised for security.
However, as a telecipher device, one of the simplest ways in which to accomplish this
kind of scrambling would be to do the following: use pinwheels to scramble the bits
within a character; then, subject these bits to a fixed pattern of delays, so that they are
distributed among two to five different characters; then, perform a second pinwheel-
controlled scramble of the bits within each character.
To decipher, one first inverts the second scramble. Then, one delays the bits in a
complementary fashion to that used for enciphering: if bits 1 to 5 are subject to delays
0 1 0 1 0 on enciphering, then use delays 1 0 1 0 1 on deciphering, for a net delay of
every bit by 1 character; if bits 1 to 5 are subject to delays 0 1 2 3 4 on enciphering, use
delays 4 3 2 1 0 for deciphering, for a net delay of 4 characters. Then, invert the first
scramble, with the pinwheels controlling it offset so that their scramble is delayed to
match the net delay of the enciphering delay stage and its deciphering complement.
Next
Chapter Start
Table of Contents
Home Page
Converter M-228 or SIGCUM

This machine is described in an article in a recent issue of Cryptologia magazine,
which also provides accompanying information of historical and human interest.
It is a telecipher device built around a five-rotor machine.
The original version supplied thirteen live inputs to the input rotor. Five outputs from
the other end were XORed to the five bits of a teletypewriter character. The rotors
advanced conventionally for each character enciphered, and had only one carry
position. Like the SIGABA, the letter O, and not A, indicated the zero position of the
rotors. The five rotors included one that moved for every letter enciphered, and one that
moved only when that first rotor completed a full rotation and so on, like an odometer,
but with one difference: which rotor moved with which frequency could be chosen
arbitrarily. The original Hebern machine had three classes of rotor movement, and it
too allowed the selection of how the individual rotors moved, but in a less
straightforwards manner.
Here is a diagram of the way the original SIGCUM was wired:

Since 13 inputs out of 26 were live, each bit of the five outputs had a 50-50 chance of
being live, but not all 32 combinations of all five outputs were equally likely: five ones
or five zeroes were the least likely, and 2 or 3 of each was the most likely.
This simple design was found to be insecure, after being put into use, for a particular
case of operator error. A considerably revised version served for some time, and its
description is as follows:
In the revised version, there were only five live inputs to the input rotor. Fifteen
outputs from the other end were wired together in five groups of three to provide the
five output bits. This gave each bit a probability of about 48.846%, or exactly 381/780,
of being a one.
In the original design, all five rotors moved in the conventional manner of wheels on an
odometer, except that the position of the rotor that moved with every character
enciphered, and the position of each rotor that moved when another rotor completed a
full circle, could be set arbitrarily. In the revised design, three rotors moved in that
way, and two other rotors had movements called fast bump and slow bump that
depended on the bits the rotors generated.
If bit 1, bit 3, and bit 5 of the generated bits (to be XORed with the plaintext to create
ciphertext) were all ones, the slow bump rotor would advance for the next character. If
bit 2 and bit 4 were both 1, the fast bump rotor would advance. In addition, the slow
bump rotor skipped an extra position when it reached O, as well as stepping the slow
rotor (if the slow rotor was also at O; this may have been a misprint for 'slow bump',
since that won't happen very often).
Here is a diagram of the modified version of the SIGCUM:

The bump rotors meant that extra parts did have to be added to the machine to effect
the conversion; it was not a simple case of rewiring. Even the early version of the
machine appeared to be highly secure at first glance, which makes Frank Rowlett's feat
of establishing its weaknesses impressive.
An issue of Cryptologia some years previous to the issue in which SIGCUM or the M-
228 was described, quoted a government memo which referred to the M-294. This
machine was very similar to the SIGABA, except that the five "cipher rotors" supplied
a bitstream to encipher a teletypewriter message; presumably using an arrangement
similar to that seen here. Such a device would certainly provide a method of
encipherment for teletypewriter messages of impressive security. SIGNIN was an
alternative designation for the M-294. The M-138 and M-138-A, indirect predecessors
of the SIGABA, were rotor machines, of the Hebern type, acting upon the 26 letters of
the alphabet, but with the motions of their five rotors controlled by a paper tape; in a
way, these machines were the exact inverse or complement of SIGCUM.
Frank B. Rowlett passed away on June 29, 1998, at the age of 90.
Next
Chapter Start
Table of Contents
Main Page

In some ways, the cipher systems outlined in this chapter are disappointing, compared
to what we had seen in the previous chapter.
This reflects the difficulty of manipulating binary signals with simple

electromechanical devices, and it may also involve the psychological effect of
overconfidence in the security of a system based on new and unfamiliar principles.
The M-228 is an exception to both halves of this generalization; it is secure, but it isn't
entirely new, being largely based on a rotor mechanism.
Of course, it is true that I could have described the T-52 in more detail (at least in
words, for those who cannot recieve the schematic diagrams included in that section,
which do accurately describe it). It is certainly very complex. But the complexity and
expense of the machine are beyond those of the SIGABA, while the security may well
be less even than that of the Enigma. (Yes, it was broken less often than the Enigma;
but there were fewer intercepts, and the more restricted distribution of the machine
makes it likely that it was more carefully used.) Had the routing of signals to the
various inversion and swapping relays changed with every character, instead of merely
being a static part of the key, the system might have been significantly more secure. Of
course, even more important would be the change to pinwheels instead of cams.
It is interesting that one wire in the Swedish SA-1 seems to hold the key to the security
of that machine. That wire is the one from the first pinwheel bank which controls the
stepping of the second pinwheel bank. But can something that contains only a single bit
of information per five-bit character really provide security?
The M-228 is interesting, and as noted in the section on it, apparently a newer machine
existed that was like a SIGABA, except that the cipher rotors were used to encipher
teletypewriter signals in the fashion of the M-228.

illustrates an interesting idea for taking that concept even further. The cipher rotors
work like the old M-228, in order to XOR the message with unbiased individual bits.
The control rotors are also simplified, so that they can produce five extra signals, which
are also XORed with the message.
This appears to strengthen the machine, since bits from two essentially independent
sources are XORed with the plaintext. Can we be sure that the bits from the cipher
rotors completely mask those from the control rotors, though, or could this design have
a weakness, by offering a "window" to the control rotors?
Next
Chapter Start
Table of Contents
Main Page
LUCIFER: the first block cipher

One could perhaps quarrel with the title of this section. What about Playfair, or
the Hill cipher? But LUCIFER, part of an experimental cryptographic system
designed by IBM, was the direct ancestor of DES, also designed by IBM.
Like DES, LUCIFER was an iterative block cipher, using Feistel rounds. That is,
LUCIFER scrambled a block of data by performing an encipherment step on that
block several times, and the step used involved taking the key for that step and
half of that block to calculate an output which was then applied by exclusive-OR
to the other half of the block. Then, the halves of the block were swapped, so that
both halves of the block would be modified an equal number of times.
Incidentally, this page refers to LUCIFER as actually implemented, and

described in an article in the journal Cryptologia by Arthur Sorkin. An article in
Scientific American discussed plans for LUCIFER on a more general level, and
described what was essentially a different kind of block cipher.
LUCIFER enciphered blocks of 128 bits, and it used a 128-bit key.
The F-function in LUCIFER had a high degree of symmetry, and could be

implemented in terms of operations on one byte of the right half of the message
at a time. However, I will describe LUCIFER here in the same general fashion
that DES is described.
Subkey generation
Each round uses a 72-bit subkey. The subkey for the first round consists of the
first byte of the key repeated twice, followed by the next seven bytes of the key.
Rotate the key left by seven bytes, then generate the subkey for the next round.
The f-function
XOR the right half of the block with the last eight bytes of the subkey for the
round.
Based on the bits of the first byte of the subkey for that round, swap nibbles in
the eight bytes of that result for those bytes which correspond to a 1 bit.
Use S-box 0 for the most significant nibble of each of these eight bytes, and S-
box 1 for the least significant nibble of each byte:
Input: 0 1 2 3 4 5 6 7
S-box 0 output: 12 15 7 10 14 13 11 0
S-box 1 output: 7 2 14 9 3 11 0 4
Input: 8 9 10 11 12 13 14 15
S-box 0 output: 2 6 3 1 9 4 5 8
S-box 1 output: 12 13 1 10 6 15 8 5
Permute the 64 bits of the result, numbered from 0 (for the most significant bit)
to 63 (for the least significant bit), by the following permutation:
10 21 52 56 27 1 47 38 18 29 60 0 35 9 55 46
26 37 4 8 43 17 63 54 34 45 12 16 51 25 7 62
42 53 20 24 59 33 15 6 50 61 28 32 3 41 23 14
58 5 36 40 11 49 31 22 2 13 44 48 19 57 39 30
The General Structure

LUCIFER has sixteen rounds. In each round, the f-function is calculated using
that round's subkey and the left half of the block. The result is then XORed to the
right half of the block, which is the only part of the block altered for that round.
After every round except the last one, the right and left halves of the block are
swapped.
Comments
Although LUCIFER has a larger block and key size than DES, it is considerably
more vulnerable to attacks from differential cryptanalysis, and is also weak due
to the regular nature of its key schedule.
However, this does not mean that the LUCIFER algorithm is useless. If a
reasonably good stream cipher is used both before and after LUCIFER, its
weaknesses essentially become irrelevant, and its strengths are still present. It
might indeed be argued that this kind of precaution ought to be used with DES as
well.
Next
Chapter Start
Table of Contents
Main Page Home Page
The Data Encryption Standard

You may remember that when the Data Encryption Standard was first presented,
there was a great deal of controversy. Since then, much of the dust has settled.
We know now for sure that the key was much too short. (Since that was written,
we learned that it was really much too short, thanks to this project.)
But we also know that enciphering whole messages by means of public-key

systems is not a reasonable alternative. Instead, just encrypt the key that way, and
use a conventional cryptosystem, but a better one than just plain DES, for the
message.
It's clear that the secret the NSA asked IBM not to reveal was the method of
differential cryptanalysis. Since the S-boxes were not optimized against linear
cryptanalysis, this proves that IBM didn't know about that attack back then.
Although the fact that the NSA did certify the design as secure might suggest that
the NSA didn't have that technique either, the inference is not really warranted:
the NSA is, after all, an agency noted for its reticence.
And there is also a result showing that DES with all sixteen subkeys specified
independently is not much stronger than a cipher with a 65-bit key.
DES is designed for implementation in hardware, and even includes some steps
which do not appear to strengthen the cipher at all but which are hard to perform
in software. If, however, DES had been a secret algorithm, these extra steps
would have helped to make it harder to determine the algorithm by analysis.
As it is a Frequently Asked Question, I think I really can't skip giving the

algorithm here, although it appears in many other sources; the official standard is
even available from the NIST web server.
DES closely resembles LUCIFER, since it is also a cipher based on sixteen

Feistel rounds.
Details of DES
Variations of DES
Next Section
Chapter Start
Table of Contents
Main Page
Home Page
Details of the Data Encryption

Standard
In my description of LUCIFER, I numbered bits from 0 to 127 or from 0 to 63;
here, bits will be numbered from 1 to 64 or from 1 to 32. In both cases, the
lowest-numbered bit is the MSB of the first character, and the highest-numbered
bit is the LSB of the last character; that is, big-endian (68000-like and not 8086-
like) conventions are observed throughout.
First, for no particularly good reason (except, just possibly, to group together the
most and least significant bits of uncompressed text characters) the bits of the
block are transposed according to the following permutation:
58 50 42 34 26 18 10 2 60 52 44 36 28 20 12 4
62 54 46 38 30 22 14 6 64 56 48 40 32 24 16 8
57 49 41 33 25 17 9 1 59 51 43 35 27 19 11 3
61 53 45 37 29 21 13 5 63 55 47 39 31 23 15 7
As in the section on LUCIFER, all bit permutations are to be interpreted as

follows: if the permutation begins 58 50 42..., that means that the first bit of the
output came from bit 58 of the input, the second bit of the output came from bit
50 of the input, and so on.
For 16 rounds, the left half, or the first 32 bits, is modified by being XORed with
a 32 bit result calculated from the right half of the block in its current state and
the subkey for that round. After each of the first 15 rounds, the halves are then
swapped.
The f-function
This calculation, known as the f-function, proceeds as follows:
The 32-bit right half of the block is expanded to 48 bits by means of this, the
expansion permutation:
32 1 2 3 4 5 4 5 6 7 8 9 8 9 10 11 12 13
12 13 14 15 16 17 16 17 18 19 20 21 20 21 22 23 24 25
24 25 26 27 28 29 28 29 30 31 32 1
The eight groups of four bits in the right half are each made the middle four bits
of a group of six bits in the result, and they are joined, on each side, by the bits
that were adjacent to them originally. Those two outer bits are, in a way,
supplementary to the four bits in the middle, since the S-box tables contain four
encodings of the middle bits, in which every different value has a different result,
selected by the two outer bits.
(One could even implement DES with a permutation starting
32 5 1 2 3 4 4 9 5 6 7 8
to allow the S-boxes to be laid out more simply, provided that one generated and
stored the subkeys with the same change in the order of their bits.)
After the right half of the block has been expanded to 48 bits, it is XORed with
the current round's 48-bit subkey. The result is then used as the input to eight
lookup tables, with a six bit input and a four bit output.
The DES S-boxes

Bit |Bits 2, 3, 4, and 5 form:
1 6 | 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
|-----------------------------------------------
0 0 |14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7
0 1 | 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8
1 0 | 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0
1 1 |15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13

7 12 | 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
|-----------------------------------------------
0 0 |15 1 8 14 6 11 3 4 9 7 2 13 12 0 5 10
0 1 | 3 13 4 7 15 2 8 14 12 0 1 10 6 9 11 5
1 0 | 0 14 7 11 10 4 13 1 5 8 12 6 9 3 2 15
1 1 |13 8 10 1 3 15 4 2 11 6 7 12 0 5 14 9

13 18 | 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
|-----------------------------------------------
0 0 |10 0 9 14 6 3 15 5 1 13 12 7 11 4 2 8
0 1 |13 7 0 9 3 4 6 10 2 8 5 14 12 11 15 1
1 0 |13 6 4 9 8 15 3 0 11 1 2 12 5 10 14 7
1 1 | 1 10 13 0 6 9 8 7 4 15 14 3 11 5 2 12

19 24 | 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
|-----------------------------------------------
0 0 | 7 13 14 3 0 6 9 10 1 2 8 5 11 12 4 15
0 1 |13 8 11 5 6 15 0 3 4 7 2 12 1 10 14 9
1 0 |10 6 9 0 12 11 7 13 15 1 3 14 5 2 8 4
1 1 | 3 15 0 6 10 1 13 8 9 4 5 11 12 7 2 14

25 30 | 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
|-----------------------------------------------
0 0 | 2 12 4 1 7 10 11 6 8 5 3 15 13 0 14 9
0 1 |14 11 2 12 4 7 13 1 5 0 15 10 3 9 8 6
1 0 | 4 2 1 11 10 13 7 8 15 9 12 5 6 3 0 14
1 1 |11 8 12 7 1 14 2 13 6 15 0 9 10 4 5 3

31 36 | 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
|-----------------------------------------------
0 0 |12 1 10 15 9 2 6 8 0 13 3 4 14 7 5 11
0 1 |10 15 4 2 7 12 9 5 6 1 13 14 0 11 3 8
1 0 | 9 14 15 5 2 8 12 3 7 0 4 10 1 13 11 6
1 1 | 4 3 2 12 9 5 15 10 11 14 1 7 6 0 8 13

37 42 | 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
|-----------------------------------------------
0 0 | 4 11 2 14 15 0 8 13 3 12 9 7 5 10 6 1
0 1 |13 0 11 7 4 9 1 10 14 3 5 12 2 15 8 6
1 0 | 1 4 11 13 12 3 7 14 10 15 6 8 0 5 9 2
1 1 | 6 11 13 8 1 4 10 7 9 5 0 15 14 2 3 12

43 48 | 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
|-----------------------------------------------
0 0 |13 2 8 4 6 15 11 1 10 9 3 14 5 0 12 7
0 1 | 1 15 13 8 10 3 7 4 12 5 6 11 0 14 9 2
1 0 | 7 11 4 1 9 12 14 2 0 6 10 13 15 3 5 8
1 1 | 2 1 14 7 4 10 8 13 15 12 9 0 3 5 6 11
Then, the 32 bit result formed by the output of the eight S-boxes above in turn is
subjected to the following permutation, P:
16 7 20 21 29 12 28 17 1 15 23 26 5 18 31 10
2 8 24 14 32 27 3 9 19 13 30 6 22 11 4 25
One round of DES, with the f-function shown in detail, is illustrated by the
following diagram, accompanied by another diagram giving an overview of the
whole block cipher:
Round:
Overview:
Since bit transposition is slow in software, software implementations of DES will

normally use, for the S-boxes, a table with 32-bit entries showing each four-bit
output as it looks after going through permutation P.
After the sixteen rounds of DES are complete, the left and right halves of the
block together, not swapped in the last round, are then subjected to the inverse of
the initial permutation, which takes the bits from 1 to 64 of the block, and puts
them in the final result in this order:
40 8 48 16 56 24 64 32 39 7 47 15 55 23 63 31
38 6 46 14 54 22 62 30 37 5 45 13 53 21 61 29
36 4 44 12 52 20 60 28 35 3 43 11 51 19 59 27
34 2 42 10 50 18 58 26 33 1 41 9 49 17 57 25
Subkey generation
The 56-bit key used by DES is, when in standard format, stored in eight bytes, in
which the least significant bit of each byte is used for parity! Thus, the
permutation, called Permuted Choice 1, which divides the 56-bit key into two 28-
bit halves, acts on bits 1 through 7, 9 through 15, 17 through 23, and so on.
Permuted choice 1 is the following:
First half:
57 49 41 33 25 17 9 1 58 50 42 34 26 18
10 2 59 51 43 35 27 19 11 3 60 52 44 36
Second half:
63 55 47 39 31 23 15 7 62 54 46 38 30 22
14 6 61 53 45 37 29 21 13 5 28 20 12 4
Like the initial permutation and inverse initial permutation, permuted choice 1 is
irrelevant to the strength of DES, except insofar as it makes things awkward for
general-purpose computers. On the other hand, the permutation P is vitally
necessary to the cryptographic strength of DES.
The two 28-bit quantities are then subjected to successive circular left shifts of
different sizes before the subkey for each round is determined from them. These
circular left shifts, one of which is applied before the first subkey is taken, are in
order of the following sizes:
1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1
Note also that to decrypt, the only alteration in the DES algorithm is that the
subkeys are used in reverse order.
The 48-bit subkey for each round is extracted from the two 28-bit quantities, the
first consisting of bits 1 to 28, and the second of bits 29 to 56, by the following
permutation, Permuted Choice 2:
14 17 11 24 1 5 3 28 15 6 21 10
23 19 12 4 26 8 16 7 27 20 13 2
41 52 31 37 47 55 30 40 51 45 33 48
44 49 39 56 34 53 46 42 50 36 29 32
Note that, since only 48 bits are produced, some numbers from 1 through 56 are
absent. This permutation is important to the strength of DES. (Also, if the
implementation is modified to simplify the arrangement of the S-boxes, as noted
in the preceding parenthetical note, then this permutation is the one that must be
changed correspondingly, to 14 5 17 11 24 1, 3 10 28 15 6 21, and so on. Also,
likely the subkeys would be stored in 8-byte spaces, with each byte containing
only six bits of the subkey.)
Next
Chapter Start
Table of Contents
Main Page Home Page
Variations of DES
DES, being the best known of a whole class of ciphers, has inspired many
suggestions for variations of it.
The initial permutation and inverse initial permutation, and perhaps also
permuted choice 1, could be removed, to obtain a cipher of equivalent intrinsic
strength, but simpler to perform on a computer.
The sixteen subkeys could be supplied directly as a key, instead of being derived
from a short 56-bit key. However, a result reported in Bruce Schneier's book
Applied Cryptography shows that the strength of that is only a slight
improvement on that of regular DES, essentially equivalent to using a 65-bit key.
If the eight S-boxes are moved, from their regular positions so that the order in
which they are applied to the successive six-bit groups of their input is 2, 4, 6, 7,
3, 1, 5, and 8, without altering the permutation P, DES remains highly resistant to
differential cryptanalysis, but becomes resistant to linear cryptanalysis as well.
(Any re-ordering of the S-boxes in which S-boxes 1, 7, and 4 are consecutive and
in that order can make DES very weak against differential cryptanalysis, as noted
in Biham and Shamir's original paper on differential cryptanalysis.)
RSA Data Security has recommended DESX, which is simply DES strengthened
by performing an XOR against additional key bits at the beginning and at the end
of encipherment.
One way in which DES might be strengthened by a simple modification that has
occurred to me is this: retain the initial and inverse initial permutations, but
perform them after rounds 4 and 12 of the cipher respectively. This way, they are
contributing something to its strength. Perhaps it would even be possible to use a
112-bit key, as follows: for the first 56 bits, generate the regular key schedule,
and use it during rounds 1 through 4 and 13 through 16. For the last 56 bits, use
the decrypting key schedule from those bits during rounds 5 through 12. Unlike
DESX, though, this kind of modification is only applicable if one is performing
DES encryption in software, not when using existing DES hardware.
Another possible way of using a 112-bit key would be by enhancing DES with an
idea I use in QUADIBLOC: use 32 subkeys, by applying the f-function twice,
first to the right half of the block, then to the first f-function output, before
XORing the result to the right half. This propagates changes in the block more
quickly.
Also, it would seem to me that one could obtain a very strong cipher by
alternating pairs of rounds of DES with rounds of SAFER, a block cipher based
on very different principles.
A more economical way to realize increased strength would be, perhaps, to take
the variation suggested above, with IP after round 4, and IIP after round 12, and
apply, before and after each of these permutations a user-supplied substitution,
part of the key, acting on the eight bytes of the block. The inverse of this
substitution would be used on deciphering. Since differential cryptanalysis
depends on substitutions being known, this would seem to improve the strength
of the cipher against that kind of attack; and, since a random substitution on the
possible byte values from 0 to 255 takes quite a bit more than 56 bits to describe
it, key size is also increased. Applying the substitution at the beginning and end
of the block cipher would probably be advisable as well; this would increase the
amount of this extra key that is actually used, and it would protect all sixteen,
rather than just the middle eight, rounds of the block cipher from outside scrutiny.
Next
Chapter Start
Table of Contents
Main Page Home Page
SAFER (Secure And Fast Encryption

Routine)
This algorithm is of interest for several reasons. It is designed for use in software.
Unlike DES, or even IDEA, it does not divide the block into parts of which some
parts affect others; instead, the plaintext is directly changed by going through S-
boxes, which are replaced by their inverses for decryption.
Description of SAFER
SAFER uses eight rounds. The first step for a round is to apply the first subkey
for the round to the eight bytes of the block. The operation by which each byte of
the subkey is applied to each byte of the block depends on which byte is used: the
sequence is
XOR, add, add, XOR, XOR, add, add, XOR
Then, the S-box is used. Those bytes to which the subkey was applied by an
XOR go through the regular S-box; those bytes to which it was applied by
addition go through the inverse S-box.
The S-boxes:
The regular box represents 45 raised to successive powers modulo 257 (with the
modulo 257 result then squeezed into a byte by being taken modulo 256):
1 45 226 147 190 69 21 174

120 3 135 164 184 56 207 63
8 103 9 148 235 38 168 107
189 24 52 27 187 191 114 247
64 53 72 156 81 47 59 85
227 192 159 216 211 243 141 177
255 167 62 220 134 119 215 166
17 251 244 186 146 145 100 131
241 51 239 218 44 181 178 43

136 209 153 203 140 132 29 20
129 151 113 202 95 163 139 87
60 130 196 82 92 28 232 160
4 180 133 74 246 19 84 182

223 12 26 142 222 224 57 252
32 155 36 78 169 152 158 171
242 96 208 108 234 250 199 217
0 212 31 110 67 188 236 83

137 254 122 93 73 201 50 194
249 154 248 109 22 219 89 150
68 233 205 230 70 66 143 10
193 204 185 101 176 210 198 172

30 65 98 41 46 14 116 80
2 90 195 37 123 138 42 91
240 6 13 71 111 112 157 126
16 206 18 39 213 76 79 214

121 48 104 54 117 125 228 237
128 106 144 55 162 94 118 170
197 127 61 175 165 229 25 97
253 77 124 183 11 238 173 75

34 245 231 115 35 33 200 5
225 102 221 179 88 105 99 86
15 161 49 149 23 7 58 40
Since the second S-box is the inverse of the first, it can be thought of as
containing logarithms base 45 modulo 257, although, given the intractability of
the discrete logarithm problem, it is not calculated that way directly, but is
instead just the inverse of the preceding one:
128 0 176 9 96 239 185 253

16 18 159 228 105 186 173 248
192 56 194 101 79 6 148 252
25 222 106 27 93 78 168 130
112 237 232 236 114 179 21 195

255 171 182 71 68 1 172 37
201 250 142 65 26 33 203 211
13 110 254 38 88 218 50 15
32 169 157 132 152 5 156 187

34 140 99 231 197 225 115 198
175 36 91 135 102 39 247 87
244 150 177 183 92 139 213 84
121 223 170 246 62 163 241 17

202 245 209 23 123 147 131 188
189 82 30 235 174 204 214 53
8 200 138 180 226 205 191 217
208 80 89 63 77 98 52 10
72 136 181 86 76 46 107 158
210 61 60 3 19 251 151 81
117 74 145 113 35 190 118 42
95 249 212 85 11 220 55 49
22 116 215 119 167 230 7 219
164 47 70 243 97 69 103 227
12 162 59 28 133 24 4 29
41 160 143 178 90 216 166 126

238 141 83 75 161 154 193 14
122 73 165 44 129 196 199 54
43 127 67 149 51 242 108 104
109 240 2 40 206 221 155 234

94 153 124 20 134 207 229 66
184 64 120 45 58 233 100 31
146 144 125 57 111 224 137 48
Then the second subkey for the round is applied to the block. This time, the
sequence of operations complements that used previously:
add, XOR, XOR, add, add, XOR, XOR, add
Then, the different bytes are mixed together without using a bit transpose.
Instead, arithmetic is used.
The first byte is replaced by twice the old first byte plus the old second byte. The
second byte is replaced by the old first byte plus the second byte. Only the last
eight bits of the sums are kept, of course.
This same method of combining the bytes is applied to the third and fourth bytes,
the fifth and sixth bytes, and the seventh and eighth bytes.
Then the bytes are interchanged; after the interchange, the order of the bytes
becomes
1 3 5 7 2 4 6 8
in terms of which byte each byte was before.
The mixing is performed on pairs of bytes again, and then the interchange, and
then the mixing.
After the eighth round, an extra subkey is applied in the same way as the first
subkey of each round.
The following diagram illustrates a round of SAFER:

Decryption
Unlike most other block algorithms, SAFER is inverted by doing the reverse of
each step, in reverse order, without the possibility of achieving the same result
merely by some alteration of the subkeys used.
The reverse of the method of mixing pairs of bytes is this: to get the old first
byte, subtract the new second byte from the new first byte. The old second byte is
the new second byte minus the old first byte, which is the same as twice the new
second byte minus the new first byte.
Subkey generation
In the original version of SAFER, the first 64-bit subkey was the key itself. To
generate successive subkeys, the individual bytes of the key were given a circular
left shift of 3 bits between the rounds, and the current result is then XORed with
a fixed constant for each round.
These constants are:
(for the first subkey, 0)

16733B1E8E70BD86
477E2456F1778846
B1BAA3B7100AC537
C95A28AC64A5ECAB
C66795580DF89AF6
66DC053DD38AC3D8
6AE9364943BFEBD4
9B68A0655D57921F
715CBB22C1BE7BBC
63945F2A61B83432
FDFB1740E6511D41
8F29DD0480DEE731
7F01A2F739DA6F23
FE3AD01CD1303E12
CD0FE0A8AF82592C
7DADB2EFC287CE75
1302904F2E723385
8DCFA981E2C4272F
7A9F52E115382BFC
42C708E409555E8C
The first several constants are given, enough for up to 10 rounds. Originally, six
rounds were proposed for SAFER, but this was increased to 8. The constants are
also derived mathematically.
SAFER SK
A new version of SAFER, SAFER SK, has a more secure key schedule.
The 64-bit key is expanded by one byte, that byte being the XOR of all the
previous bytes. For generating the first subkey, that byte is ignored; for the
second, where the key would have been used, one instead takes the eight bytes
starting with the second byte of the nine-byte expanded key; for the second, start
with the third, and after the ninth go back to the first; and so on.
SAFER SK-40
A 40-bit version of SAFER-SK also exists, with the starting nine-byte expanded
key beginning with bytes 1 to 5 being the 40-bit key, and the remaining bytes
being, in order:
byte 1 xor byte 3 xor 129

byte 1 xor byte 4 xor byte 5 xor 66
byte 2 xor byte 3 xor byte 5 xor 36
byte 2 xor byte 4 xor 24
SAFER-128, SAFER SK-128

The 128-bit key schedule, both for SAFER and SAFER-SK, consists of using the
first subkey and the other odd subkeys from the sequence generated from the
right half of the key, and the second and the other even subkeys from the
sequence generated from the left half of the key.
Next
Chapter Start
Table of Contents
Main Page Home Page
IDEA (International Data Encryption

Algorithm)
IDEA, unlike the other block cipher algorithms discussed in this section, is patented by
the Swiss firm of Ascom. They have, however, been generous in allowing, with
permission, free noncommercial use of their algorithm, with the result that IDEA is
best known as the block cipher algorithm used within the popular encryption program
PGP.
The IDEA algorithm is interesting in its own right. It includes some steps which, at
first, make it appear that it might be a non-invertible hash function instead of a block
cipher. Also, it is interesting in that it entirely avoids the use of any lookup tables or S-
boxes.
IDEA uses 52 subkeys, each 16 bits long. Two are used during each round proper, and
four are used before every round and after the last round. It has eight rounds.
The plaintext block in IDEA is divided into four quarters, each 16 bits long. Three
operations are used in IDEA to combine two 16 bit values to produce a 16 bit result,
addition, XOR, and multiplication. Addition is normal addition with carries, modulo
65,536. Multiplication, as used in IDEA, requires some explanation.
Multiplication by zero always produces zero, and is not invertible. Multiplication

modulo n is also not invertible whenever it is by a number which is not relatively prime
to n. The way multiplication is used in IDEA, it is necessary that it be always
invertible. This is true of multiplication IDEA style.
The number 65,537, which is 2^16+1, is a prime number. (Incidentally, 2^8+1, or 257,
is also prime, and so is 2^4+1, or 17, but 2^32+1 is not prime, so IDEA cannot be
trivially scaled up to a 128-bit block size.) Thus, if one forms a multiplication table for
the numbers from 1 through 65,536, each row and column will contain every number
once only, forming a Latin square, and providing an invertible operation. The numbers
that 16 bits normally represent are from 0 to 65,535 (or, perhaps even more commonly,
from -32,768 to 32,767). In IDEA, for purposes of multiplication, a 16 bit word
containing all zeroes is considered to represent the number 65,536; other numbers are
represented in conventional unsigned notation, and multiplication is modulo the prime
number 65,537.
Description of IDEA
Let the four quarters of the plaintext be called A, B, C, and D, and the 52 subkeys
called K(1) through K(52).
Before round 1, or as the first part of it, the following is done:
Multiply A by K(1). Add K(2) to B. Add K(3) to C. Multiply D by K(4).
Round 1 proper consists of the following:
Calculate A xor C (call it E) and B xor D (call it F).
Multiply E by K(5). Add the new value of E to F.
Multiply the new value of F by K(6). Add the result, which is also the new value of F,
to E.
Change both A and C by XORing the current value of F with each of them; change
both B and D by XORing the current value of E with each of them.
Swap B and C.
Repeat all of this eight times, or seven more times, using K(7) through K(12) the
second time, up to K(43) through K(48) the eighth time. Note that the swap of B and C
is not performed after round 8.
Then multiply A by K(49). Add K(50) to B. Add K(51) to C. Multiply D by K(52).
The intricacies of IDEA encryption may be made somewhat clearer by examining the
following diagrams:
Details: Overview:
Decryption
How can the round in IDEA be reversed, since all four quarters of the block are
changed at the same time, based on a function of all four of their old values? Well, the
trick to that is that A xor C isn't changed when both A and C are XORed by the same
value, that value cancels out, no matter what that value might be. And the same applies
to B xor D. And since the values used are functions of (A xor C) and (B xor D), they
are still available.
This cross-footed round, rather than a Feistel round, is the most striking distinguishing
factor of IDEA, although its use of multiplication, addition, and XOR to avoid the use
of S-boxes is also important.
Those that are added are replaced by their two's complement. Those that are multiplied
in are replaced by their multiplicative inverse, modulo 65,537, in IDEA notation when
used to change blocks directly, but those used to calculate the cross-footed F-functions
are not changed. Keys XORed in would not need to be changed, but there aren't any
such keys in IDEA. Due to the placement of the swap, the first four keys for decryption
are moved somewhat differently than the other keys used for the same operation
between rounds.
The decryption key schedule is:
The first four subkeys for decryption are:
KD(1) = 1/K(49)
KD(2) = -K(50)
KD(3) = -K(51)
KD(4) = 1/K(52)
and they do not quite follow the same pattern as the remaining subkeys which follow.
The following is repeated eight times, adding 6 to every decryption key's index and
subtracting 6 from every encryption key's index:
KD(5) = K(47)
KD(6) = K(48)
KD(7) = 1/K(43)
KD(8) = -K(45)
KD(9) = -K(44)
KD(10) = 1/K(46)
Subkey generation
The 128-bit key of IDEA is taken as the first eight subkeys, K(1) through K(8). The
next eight subkeys are obtained the same way, after a 25-bit circular left shift, and this
is repeated until all encryption subkeys are derived.
This method of subkey generation is regular, and this may be a weakness. However,
IDEA is considered to be highly secure, having stood up to all forms of attack so far
tried by the academic community.
Next
Chapter Start
Table of Contents
Main Page
Home Page
Skipjack
Skipjack, the originally secret algorithm associated with the infamous Clipper chip, was
declassified on Tuesday, June 23, 1998, and appeared as a .PDF document at the NIST web
site the following morning.
The basic round type of Skipjack forms another alternative, alongside those offered by SAFER
and IDEA, to the Feistel round structure seen in DES, LUCIFER and Blowfish, among other
block ciphers. In each round, one of four quarters of the block is subjected to four Feistel
rounds on a small scale, and one other quarter is modified by being XORed with the round
number and the quarter that went through the mini-Feistel cipher, either before or after that
step. No bit transposes are required in Skipjack, making it efficient to implement on a general-
purpose computer.
Skipjack has 32 rounds. These rounds are of two types, A and B. A type A round proceeds as
follows:
The first quarter of the block (called W1) is enciphered by the "G permutation", which is
actually a four-round Feistel cipher. The result, and the round number (where round numbers
go from 1 through 32), are XORed with the fourth quarter of the block (W4). Then each
quarter of the block is moved to the next position; W1 to W2, W2 to W3, W3 to W4, and W4
back to W1.
A type B round proceeds as follows:
The second quarter of the block (W2) is XORed with the round number and the first quarter of
the block (W1). Then the first quarter of the block is enciphered by the "G permutation".
Again, each quarter of the block is moved to the next position; W1 to W2, W2 to W3, W3 to
W4, and W4 back to W1.
The rotation of quarters of the block is not omitted after the last round. The 32 rounds of
Skipjack consists of eight type A rounds, eight type B rounds, eight type A rounds, and eight
type B rounds. Note that by having a type A round first, and a type B round last, the form of
the first quarter on the "inside" is XORed with one of the other quarters in the first and last
rounds.
Permutation G is a four-round Feistel cipher, involving dividing its 16-bit input into two 8-bit
halves. Like DES, the left half of the block is not changed in each round, but acts as input to
the f-function, the output of which is XORed to the right half. Unlike DES, the two halves are
swapped after the last round (as the algorithm has only four rounds, all four iterations of the f-
function can be illustrated, going alternately from right to left, and then from left to right; in
that form, no swaps at all are required).
The f-function of the G permutation is as simple as one might expect for an f-function only 8
bits wide: the input is first XORed with the current round's subkey, and then the result is
substituted according to a lookup table, called F.
The subkeys for G, each one byte long, are simply four consecutive bytes of the 80-bit key.
The first four bytes are used in the first round, the next four bytes in the second, the last two
bytes followed by the first two bytes in the third, and so on.
The operation of Skipjack may be made clearer by the following diagram:
which illustrates the first 12 rounds of Skipjack. The first round, of type A, is shown with the
G function illustrated in full. The next seven rounds, also of type A, are shown with the G
function indicated by a box marked with a G. Then the last four of the twelve rounds shown, of
type B, are showed the same way. There are dotted lines dividing the rounds in the diagram.
Instead of rotating the quarters of the block, the functions move between columns; since the
last rotation is not skipped, this illustration will show, if continued to include all 32 rounds, the
quarters ending up in their proper places without any final rotation being required.
The S-box of Skipjack, called F, which is the heart of the f-function of the Feistel mini-cipher
that is the G permutation, is as follows:
a3 d7 09 83 f8 48 f6 f4 b3 21 15 78 99 b1 af f9
e7 2d 4d 8a ce 4c ca 2e 52 95 d9 1e 4e 38 44 28
0a df 02 a0 17 f1 60 68 12 b7 7a c3 e9 fa 3d 53
96 84 6b ba f2 63 9a 19 7c ae e5 f5 f7 16 6a a2
39 b6 7b 0f c1 93 81 1b ee b4 1a ea d0 91 2f b8
55 b9 da 85 3f 41 bf e0 5a 58 80 5f 66 0b d8 90
35 d5 c0 a7 33 06 65 69 45 00 94 56 6d 98 9b 76
97 fc b2 c2 b0 fe db 20 e1 eb d6 e4 dd 47 4a 1d
42 ed 9e 6e 49 3c cd 43 27 d2 07 d4 de c7 67 18
89 cb 30 1f 8d c6 8f aa c8 74 dc c9 5d 5c 31 a4
70 88 61 2c 9f 0d 2b 87 50 82 54 64 26 7d 03 40
34 4b 1c 73 d1 c4 fd 3b cc fb 7f ab e6 3e 5b a5
ad 04 23 9c 14 51 22 f0 29 79 71 7e ff 8c 0e e2
0c ef bc 72 75 6f 37 a1 ec d3 8e 62 8b 86 10 e8
08 77 11 be 92 4f 24 c5 32 36 9d cf f3 a6 bb ac
5e 6c a9 13 57 25 b5 e3 bd a8 3a 01 05 59 2a 46
or, in decimal form,
163 215 9 131 248 72 246 244 179 33 21 120 153 177 175 249
231 45 77 138 206 76 202 46 82 149 217 30 78 56 68 40
10 223 2 160 23 241 96 104 18 183 122 195 233 250 61 83
150 132 107 186 242 99 154 25 124 174 229 245 247 22 106 162
57 182 123 15 193 147 129 27 238 180 26 234 208 145 47 184
85 185 218 133 63 65 191 224 90 88 128 95 102 11 216 144
53 213 192 167 51 6 101 105 69 0 148 86 109 152 155 118
151 252 178 194 176 254 219 32 225 235 214 228 221 71 74 29
66 237 158 110 73 60 205 67 39 210 7 212 222 199 103 24
137 203 48 31 141 198 143 170 200 116 220 201 93 92 49 164
112 136 97 44 159 13 43 135 80 130 84 100 38 125 3 64
52 75 28 115 209 196 253 59 204 251 127 171 230 62 91 165
173 4 35 156 20 81 34 240 41 121 113 126 255 140 14 226
12 239 188 114 117 111 55 161 236 211 142 98 139 134 16 232
8 119 17 190 146 79 36 197 50 54 157 207 243 166 187 172
94 108 169 19 87 37 181 227 189 168 58 1 5 89 42 70
This was double-checked by looking at the inverse of this S-box generated by the same
program that converted what I typed from hexadecimal to decimal, as the S-box is a straight
permutation of the numbers from 0 to 255. In the original document in its electronic form,
lowercase c and e are sometimes difficult to distinguish.
For decipherment, each round is replaced by a corresponding deciphering round, and these
rounds are, of course, executed in the reverse of the enciphering order.
The deciphering equivalent of a type A round is as follows:
The first quarter, W1, is XORed with W2 and the round number (rounds now counting down
from 32 to 1). Then the second quarter, W2, is subjected to the inverse of the G permutation.
Then, each quarter is moved to the position of the preceding one; W1 to W4, W2 to W1, W3 to
W2, and W4 to W3.
The deciphering equivalent of a type B round is the following:
The second quarter, W2, is subjected to the inverse of the G permutation. The third quarter,
W3, is then XORed with the round number and the changed value of W2. Again, each quarter
is moved to the position of the preceding one; W1 to W4, W2 to W1, W3 to W2, and W4 to
W3.
The deciphering equivalent of the G permutation involves using the four subkeys in reverse
order - and reversing the roles of the right and left halves of the 16-bit quarter block.
Comments
SKIPJACK was declassified in order to facilitate finding private companies to manufacture

devices using that algorithm for use by the U.S. Government. Some people have called
attention to the fact that only a short time previously, government spokespersons were saying
that the disclosure of that algorithm would harm national security.
However, I have noted that the inconsistency involved may be more apparent than real.
Between the statements cited, and the declassification of SKIPJACK, a paper was published by
an academic researcher noting that Feistel ciphers of a particular type, specifically those in
which the f-function was itself a series of Feistel rounds, could be proven to be immune to
differential cryptanalysis.
SKIPJACK, although not precisely of that type, is closely related: one of the four subblocks
undergoes Feistel rounds, but in addition to the result being used, as an f-function output, on
another subblock, the subblock is also retained in its modified state.
Also, note that SKIPJACK consists of eight type A rounds, followed by eight type B rounds
twice, instead of sixteen type A rounds and then sixteen type B rounds. Since the type A
rounds are appropriate for the beginning of the cipher, and the type B rounds are appropriate
for its end, it might seem at first that this weakened the cipher. However, the boomerang
attack, which was discovered after the declassification of SKIPJACK, allows differential
cryptanalysis to be done independently on the first and last half of a block cipher; thus, if
SKIPJACK were composed of two halves, each with one type of round, it could have been
attacked as if it consisted of only a single type of round.
It may also be noted that a recent book, Top Secret Intranet, reveals that SKIPJACK was
considered adequate to safeguard information classified SECRET but not information
classified TOP SECRET. This appears to refer to early 1999, and may still be the case as of
this writing (May 1999). Also, note that SKIPJACK has an 80-bit key, the key-length limit for
exportable ciphers is 40 bits, and some suppliers of encryption equipment to the U.S.
government have advertised their equipment provides a 120-bit key or a 160-bit key. This may
be because 40 is a multiple of both 8 and 10, and 2^10 equals 1024, which is just over 1000.
Thus every 40 bits in a key can have just over a trillion possible values, making it easy to
express the number of possible keys in decimal terms.
One notes that the key consists of 10 bytes, which is a number of the form 4n+2. While it
might not increase the security of SKIPJACK to do so, if there are no subtle traps in the
structure of SKIPJACK, which appears to have a simple and uniform structure, it might be
possible to use a key composed of the next such number of bytes with it: 14 bytes. That is an
interesting possibility, because such a key would be a 112-bit key, exactly twice as long as the
key used in DES.
Next
Chapter Start
Table of Contents
Main Page
Home Page
Blowfish
The Blowfish program was developed by author and computer security and
cryptography consultant Bruce Schneier. Blowfish is a cipher based on Feistel
rounds, and the design of the f-function used amounts to a simplification of the
principles used in DES to provide the same security with greater speed and
efficiency in software. The block ciphers Khafre and CAST have somewhat
similar rounds.
The main claim to fame of Blowfish, however, is in its method of key scheduling.
The round keys, and the entire contents of all the S-boxes, are created by multiple
iterations of the block cipher. This enhances the security of the block cipher,
since it makes exhaustive search of the keyspace very difficult, even for short
keys.
Description of Blowfish
Unlike DES, Blowfish applies the f-function to the left half of the block,
obtaining a result XORed to the right half of the block. Originally, I had said that
this departure from convention may cause confusion in reading the description of
Blowfish. However, upon further reflection, I think that it is really DES that is
creating confusion; the time sequence of events should move from left to right
(particularly in a design that is otherwise big-endian); this is generally what
happens in more recent designs, such as the AES candidates, and particularly in
ciphers with unbalanced Feistel rounds.
Blowfish consists of sixteen rounds. For each round, first XOR the left half of the
block with the subkey for that round. Then apply the f-function to the left half of
the block, and XOR the right half of the block with the result. Finally, after all
but the last round, swap the halves of the block. There is only one subkey for
each round; the f-function consumes no subkeys, but uses S-boxes which are key
dependent.
After the last round, XOR the right half with subkey 17, and the left half with
subkey 18.
The f-function
Blowfish uses four S-boxes. Each one has 256 entries, and each of the entries are
32 bits long.
To calculate the f-function: use the first byte of the 32 bits of input to find an
entry in the first S-box, the second byte to find an entry in the second S-box, and
so on. The value of the f-function is ((S1(B1) + S2(B2)) XOR S3(B3)) + S4(B4)
where addition is performed modulo 2^32.
Decryption
Decryption is the same as encryption, with the 18 subkeys used in reverse order.
At first, this seems unbelievable (although not quite as bad as understanding
decryption of IDEA), because there are two XOR operations following the last
use of the f-function, and only one preceding the first use of the f-function.
However, if you modify the algorithm so that use of subkeys 2 through 17 takes
place before the output of the f-function is XORed to the right half of the block,
and is done to the same data before that XOR, although that means it is now on
the right half of the block, since the XOR of the subkey has been moved before a
swap of the halves of the block, you have not actually changed anything since the
same information is XORed to the left half of the block between each time it is
used as input to the f-function. In fact, you can even move the XOR still earlier,
before the preceding swap of block halves. Once you do that, you have the exact
reverse of the decryption sequence.
Subkey generation
Begin by initializing subkeys 1 through 18, followed by elements zero through
255 of the first S box, then elements zero through 255 of the second S box, all the
way to element 255 of the fourth S box, with the fractional part of pi. The most
significant bit of the fractional part of pi becomes the most significant bit of the
first subkey.
Then, take the key, which may be of any length up to 72 bytes, and, repeating it
as often as necessary to span the entire array of 18 subkeys, XOR it with the
subkey array contents.
Then execute the Blowfish algorithm repeatedly, with an initial input of a 64-byte
block of all zeroes as plaintext input. After each execution, replace part of the
subkeys or S boxes with the successive outputs of Blowfish, in the same order as
the digits of pi in binary (or hexadecimal) form were placed in them; after the
first iteration, replace subkeys 1 and 2; after the tenth iteration, replace the first
two entries (0 and 1) in S-box 1; and so on.
For each iteration of Blowfish in key generation, also use the output of the
preceding iteration as input. (The original description of Blowfish in the April
1994 issue of Dr. Dobb's Journal could be interpreted to imply that zero should
be used as input for every iteration. As the later iterations only change individual
S-box entries, this could lead to large stretches of identical data in the S-boxes,
and is thus a misreading of the directions, not a slightly different original form of
the algorithm.)
Thus, loading Blowfish with a new key takes as much time as encrypting 521
blocks ((256*4+18)/2) in Blowfish. This gives Blowfish an extra 9 bits of
security against a brute force search for keys shorter than maximum length,
which makes the 32-bit, instead of 40-bit limit for export versions of Blowfish
reported by one individual just about exactly right. (Seems you just can't fool the
NSA.)
Next
Chapter Start
Table of Contents
Main Page
Home Page
QUADIBLOC (QUick And Dirty

Implementable BLOck Cipher)
QUADIBLOC is a little block cipher that I developed myself. It was designed to be
very easy to implement, so that any obstacles to the distribution of program source
would not be too great an inconvenience for people using it. It uses a modified Feistel
round; when the left-hand half is modified by the f-function of the right-hand half,
instead of merely performing an XOR, the left-hand half first goes through an S-box,
then is XORed with the f-function output, and then goes through an S-box again. The
main security feature of QUADIBLOC that is of interest is that the f-function is
iterated twice, thus accelerating the propagation of changes in the plaintext block
through the entire ciphertext block.
I claim trademark rights to the terms QUADIBLOC, QUADIBLOC-80, QUADIBLOC-

64, QUADIBLOC-40, QUADIBLOC-320, QUADIBLOC-640, QUADIBLOC 96,
QUADIBLOC 99, QUADIBLOC SE, QUADIBLOC-320SE, Quadibloc II, Quadibloc
III, Quadibloc III SC, Quadibloc III MD, Quadibloc III SD, Quadibloc IV, Quadibloc
V, Quadibloc VI, Quadibloc VII, Quadibloc VIII, Quadibloc IX, Quadibloc X, and
Quadibloc S, but except for requiring that these terms be used only to designate the
block ciphers described here, as they are described, the QUADIBLOC block cipher is
freely available for anyone to use, although I do not warrant them as free from patent
problems.
● Description of QUADIBLOC
❍ Euler's Constant and the QUADIBLOC S-boxes
● Variants with different key sizes

● The QUADIBLOC FAQ (includes funny stuff)
● Key Augmentation
● Quadibloc II
● Quadibloc III
● Quadibloc IV
● Quadibloc V
● Quadibloc VI
● Quadibloc S
● Quadibloc VII
● Quadibloc VIII
❍ The Standard Rounds
❍ The Mixing and Whitening Phase

❍ The Key Schedule
❍ The Rationale of the Design
● Quadibloc IX
● Quadibloc X
Next Chapter
Chapter Start
Table of Contents
Main Page
Home Page
Description of QUADIBLOC
The intent of the following proposed block cipher is to provide a cipher which is at
least as secure as DES, and possibly somewhat more secure, which is reasonably
efficient when implemented in software, and is furthermore easy to implement.
Changes required for QUADIBLOC 99, which corrects known weaknesses in the
original QUADIBLOC (QUADIBLOC 96), are indicated in highlighted boxes.
Two S-boxes, taking 8 binary inputs uniquely to 8 binary outputs, are used, as well as
the inverse of the second S-box. The S-boxes are constructed from Euler's constant
(.57721...) as follows:
start with an array, A, such that A(0) is 0, A(1) is 1, up to A(255) which is 255. Place
Euler's constant to sufficient precision in ACC. Number of choices starts at 256, and is
decreased by 1 for each iteration; element to choose starts at 0, and increases by 1 for
each iteration. The iteration where Number of choices is 2 is the last iteration.
During each iteration, multiply ACC by Number of choices. Leave the fractional part
of the result in ACC; swap
A( Number of choices )
and
A( Number of choices + the integer part of the result).
This generates S-box 1; repeat the procedure with the contents remaining in ACC to
obtain S-box 2. (ACC must be long enough to hold Euler's constant to sufficient
precision to support both applications of the procedure.)
The S-boxes are given on the page entitled Euler's Constant and the Quadibloc S-boxes.
In QUADIBLOC 99, a third S-box, generated by continuing the process, is also used.
In addition, the following 4 of 8 code for the numbers 0 to 63 is used during subkey
generation:
given the 6 bits abcdef, in the output word, let c stand for 01 if the bit c is 0, or 10 if the
bit c is 1, and let DD stand for 0011 if the bit d is 0, or 1100 if the bit d is 1, then
00cdef becomes cdef

010def becomes DDef
011def becomes deFF
100def becomes dEEf
101def becomes DefD
110def becomes DeDf
111def becomes dEfE
or, giving the 64 equivalents in hex,
55 56 59 5A 65 66 69 6A 95 96 99 9A A5 A6 A9 AA
35 36 39 3A C5 C6 C9 CA 53 5C 63 6C 93 9C A3 AC
4D 4E 71 72 8D 8E B1 B2 17 1B 27 2B D4 D8 E4 E8
1D 1E 2D 2E D1 D2 E1 E2 47 4B 74 78 87 8B B4 B8
The cipher is an iterative block cipher, with 16 rounds and 48 subkeys, and uses Feistel
rounds: half the block is used to encipher the other half in each round. It operates on a
64-bit block, and has a 160-bit key.
Initially, the first 4 bytes of data to encrypt are taken as the left half, and the last 4
bytes are taken as the right half.
Each round proceeds as follows:
A copy of the right half, which will actually be unchanged by this round, is taken.
This now describes the f-function
The copy is XORed with the round's first subkey (subkey 1 for round 1, subkey 4 for
round 2, to subkey 46 for round 16).
Then, each byte is replaced by its substitute in S-box 1.
In QUADIBLOC 99, the fourth byte is instead replaced by its substitute in S-box 2.
The bits of the result, considered to be numbered from 1 (most significant bit of the
first, leftmost byte) to 32 (least significant bit of the last, rightmost byte) following the
pattern in DES, are to be transposed to lie in the following positions:
1 2 27 28 21 22 15 16
9 10 3 4 29 30 23 24
17 18 11 12 5 6 31 32
25 26 19 20 13 14 7 8
Note that this arrangement posesses a great deal of symmetry: only ONE version of S-
box 1, with 256 32-bit entries is needed to perform both the S-box substitution, and the
subsequent permutation, in a single step for efficiency on a computer without hardware
instructions for bit transposition. And, since no bits change their position within a byte,
a slower implementation, using S-box 1 with single byte entries, and doing the
transposition using masking, is also possible.
In QUADIBLOC 99, the symmetry of the bit transposition remains, but one expanded
version of S-box S2 is also required.
The 32 transposed bits are now XORed with the round's second subkey.
In QUADIBLOC 99, the value generated at this point is also retained, and is called
the intermediate result of the f-function.
Each byte of the result is again replaced by its substitute in S-box 1, and the bits of the
result are transposed as before.
In QUADIBLOC 99, in the second part of the f-function, the second and third bytes
are instead replaced by their substitutes in S-box 2.
The result is XORed with the round's third subkey. This produces the output of the f-
function.
Applying the f-function output to alter the left half of the block:
In a QUADIBLOC 99 type A round, the first (leftmost) half of the intermediate result
of the f-function is used to control an ICE-style swap of bits between the halves of the
left half of the block at this time: each bit in that 16-bit quantity which is 1 indicates
that corresponding bits in the two halves of the 32-bit left half of the block are to be
swapped.
Each byte of the left half is replaced by its substitute in S-box 2.

In QUADIBLOC 99, S-box 3 is used for this purpose.
In a QUADIBLOC 99 type B round, the first (leftmost) half of the intermediate result
of the f-function is used to control an ICE-style swap of bits between the halves of the
left half of the block at this time: each bit in that 16-bit quantity which is 1 indicates
that corresponding bits in the two halves of the 32-bit left half of the block are to be
swapped.
The result is XORed with the result of the f-function applied to the right half.
In a QUADIBLOC 99 type B round, first the second and third bytes of the left half of
the block are swapped, and then the second (rightmostmost) half of the intermediate
result of the f-function is now used to control another ICE-style swap of bits between
the halves of the left half of the block: each bit in that 16-bit quantity which is 1
indicates that corresponding bits in the two halves of the 32-bit left half of the block
are to be swapped.
Each byte of the result is replaced by its substitute in S-box 2.
In QUADIBLOC 99, S-box 3 is used for this purpose.
In a QUADIBLOC 99 type A round, first the second and third bytes of the left half of
the block are swapped, and then the second (rightmostmost) half of the intermediate
result of the f-function is now used to control another ICE-style swap of bits between
the halves of the left half of the block: each bit in that 16-bit quantity which is 1
indicates that corresponding bits in the two halves of the 32-bit left half of the block
are to be swapped.
The sequence of rounds:
In QUADIBLOC 99, the type A and type B rounds alternate as follows:
Round: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
Type: A A B B A A B B B B A A B B A A
Except for the four middle rounds, this ensures that the ICE-style bit transpositions
alternate with the byte substitutions using S-box 3.
The swap:
After every round except round 8 and round 16:

the left half for the next round is the unchanged right half from the previous round;
the right half for the next round is the modified left half, after the XOR and the two
substitutions, subjected to a circular left shift of 8 bits (which can be carried out by
moving whole bytes, of course).
In QUADIBLOC 99, the swap is performed in all rounds except round 16 only. The
bit transpose after round 8 is removed as not having as much effectiveness as was
hoped for, and instead the ICE-style bit swap is added to every round. The circular left
shift of 8 bits is no longer part of the swap, and is replaced by the exchange of two
bytes preceding the last bit swap.
After round 8:
Each byte of the right half is replaced by its substitute in S-box 2.
Subject the bits of the block, numbered from 1 to 64, from left to right, to the following
(reciprocal) bit transpose:
1 34 11 44 21 54 31 64 9 42 3 36 29 62 23 56
17 50 27 60 5 38 15 48 25 58 19 52 13 46 7 40
33 2 43 12 53 22 63 32 41 10 35 4 61 30 55 24
49 18 59 28 32 6 47 16 57 26 51 20 45 14 39 8
Each byte of the right half of the result is replaced by its substitute in S-box 2.
As previously mentioned, this operation is completely omitted from QUADIBLOC

99, and a simple swapping of halves takes place instead.
After round 16:
Nothing happens: the result at that point, without further swapping, is the output of the
cipher.
The following diagram illustrates what happens during a normal round of

QUADIBLOC 96 (from 1 to 7, or 9 to 15), to help make the description clearer:
And these are the corresponding diagrams for QUADIBLOC 99:
For a type A round:

For a type B round:
Some comments at this stage:
Using a 'double' f-function means:
a) every bit of the f-function output depends on every bit of the right half of the block,
thus making propagation very rapid, and
b) the first half of the f-function can be thought of as substituting for the absence of an
expansion permutation and auxilliary S-box inputs as found in DES.
Decipherment is the same as encipherment, except:
a) S-box 2 is replaced by the inverse of S-box 2 (S-box 1 is unchanged),
In QUADIBLOC 99, for decipherment, S-box 3 is replaced by its inverse, and S-

boxes 1 and 2 are unchanged.
b) after every round except rounds 8 and 16, the modified left half from one round
becomes the right half for the next, and the unmodified right half receives a right
circular shift of 8 bits before becoming the left half for the next round, and
In QUADIBLOC 99, the swap of the second and third bytes in the left half of the
block is changed to take place after the first ICE-style swap and before the first use of
S-box 3. Also, now the ICE-style swap that occurs first uses the second (rightmost)
half of the intermediate result of the f-function as input, and the ICE-style swap that
occurs second uses the first (leftmost) half of the intermediate result of the f-function
as input.
c) the 16 groups of three subkeys for the 16 rounds are used in reverse order, but the
three subkeys within each group are still used in the same order.
The bit transpose with partial substitution between rounds 8 and 9 is intended to create
a 'wall' between the first 8 and the last 8 rounds that will make the cipher much harder
to analyze and solve.
The bit transpose has been removed since the boomerang attack has cast some doubts
on its efficacy.
Subkey generation:
The 160-bit key shall be expanded to 176 bits by applying the 4 of 8 bit code specified
above to each group of 6 bits in the last 48 bits of the key, thus expanding these 48 bits
to 64 bits. (This is done to prevent weak keys.)
In QUADIBLOC 99, the last 64 bits of the 160-bit key shall be used, reduced to 48
bits by ignoring the most significant two bits of each byte, as input to the 4 of 8 bit
code. This avoids having to perform unnecessary shift operations. Then, the 160-bit
key will be expanded to the following: the first 96 bits of the original 160-bit key, the
64 bits generated from the 4 of 8 code, and the last 64 bits of the original 160-bit key
XOR the first 64 bits of the original 160-bit key (so that the expanded key does not
contain both the original form, and the 4 of 8 encoding, of the same bits) to produce
an expanded key that is 224 bits long.
The first 128 bits of the result shall be divided into four 32-bit blocks, which shall be
called, from left to right, P, Q, R, and S.
The subkeys shall be generated for the 16 encipherment rounds in order.
P, Q, and R will be taken as the three subkeys for the current round, subject to an XOR
to be subsequently described.
Then, P, Q, and R shall be shifted left n bits, and S shall be shifted left 3n bits, with the
first n bits of P, then the first n bits of Q, then the first n bits of R being shifted into S,
while the bits shifted out of S into P, Q, and R will alternate, one bit at a time, into
these three registers/locations.
Thus, when n is 6, we have:
Before:
P) P1 P2 ... P32
Q) Q1 Q2 ... Q32
R) R1 R2 ... R32
S) S1 S2 ... S32
and after:
P) P7 P8 ... P32 S1 S4 S7 S10 S13 S16

Q) Q7 Q8 ... Q32 S2 S5 S8 S11 S14 S17
R) R7 R8 ... R32 S3 S6 S9 S12 S15 S18
S) S19 S20 ... S32 P1 P2 ... P6 Q1 Q2 ... Q6 R1 R2 ... R6
The value of n to use for each round in turn shall be
5, 6, 5, 5,
7, 7, 7, 7,
7, 8, 7, 7,
5, 6, 5, 5.
Each of the 48 subkeys thus generated will now be XORed with the leftmost 32 bits of
T, where T begins as the last 48 bits of the expanded key, and is given a right circular
shift of 17 bits after each use.
In QUADIBLOC 99, a right circular shift of 11 bits will be used after generating all
but the last of the 27 subkeys used by the first nine rounds, and then a right circular
shift of 17 bits will be used afterwards. Since the expanded key is 224 bits long, rather
than 176 bits long, T will be 96 bits long and will initially contain the last 96 bits of
the expanded key.
● Euler's Constant and the QUADIBLOC S-boxes

Next
Chapter Start
Table of Contents
Main Page
Home Page
Euler's Constant and the Quadibloc S-

Boxes
The initial values of the subkeys and S-boxes in Blowfish are based on pi. To dispel
worries about S-boxes with a designed-in weakness in my amateur designs, I have chosen
a standard mathematical constant as their source.
The constant I am using is Euler's constant, sometimes called the Euler-Mascheroni

constant, also known as gamma. Its value is .57721 56649 01532 86060 65120 90082...
Euler's constant is defined as the limit, as n tends to infinity, of the sum of 1 + 1/2 + 1/3
+ ... up to 1/n, minus the natural logarithm of n, normally written:
n
/ ____ \
| \ 1 |
lim | > --- | - ln(n)
n -> infinity | /___ i |
\ i=1 /
Since
_n
/
| 1
| ---, dx = ln(n)
| x
_/
1
that is, the integral from 1 to n of 1/x with respect to x is the natural logarithm of n, the
following diagram illustrates what Euler's constant is in graphical form:
Allowing the graph to continue on indefinitely to the right, the boxes shown which are
divided into green and gray areas have a total overall area of 1. (Note that the vertical
scale in the graph is exaggerated compared to the horizontal scale for clarity.) Euler's
constant, .57721 56649... is the total of the areas of the gray parts of the boxes.
Because only scaling makes the shape of the graph of 1/x from 1 to 2 different from the
graph of 1/x from 2 to 4, or the graph of 1/x from 4 to 8, the following diagram:
illustrates a way in which it is possible to derive a formula for Euler's constant that would
only involve calculating the natural logarithm of 2.
This formula is:
(i+1)
infinity 2
____ ____
\ \ 1 1
gamma = (1 - ln(2)) + > (1 - ln(2)) - > --- - ---
/___ /___ i j
i = 1 i 2
j = 2 +1
By superimposing the areas from 1 to 2, from 2 to 4, and 4 to 8 after adjusting them to fit,
one sees that another series for Euler's constant, not involving any logarithms, is possible,
as it is (1/2 - 1/3) + 2 * ((1/4 - 1/5) + (1/6 - 1/7)) + 3 * ((1/8 - 1/9) + (1/10 - 1/11) + (1/12 -
1/13) + (1/14 - 1/15)) + ..., or, in other words:
(i+1)
infinity 2 - 1
____ ____
\ \ (j-1) 1
gamma = > i * > (-1) * ---
/___ /___ j
i = 1 i
j = 2
Euler's constant is more difficult to calculate than the square root of 2, e, or pi, and it is
less well understood. Mathematicians have not yet proven which of rational, algebraic, or
transcendental it is.
The S-boxes constructed from Euler's constant (.57721 56649...) for use in the Quadibloc
series of block ciphers are derived as follows:
start with an array, A, such that A(0) is 0, A(1) is 1, up to A(255) which is 255. Place
Euler's constant to sufficient precision in ACC. Number of choices starts at 256, and is
decreased by 1 for each iteration; element to choose starts at 0, and increases by 1 for each
iteration. The iteration where Number of choices is 2 is the last iteration.
During each iteration, multiply ACC by Number of choices. Leave the fractional part of
the result in ACC; swap
A( Number of choices )
and
A( Number of choices + the integer part of the result ).
This generates S-box 1; repeat the procedure with the contents remaining in ACC to
obtain S-box 2. (ACC must be long enough to hold Euler's constant to sufficient precision
to support both applications of the procedure.)
A BASIC program to generate these S-boxes is given here. And this BASIC program
produced the DATA statements it required from a file containing the value of Euler's
constant.
Here are the S-boxes thus produced. S-boxes from 1 through 4 are used in several of the
ciphers in the Quadibloc series. S-boxes 5 and 6 are combined into one S-box with 512
entries, called S5, in Quadibloc II and III, and similarly S-boxes 7 and 8 become S6 and S-
boxes 9 and 10 become S7. S-box 11 is used under the name S9 in Quadibloc III.
S-box 1 is:
147 196 164 55 9 6 90 236

192 207 17 58 52 112 227 221
122 94 60 10 153 245 195 194
50 135 133 186 183 1 177 132
48 126 125 12 137 104 105 77
167 46 228 74 201 5 68 165
0 204 212 254 97 65 14 113
134 171 72 151 169 19 211 71
168 209 238 43 83 84 53 101
187 214 145 231 172 210 36 175
76 38 7 79 156 100 222 103
4 95 217 127 152 198 32 128
70 96 13 131 41 39 250 205
91 102 61 241 22 73 247 28
20 136 33 56 93 108 193 182
233 213 47 11 16 188 224 240
106 208 2 140 230 82 166 99
54 190 243 253 181 255 138 237
111 219 49 220 143 142 161 162
251 226 239 180 98 130 107 24
119 78 146 123 88 45 120 118
57 21 15 234 150 40 64 35
154 25 29 139 114 59 144 215
87 26 37 248 75 86 202 197
34 163 206 44 69 173 81 92
216 31 159 62 27 244 30 232
179 80 218 66 129 148 225 246
252 170 174 8 200 124 18 203
191 189 116 3 67 242 229 141
199 117 121 89 157 42 51 115
85 160 235 109 158 178 176 223
249 155 184 185 63 149 110 23
S-box 2 is:
187 91 192 149 175 80 48 231
19 23 210 35 104 31 72 111
180 20 79 100 45 173 240 113
63 236 201 69 118 181 248 185
115 62 29 166 253 67 60 41
247 124 101 24 135 87 221 144
197 188 93 65 123 142 207 195
105 53 163 145 190 18 130 76
233 251 146 161 193 211 10 235
83 14 174 96 27 151 126 112
43 34 117 157 56 5 219 22
155 4 213 186 245 66 214 196
246 64 49 147 71 61 133 37
12 227 121 17 68 143 165 176
191 232 8 116 238 59 184 102
224 138 170 11 39 205 36 244
183 140 217 228 237 209 212 42
177 77 208 78 25 242 15 50
114 81 97 0 154 13 216 2
119 152 250 88 220 171 127 103
1 21 74 70 252 200 92 156
73 32 226 95 150 99 167 122
182 84 47 136 3 162 125 139
98 153 158 134 172 239 168 178
85 194 249 51 128 33 38 223
107 254 141 241 148 46 120 198
137 75 132 108 58 243 225 204
89 129 131 16 203 255 44 86
160 189 230 106 215 55 222 229
94 164 82 202 26 179 6 7
199 90 30 54 57 40 109 28
206 9 110 52 218 234 169 159
S-box 3 is:
169 101 98 166 37 253 215 99

85 233 210 135 201 79 5 239
53 11 150 105 141 198 219 234
195 60 127 143 165 42 64 121
255 18 78 132 251 159 213 245
230 106 40 175 153 20 81 23
212 217 147 74 240 174 171 97
89 26 187 115 38 220 51 249
73 7 86 24 82 16 164 250
179 123 107 49 194 154 204 94
66 118 231 183 22 113 192 188
180 167 29 119 46 96 117 28
35 114 186 197 138 191 52 122
247 19 103 6 31 102 227 254
145 246 148 12 156 144 189 8
61 33 13 58 36 216 41 68
185 63 69 178 228 172 125 142
59 243 75 235 202 221 80 151
120 226 21 155 93 32 25 209
57 9 168 30 116 252 56 203
128 146 163 205 95 157 222 177
244 190 130 17 242 87 161 83
27 139 44 62 50 4 54 65
225 72 88 3 232 104 136 10
48 109 206 218 126 112 43 90
229 133 14 110 100 162 158 211
152 2 92 176 199 207 1 84
34 173 214 170 223 77 184 67
129 149 182 196 45 200 160 47
224 39 238 208 124 70 137 193
15 71 111 237 76 131 0 248
236 241 181 140 91 108 55 134
S-box 4 is:
56 185 51 63 131 246 69 102

177 84 61 1 228 251 219 60
64 103 34 164 4 0 106 17
120 53 118 204 127 100 27 231
93 26 146 133 72 195 240 202
12 209 236 245 247 149 32 212
47 70 135 158 79 230 76 223
9 125 99 31 16 136 77 147
189 40 188 90 210 159 21 48
74 145 179 132 14 20 55 243
24 39 222 134 38 19 232 119
206 124 168 142 211 171 249 36
15 121 163 187 161 97 215 203
71 201 92 113 128 153 181 167
244 126 58 214 208 250 186 226
111 162 183 199 140 175 110 213
50 139 154 94 174 68 207 11
89 248 166 157 82 115 160 98
180 221 112 235 25 182 169 194
116 28 5 8 2 229 176 88
130 66 192 42 13 86 73 59
225 7 52 18 57 205 234 237
178 255 143 218 114 95 29 109
242 33 129 122 155 35 80 191
238 67 101 137 138 216 108 85
253 152 3 123 217 190 96 197
198 148 200 75 10 233 30 37
41 227 6 254 252 83 43 220
104 49 239 196 45 65 172 105
165 91 150 184 44 173 107 22
62 46 144 170 117 78 151 87
141 81 23 156 224 241 54 193
S-box 5 is:
218 16 5 224 122 22 160 207

90 43 170 153 221 213 140 178
93 145 46 135 10 72 229 102
249 74 254 149 192 45 225 245
94 105 128 206 114 162 23 233
117 7 83 169 31 143 109 230
100 91 34 6 223 240 30 210
86 2 98 147 77 204 188 106
103 244 177 27 184 112 191 9
18 58 68 198 138 251 253 12
200 42 78 176 20 234 150 144
116 146 8 164 88 32 222 59
186 175 47 194 195 141 127 41
155 255 1 28 24 217 252 165
154 21 243 92 70 212 139 205
131 166 196 111 173 123 118 209
183 125 197 220 126 136 69 26
48 216 52 85 242 132 35 36
3 163 219 99 33 211 236 39
179 187 115 110 56 14 66 142
79 121 171 108 208 50 60 13
215 51 181 53 199 167 201 180
133 84 62 113 157 226 40 159
239 214 29 119 231 97 81 57
190 227 168 189 76 11 107 185
38 25 4 63 71 237 182 151
137 80 246 232 174 202 134 203
193 49 250 120 101 96 75 152
73 64 89 124 44 238 148 65
247 15 61 158 235 19 156 129
67 95 54 228 0 87 17 161
241 37 248 172 130 55 104 82
S-box 6 is:
237 205 82 124 69 99 132 0

94 5 244 127 104 115 192 77
217 63 119 245 61 72 222 118
75 234 37 167 134 19 243 210
204 60 195 34 151 229 116 130
32 176 165 197 38 152 41 180
20 249 83 31 46 117 103 87
92 71 108 214 253 144 190 102
10 129 91 8 160 207 157 223
232 153 247 159 12 36 163 27
49 121 79 138 64 219 53 203
42 200 250 137 47 62 107 23
246 67 17 248 142 135 139 154
218 59 68 70 224 97 233 81
45 24 28 25 202 251 169 74
184 14 51 85 1 239 255 21
133 111 120 43 128 215 96 2
227 35 16 30 122 238 193 40
84 126 56 150 211 26 50 146
236 100 44 206 182 158 162 18
76 252 54 145 125 155 156 73
186 183 11 6 15 9 3 140
172 171 48 13 185 164 105 143
78 228 141 39 213 194 90 209
230 254 113 4 95 168 55 147
123 65 175 109 93 196 7 110
149 212 221 201 57 181 148 216
166 240 191 136 241 179 170 52
173 225 98 131 101 33 187 208
231 242 66 161 189 58 198 86
178 188 177 80 29 220 235 22
199 88 174 112 106 89 114 226
S-box 7 is:
182 195 39 188 242 168 253 54

47 205 57 244 111 228 245 221
142 51 237 73 164 190 201 225
74 227 36 251 41 83 8 70
79 222 61 189 224 239 97 139
107 130 48 211 213 55 123 160
161 162 75 105 175 19 148 30
42 33 88 219 134 118 143 66
45 63 0 29 103 67 252 247
174 159 220 178 92 236 22 132
231 12 125 170 49 255 155 169
109 65 56 209 6 181 235 198
136 131 101 197 233 15 230 117
241 217 184 7 163 116 31 153
223 108 194 216 166 114 187 112
16 102 113 104 27 14 86 229
87 11 154 183 214 218 106 40
80 90 64 146 185 119 151 254
91 100 238 126 243 226 172 77
191 68 26 145 52 9 23 179
99 95 206 165 173 4 207 137
122 176 144 13 17 46 1 98
96 158 72 127 28 208 18 35
177 71 60 167 232 249 58 133
32 78 82 203 25 24 21 69
10 85 89 196 202 152 147 157
62 215 246 248 93 210 44 212
34 5 128 149 110 200 193 76
250 192 59 199 124 20 138 115
120 50 53 43 234 84 141 180
135 204 240 150 94 2 3 121
38 156 140 37 81 129 171 186
S-box 8 is:
170 12 142 79 20 169 211 194

48 41 50 44 67 166 237 62
107 68 54 175 28 133 190 214
4 159 108 242 23 207 130 136
36 119 150 110 168 201 156 85
183 189 184 11 239 45 60 140
84 72 249 30 243 158 81 42
29 202 144 90 241 80 135 111
94 212 55 160 38 32 164 122
114 31 224 149 103 97 210 174
177 227 179 181 165 216 252 82
14 232 208 34 18 52 57 71
33 198 217 219 22 121 147 43
151 228 88 167 132 251 63 78
236 255 92 86 253 3 100 188
66 199 235 154 112 248 102 53
21 77 49 197 233 139 6 105
83 218 99 186 220 185 254 91
245 157 176 128 240 178 10 75
0 129 155 24 238 7 117 51
120 123 182 143 191 116 8 196
19 250 27 126 73 39 162 247
76 141 244 221 35 15 37 204
234 205 246 58 95 173 206 187
65 215 172 40 16 69 109 192
124 56 152 26 46 93 145 148
118 195 115 203 223 225 64 131
231 229 134 163 125 98 226 213
161 17 9 25 87 230 138 153
2 61 1 137 70 13 89 106
47 113 222 104 209 200 96 101
59 171 146 74 193 5 180 127
S-box 9 is:
143 174 59 186 83 80 63 121

15 68 182 65 146 189 179 18
253 219 154 42 135 164 74 196
136 229 197 161 4 224 120 238
145 239 103 168 235 245 152 93
62 46 226 91 173 77 22 109
94 95 209 87 86 246 8 122
128 104 64 81 198 236 78 26
1 99 194 180 0 240 125 204
144 175 60 14 176 25 31 222
70 170 167 237 215 142 149 254
20 181 107 36 41 92 72 166
126 255 249 52 214 150 40 7
247 193 234 67 33 210 242 50
248 250 206 133 102 163 199 2
84 134 127 49 243 244 96 132
55 129 39 165 138 117 32 82
160 47 35 216 148 195 218 225
66 156 183 101 76 71 24 124
251 11 153 230 90 211 158 200
85 98 221 233 241 6 69 227
190 207 10 61 73 187 157 123
37 185 100 28 118 16 56 106
51 188 27 131 13 169 17 9
139 21 205 88 29 141 231 108
110 162 54 45 159 111 48 232
114 155 113 203 140 75 208 97
79 223 202 115 53 177 30 217
178 220 38 130 172 192 119 171
3 43 184 112 105 12 212 57
58 19 151 89 252 213 228 116
201 44 34 147 191 5 137 23
S-box 10 is:
18 230 126 161 150 80 132 11

40 51 68 43 192 3 233 179
48 105 33 16 118 6 227 28
231 8 154 168 181 97 223 221
188 209 76 64 27 131 210 13
35 134 164 222 244 145 206 199
243 10 158 239 15 121 171 238
34 162 205 84 90 9 234 99
19 253 207 218 0 178 115 137
170 196 42 155 212 143 119 148
106 104 24 177 140 255 144 120
60 54 110 185 50 91 78 191
111 159 240 47 160 70 22 39
215 59 128 65 112 204 186 216
125 250 195 138 245 247 5 96
92 242 163 77 141 146 55 83
167 224 30 153 252 190 46 103
203 241 208 152 114 52 85 32
219 74 26 200 14 101 20 117
193 214 249 95 67 89 135 94
156 124 72 236 169 56 183 123
166 2 98 237 172 57 217 61
41 189 113 194 136 226 248 63
108 17 180 184 69 44 66 116
37 175 228 130 4 127 53 49
71 235 75 29 81 100 109 211
157 93 246 23 187 86 79 45
102 149 1 176 198 232 165 73
62 147 107 142 87 88 225 182
213 38 197 58 21 82 201 229
12 151 220 122 129 31 202 7
133 139 36 25 174 254 251 173
S-box 11 is:
45 216 52 146 179 234 195 38

199 56 32 25 229 72 190 163
2 12 221 242 154 188 113 0
233 173 251 207 243 231 107 6
16 184 91 50 162 94 51 230
205 30 165 210 187 74 129 232
178 150 177 105 22 156 213 215
235 14 90 203 59 85 183 139
70 212 64 247 180 120 218 240
220 73 110 62 27 39 245 49
175 79 15 238 40 78 86 111
98 169 33 17 167 228 181 253
24 75 61 117 115 35 66 224
126 19 182 193 31 11 47 109
136 255 159 138 96 89 160 10
80 151 121 20 246 143 155 206
82 171 186 164 114 57 119 161
102 241 124 249 26 5 71 192
141 101 9 99 174 84 77 145
236 131 53 103 88 58 118 127
48 87 147 223 152 123 132 252
211 166 29 28 36 13 237 202
63 122 69 4 217 197 201 148
254 60 200 208 95 54 7 130
92 112 222 239 1 204 67 191
194 248 8 142 157 44 34 189
41 225 100 176 23 97 93 198
42 140 116 250 133 106 128 196
81 104 144 137 125 65 83 37
18 68 172 135 3 21 214 43
46 170 219 108 158 244 209 134
227 226 76 168 185 55 153 149
Next
Table of Contents
Main Page
Variations of QUADIBLOC
QUADIBLOC-80
Using QUADIBLOC with the initial key formed by concatenating the 80-bit key with
its inverse (one's complement, bitwise negation), encipher the following:
1) Expand the first 18 bits of the key to 24 bits using the 4 of 8 bit code in
QUADIBLOC; repeat these as often as required to XOR with the last 64 bits of the
key. (Yes, 2 bits are used twice.)
2) Take the first 64 bits of the key; XOR with the 24 bits formed by expanding the last
18 bits of the key, repeated starting from the right.
3) Form a 48-bit string by XORing the first 40 bits + 00000000 with 00000000 + the
last 40 bits; convert that to 64 bits using the 4 of 8 bit code on all of it.
Using the 192 bits which result from these three block encryptions, convert to a 160-bit
key as follows:
concatenate the 64 bits of 1) enciphered with the 64 bits of 2) enciphered and the first
(leftmost, most significant) 32 bits of 3) enciphered,
and XOR these 160 bits with the last 32 bits of 3) enciphered, repeated five times.
QUADIBLOC-64
Expand a 64-bit key to an 80-bit key by converting the first 48 bits of the key to 64
bits, using the 4 of 8 bit code. This, concatenated with the last 16 bits, makes 80 bits.
Produce a 160-bit key from this as outlined for QUADIBLOC-80.
Then XOR the 64 bit key with that, repeated 2 and 1/2 times. (The last one-half uses
the first 32 bits.)
QUADIBLOC-40
Expand the 40-bit key to an 80-bit key by concatenating it with its inverse.
Produce a 160-bit key from this as outlined for QUADIBLOC-80.
Expand the 40-bit key to 52 bits by converting the first 36 bits to 48 bits using the 4 of
8 bit code. XOR the 52 bit result (48 expanded bits + 4 original bits) starting with a
whole block on the left repeatedly with the 160-bit result to get the 160-bit key to use.
QUADIBLOC-320
The first half is used to generate subkeys normally, and so is the second half. First-half
subkeys are used in rounds 1, 2, 5, 6, 9, 10, 13, and 14; second-half subkeys are used in
rounds 3, 4, 7, 8, 11, 12, 15, and 16.
QUADIBLOC-640
The key is divided into four quarters, each of which is used to generate subkeys
normally, and the subkeys generated from the first quarter are used in rounds 1, 2, 9,
and 10; from the second in 3, 4, 11, and 12; from the third in 5, 6, 13, and 14; and from
the fourth in 7, 8, 15, and 16.
Enhanced QUADIBLOC
S-box 2, in QUADIBLOC, is used only when enciphering, and its inverse is used when
deciphering. Since this S-box gets changed anyways, Enhanced QUADIBLOC is
QUADIBLOC changed in that S-box 2 is part of the key, and supplied by the user,
instead of being the fixed value shown in the definition of QUADIBLOC.
Next
Chapter Start
Table of Contents
Main Page
Home Page
The QUADIBLOC FAQ

1) Why is this bozo cluttering up my computer with a 12K file?
2) What are the design goals of Quadibloc?
3) Where can I get source code?
4) What are the known weaknesses of Quadibloc?
5) How could it have been made stronger?
6) Where does Quadibloc get its security from?
7) How does Quadibloc compare to DES?
8) How does Quadibloc compare to Skipjack?
9) How does Quadibloc compare to Blowfish?
10) What is the likely impact of Quadibloc?
1. Why is this bozo cluttering up my computer with a 12K file?
Obviously a shameless attempt to obtain 15 minutes of fame by getting mentioned in

the third edition of Schneier.
2. What are the design goals of Quadibloc?
There are three goals, in the following order:
- Ease of implementation,
- Security, and
- Efficiency in software and hardware.

The primary goal, ease of implementation, was addressed by keeping the size and
number of S-boxes in the cipher to a minimum. Ease of implementation and efficiency
were also promoted by keeping the few bit transposes in the cipher simple. Because of
the order of the goals, security was obtained by performing part of the F-function
twice, rather than relying on fancier S-boxes, and a full bit-transpose was included
ONCE in the cipher.
3. Where can I get source code?
I haven't written any yet. Maybe in a couple of years. At least, in addition to

distributing the source, I'll NEED to implement it at least once in order to generate test
vectors. Which everyone else will probably want before they try their hands at it.
4. What are the known weaknesses of Quadibloc?
QUADIBLOC-640 can have its effective key size shortened by from 32 to 64 bits
through a meet-in-the-middle attack.
Since Quadibloc uses one S-box all the way across in the F-function, if Quadibloc had
weak keys (which, fortunately, it doesn't) it would have a rotational symmetry for all
rotations of a multiple of 8 bits applied to the two halves of the block together. The
permutation after round 8 also limits the damage this would do.
It probably has much worse ones than that, but I don't have the prestige to get Eli
Biham et al to do my work for me... .
Other possible weaknesses:
Does doing an XOR after the substitution and P-permutation in the F-function leak key
bits?
Should an odd value, instead of 8 bits, be used for the circular shift done along with the
swap of halves?
The F-function is more complicated than that of DES in some ways, but unlike that of
DES, it isn't a one-way hash; it's invertible.
The P-permutation, and the "wall" permutation used after round 8, are both regular.
Additional notes:
The use of a single S-box all the way across in the f-function also means that if
characteristics are found for applying differential cryptanalysis, it is easier to use them
in successive rounds. However, the fact that the S-box has 256 entries, the fact that the
f-function is doubled, and the use of S-box 2 on the left half, all make a differential
attack unlikely.
The use of a permutation after round 8 is not as total an obstacle to analysis as I had
originally thought. It is no hindrance whatever to the boomerang attack, discussed in
the section on differential cryptanalysis. However, in addition to a permutation, I also
put the right half of the block through S2 both before and after (the left half goes
through S2 anyways). Thus, it does not appear at this time that the boomerang attack
requires immediate alterations to the QUADIBLOC design.
5. How could it have been made stronger?
I can think of two obvious improvements that I avoided for the sake of ease of
implementation.
- Replace the swap plus circular shift with a straight swap, but in ALL 16 rounds, after
the XOR, and before the second use of S-box 2, do a right circular shift of 12 bits on
the left half of the block.
- Replace S-boxes 1 and 2 by two sets of 8 S-boxes.
6. Where does Quadibloc get its security from?
DES could be made TOTALLY insecure by stripping just TWO elements from it:
- remove the expansion permutation, changing all the S-boxes to have 4 inputs as well
as 4 outputs;
- replace the permutation P with the identity permutation.
Then, DES would become a set of 8 ciphers applied to 8 blocks of 8 bits.
Quadibloc relies on the fact that it uses a simple S-box followed by a regular P
permutation, and repeats that process twice. The first application substitutes for the
expansion permutation, as well as providing some security of its own.
In addition, after round 8, a non-keyed scramble that makes every bit of the block
depend on every other bit is applied, in hopes of frustrating analysis. S-box 2 gets extra
use here, but the bit transpose differs from the rest of the cipher.
The key is expanded slightly, from 160 bits to 176 bits, using a 4 of 8 code. The 4 of 8
code is not intended to have any security properties, since it would not contribute to the
security of the cipher if it were more random. What it DOES do is eliminate weak keys,
like all zeroes or all ones.
Also, by XORing key material before AND after the use of S box 1, complementation
properties are eliminated.
7. How does Quadibloc compare with DES?
DES has a 56 bit key, 48 bits of which are used in each round.
Quadibloc has a key of 160 bits. This is expanded to 176 bits; then, 128 bits are used in
each round to generate an effective round subkey which is 96 bits in length.
DES uses engineered S-boxes with auxiliary inputs from adjacent nibbles for
heightened nonlinearity, and an irregular bit transpose P. The S-boxes are based on
multiple permutations of (0..15). The key material is applied by an XOR prior to using
the S-boxes.
Quadibloc uses a random S-box containing a single permutation of (0..255) and a

regular bit transpose. But this is applied twice, and key material is XORed three times,
at the start, in the middle, and at the end.
DES simply XORs the f-function output with the left half.
Quadibloc uses a second S-box before and after the XOR with the f-function output.
Thus, plaintext actually goes through an S-box, which seems intuitively more
satisfying.
8. How does Quadibloc compare with Skipjack?
Originally, I wrote the following:
How should I know? After all, it is secret, and I have had no access to
the secret.
However, some comparisons can be made on the basis of publicly

available information.
Quadibloc was deliberately designed to have two desirable properties

claimed for Skipjack: no 'weak keys', and freedom from
complementation properties.
Quadibloc has only 16 rounds, not 32 as for Skipjack.
Quadibloc has a 160-bit key, which is longer than an 80-bit key.
Quadibloc does not have a 48-bit internal structure.
Quadibloc was designed to be easy to implement, and has S-boxes of

minimal size.
Quadibloc was designed in one weekend by one person with neither any
particularly relevant academic credentials nor relevant cryptanalytic
experience (hey, I do have an M.Sc. in Nuclear Physics!). Skipjack was
designed by the top cryptographers and cryptanalysts in the U.S.,
entrusted with guarding the nation's security.
You and I don't get to make use of Skipjack without key escrow,
Quadibloc doesn't have this problem.
(Note that, since this was written, Fortezza PCMCIA cards without key
escrow were made available to the public in the U. S., which was an
interesting, and perhaps even amusing, development in the ongoing
Clipper Chip saga.)
Quadibloc is available for open review. However, it is probably so

insignificant that it will never recieve any such review.
At present, I no longer have the excuse I began that section with, as Skipjack has now
been declassified. (I write these words as part of the update of these pages to include its
description!)
Skipjack has a regular key schedule, which would seem to open up the possibility of
related-key attacks; Quadibloc has an irregular one, based on that of DES.
Quadibloc's f-function has two stages to it, which was an apparent innovation at the
time. However, Skipjack's G permutation is actually a four-round miniature block
cipher with a 16-bit block.
Skipjack is both easier to implement than Quadibloc, and more efficient.
9. How does Quadibloc compare to Blowfish?
Quadibloc-40, Quadibloc-64, and Quadibloc-80 all have a relatively simple method of

expanding the key size to 160 bits; they do not explode the work factor in the way
Blowfish does to handicap attempts at brute-force searching. This was done
deliberately, both for ease of implementation, and in hopes that Quadibloc-40 might be
approved for export, thus giving U.S. software authors a royalty-free alternative.
The natural key size of Quadibloc is only 160 bits, while Blowfish makes full use of a
key up to 384 bits in length.
On the other hand, the added complexity of the F-function may be to the credit of
Quadibloc. On balance, though, it may be fair to say that the advantages of Blowfish
over Quadibloc in security are of a sort likely to have real- world value, while the
advantages of Quadibloc are of a more theoretical nature.
10. What is the likely impact of Quadibloc?
Very little.
Possible results:
- revealing Quadibloc to unevolved uninitiates may lead to burdening of my karma
Not worried. Saddam Hussein has already heard of IDEA, Triple-DES, Blowfish...if
the NSA thinks I have endangered U.S. national security, then they've done so, by
choosing to live in a fool's paradise.
- NSA releases Skipjack patent in order to prevent use of Quadibloc
Probability slightly lower than that of one of the primes in your RSA modulus actually
being a Carmichael number.
- Complications of Quadibloc found illusory; new cryptanalytic method discovered that

is an extension of differential/linear cryptanalysis
I can dream, can't I? That would be a noble way to have failed.
The intent of boring the world with yet another block cipher should, however, be stated.
Due to restrictions on source code export, (which may not apply to us lucky Canadians)
I have chosen to lead the way in showing that a secure algorithm can be designed to be
so simple to implement that coding it is trivial, and does not depend on giant S-boxes
or difficult mathematics which requires access to a reference source code
implementation.
Also, Quadibloc illustrates techniques that could be applied to other ciphers. Doubling
the F-function is possible in Blowfish quite simply (you will need more pi); and it
could even be done in DES, with more violence to the key schedule. (In fact, it is
probably one of the more secure ways to create a 112-bit key DES variant.)
Next
Start of Section
Table of Contents
Main Page
Home Page
Key Augmentation
The key schedule of QUADIBLOC, while designed to avoid weak keys, and resist
related-key attacks, is still something of an afterthought compared to the rest of the
cipher.
A procedure to add 64 bits to the key of any variant of QUADIBLOC, and improve its
key schedule (which may be applied repeatedly, even to the extent of modifying the
key for every block enciphered, causing QUADIBLOC to act as sort of a stream
cipher) is described here.
First, the key to be augmented is to be used normally to generate the 48 32-bit long
subkeys used by QUADIBLOC.
Then, the augmented schedule of subkeys is generated as follows:
The 64 bit supplementary key is to be encrypted normally by QUADIBLOC with the

schedule of subkeys in place. (The encrypted result is to be made available externally
by hardware implementations of QUADIBLOC, to allow iterated key augmentation
with a single 64-bit key supplement.) However, both the encrypted result of the
QUADIBLOC encipherment, and the 32-bit output of the f-function in each round of
that encipherment, are to be retained (in internal storage).
These results are to be applied to the subkeys of QUADIBLOC as follows:
The subkeys are to be moved as follows:
The second subkey for each round is to be replaced by the previous value of the first
subkey for the previous round. The second subkey for round 1 is to be replaced by the
previous value of the first subkey of round 16.
The third subkey for each round is to be replaced by the previous value of the second
subkey that round.
The first subkey for each round is to be replaced by the previous value of the third
subkey for that round.
Then, the saved f-function values are to be applied by being XORed with subkeys (the
result replacing the former value of the subkey) in the following sequence:
The f-function for round:
9 7 11 5 13 3 15 1 16 2 14 4 12 6 10 8
is to be XORed with the first subkey for round:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
The left half of the result of the QUADIBLOC encryption is to be XORed with the
second subkey for the first round.
The right half of the result of the QUADIBLOC encryption is to be XORed with the
third subkey for the ninth round.
Three key augmentations will ensure that every subkey is XORed with one f-function
output; twenty-four key augmentations will ensure that every subkey is XORed with
one of the halves of an encryption result.
Key augmentation is equally applicable to QUADIBLOC 96 and QUADIBLOC 99. In

the plain form described here, key augmentation adds at least 64 bits to the length of
the key. Some block ciphers include a process like key augmentation, but with a fixed
input value, as a standard step in the key generation process to improve the quality of
the key schedule.
To operate QUADIBLOC in this fashion, which will be referred to as closed key

augmentation, after generating the initial key schedule from the 160-bit key, perform
three iterated key augmentations, the latter two using as their input value the output
value from the previous one, and the first one using the constant value
55330FAACCF05533
as the input value.
Key Extension
In addition to key augmentation, the use of a longer key can be permitted by the use of
the following operation, intended to be applied after key augmentation has been
applied to a previous set of subkeys.
In key extension, a new 160-bit key is used to generate subkeys in the normal fashion,
but the resulting subkeys are then XORed to the existing subkeys instead of replacing
them.
Thus, an alternative variant of QUADIBLOC with a 320-bit key can be achieved by:
● Using the first 160 bits as a key to generate an initial set of subkeys.
● Performing closed key augmentation.
● Performing key extension with the remaining 160 bits of the key.
● Performing closed key augmentation.
This variant shall be known as QUADIBLOC-320SE (96 or 99), and QUADIBLOC

with closed key augmentation will be known as QUADIBLOC SE (96 or 99).
Next
Start of Section
Table of Contents
Main Page
Home Page
Quadibloc II
Although this expanded version of Quadibloc is a cipher with a 128 bit block size, I am not trying to detract from
the importance of the candidate ciphers for the AES process. Prior to the deadline for a submission, I had
considered a few designs, but I had nothing that I was quite satisfied with. Precisely because the other designs
were now available to examine, I was able to find the "missing pieces" needed to complete a design.
This design allows key lengths of 128, 192, or 256 bytes, and in fact also allows keys of any length in the
sequence starting 128, 144, 160, 176... provided that the key is not longer than 36 bytes times the number of
rounds. The number of rounds can be 8, 12, 16, 20, 24, 28, 32, 36..., any multiple of 4 greater than or equal to 8.
One round of Quadibloc II takes perhaps 7 1/2 times as long as a round of DES, although a more optimistic
estimate might be 3 3/4 times as long. Thus, 8-round Quadibloc II might manage to take less than 6 times as long
as DES even with the initial estimate, and that would make Quadibloc II more efficient than Triple-DES. (The
estimate is based on the fact that a round of DES requires eight fetches of a 32-bit quantity from a table; a round
of Quadibloc II requires 24 fetches of a 32-bit quantity, and 24 fetches of an 8-bit quantity.)
This design also begins life with an unfair advantage: it partly results from the inspiration provided by the
various AES candidates, and has, in fact, swiped good ideas from two or three of them at least. In any case, this
design is proposed not as something that would have been a potential candidate were it not too late, but instead,
particularly in its 32-round form, as something for those people who want a very secure block cipher without
concern for efficiency.
Instead of two S-boxes, this design uses ten S-boxes generated from Euler's constant, by repeating the following
process, the same one as used in the original QUADIBLOC:
● Load Euler's constant into a very long multi-precision register which is simulated by an array.
● Repeat the following for each S-box to be created.
● Load an array with the numbers from 0 to 255 in order. A pointer to an element of the array is set to point
to the first element in the array, and is called TARGET.
● Repeat the following for each of the integers from 256 down to 2; call the current integer SIZE.
● Multiply the contents of the multi-precision register by SIZE. Leave the fractional part of the result in the
multi-precision register; call the integer part of the result CHOICE. (CHOICE will be an integer from 0 to
SIZE minus one.)
● Swap the elements TARGET and TARGET + CHOICE in the 256-element array. (If CHOICE is zero, do
nothing for this step.)
● Proceed to the next number from 256 down to 2.
● The 256-element array now contains a complete S-box. Save or print out its contents.
● Proceed to the next S-box to be generated.
As previously noted, I chose Euler's constant instead of, say, pi, because the mathematical theory behind Euler's
constant is more complicated than that behind pi, which in turn is somewhat more complicated than e, the base of
the natural logarithms.
The first four of these S-boxes are likely to be stored as arrays of 256 32-bit words, with the bits spread out
reflecting the P permutation, which is again the same one as used in QUADIBLOC, and is as follows:
The bits
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32
become
1 2 27 28 21 22 15 16 9 10 3 4 29 30 23 24
17 18 11 12 5 6 31 32 25 26 21 22 13 14 7 8
and this permutation is to be interpreted according to the following convention: the numbers in the bottom
sequence identify the source of each bit in the permuted result in order.
The round structure of Quadibloc II uses essentially the same f-function as was used in QUADIBLOC, with one
addition: after the second substitution/permutation layer, and the third XOR of subkey material, the 32-bit
subblock then goes through a key-dependent S-box. No permutation follows this S-box.
Three out of four 32-bit subblocks are used as input to f-functions. The f-function of the first subblock is used to
supply additional inputs both to the other two f-functions and to the application of their outputs to the fourth
subblock, which they modify.
There are other things going on in the round, and there are some minor changes to the f-function as well. The
following diagram shows how the main part of a round proceeds:
The dotted lines show a part of the round which is required if less than 32 rounds are used, but which, involving
as it does use of intermediate results from the f-function might produce some theoretical advantages if omitted.
Before the regular rounds of Quadibloc II begin, and after they end, there is an additional phase of extra
manipulations the purpose of which is to make life more difficult for the cryptanalyst. This phase is shown in the
following diagram which gives an overview of Quadibloc II:
The wide boxes are the key-dependent byte permutations; the fixed permutations that take place between regular
rounds are shown as wire crossings.
Initially, the block is divided into 16-bit units, which undergo substitution by means of a miniature block cipher
of four Feistel rounds with the key-dependent S-box S8 as the f-function. First the leftmost byte in each pair of
bytes is used to index into S8, finding the byte to XOR with the rightmost byte, and then it is done in the reverse
direction, and so on, alternating for four rounds.
The 16 bytes of the block are rearranged according to a key-dependent permutation.
Then, each half of the block undergoes two rounds of Feistel encryption with a simplified f-function having only
one S/P (substitution/permutation) layer. For faster diffusion, each f-function output is, in two of the rounds,
XORed with the two subblocks in the other half of the block, and in the other two used to control swapping bits
bitween those two subblocks, in the fashion pioneered by ICE. This operation is illustrated below:
The f-function consists of:
● XOR one subkey with the current subblock.

● Use S-boxes S1, S2, S3, and S4 in order to substitute for each of the bytes in the result.
● Use the QUADIBLOC P-permutation to transpose the bits.
Four rounds are performed. In each round, the f-function of one subblock is XORed to the other subblock in the
same half of the block. In the outer two rounds, that output is also XORed to the two subblocks in the other half;
in the inner two rounds, it is used to control the swapping of bits between those two subblocks, a 1 bit
corresponding to a bit position where swapping occurs, as was done in the block cipher ICE. The four subblocks
are chosen in order, from left to right, as the input to the f-function.
Then, the bytes of the block are again rearranged according to a key-dependent permutation. A similar
transformation takes place at the end. (MARS, of course, uses a different round structure before and after the
main part of the cipher, but here the main idea swiped, but placed in a new form, is the idea of FROG. Instead of
making the targets of XORs key-dependent, a key-dependent rearrangement of the bytes before a series of XORs
achieves the same thing with a simpler key setup.)
The changes required to decipher in Quadibloc II are hinted at by the following diagram:
The initial and final miniature Feistel rounds need not be changed. The degenerate rounds with a short f-function
have to operate on the four subblocks in reverse order, as well as using the subkeys in reverse order. The regular
round experiences these changes: the steps changing the fourth subblock need to be reversed as well as being
done in reverse order: thus, the substitution layers use the inverses of S7, S6, and S5; and the XOR/plus stages
take the f-function of the third subblock first, then that of the second; also, more subtly, the order in which the
two intermediate results of the f-function of the first subblock are XORed to the second and third subblocks are
reversed.
The first four S-boxes generated above are called S1 through S4, and function as S-boxes with 8 inputs and 8
outputs in the first f-function. But in the next two f-functions, they are combined in pairs to form S-boxes with 9
inputs and 8 outputs. This is shown on the diagram: S1/S3 is an S-box that acts like S1 when the extra input is
zero, and like S3 when the extra, most significant or leftmost, input is one.
S-boxes S1, S2, S3, and S4 are as given in the page on Euler's Constant and the Quadibloc S-boxes.
The Rounds
In detail, the round proceeds in this manner; and hopefully the diagram above will enable you to follow the
lengthy description below:
● The first subblock is used as input to the first f-function, calculated as follows:
❍ The first subkey for the round is XORed to it.
❍ The four bytes of the current value are substituted using S1, S1, S2, and S2, from left to right.
(Note that this method of avoiding cyclic symmetry, with a bare minimum of S-boxes, comes from
LOKI 97.)
❍ The result is permuted by the QUADIBLOC permutation P. (This permutation is simple and
uniform, to minimize storage needed to hold the S-box outputs after permutation for a common
optimized implementation of ciphers like this and like DES: this is one way in which I am
specifically differing from LOKI 97.)
❍ The current subblock value is the first intermediate value from the first f-function, and is used
later.
❍ The second subkey for the round is XORed in.
❍ The current value's four bytes are substituted in S-boxes S3, S4, S3, and S4 from left to right.
❍ QUADIBLOC permutation P is applied.
❍ This result is now the second intermediate value from the first f-function.
❍ The third subkey for the round is XORed in.
❍ The four bytes of the result are substituted by means of the key-dependent S-box, S8.
❍ The result is the output of the first f-function. Its bits are considered to be numbered from 1 to 32
from left (MSB of first byte) to right (LSB of last byte), and they will be used individually in
groups of four in what follows.
● The first subblock remains unchanged going into the next round, although an f-function was calculated
from it.
● The second subblock is modified: its new value will be itself XORed with the XOR of the two
intermediate results from the first f-function. The third subblock is also modified in this same way.
However, the input to the second f-function is the second subblock XORed with the first intermediate
result only, and the input to the third f-function is the third subblock XORed with the second intermediate
result only. This can be achieved as follows:
❍ XOR the second subblock with the first intermediate result.
❍ Take the result as the input to the second f-function.
❍ XOR the second subblock with the second intermediate result.
❍ XOR the third subblock with the second intermediate result.
❍ Take the result as the input to the third f-function.
❍ XOR the third subblock with the first intermediate result. (Note that this method of applying the
intermediate results to the middle subblocks is similar to the ingenious technique of applying key
material in LOKI 97. Here, the intent is twofold: to conceal the f-function input, and to minimize
the risk of attack created by the additional use of intermediate f-function results in the round.)
● The second f-function is calculated using its input and the fourth, fifth, and sixth subkeys for the round. It
differs from the first f-function in these particulars:
❍ The intermediate results are not saved.
❍ The first S-box stage consists of placing all four bytes of the current result into the compound S-
box S1/S3. For each byte, the corresponding bit from bits 1 to 4 of the first f-function output
indicate whether that S-box acts like S-box S1 for that byte or like S-box S3.
❍ The second S-box stage consists of placing all four bytes of the current result into the compound S-
● The third f-function is calculated using its input and the seventh, eighth, and ninth subkeys for the round.
It is very similar to the second f-function, but the S-boxes are again slightly different, as follows:
❍ As with the second f-function, the intermediate results are not saved.
❍ The first S-box stage consists of placing all four bytes of the current result into the compound S-
❍ The second S-box stage consists of placing all four bytes of the current result into the compound S-
● The fourth subblock is the one that undergoes the most thorough modification, the change that is the point
of the round. (The changes to the second and third subblocks were an afterthought that may create the risk
of a weakness in the cipher, but which were necessary to make it possible that the cipher could be secure
after only eight rounds, instead of thirty-two, as might be needed if only one subblock were modified in
each round.) This modification proceeds as follows:
❍ The four bytes of the subblock are substituted for using S-box S5, with bits 17 through 20 of the
first f-function output used as the most significant bit of the S-box input for each byte (that
switches between two different permutations of the numbers 0 through 255).
❍ The output of the second f-function is applied to the result. Bits 29 through 32 of the first f-
function output determine if each byte of the second f-function output is XORed (0) or added (1).
❍ The four bytes of the subblock are substituted using S-box S6, with bits 21 through 24 of the first f-
function output supplying the most significant bit of S-box input associated with each byte.
❍ The output of the third f-function is applied to the result. Bits 29 through 32 of the first f-function
output determine if each byte of the second f-function output is added (0) or XORed (1). (This use
of an addition or an XOR followed by its opposite is, of course, reminiscent of SAFER.)
❍ The four bytes of the subblock are now substituted using S-box S7, with the most significant bit of
each S-box input coming from bits 25 through 28 of the first f-function output.
This involved procedure constitutes the round. After each round except the last, a step corresponding to the swap
of left and right halves of the block in DES is performed. Here, however, the movement of individual bytes is
involved.
Bytes
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
become
15 16 8 11 13 1 9 10 2 14 5 6 7 4 3 12
if the number of rounds is a multiple of 16, and
5 10 15 16 9 14 3 12 13 6 7 4 1 2 11 8
if that is not the case (but the number of rounds must still be a multiple of 4, and must be at least 8). Both byte
permutations are presented as a series of 16 numbers giving the number of the source byte for each byte in the
result in order.
It might be noted that some time before I designed Quadibloc II, the idea of using different operations in a block
cipher, based on a data-dependent result in the cipher, played an important role in the block cipher "Anigma"
designed by Kostadin Bajalcaliev.
Key Generation
Each round of Quadibloc II requires nine 32-bit subkeys. In addition, the extra scrambling phases at the
beginning and end of the cipher require four subkeys each. Thus, 8-round Quadibloc II uses 80 subkeys, from K1
to K80, requiring 320 bytes of RAM.
The key for Quadibloc II must be at least eight bytes, or 64 bits, long, and may be any whole number of bytes up
to twice the length of the total size of the subkeys plus sixteen bytes, or 128 bits. Many maximum-length keys
will lead to duplicate internal key states of the cipher, of course; this maximum is an absolute maximum, beyond
which some bits of the key will simply be ignored in the keying process.
As well, S8, the key-dependent S-box, is subkey material, and requires an additional 256 bytes of RAM. This
total requirement of 576 bytes of RAM is the amount of storage needed for a key after key generation, which
may have to be non-volatile in some applications; additional RAM is of course also needed for scratchpad
storage in calculations, particularly during key generation.
Note: the bytes of S8 are stored as single bytes; they do not need to be expanded to four-byte entries to speed up
a permutation, as is true of the fixed S-boxes S1 through S4, and the inverse of S8 is not required for
deciphering, unlike S-boxes S5 through S7; the S-box requiring the least storage was chosen as the key-
dependent one. (Having a key-dependent S-box, of course, is a way to achieve a high degree of resistance to
differential and linear cryptanalysis.)
Initially, the subkeys are filled in the following order:
K1 K2 K3 K4
K5 K8 K11 K6 K9 K12 K7 K10 K13
K14 K17 K20 K15 K18 K21 K16 K19 K22
K23 K26 K29 K24 K27 K30 K25 K28 K31
...
K68 K71 K74 K69 K72 K75 K70 K73 K76
K77 K78 K79 K80
and so on; thus the subkeys are filled for one round before going on to the next, but the first subkey for each f-
function is filled before the second subkey for each f-function, and so on.
The subkeys for the degenerate rounds are just filled in numerical order, the first four at the start, and the last
four at the end.
They are filled from the following sources, in turn:
First, the actual key is placed directly into the subkeys. It must consist of a whole number of bytes, and be at
least eight bytes long, for the rest of the procedure to work.
Next, generate additional bytes of initial subkey material as follows:
Fill A1, A2, A3, and B1, B2, B3, B4, and B5 with the first eight bytes of the key in order. Initialize the variable
Q to be zero.
Split the key into two pieces as follows, where L is the number of bytes in the key:
● If L is odd, the first piece consists of the first (L+1)/2 bytes of the key, the second piece is the remaining
bytes of the key. Then increase each piece in length by one byte by appending the one's complement of
the first byte in the piece to it.
● If L is an even number of the form 4n, the first piece consists of the first (L/2)+1 bytes of the key, the
second piece is the remaining bytes of the key. Then increase each piece in length by two bytes by
appending the one's complement of the first two bytes in the piece to it.
● If L is an even number of the form 4n+2, the first piece consists of the first (L/2)+2 bytes of the key, and
the second piece is the remaining bytes of the key. Then increase each piece in length by two bytes by
In the first case, the lengths of the two pieces of the key are two consecutive numbers, one even, and one odd. In
the second case, the lengths of the two pieces of the key are two odd numbers, differing by two. In the third case,
the lengths of the two pieces of the key are two odd numbers, differing by four. In all three cases, the lengths of
the two pieces of the key are relatively prime, and uniquely identify the length of the original key.
Each group of bytes is then used as the initial contents of a shift register, which operates as follows:
The sum of the first and third bytes in the shift register is XORed with the second-last byte in the shift register.
The result is used as the output of the shift register, and is also used as the new last byte in the shift register, all
other bytes being moved to the next earlier place, the first byte being discarded.
For each byte generated by XORing the outputs from the two shift registers, that byte is then transformed by
carrying out the following instructions:
For each of the numbers 0 to 4, do the following:
● Add the contents of A1 to the number, modulo 256.

● Replace that number by its substitute in S-box 5a (that is, the first half of S-box 5, an S-box with 8 bits of
input as well as 8 bits of output, created by setting the MSB of the input to 0).
● Add the contents of A2 to the result, modulo 256.
● Replace that number by its substitute in S-box 5b (the second half of S-box 5).
Modify the variables B1 through B5 by adding the results of this process for the numbers 0 to 4, respectively, to
them. (This is a permanent change; for each byte generated, new values are added to them, and the totals are
cumulative.)
Now, generate a byte from the two shift registers containing the two unequal pieces of the key as outlined above.
Add Q to that byte. Put that byte through the following process:
● Add the contents of B1 to the number, modulo 256.

● Replace that number by its substitute in S-box 6a (the first half of S-box 6).
● XOR the result with the contents of B2.
● Add the contents of B3 to the result, modulo 256.
The result of this process is the output byte, to be placed in the subkeys. The output byte is also stored in the
variable Q.
One more step, however, remains in the process; the variables A1, A2, and A3 are changed (just as B1 through
B5 have already been changed) as follows: increment A2. If A2 wraps around, being incremented from 255 to
zero, increment A1. If A1 wraps around, increment A3.
An initial value for S8, the key-dependent S-box is generated as follows:
● Generate three permutations of the numbers from 0 to 255 from the subkeys by the following procedure:
❍ Use successive bytes from the subkeys, starting with the leftmost (most significant) byte of subkey
K1, and going through the subkeys in numerical order, that is, K1, K2, K3, K4..., and then starting
where one has left off for subsequent permutations.
❍ Each permutation is generated by the use of either 512, or, under some rare circumstances, only
256, bytes. Note that 8-round Quadibloc II only has 320 bytes of subkey; (4 bytes times 9 subkeys
times 8 rounds, plus 8 additional subkeys for the start and finish); and therefore additional bytes
need to be generated for this version of Quadibloc II and other versions without a sufficiently large
number of rounds. The SIGABA-like procedure used initially to extend the key is used for this, but
with some modifications. In this case, A1 through B5 are filled with the last eight subkey bytes
(the first eight contain the first eight bytes of the key, which were previously used to fill A1
through B5, which would cause the generation process here to partially repeat the operations of the
earlier generation process), and the input byte to the process is obtained from a single shift register,
similar in form to each of the two shift registers using pieces of the original key, which initially
contains all of the subkeys, including the last eight bytes.
❍ A permutation is generated as follows:
■ Begin with three arrays of 256 numbers, the first of which is filled with the numbers from 0
to 255 in order. The arrays must also be able to hold the value -1. The second and third
arrays are filled with -1.
■ For each byte used: let the value of the byte be called N, and let I be a counter which starts
at 0 for the first byte, incrementing with each byte used, and ending at 255.
■ Then, for each byte:
■ If element N of the first array is not -1, set element N of the first array to -1, and set
element I of the second array to N.

■ Otherwise, store N in the first unused position (the first position containing -1) in the
third array.
■ Once this has been done, if the third array contains any numbers other than -1, proceed as
follows:
■ If there is only one filled (not equal to -1) element in the third array, then there is only one
remaining element in the first array, and one element of the second array equal to -1, so fill
the second array with the one available byte, and finish.
■ If there are only two filled elements in the third array, take the least significant bit of the
first filled element. If it is zero, fill the -1 elements of the second array with the remaining
elements of the first array in order; if it is one, do so in reverse order, and finish.
■ If there are less than 256 filled elements in the third array, repeat them over and over to fill
the array. Then, take an additional 256 input bytes (thus, 512 bytes are used except when
the first 256 bytes contain two or fewer duplicate bytes) and XOR them with the bytes of
the third array.
■ Now, use the third array to complete the second array by doing the following for II from 0
to 255:
■ Let the value of element II of the third array be XX.
■ Swap elements II and XX of the first array.
■ Then, scan through the second array. When an element of the second array is -1, fill it with
the corresponding element of the first array (if it is not also -1) and set that element of the
first array to -1.
■ If there are any -1 elements left in the second array, fill them with the elements of the first
array that are not -1 in order.

● The three permutations obtained in this manner are used to generate a key dependent S-box as follows:
❍ For N from 0 to 255:
❍ Set A to be element N of the first permutation; set B to be element N of the second permutation,
and set C to be element B of the third permutation.

❍ Set element A of the S-box to equal C.
The key-dependent byte transpositions used at the beginning and end of the cipher are derived from the key-
dependent S-box S8 as follows: the first permutation consists in taking bytes 0, 1, ... 16 to the bytes indicated by
the least significant nibbles of the S-box entries in S8 of the form 0x in hexadecimal, taken in the order they are
found. Note that this builds up the permutation in "dispatch" form, while all the fixed permutations in this
description of Quadibloc II are given in "fetch" form. The second permutation is built up from the bytes of the
form 1x in hexadecimal. The third one, which takes place after the rounds are completed, is the inverse of the one
built up from the bytes of the form 9x in hexadecimal, and the fourth one is the inverse of the one built up from
the bytes of the form 8x in hexadecimal.
Then, the actual key sequence used for encipherment is generated by the following procedure:
Using the last 128-bits of the key, if the key is 128 bits long or more, or the key repeated as many times as
required to fill a 128-bit block otherwise (starting from the beginning, not the end and working backwards) as the
plaintext block, encipher it using the initial key schedule generated above, but with the following modifications.
The intermediate results of all three f-functions are saved. The following nine 32-bit words are produced from
each round of the encipherment process:
● The first intermediate result of the first f-function XOR the final value of the fourth subblock
● The second intermediate result of the first f-function
● The first f-function output
● The first intermediate result of the second f-function XOR the initial value of the fourth subblock
● The second intermediate result of the second f-function
● The second f-function output
● The first intermediate result of the third f-function
● The second intermediate result of the third f-function
● The third f-function output
Also, the degenerate rounds produce their f-function outputs as well, so exactly one 32-bit output is produced for
every subkey.
After each round of the encipherment process which is used to generate the final subkeys, the nine words above
are XORed to nine subkeys. The four f-function outputs of the degenerate rounds are also used, so the number of
words used equals the number of subkeys; each set of four degenerate rounds is treated as a single round in that
the four results are not applied to the subkeys until the set of four rounds has been performed completely. The
sequence of subkeys to which they are applied is as follows (reading across):
K80 K76 K67 ... K49 K40 K31 K22 K13

K79 K75 K66 ... K48 K39 K30 K21 K12
K78 K74 K65 ... K47 K38 K29 K20 K11
K77 K73 K64 ... K46 K37 K28 K19 K10
K72 K63 ... K45 K36 K27 K18 K9
K71 K62 ... K44 K35 K26 K17 K8 K4
K70 K61 ... K43 K34 K25 K16 K7 K3
K69 K60 ... K42 K33 K24 K15 K6 K2
K68 K59 ... K41 K32 K23 K14 K5 K1
thus, first the last subkey of each round is modified, then the second-last subkey of each round, and so on. The
subkeys are modified before the encipherment is completed, but only after each round is completed. The subkeys
used in the degenerate rounds are placed in the sequence as well as possible. The intermediate values applied are
taken from those generated by the subkeys in their numerical order.
Once the subkeys have been modified in this manner, if the size of the key was greater than the total size of the
subkeys, any remaining bytes in the key are to be XORed with the subkeys that are now present, using the same
order as was used for initially filling the subkey space,
K1 K2 K3 K4
K5 K8 K11 K6 K9 K12 K7 K10 K13
...
et cetera.
Allowing the key to be larger than the total size of the subkeys, of course, doesn't make sense after a point; but if
the excess is small, the main result is to make it possible for the same set of subkeys to be accompanied by
different values of the key-dependent S-box S8.
Then, the same procedure used to generate the initial value of S8 from the initial subkeys is applied to the final
subkeys. Since the subkeys may not have enough bytes in them to supply the permutation-generating process, the
SIGABA-like procedure of generating additional bytes is used again, as done previously for generating the initial
value of S8. Once again, A1 through B5 are filled from the last eight subkey bytes, and the earlier subkey bytes
are divided into two almost equal parts as was done with the key previously.
The generated result, however, is not used as the final value of S8. Instead, each element of S8 is replaced by the
value it points to in this result; that is, for N from 0 to 255, S8(N) becomes R(S8(N)). (Thus, S8 depends on both
the old and new subkeys, and doesn't relate to the current subkeys in a simple way.)
The new value of S8 is also used as the old value was above to provide the four key-dependent byte
transpositions which begin and end the cipher.
One may, if one wishes, see the view of the subkeys (other than those of the degenerate rounds) as belonging to a
rectangular prism of 32-bit words, accessed in three different directions, as evocative of Rijndael.
An Even More Secure Variation
If you have time to encipher your data with 40 rounds of Quadibloc II, I have a variation for you. A diagram
giving an overview of this variation is provided.
First, the tiny Feistel rounds, the key-dependent byte permutation (derived from
the 0x bytes), the initial degenerate four-subkey series of rounds, and another
key-dependent byte permutation (derived from the 1x bytes), then a second layer
of tiny Feistel rounds, another key-dependent byte permutation (derived from
the 4x bytes), another series of four degenerate rounds, and another key-
dependent byte permutation (derived from the 5x bytes).
Then, four rounds of Quadibloc II, with the byte interchange after the first three
rounds following the pattern for a multiple of four rounds that is not a multiple
of 16 rounds.
Now, the whitening sequence is repeated, again first with a series of miniature
Feistel rounds.
Then, another key dependent byte permutation, derived from the elements of S8
in the form 2x.
Another degenerate four rounds.
Key-dependent byte permutation, derived from the 3x elements in S8.
Miniature Feistel rounds, permutation (6x), degenerate four rounds, permutation

(7x).
Thirty-two rounds of Quadibloc II, but with the additional XORs of the second
and third subblocks with the two intermediate values from the f-function of the
first subblock omitted. Byte interchange after the first 31 of these rounds is as
for a multiple of 16 rounds.
Key-dependent byte permutation, the inverse of the one derived from the
elements of S8 of the form Fx.
Inverse Ex from S8 byte transposition.
Miniature Feistel rounds in inverse form.
Key-dependent byte permutation, the inverse of the one derived from the elements of S8 of the form Bx.
Inverse Ax from S8 byte transposition.
Miniature Feistel rounds in inverse form.

Four rounds of Quadibloc II.
The final three-step whitening sequence, plus the tiny Feistel rounds, and byte transpositions, all repeated twice.
Byte transpositions are the inverses of those derived from the elements of S8 in the forms Dx, Cx, 9x, and 8x.
By restricting the perhaps dangerous - but diffusion-enhancing - XOR of intermediate results to the outer eight
Quadibloc rounds, one has a diffusing outer part and a secure core. This, of course, comes even closer to the
design of MARS.
Note that for this variation, when the keys are initially filled, the thirty-two subkeys for the four sets of
degenerate rounds stand outside the sequence; sixteen at the start, and sixteen at the end, and when the keys are
modified, the subkeys for the first four degenerate rounds are at the left of the top four rows, those for the last
four at the right of the bottom two rows.
Thus, the order for initially filling the keys is as follows:
K1 K2 K3 K4
K5 K6 K7 K8
K9 K12 K15 K10 K13 K16 K11 K14 K17
K18 K21 K24 K19 K22 K25 K20 K23 K26
K27 K30 K33 K28 K31 K34 K29 K32 K35
K28 K39 K42 K37 K40 K43 K38 K41 K44
K45 K46 K47 K48
K49 K50 K51 K52
K53 K56 K59 K54 K57 K60 K55 K58 K61
...
K332 K335 K338 K333 K336 K339 K334 K337 K340
K341 K342 K343 K344
K345 K346 K347 K348
K349 K352 K355 K350 K353 K356 K351 K354 K357
...
K376 K379 K382 K377 K380 K383 K378 K381 K384
K385 K386 K387 K388
K389 K390 K391 K392
and the order for adjusting the keys from f-function outputs and intermediate results is:
K392 K388 K348 K344 K384 K375 K366 K357 K340 ... K26 K17
K391 K387 K347 K343 K383 K374 K365 K356 K339 ... K25 K16
K390 K386 K346 K342 K382 K373 K364 K355 K338 ... K24 K15
K389 K385 K345 K341 K381 K372 K363 K354 K337 ... K23 K14
K380 K371 K362 K353 K336 ... K22 K13
K379 K370 K361 K352 K335 ... K21 K12 K52 K48 K8 K4
K378 K369 K360 K351 K334 ... K20 K11 K51 K47 K7 K3
K377 K368 K359 K350 K333 ... K19 K10 K50 K46 K6 K2
K376 K367 K358 K349 K332 ... K18 K9 K49 K45 K5 K1
Other modifications to Quadibloc II are possible. The following illustration:

shows how the basic Quadibloc II round can be modified to double the size of the S-boxes in the f-functions for
the second and third subblocks; one S-box, made from S-boxes 1 through 4 is used, so two extra nonlinearity bits
are used as input. This function uses all 32 nonlinearity control bits produced as the output of the f-function of
the first subblock.
Instead of using S-boxes S5 through S7 singly, they are used in pairs on the fourth subblock, and so the extra
nonlinearity bits required here are doubled as well. An additional 32 nonlinearity control bits are created from the
XOR of one intermediate result from the f-function of the second subblock and the other intermediate result from
the f-function of the third subblock. As switching between addition and XOR for applying the f-function outputs
directly to the fourth subblock requires only one bit per byte, the remaining four bits are used to switch the
addition operation to a subtraction operation.
The other major modification in this extended variant of the basic round is to use S8 in the same method as used
in the initial whitening phase to promote diffusion within the fourth subblock.
However, I find the following variation on the basic Quadibloc II round even more interesting:
Here, two other intermediate values in the f-function of the first subblock are used to form a 32-bit value used for
an ICE-style interchange between the f-functions of the second and third subblocks. The interchange takes place
just before S8 is applied, thus ensuring it significantly alters the f-function outputs applied to the fourth subblock.
As well, a micro-Feistel layer is used, as in the doubled nonlinearity variant, but this time to modify the first
subblock, so that all four subblocks are changed, and changed in a key-dependent way by every round (the
changes to the first three subblocks depend on the first subblock as well as the key, while those to the fourth
subblock depend on all of the first three subblocks).
To proceed further, we can also have the following type A round:

with its corresponding round of type B:
which adds some additional operations to the round structure. Not wishing to give up being endian-neutral,
instead of throwing in a Pseudo-Hadamard Transform between the second and third subblocks, I used an XOR
but used S8 to avoid it cancelling out. The intent is merely to have an alteration to those subblocks that is slightly
more involved than a simple XOR of intermediate f-function results from the first subblock, but a little bit of
propagation between bytes is achieved by displacing bytes before the second XOR.
Also added is an interaction, taken from the block cipher 3-Way, between three of the subblocks. This places a
very small (3 bits input and output) nonlinear S-box in the cipher that operates on corresponding bits in the three
subblocks. Since it either operates on all but the first subblock, or all but the fourth subblock, two round types
were required to make the cipher equally secure against attacks from either direction. (The deciphering form of
the round could also be used, but that of course creates the slim possibility of some rounds partly undoing the
work of other rounds.)
Since each bit of the output is the bit of the input XOR a function of the other two bits that is 1 most of the time,
the identities of the bits are in a sense preserved; thus, it does not appear that the apparent danger of information
leaking past the involved transformation of the fourth subblock is a genuine concern. In addition, the type A
rounds are used at the beginning, and the type B rounds at the end, so that any leakage is towards the inside of
the block cipher rather than towards the outside.
Since the first subblock is aloof from the values and changes in the other three subblocks, the interaction between
the last three subblocks does not prevent the round from being invertible, even though it happens after the XOR
of intermediate results from the f-function of the first subblock. The interaction between the first three subblocks
does not prevent the round from being invertible, because the operations taking place before it are all self-
contained.
In analyzing Quadibloc II, it may be interesting to examine how it could be attacked if part of the internal key is
known. If S8 is known, Quadibloc II becomes a more conventional block cipher. Is the conventional part of it
still reasonably strong? If the conventional subkeys, but not S8, are known, but not the intermediate subkey
values, can part of the generation of S8 still be retraced? With only a small part of the internal operations of the
cipher controlled by the secret part of the key, can cryptanalysis trace enough to obtain information about S8?
Next
Start of Section
Table of Contents
Main Page
Home Page
Quadibloc III
Quadibloc III is an extension of Quadibloc II which uses a different type of block cipher as its inner core. It too
uses a 128-bit block size. Unlike Quadibloc II, which, at least with only eight full rounds, is not too much slower
than a typical AES candidate (although it isn't fully clear to me if eight rounds is enough for security), Quadibloc
III, while secure, is clearly too slow and complicated to be useful for practical purposes. Its value is that it
illustrates a number of concepts which may be useful in ciphers of a more practical size.
Here is a diagram giving an overview of the structure of Quadibloc III, to accompany a description of its rounds:
The steps in the cipher are symmetric, and they are as

follows:
● Small Feistel rounds, using no subkeys, but

using the key-dependent S-box S8 as their f-
function, transforming 16-bit subkeys of the
block.
● Key-dependent permutation (derived from the
0x elements of S8) of the bytes in the block.
● Four simple rounds, using a single-level f-
function, that are aimed at obtaining high
diffusion, and which use 32-bit subkeys K1
through K4.
● Eight normal Quadibloc II rounds, each of
which uses nine subkeys, the first using
subkeys K5 through K13, the last using subkeys
K68 through K76.
● Two rounds of a form of Mishmash, whose
large quantity of subkeys is generated after the
contents of S10 and S11, and by the same
process. These rounds use fixed Quadibloc
subkeys for one half of the block, the subkeys
being K77 through K88 for the encipherment of
that block, and K89 through K100 for the f-
functions applied to the intermediate f-function
results, for the first Mishmash round, and K101 through K124 for the second Mishmash round.
● Key-dependent permutation (derived from the 3x elements of S8) of the bytes in the block.
● Sixteen rounds in which the block is enciphered as follows:
❍ one 16-bit subblock is enciphered by four Feistel rounds, using S8 as the f-function, but this time
preceded by the XOR of a subkey byte;

❍ the results of the XOR are used as intermediate results, and are fed into the S-box S9.
❍ The four S9 outputs produce a 32-bit result whose first 16 bits are the first four bits of each of their
outputs, and whose last 16 bits are the last four bits of each of their outputs.
❍ This result is then enciphered by means of four Feistel rounds, where the f-function consists of first
XORing in a 16-bit half of a subkey, then using the two bytes of the result to index into two key-
dependent S-boxes, S10 and S11, which each take an 8-bit input and give a 16-bit output. The sum
of the two outputs is XORed with the other half of the 32-bit block.
❍ The 32-bit result of this process is used as a 32-bit subkey was used initially to encipher a further
16 bits of the block, and this continues until the entire 128-bit block has been enciphered in 16-bit
pieces.
These sixteen rounds each use fifteen subkeys; the first one uses subkey K125 to supply the four bytes
used for enciphering the first 16-bit subblock, and then subkeys K126 through K139, two at a time, for
enciphering the 32-bit intermediate results from enciphering one subblock to produce the 32-bit input to
use to encipher the next one, and the last one uses subkeys K350 through K364.
● Then, the preceding steps are done in reverse order, with the key-dependent byte permutations now being
the inverses of the ones derived from the Bx, Ax, 9x, and 8x elements of S8, and with the two Mishmash
rounds using subkeys K365 through K412, the eight normal Quadibloc II rounds using subkeys K413
through K484, and the set of four degenerate rounds using subkeys K485 through K488.
The Middle Rounds (GoodStuff)
The following diagram illustrates the method used for the middle 16 rounds of Quadibloc III:
Using four eight-bit subkeys (derived from a single 32-bit subkey, to remain within the overall structure derived
from Quadibloc II), four Feistel rounds are used to encipher a 16-bit subblock; in the first round, the right half is
XORed with the first subkey, then replaced through S8, then added to the left half. The direction of the f-function
alternates from right to left to left to right, and in the two outer rounds, the subkey is XORed and the f-function
output added, and in the two inner rounds, the subkey is added and the f-function output XORed.
The four intermediate results of the f-functions, derived before S8 substitution, are used to index into the fixed S-
box S9. The S-box outputs are used to form a 32-bit word consisting of the first nibbles of the four substituted
results in order, then the second nibbles. (Since, looking sideways, the bottom, rather than the top, of the
previous four rounds are to the left, the diagram shows that the order needs to be reversed when drawing a left-to-
right round of this cipher, by means of a twist upon entry and exit from the horizontal Feistel rounds.)
The resulting 32-bit word is then itself enciphered by four Feistel rounds of a cipher which, like Blowfish, uses
wide key-dependent S-boxes in the f-function. Here, four 16-bit subkeys are used, and so they are derived from
two 32-bit regular subkeys.
The final interchange is not omitted, or the rounds can be thought of, as they are drawn, in in-place format, and
the first round goes from right to left (or, in the diagram, top to bottom).
If the first set of four Feistel rounds operating on a 16-bit subblock is denoted by 1, the second by 2, and angle
brackets are used to show how one round provides the subkey input for the next, the pattern of rounds used in
this phase is as follows:
1 > 2 > 3 > 4 > 5 > 6 > 7 > 8

< 7 < 6 < 5 < 4 < 3 < 2 < 1 8 <
> 8 1 > 2 > 3 > 4 > 5 > 6 > 7 >

8 < 7 < 6 < 5 < 4 < 3 < 2 < 1
> 7 > 8 1 > 2 > 3 > 4 > 5 > 6 >
< 1 8 < 7 < 6 < 5 < 4 < 3 < 2 <
> 6 > 7 > 8 1 > 2 > 3 > 4 > 5 >

< 2 < 1 8 < 7 < 6 < 5 < 4 < 3 <
> 5 > 6 > 7 > 8 1 > 2 > 3 > 4 >

< 3 < 2 < 1 8 < 7 < 6 < 5 < 4 <
> 4 > 5 > 6 > 7 > 8 1 > 2 > 3 >

< 4 < 3 < 2 < 1 8 < 7 < 6 < 5 <
> 3 > 4 > 5 > 6 > 7 > 8 1 > 2 >

< 5 < 4 < 3 < 2 < 1 8 < 7 < 6 <
> 2 > 3 > 4 > 5 > 6 > 7 > 8 1 >

< 6 < 5 < 4 < 3 < 2 < 1 8 < 7 <
The S-box S9 is fixed, and is generated by continuing the process used for generating S-boxes 1 through 7 from
Euler's constant to generate one more permutation of the numbers 0 through 255, therefore this S-box is the one
designated S11 on the page entitled Euler's Constant and the Quadibloc S-Boxes.
The Next Innermost Layer (Mishmash)
The concept of a cipher called Mishmash is noted in the conclusions section of this chapter, to which reference
may be required.
The left half of the block (in the second round, the right half) is enciphered using four rounds of Quadibloc. The
intermediate results, after XORing in the second of the three subkeys, of each of the four f-function outputs are
then subjected to the Quadibloc f-function again, with another twelve subkeys, and the four 32-bit outputs are
XORed together.
The 32-bit result controls the encipherment of the right half of the block. The right half of the block is enciphered
by cipher steps 1 through 5. The first 25 bits of the 32-bit result is divided into five 5-bit values, indicating for
each of the five cipher steps, in order of their numeric labels, which of 32 sets of subkey material is used for
them.
The last 7 bits of the 32-bit result indicates the order in which the five cipher steps take place. Values 0 through
119 of these seven bits give the 120 permutations of the numbers from 1 through 5 in numerical order, as shown
in the following table:
0 12345 24 21345 48 31245 72 41235 96 51234

1 12354 25 21354 49 31254 73 41253 97 51243
2 12435 26 21435 50 31425 74 41325 98 51324
3 12453 27 21453 51 31452 75 41352 99 51342
4 12534 28 21534 52 31524 76 41523 100 51423
5 12543 29 21543 53 31542 77 41532 101 51432
6 13245 30 23145 54 32145 78 42135 102 52134

7 13254 31 23154 55 32154 79 42153 103 52143
8 13425 32 23415 56 32415 80 42315 104 52314
9 13452 33 23451 57 32451 81 42351 105 52341
10 13524 34 23514 58 32514 82 42513 106 52413
11 13542 35 23541 59 32541 83 42531 107 52431
12 14235 36 24135 60 34125 84 43125 108 53124
13 14253 37 24153 61 34152 85 43152 109 53142
14 14325 38 24315 62 34215 86 43215 110 53214
15 14352 39 24351 63 34251 87 43251 111 53241
16 14523 40 24513 64 34512 88 43512 112 53412
17 14532 41 24531 65 34521 89 43521 113 53421
18 15234 42 25134 66 35124 90 45123 114 54123

19 15243 43 25143 67 35142 91 45132 115 54132
20 15324 44 25314 68 35214 92 45213 116 54213
21 15342 45 25341 69 35241 93 45231 117 54231
22 15423 46 25413 70 35412 94 45312 118 54312
23 15432 47 25431 71 35421 95 45321 119 54321
and the remaining values give the following eight preferred orders once again:
120 31425
121 32415
122 51423
123 52413
124 31524
125 32514
126 41523
127 42513
Only one pool of 32 subkey values is used by all four Mishmash rounds in the cipher (which is different from the
Mishmash concept described in the conclusions section), despite the danger that a subkey may be used more than
once.
The five cipher steps are:
1. Two rounds of DES. Two 48-bit subkeys are the subkey material this uses.
2. Two rounds of Quadibloc. Six 32-bit subkeys are the subkey material this uses.
3. Four rounds of SKIPJACK. Sixteen 8-bit subkeys are the subkey material this uses.
4. One round of SAFER. Two 64-bit subkeys are the subkey material this uses.
5. Two rounds of GoodStuff. This consists of two rounds, similar to the middle rounds of this cipher, but
acting on only four 16-bit subblocks each. The ordering of the operations is 1234 followed by 4321 (not
3214). This uses fourteen 32-bit subkeys as subkey material.
In the Mishmash rounds, the final interchange is not omitted after the DES and Quadibloc rounds, since they are
part of an ongoing block cipher. This is true also of the Mishmash concept, as can be seen from the diagrams,
which show the ciphers in in-place form.
The four Skipjack rounds are type A in the first two Mishmash rounds in the cipher, and type B in the last two. In
addition, the SAFER rounds in the last two Mishmash rounds are rounds of SAFER decryption instead of
SAFER encryption, for the same reason.
Subkey Generation
Subkey generation for Quadibloc III follows the same general scheme as for Quadibloc II; initial subkeys are
generated using a method similar to the one used in Quadibloc II, but somewhat more elaborate.
Fill A1, A2, and A3; B1, B2, B3, B4, and B5; and C1, C2, C3, C4, and C5 with the first thirteen bytes of the key
in order. Initialize the variable Q to be zero.
Split the key into two pieces as follows, where L is the number of bytes in the key:
● If L is odd, the first piece consists of the first (L+1)/2 bytes of the key, the second piece is the remaining
bytes of the key. Then increase each piece in length by one byte by appending the one's complement of
the first byte in the piece to it.
● If L is an even number of the form 4n, the first piece consists of the first (L/2)+1 bytes of the key, the
second piece is the remaining bytes of the key. Then increase each piece in length by two bytes by
● If L is an even number of the form 4n+2, the first piece consists of the first (L/2)+2 bytes of the key, and
the second piece is the remaining bytes of the key. Then increase each piece in length by two bytes by
In the first case, the lengths of the two pieces of the key are two consecutive numbers, one even, and one odd. In
the second case, the lengths of the two pieces of the key are two odd numbers, differing by two. In the third case,
the lengths of the two pieces of the key are two odd numbers, differing by four. In all three cases, the lengths of
the two pieces of the key are relatively prime, and uniquely identify the length of the original key.
Each group of bytes is then used as the initial contents of a shift register, which operates as follows:
The sum of the first and third bytes in the shift register is XORed with the second-last byte in the shift register.
The result is used as the output of the shift register, and is also used as the new last byte in the shift register, all
other bytes being moved to the next earlier place, the first byte being discarded.
For each byte generated by XORing the outputs from the two shift registers, that byte is then transformed by
carrying out the following instructions:
For each of the numbers 0 to 4, do the following:
● Add the contents of A1 to the number, modulo 256.

● Replace that number by its substitute in S-box 5a (that is, the first half of S-box 5, an S-box with 8 bits of
input as well as 8 bits of output, created by setting the MSB of the input to 0).
Modify the variables B1 through B5 by adding the results of this process for the numbers 0 to 4, respectively, to
cumulative.)
Once that has been done, using the modified values of B1 through B5, we once again use the numbers 0 to 4 in
order as inputs as we do the following:
● Add the contents of B1 to the number, modulo 256.

● Replace that number by its substitute in inverse S-box 7b (the inverse of the second half of S-box 7).
● Replace that number by its substitute in inverse S-box 5b (the inverse of the second half of S-box 5).
● Replace that number by its substitute in inverse S-box 7a (the inverse of the first half of S-box 7).
● Replace that number by its substitute in inverse S-box 5a (the inverse of the first half of S-box 5).
Modify the variables C1 through C5 by adding the results of this process for the numbers 0 to 4, respectively, to
cumulative.)
Now, generate a byte from the two shift registers containing the two unequal pieces of the key as outlined above.
Add Q to that byte. Put that byte through the following process:
● Add the contents of C1 to the number, modulo 256.

● XOR the result with the contents of C2.
● Add the contents of C3 to the result, modulo 256.
● XOR the result with the contents of C4.
● Add the contents of C5 to the result, modulo 256.
The result of this process is the output byte, to be placed in the subkeys. The output byte is also stored in the
variable Q.
One more step, however, remains in the process; the variables A1, A2, and A3 are changed (just as B1 through
B5 have already been changed) as follows: replace A1 with the former contents of A2; replace A2 with the
former contents of A3; and replace A3 with the former contents of A3 XOR the current output byte (also stored
in Q).
After generating the first 440 regular 32-bit subkeys, initial values of the remaining subkey material is generated
in the following order:
● first, initial subkeys K441 through K488 (which will later be used for subkeys with different numbers),
(192 bytes)
● then the contents of key-dependent S-box S8, (from 1536 to 2304 bytes are used to produce this, since it
is generated from three permutations which require either 512 or 768 bytes to produce)
● then the 256 16-bit entries for each of S10 and S11; (1024 bytes)
● then the Mishmash subkeys; 32 sets of two 48-bit subkeys for the DES rounds, (384 bytes)
● 32 sets of six 32-bit subkeys for the Quadibloc rounds, (768 bytes)
● 32 sets of sixteen 8-bit subkeys for the Skipjack rounds, (512 bytes)
● 32 sets of two 64-bit subkeys for the SAFER rounds, (512 bytes)
● 32 sets of fourteen 32-bit subkeys for the GoodStuff rounds. (1792 bytes)
● An additional 2304 bytes of subkey material to be used later. (2304 bytes)
All the subkey material thus generated, except the material used to produce S-box S8, is retained in order in an
array for later modification.
An initial value for S8, the key-dependent S-box is generated as follows:
● Generate three permutations of the numbers from 0 to 255 from the subkeys by the following procedure:
❍ Use successive bytes from the subkeys, starting with the leftmost (most significant) byte of subkey
K1, and going through the subkeys in numerical order, that is, K1, K2, K3, K4..., and then starting
where one has left off for subsequent permutations.
❍ Each permutation is generated by the use of either 512, or, under some rare circumstances, only
256, bytes.
❍ A permutation is generated as follows:
■ Begin with three arrays of 256 numbers, the first of which is filled with the numbers from 0
to 255 in order. The arrays must also be able to hold the value -1. The second and third
arrays are filled with -1.
■ For each byte used: let the value of the byte be called N, and let I be a counter which starts
at 0 for the first byte, incrementing with each byte used, and ending at 255.
■ Then, for each byte:
■ If element N of the first array is not -1, set element N of the first array to -1, and set
element I of the second array to N.
■ Otherwise, store N in the first unused position (the first position containing -1) in the
third array.
■ Once this has been done, if the third array contains any numbers other than -1, proceed as
follows:
■ If there is only one filled (not equal to -1) element in the third array, then there is only one
remaining element in the first array, and one element of the second array equal to -1, so fill
the second array with the one available byte, and finish.
■ If there are only two filled elements in the third array, take the least significant bit of the
first filled element. If it is zero, fill the -1 elements of the second array with the remaining
elements of the first array in order; if it is one, do so in reverse order, and finish.
■ If there are less than 256 filled elements in the third array, repeat them over and over to fill
the array. Then, take an additional 256 input bytes (thus, 512 bytes are used except when
the first 256 bytes contain two or fewer duplicate bytes) and XOR them with the bytes of
the third array.
■ Now, use the third array to complete the second array by doing the following for II from 0
to 255:
■ Let the value of element II of the third array be XX.
■ Swap elements II and XX of the first array.
■ Then, scan through the second array. When an element of the second array is -1, fill it with
the corresponding element of the first array (if it is not also -1) and set that element of the
first array to -1.
■ If there are any -1 elements left in the second array, fill them with the elements of the first
array that are not -1 in order.

● The three permutations obtained in this manner are used to generate a key dependent S-box as follows:
❍ For N from 0 to 255:
❍ Set A to be element N of the first permutation; set B to be element N of the second permutation,
and set C to be element B of the third permutation.

❍ Set element A of the S-box to equal C.
Only the first 440 subkeys, each 32-bits long, which are the first subkey material generated by this method, are
modified by the key augmentation technique of performing an initial encipherment, and XORing subkeys with
intermediate results. Because some of the rounds do not produce intermediate results suitable for this use, the key
augmentation step undergoes an important change. Instead of modifying the 440 subkeys by performing a normal
Quadibloc III encipherment, and using its intermediate results, a modified encipherment, using only normal
rounds found in Quadibloc II is used.
The modified encipherment consists of one group of four degenerate rounds, forty-eight normal Quadibloc II
rounds, and one more group of four degenerate rounds. This arrangement uses exactly 440 subkeys. Four key-
dependent byte permutations are used, from 0x, 1x, and inverse 9x and 8x; only one unkeyed whitening step,
followed by the 0x permutation, begins the cipher; the 1x permutation follows the first group of four degenerate
rounds, preceding the first conventional Quadibloc II round.
The subkeys are initially filled in the following order, consistent with Quadibloc II practice:
K1 K2 K3 K4
K5 K8 K11 K6 K9 K12 K7 K10 K13
K14 K17 K20 K15 K18 K21 K16 K19 K22
...
K428 K431 K434 K429 K432 K435 K430 K433 K436
K437 K438 K439 K440
and are modified during key enrichment in the following order (although the subkeys are aligned in columns to
illustrate their pattern, the order used is that found by reading across):
K440 K436 ... K22 K13

K439 K435 ... K21 K12
K438 K434 ... K20 K11
K437 K433 ... K19 K10
K432 ... K18 K9
K431 ... K17 K8 K4
K430 ... K16 K7 K3
K429 ... K15 K6 K2
K428 ... K14 K5 K1
Bytes for use in the 48 additional subkeys, S10 and S11, and in Mishmash, are generated during the initial part of
subkey generation, even though these parts of the cipher aren't used in key-enrichment; then, during the key-
enrichment phase, nine bytes of output from the same shift register process as was used to fill all the subkey
material with its initial values, but modified in an analogous fashion to that used for Quadibloc II (the last 13
bytes of the 440 regular subkeys are used to fill A1 through C5, and one shift register, rather than two, is used,
consisting of the rest of the subkey material), are used to modify eight bytes in this additional subkey material.
This is done as follows: the first byte determines the use of the next eight bytes; if its most significant bit is a 1,
the next byte is XORed to the previously generated byte, if its most significant bit is a 0, the next byte replaces
the corresponding previously generated byte, and so on through the bits of the first byte and the bytes following.
The additional subkey material being modified in this step consists of 7488 bytes. For the purpose of an
additional operation to be performed concurrently with the XOR or replacement of these bytes in groups of eight
using generated bytes in groups of nine, these bytes are to be considered as 20 blocks of 256 bytes each, plus 64
extra bytes.
The additional manipulation to be performed consists of two steps. Only during the processing of the second
through the 19th of the 20 complete blocks are both steps done; one is done during the processing of the first
block.
For each of the first 256 generated bytes of the 288 generated bytes required to modify the 256 bytes of the
current block, the next block is modified as follows:
Letting c be a counter, 0 for the first generated byte, and incremented by one as we change to use each additional
generated byte, and letting n be the value of the current generated byte, we swap byte c and byte n of the next
block.
This only requires the existence of a following block, and is therefore done when the current block is any block
from the first through the nineteenth.
For each of the last 256 generated bytes of the 288 generated bytes we use in modifying the 256-byte current
block, immediately following the use of that same byte for modifying the next block during the period when both
operations overlap, we modify the preceding block as follows:
Letting c be a counter, 0 for the first generated byte used by this step, the 33rd of the 288 generated bytes for the
current block, and letting n be the value of the current generated byte, we let p be the value of byte c of the next
block, and let q be the value of byte n of the previous block.
We then swap bytes p and q of the previous block. Letting k be the XOR of the values of the two bytes so
swapped, byte n of the previous block is then modified by being XORed with byte k of the next block.
This requires both a preceding and a following block, and is done for the second block through the nineteenth.
Performing these transposition steps on the subkey material helps to destroy any pattern it might contain.
As many of the last 2304 bytes of subkey material as required are used to generate a permutation following the
steps used for generating the initial value of S8. The generated result, however, is not used as the final value of
S8. Instead, each element of S8 is replaced by the value it points to in this result; that is, for N from 0 to 255, S8
(N) becomes R(S8(N)). (Thus, S8 depends on both the old and new subkeys, and doesn't relate to the current
subkeys in a simple way.)
Then, the 488 subkeys required for Quadibloc III are produced from the 440 subkeys generated normally and the
48 additional ones by using the 48 additional subkeys in order as the ones for the f-functions that are used to
modify the f-function results before being XORed together in the Mishmash rounds.
Hence,
● subkeys K1 through K88 retain their identity,

● subkeys K441 through K452 are moved to subkeys K89 through K100,
● and, finally, subkeys K365 through K440 are moved to subkeys K413 through K488.
Note that implementations need not actually move the subkeys around, but merely need to ensure that each
encipherment step uses the correct subkeys from those stored in memory.
Variations of Quadibloc III
Specific named variations of Quadibloc III are provided here to broaden its range of applicability.
The first variation is Quadibloc III SC (Short Cycle). This version retains the complexity of Quadibloc III, but
eliminates the large number of rounds of the GoodStuff kind in the middle of the cipher. Instead, only two such
rounds are retained, with the following arrangement:
1 > 2 > 3 > 4 > 5 > 6 > 7 > 8

8 < 7 < 6 < 5 < 4 < 3 < 2 < 1
This, by reducing the amount of required subkey material from 488 subkeys to 278, and hence the key
augmentation phase of key generation is modified as follows: eight regular Quadibloc II rounds are used, the first
10 words of S10 are also modified, and there is no shifting of subkeys out of numerical order, as was required to
exclude a particular 48 subkeys from key augmentation in the normal version. The unkeyed whitening step, and
the initial and final byte transposes (0x and 8x) are also retained in the modified encipherment.
The next variation is Quadibloc III MD (Maximum Dispersion). This version adds eight 64-bit words of subkey
material to what is used by the cipher. They are not used during the modified encipherment cycle performed for
key augmentation, but they are generated initially, like other parts of the subkey material not then used. They are
generated immediately after the 32 extra normal subkeys which are modified after, instead of during, key
augmentation, and immediately before calculating S-box S8. Otherwise, since the key schedule is only
lengthened, key augmentation is not otherwise modified for this variation.
These 64-bit words are used to perform an ICE-style interchange of the left and right halves of the block,
immediately after the first four key-dependent byte interchanges derived from S-box S8 and immediately before
the last four such byte interchanges. A 1 bit corresponds to a bit to be interchanged, and the words are used in
order during encipherment.
Finally, Quadibloc III SD (Short/Dispersive) combines the modifications in Quadibloc III SC and Quadibloc III
MD. As it has 294 32-bit words of normal subkey, the key augmentation phase of its key generation is based on a
modified encipherment involving a byte transpose based on the 0x row of S8, an unkeyed whitening step, a set of
four degenerate rounds, a byte transpose based on the 1x row of S8, eight normal Quadibloc II rounds, the 9x
transpose, four degenerate rounds, inverse whitening, and the 8x transpose. The first two words of S10 are also
included in the key augmentation for this variation.
A variation in the round structure, like those illustrated for Quadibloc II, will also be illustrated here, but in this
case it is for the Mishmash portion of the cipher.
This diagram gives an overview of the Mishmash rounds as modified. Instead of placing the intermediate results
of the four QUADIBLOC 96 rounds on the left side through an additional QUADIBLOC f-function, these results
are used to produce a 32-bit result by means of the 32-bit Feistel structure used within the GoodStuff portion of
the cipher. This reduces the number of additional subkeys required for this part of the cipher to 8 from 48, but the
strength of the modified cipher appears fully satisfactory.
Another variation on Quadibloc III uses the modified Mishmash rounds described above, but in addition changes
the order of the rounds in line with insights that have come out of looking at how some differential attacks,
including the boomerang attack work. The idea is that parts of the cipher that are analytically simple are put on
the outside, and parts that are harder to analyze, but possibly leaving room for new probing attacks, are put in the
center. A diagram giving an overview of the variation, accompanied by its description, are below:
● Small Feistel rounds, using no subkeys, but

using the key-dependent S-box S8 as their f-
function, transforming 16-bit subkeys of the
block.
● Four simple rounds, using a single-level f-
function, that are aimed at obtaining high
diffusion, and which use 32-bit subkeys K1
through K4.
● Two rounds in which the block is enciphered as
follows:
❍ one 16-bit subblock is enciphered by
four Feistel rounds, using S8 as the f-

function, but this time preceded by the
XOR of a subkey byte;
❍ the results of the XOR are used as
intermediate results, and are fed into the

S-box S9.
❍ The four S9 outputs produce a 32-bit
result whose first 16 bits are the first

four bits of each of their outputs, and
whose last 16 bits are the last four bits of
each of their outputs.
❍ This result is then enciphered by means
of four Feistel rounds, where the f-

function consists of first XORing in a 16-
bit half of a subkey, then using the two
bytes of the result to index into two key-
dependent S-boxes, S10 and S11, which
each take an 8-bit input and give a 16-bit
output. The sum of the two outputs is
XORed with the other half of the 32-bit
block.
❍ The 32-bit result of this process is used
as a 32-bit subkey was used initially to

encipher a further 16 bits of the block,
and this continues until the entire 128-bit block has been enciphered in 16-bit pieces.
These two rounds each use fifteen subkeys; the first one uses subkey K5 to supply the four bytes used for
enciphering the first 16-bit subblock, and then subkeys K6 through K19, two at a time, for enciphering the
32-bit intermediate results from enciphering one subblock to produce the 32-bit input to use to encipher
the next one, and the second one uses subkeys K20 through K34.
● Eight normal Quadibloc II rounds, each of which uses nine subkeys, the first using subkeys K35 through
K43, the last using subkeys K98 through K106.
● Four rounds of a form of Mishmash, whose large quantity of subkeys is generated after the contents of
S10 and S11, and by the same process. These rounds use fixed Quadibloc subkeys for one half of the
block, the subkeys being K107 through K118 for the encipherment of that block, and K119 through K120
for the Feistel rounds with a 32-bit block using S-boxes S10 and S11 that modify its intermedate results,
for the first Mishmash round, and the remaining Mishmash rounds use subkeys K121 through K162.
● Then, the preceding steps are done in reverse order, with the key-dependent byte permutations now being
the inverses of the ones derived from the Bx, Ax, 9x, and 8x elements of S8, and with the eight normal
Quadibloc II rounds using subkeys K163 through K234, the two GoodStuff rounds using subkeys K235
through K264, and the set of four degenerate rounds using subkeys K265 through K268.
The 268 subkeys required, plus the first 20 32-bit words of the S-box S11, are modified after initial subkey
generation by key augmentation through 32 normal Quadibloc II rounds with no degenerate rounds, (and two
byte transposes, based on the 0x and 8x rows, instead of four, and two unkeyed whitening steps, as for the
regular cipher) and there is no shifting of subkeys out of numerical order, as was required to exclude a particular
48 subkeys from key augmentation in the normal version.
Next
Start of Section
Table of Contents
Main Page Home Page
Quadibloc IV
Quadibloc IV is a block cipher with a 128-bit blocksize with a simpler design than that
of either Quadibloc III or even Quadibloc II. It has 32 rounds, numbered from 1 to 32,
each using three 32-bit subkeys.
It uses the S-boxes S1, S2, and S3 (S3 is only used during key generation) derived
from Euler's constant, as listed in the description of Quadibloc II.
It attempts - despite the fact that A xor B and B xor A are the same thing - to use a
strategy derived from hash functions to produce a secure f-function; the quantity
XORed to the first subblock in each round is the XOR of two f-functions, one which
uses a subblock as input, and two subkeys as keys, and one which uses a subkey as
input, and two subblocks as keys.
The Rounds
A round of Quadibloc II proceeds as follows:
The 128-bit block is considered to be divided into four 32-bit subblocks, B1 through
B4. The leftmost subblock, B1, is the only one modified in a round. It has two
quantities XORed to it:
● An f-function, using B2 as input, with the first two subkeys for the round as
keys, using S1 as the S-box.
● An f-function, using the third subkey for the round as input, with B3 and B4 as
keys, using S2 as the S-box.
The f-function is essentially the basic Quadibloc f-function: XOR the input and the first
key, substitute the bytes in the S-box, and then perform the following regular
permutation of the bits:
1 2 27 28 21 22 15 16 9 10 3 4 29 30 23 24
17 18 11 12 5 6 31 32 25 26 19 20 13 14 7 8
Then, XOR the input and the second key and again perform the S and P steps. In
Quadibloc IV, no third key is used.
The following diagram illustrates a typical round of Quadibloc IV:

The diagram illustrates the way in which the subblocks are interchanged after a typical
round:
3 4 2 1
No interchange is performed after the last round, round 32.
After round 4 and after round 28, the bytes of the 128-bit block are interchanged in the
following order:
1 14 11 8 5 2 15 12 9 6 3 16 13 10 7 4
After round 16, the four subblocks are interchanged in this order:
3 2 1 4
After the other rounds whose numbers are divisible by 4, the four subblocks are
interchanged in this order:
3 1 4 2
Hence, if one numbers the subblocks on entry to round 5 as 1, 2, 3, and 4, the orders in
which they appear from round 5 to round 28 are as follows:
1 2 3 4 3 4 2 1 2 1 4 3 4 3 1 2
1 4 2 3 2 3 4 1 4 1 3 2 3 2 1 4
1 3 4 2 4 2 3 1 3 1 2 4 2 4 1 3
1 4 3 2 3 2 4 1 4 1 2 3 2 3 1 4
1 2 4 3 4 3 2 1 2 1 3 4 3 4 1 2
1 3 2 4 2 4 3 1 3 1 4 2 4 2 1 3
thus going through all 24 possible orders exactly once.
Because of the byte interchange after rounds 4 and 28, the first and last four rounds
function as a whitening phase of the block cipher.
Key Generation
Two shift registers, one 64 bytes in length and one 65 bytes in length, are used to
generate subkeys, and are loaded with the key, which can be from 2 to 63 bytes in
length, as follows:
● If the key is 256 bits (32 bytes) in length or shorter:

❍ The 64-byte shift register is loaded with the key, followed with the one's
complement of the key, followed by as many repetitions of the key as are

needed to fill it.
❍ The 65-byte shift register is loaded with the bytes of the key in reverse
order, followed by the one's complement of the key (in normal order),
followed by as many repetitions of the key as are needed to fill its first
64 bytes, followed by the one's complement of the first byte of the key.
● If the key is from 33 to 63 bytes in length:
❍ The 64-byte shift register is loaded with the first half of the key
(including one more byte than the second half, if the number of key bytes
is odd), followed by the one's complement of the first half of the key and
as many repetitions of the first half of the key as are needed to fill it.
❍ The 65-byte shift register is loaded with the second half of the key,
followed by the one's complement of the second half of the key, and as
many repetitions of the second half as are needed to fill its first 64 bytes,
followed by the one's complement of the first byte of the second half of
the key.
Initial values of subkey bytes are generated from these two shift registers as follows:
The first shift register is cycled as follows:
Take the 49th byte, add the 33rd byte, and XOR the 64th byte. Find the substitute for
the result in S-box S3. XOR the 3rd byte, and add the 1st byte.
The result will be the new first byte of the shift register, the other bytes being advanced
one place, and the old 64th byte being discarded.
The second shift register is cycled as follows:
Take the 23rd byte, add the 65th byte, and XOR the 11th byte. Find the substitute for
the result in S-box S3. Add the 50th byte, and XOR the 1st byte.
The result will be the new 65th byte of the shift register, the other bytes being moved to
the next earlier place, and the old 1st byte being discarded.
The byte of the subkey generated from this step is the generated new first byte of the
first shift register, replaced with its substitute from S-box S3, XORed with the
generated new 65th byte of the second shift register.
Once all 96 subkeys have been filled with their initial values, key augmentation takes
place. A normal encipherment cycle is performed, enciphering the 128-bit block
A5 C3 E1 2D B4 87 96 F0 0F 69 78 4B D2 1E 3C 5A
but after each round, the four intermediate values generated in the round are applied as
follows:
The four intermediate values are:
1. The output of the SP operation following the use of the first subkey for the
round;
2. The output of the SP operation following the use of the second subkey for the
round;
3. The output of the SP operation following the use of the third subblock;
4. The output of the SP operation following the use of the fourth subblock;
Intermediate values 1, 2, and 4 of each round are XORed to the subkeys after the round
is over, and the order in which the subkeys is modified is:
K1 K4 K7 K10 K13 ... K94

K2 K5 K8 K11 K14 ... K95
K3 K6 K9 K12 K15 ... K96
and then, intermediate value 3 from the round is added, using byte-wide addition (as
well as creating no endian confusion, this is sure to be implementable, even on systems
that support only 16-bit arithmetic with no way to disable integer overflow exceptions)
to the following subkeys in this order:
K96 K93 K90 K87 K84 ... K3
Use as a Hash Function
As this block cipher was designed using design principles from hash functions, it
seemed appropriate to specify a mode in which it could be used to generate a hash of a
file. However, only the simplest mode is specified here, generating a 128-bit hash,
which is not considered adequately long to obtain collision resistance.
One iteration of the cipher will be used to hash a block consisting of 32 32-bit words,
or 128 bytes. The string of bits to be hashed will be converted to a whole number of
blocks by having a 1 appended to it, and then the result will be filled out with zeroes to
fill the last block.
The starting value to be "enciphered" by the block cipher will be:
A5 C3 E1 2D B4 87 96 F0 0F 69 78 4B D2 1E 3C 5A
as used for key augmentation.
The subkeys for the encipherment will be supplied by the block to be hashed as follows:
Both subkeys
K3 K6 K9 K12 K15 ... K96
and subkeys
K95 K92 K89 K86 K83 ... K2
will be supplied from the bytes of the block, taken in groups of four, in order. (The first
byte is the leftmost byte of the word.)
Subkeys
K1 K4 K7 K10 K13 ... K94
will be the following:

K1: 243F6A88 K4: 85A308D3 K7: 13198A2E K10: 03707344
K13: A4093822 K16: 299F31D0 K19: 082EFA98 K22: EC4E6C89
K25: 452821E6 K28: 38D01377 K31: BE5466CF K34: 34E90C6C
K37: C0AC29B7 K40: C97C50DD K43: 3F84D5B5 K46: B5470917
K49: 9216D5D9 K52: 8979FB1B K55: D1310BA6 K58: 98DFB5AC
K61: 2FFD72DB K64: D01ADFB7 K67: B8E1AFED K70: 6A267E96
K73: BA7C9045 K76: F12C7F99 K79: 24A19947 K82: B3916CF7
K85: 0801F2E2 K88: 858EFC16 K91: 636920D8 K94: 71574E69
which are the hexadecimal digits in the fractional portion of pi (also used as the starting
value of the S-boxes and subkeys in Blowfish, although it uses 784 of them, not just 32
of them).
After each block is hashed, the input to the encryption cycle is XORed with the output
to produce the current value of the hash, which will be the input to the next encryption
cycle.
A Variation of Quadibloc IV
In Quadibloc IV ER (Extra Resistance), after generating the initial values of the

subkeys, an additional 1536 to 2304 bytes are generated to create S8 in the same
fashion as the initial value of S8 was generated in Quadibloc II and Quadibloc III. This
key-dependent S-box is not modified again after key augmentation, and it is used to
perform a substitution on the four bytes of the two f-function outputs after the second
SP portion. This modification makes Quadibloc IV considerably more secure against
differential and linear cryptanalysis.
Next
Start of Section
Table of Contents
Main Page Home Page
Quadibloc V
Quadibloc V is a straightforward and simple member of the Quadibloc family of ciphers. It operates on a 128-bit
block, and has a key which must consist of number of bytes that is a multiple of four and which is equal or
greater than 8. It uses S-box S1 derived from Euler's constant, as used in other ciphers of the Quadibloc series,
and it uses one key-dependent S-box, called S2, which has 16 entries, each 64 bits long.
It has four rounds, and each round uses 72 bytes of subkey material. The halves of the block are swapped after
each of the first three rounds.
As encipherment and decipherment are different, and as the f-function only diffuses half of the information in the
left half of the block, it might seem that there are opportunities for cryptanalysis. But what happens to the right
half of the block, and the use of a key-dependent S-box, even if only a minimal one, appears to close any such
opportunities. Also, the key schedule seems to be secure, although it too is greatly simplified over that of
Quadibloc II or III.
The Rounds
The following diagram illustrates what happens during a round of Quadibloc V:

The bytes in the left half of the block are used in pairs to generate bytes the nybbles of which are then used to
select two entries from S-box S2.
One copy of the second byte in the pair is XORed with a byte of subkey material; the next copy has the next byte
of subkey material added to it. Then both copies are replaced by their corresponding entries in S-box S1. The
first byte in the pair first has the first copy of the other byte, as modified, added to it. This intermediate result is
retained for later use. Then it is replaced by the entry it now selects in S-box S1. Finally, the second copy of the
other byte, as modified, is XORed to it.
The first and second nybbles of this resulting byte are used to index to two elements of S-box S2. The entry
chosen by the second nybble of a byte then has its halves swapped. The intermediate result saved for later use is
also split into two nybbles, each used to index an element from S-box S2. The one chosen by the first nybble is
rotated 16 bits left, and the one chosen by the second nybble is rotated 16 bits right.
These elements of S-box S2 are XORed with the right half of the block at various times.
This portion of the cipher uses the first eight subkey bytes for the round.
First, the bytes in the right half of the block are modified by going through tiny Feistel rounds, similar to
permutation G of SKIPJACK, but here using S-box S1 as the f-function. First, each pair of bytes goes through
two rounds of this, first the left-hand byte modifying the right-hand byte, then the right-hand byte modifying the
left-hand byte. Two subkeys are used to perform these two rounds for one pair of bytes, then the next two
subkeys are used for two rounds for the next pair of bytes, as is visible from the numbering in the diagram.
Then, four S2 outputs,
● the one from the first nybble of the byte generated from the first pair of bytes in the left half of the block
● the one (with its halves swapped) from the last nybble of the byte generated from the last pair of bytes in
the left half of the block
● the one (rotated 16 bits to the left) from the first nybble of the intermediate result generated from the
second pair of bytes in the left half of the block
● the one (rotated 16 bits to the right) from the second nybble of the intermediate result generated from the
third pair of bytes in the left half of the block
are XORed to the right half of the block as currently modified.
Then, two more tiny Feistel rounds are applied to each pair of bytes in the right half, and then the bytes are
interchanged as follows:
1 4 3 6 5 8 7 2
and then another two tiny Feistel rounds are applied. Note that this interchange, applied three times, ensures that
each even byte is paired with each odd byte for four tiny Feistel rounds during this process.
Now, four S2 outputs
● the one from the first nybble of the byte generated from the second pair of bytes in the left half of the
block
● the one (with its halves swapped) from the last nybble of the byte generated from the third pair of bytes in
● the one (rotated 16 bits to the left) from the first nybble of the intermediate result generated from the first
pair of bytes in the left half of the block
last pair of bytes in the left half of the block
are XORed to the right half of the block in its present state.
Then, another four tiny Feistel rounds with a byte interchange in the middle.
Now, four S2 outputs
● the one from the first nybble of the byte generated from the third pair of bytes in the left half of the block
● the one (with its halves swapped) from the last nybble of the byte generated from the second pair of bytes
in the left half of the block
● the one (rotated 16 bits to the left) from the first nybble of the intermediate result generated from the last
first pair of bytes in the left half of the block
are XORed to the right half of the block.
Then, another four tiny Feistel rounds with a byte interchange in the middle.
And then the following four S2 outputs
● the one from the first nybble of the byte generated from the last pair of bytes in the left half of the block
● the one (with its halves swapped) from the last nybble of the byte generated from the first pair of bytes in
● the one (rotated 16 bits to the left) from the first nybble of the intermediate result generated from the third
second pair of bytes in the left half of the block
are XORed with the right half.
And now, two tiny Feistel rounds are applied to each pair of bytes in the right half of the block. Finally, the bytes
are interchanged as follows:
1 3 5 7 2 4 6 8
This final interchange sorts the odd and even bytes into groups, so that pairs will later be made on a different
basis.
The Key Schedule
The key material used during encipherment consists of a 512 byte key-dependent S-box S2, and 288 bytes of
subkey material.
Initially, this key material is loaded as follows:
● The key is split into two parts, the first having one byte less than half the bytes in the key, and the second
having the remaining bytes.
● Bytes of subkey material are alternately filled from each half of the key.
● Each time one returns to the first byte of a part of the key, after using the last byte previously, one adds 1
to a constant (initially zero) which is added to each byte as it is taken.
Thus, if the key is initially:
200 160 001 100 080 020 140 120
it is split into the two parts
200 160 001

100 080 020 140 120
and the subkey material is initially filled as follows from it:
200 100 160 080 001 020 201 140

161 120 002 101 202 081 162 021
003 141...
Using this initial subkey material, a block is enciphered consisting of the first sixteen bytes of the key, or, if the
key is shorter than sixteen bytes, the key followed by the key with each byte XORed with 1, followed by the key
XORed with 2 if necessary, all the bytes then replaced with their substitutes in S-box S1.
Each round of encipherment produces eight 64-bit intermediate results: an intermediate result is obtained by
taking the current value of the right half of the block after each pair of tiny Feistel rounds, except that in the case
of those rounds followed by XORing in S-box S2 entries, the intermediate value is taken after that XOR.
After each round is completed, and five rounds are performed, rather than the four used for normal encipherment,
the fifth using the same subkeys as the first, the intermediate results are used to modify the subkeys.
The first 36 of the 40 intermediate results generated are XORed with the subkey material, in the following order:
Result: Subkey bytes:
1 K1 K2 ... K8
2 K73 K74 ... K80
3 K145 K146 ... K152
4 K217 K218 ... K224
5 K9 K10 ... K16
6 K81 K82 ... K88
...
36 K281 K282 ... K288
In addition, each byte of all but the first eight intermediate results (leaving the last 32 intermediate results, which
amount to 256 bytes) is used to modify the 512-byte S-box S2, as follows:
● The S-box S2 is to be considered as consisting of two halves, each 256 bytes in length, called H0 and H1.
H0(n) is the (n+1)th byte of H0; that is, H0(0) is the first byte of H0.
● Let the byte being used to modify the S-box have the value X.
● Let a counter, initially equal to 0, and increasing by 1 each time be noted by N. This counter will run from
0 to 255 as the process below takes place.
● Let W=N xor X.
● Let P=H0(W) xor X and Q=H1(W) xor X
● In all cases, first modify H1(P) by XORing it with H0(P) and with X, then modify H0(Q) by XORing it
with H1(Q) and with X.
● Modify H0(X) by XORing it with Q and with W, and modify H1(X) by XORing it with P and with W.
● If N and X are not equal, swap H0(N), H0(X), H1(N), and H1(X) as follows: H0(N) is replaced by H0(X),
which is replaced by H1(N), which is replaced by H1(X), which is replaced by the former value of H0(N).
Variations
If one wishes to use Quadibloc V with eight rounds, then the key augmentation step of the key schedule is
modified as follows:
The encipherment step used to generate intermediate results now runs for nine rounds. All intermediate results
are used to XOR with subkey bytes, and the order is similar to that for the four-round version: first, an XOR is
done to the first eight bytes in each of the eight rounds, then the next eight bytes in each of the eight rounds. The
ninth round uses the subkeys for the first round.
The last 512 bytes so generated, which involve all but the first eight intermediate results, are used to carry out the
modification of the S-box S2, but this time twice.
With sixteen rounds, the key augmentation step will involve encipherment with eighteen rounds, the last two
using the subkeys of the first two rounds. Again, all intermediate results are used to XOR with subkey bytes. The
last 1024 bytes generated, which exclude the first sixteen intermediate results (or those from the first two rounds)
are used to modify S-box S2 four times.
Next
Start of Section
Table of Contents
Main Page
Home Page
Quadibloc VI
Quadibloc VI attempts to achieve the attractive characteristics of Quadibloc III, but with fewer rounds. The main intention in the design of Quadibloc VI is to
make a block cipher that has the advantages of a stream cipher.
A typical block cipher subjects each block of data it enciphers to a series of manipulations, with the only variation in these manipulations due to the variable and
secret key being that the data, while being manipulated, occasionally has subkey material XORed to it. Perhaps addition will also be used.
A stream cipher can resist analysis by applying different key material to the encipherment of each byte or block it encounters.
Thus, the Mishmash encipherment method used within Quadibloc III imitates a stream cipher, by choosing subkeys from a pool to encipher one half of a block, the
choice being determined by the other half of the block. This principle is employed here as well, but with a simpler structure.
Quadibloc VI uses the same fixed S-boxes S1 and S2 derived from Euler's constant as QUADIBLOC and other ciphers in the Quadibloc series, whose contents
have been listed in previous sections.
Description of Mixing/Whitening
The first step in encipherment, when a 128-bit block is submitted to Quadibloc VI, is to ensure that every bit in the block affects, or potentially affects, every bit in
every other block, through a short series of mixing and whitening transformations, as shown in the diagram below:
First, the bytes, by pairs, go through four mini-Feistel rounds, using the key-dependent S-box S8 as the f-function.
Then, using 64-bit subkey LK1, the two halves of the block have selected corresponding bits swapped, in the manner originated by the block cipher ICE.
Then, to bring bytes that have not yet influenced each other into contact, the bytes are transposed so that after transposition, the bytes in order came from the
following positions, from 1 to 16, as indicated by the numbers below:
1 13 2 14 3 15 4 16 5 9 6 10 7 11 8 12
Once this is done, another four mini-Feistel rounds with the key-dependent S-box S8 used as the f-function are performed on adjacent pairs of bytes.
Then, once again bytes are moved to bring bytes that had not affected one another into contact. As a possible transposition to do so here is the one used previously,
it is applied once again.
Then, a completely unkeyed step is used for the final merging of bytes, a set of Pseudo-Hadamard Transforms applied to pairs of bytes.
Finally, the bytes in the block are transposed according to a key-dependent byte transposition derived from the contents of key-dependent S-box S8.
Description of Regular Rounds
In a regular round of Quadibloc VI, the leftmost six bytes of the block are enciphered by means of two rounds of the GoodStuff method, which proceeds as follows:
Using four eight-bit subkeys (derived from a single 32-bit subkey), four Feistel rounds are used to encipher a 16-bit subblock; in the first round, the right half is
XORed with the first subkey, then replaced through S8, then added to the left half. The direction of the f-function alternates from right to left to left to right, and in
the two outer rounds, the subkey is XORed and the f-function output added, and in the two inner rounds, the subkey is added and the f-function output XORed.
The four intermediate results of the f-functions, derived before S8 substitution, are used to index into the fixed S-box S2. The S-box outputs are used to form a 32-
bit word consisting of the first nibbles of the four substituted results in order, then the second nibbles. (Since, looking sideways, the bottom, rather than the top, of
the previous four rounds are to the left, the diagram shows that the order needs to be reversed when drawing a left-to-right round of this cipher, by means of a twist
upon entry and exit from the horizontal Feistel rounds.)
The resulting 32-bit word is then itself enciphered by four Feistel rounds of a cipher which, like Blowfish, uses wide key-dependent S-boxes in the f-function.
Here, four 16-bit subkeys are used, and so they are derived from two 32-bit regular subkeys.
The final interchange is not omitted, or the rounds can be thought of, as they are drawn, in in-place format, and the first round goes from right to left (or, in the
diagram, top to bottom).
The following diagram illustrates the operations that take place during a regular round of Quadibloc VI upon the leftmost eight bytes of the block:
The first six bytes are subjected to encipherment according to the GoodStuff algorithm, first in one direction, and then in another.
The final f-function outputs in the Feistel rounds applied to the 32 bit quantity that serves as subkeys for the 16-bit Feistel rounds in each of the GoodStuff
encipherments are XORed to the last two of the first eight bytes. Before, between, and after these XORs, those two bytes are modified using the same type of mini-
Feistel round as was used in the initial mixing/whitening phase.
Note that the first and last f-function (or S-box S8) outputs are XORed together to produce one byte of output.
This byte is used to control the encipherment of the other half of the block, which is enciphered using the modification of the original QUADIBLOC round used in
Quadibloc S, to be described in the next section. A Quadibloc S round is illustrated below:
The single byte of output has 256 possible values. 7 times 6 times 5 is 210, which is less than 256, therefore this byte can be used to choose three distinct subkeys
from a pool of seven subkeys to be used as the three subkeys for the Quadibloc S round.
After the first three regular Quadibloc IV rounds in a group of four, the bytes are interchanged according to the following pattern, where each number denotes the
position of a byte in the source to the permutation, the numbers being in the order of the bytes upon] output:
3 4 5 6 7 8 1 2 13 14 15 16 9 10 11 12
The intent of this is to have the two bytes in the first half which are enciphered differently take on four different values, while the halves of the second half are
swapped each time.
After every group of four regular Quadibloc IV rounds except the last four, the halves of the block are swapped.
It is assumed that a mere eight rounds of Quadibloc IV will suffice. At least sixteen rounds, however, would be absolutely required were it not for the initial
mixing and whitening rounds. This is because four rounds are, in a sense, really only one round.
Finally, using 64-bit subkey LK2, the operations of the mixing/whitening rounds are performed in reverse order. The Pseudo-Hadamard Transform is replaced by
its inverse, and so are the two fixed byte permutations. But the groups of four mini-Feistel rounds stay the same (instead of being inversed by having left and right
bytes switched), and the ICE-style swap is its own inverse.
The steps involved in the final mixing/whitening step may be made clearer by this diagram:
The Key Schedule
Although, when compared with the method for generating the key schedule for Quadibloc II and Quadibloc III, many shortcuts are taken in the method used for
Quadibloc VI, it will be seen that key generation for Quadibloc VI is still long and complicated.
Quadibloc VI with eight regular rounds uses the following subkey material:
● Eighty 32-bit subkeys, designated K1 through K80, ten of which are used for each regular round which contains two rounds of GoodStuff encipherment;
● Eight banks of seven 32-bit subkeys used in the Quadibloc S type rounds which are applied to the right half of the block, which may be designated V1
through V56;
● The key-dependent S-boxes S10 and S11, each of which contains 256 random 16-bit entries;
● Two 64-bit subkeys, LK1 and LK2;
● The key-dependent S-box S8, which contains the bytes 0 to 255 in random order;
● A key-dependent table with 256 entries, each entry being a triple of three distinct integers from 1 to 7, which will contain all 210 possible arrangements
once, and 46 of those arrangements twice, for use in selecting subkeys from the subkey pool for the Quadibloc S type rounds applied to the right half of the
block.
For what follows, the first three items in the list above are to be considered to be stored in order contiguously in memory.
First, initially fill the key-dependent S-box S11 as follows:
<key> 1 <key> 1 2 <key> 1 2 3 <key>
that is, repeat the key, following it each time by a series of bytes with successive values that is one byte longer.
Then generate initial values for subkeys K1 through K80, pooled subkeys V1 through V56, and the contents of key-dependent S-box S10 (as well as an initial
value for key-dependent S-box S8) by generating 1056 bytes
( (80*4) + (56*4) + (256*2) =

320 + 224 + 512 = 1056 )
through the following procedure: take a copy of the key, and appended to that copy, after its last byte, is a byte equal to the inverse, the bitwise negation, or one's
complement, of the XOR of all the bytes of the original key. This ensures the key as expanded does not consist entirely of zeroes.
Bytes are then generated from the key by chain addition. This means that a byte is generated as follows: the sum, modulo 256, of the first two bytes of the key is
the generated result; and it is also appended to the end of the key, whose first byte is then removed. (Note that the cipher itself uses XOR only, and not addition
modulo 256.)
The method of producing subkey bytes is a degenerate form of the MacLaren-Marsaglia generator. An array with 256 byte positions, called A(0) to A(255), is
filled by generating 256 bytes by means of chain addition.
Then, a subkey byte is generated as follows:
Generate two bytes by chain addition. Call these bytes p and q.
The byte to be used in a subkey is the current value of A(q).
Replace A(q) with p.
The initial value for the key-dependent S-box S8 is generated concurrently with subkey generation by means of the use of two additional arrays, B(0) to B(255)
and C(0) to C(255).
These two arrays are initialized so that B(0) contains 0, B(1) contains 1, and so on, and C also contains the 255 byte values in order as well.
Then, each time a value is stored in a location of A, both the 256 initial values, and the value stored in A(q) each time a subkey byte is generated, the following
procedure is performed:
Let p be the value being stored in the array A, and let q be the index in A of where it is being stored.
If B(q) equals p, then we are finished.
Otherwise:
Store the value of B(q) in v.
Swap element q and element C(p) of array B. (Element C(p) of array B will equal p.)
Store the value of C(p) in w.
Store q in C(p) (since B(q) now has p stored in it), and store w in C(v) (since our swap placed v, the former value of B(q), in B(w) which originally contained p).
Once all the subkeys are generated, starting from the first (most significant) byte of subkey 1, and ending with the last (least significant) byte of subkey 12, the
contents of the array B are used as the key-dependent S-box.
Once these portions of the required subkey material have inital values assigned to them (LK1 and LK2, as well as the table used to choose subkey pool values for
the Quadibloc S part of a round are still empty), we will encipher the contents of S-box S11 as follows:
Four entries in S-box S11, or eight bytes, will be enciphered at a time. Using the initial values of S8 and S10, and the value of S11 upon entry to the encipherment
of four more entries in it, the encipherment of the right half of the block during a regular Quadibloc VI round will be performed, with the following subkeys:
Subkey material Entries in S11

used enciphered
K1 to K10 S11(0) to S11(3)

K11 to K20 S11(4) to S11(7)
...
K71 to K80 S11(28) to S11(31)
V1 to V10 S11(32) to S11(35)
...
V41 to V50 S11(48) to S11(51)
V51 to V56,
S10(0) to S10(7) S11(52) to S11(55)
S10(8) to S10(27) S11(56) to S11(59)
S10(28) to S10(47) S11(60) to S11(63)
...
S10(108) to S10(127) S11(76) to S11(79)
After the first encipherment, the entries in S11 to be enciphered will first be XORed with the result of the previous encipherment, after that result has been rotated
left by two bytes.
Then, the first 80 (16-bit) entries in S11 are swapped with the first 40 (32-bit) subkeys for GoodStuff encipherment.
Starting with the first byte in K41, and continuing to the last byte in S11(255), each byte in this contiguous array of subkey material except for the first 40
GoodStuff subkeys is now modified as follows:
New Byte(n) = Old Byte(n) XOR

Byte(n-1) XOR
S8( Byte(n-158) + Byte(n-160) )
Next, the second 80 entries in S11 are enciphered, S11(80) through S11(159), two at a time, using the left half of a regular Quadibloc VI round as above, once
again using the subkeys in the order above for the encipherment, starting with subkeys K1 through K10, and are swapped after encipherment with the second group
of 40 subkeys for GoodStuff encipherment.
Once again, after the first encipherment in this group of encipherments, the entries in S11 to be enciphered will first be XORed with the result of the previous
encipherment, after that result has been rotated left by two bytes.
Then, the last 112 entries in S11, S11(144) through S11(255), are enciphered by the same method, and are afterwards swapped with V1 through V56. This time,
the subkey material used will extend into the start of S11, as illustrated by the table below:

used enciphered
K1 to K10 S11(144) to S11(147)

K11 to K20 S11(148) to S11(151)
...
K71 to K80 S11(172) to S11(175)
V1 to V10 S11(176) to S11(179)
...
V41 to V50 S11(192) to S11(195)
V51 to V56,
S10(0) to S10(7) S11(106) to S11(199)
S10(8) to S10(27) S11(200) to S11(203)
S10(28) to S10(47) S11(204) to S11(207)
...
S10(108) to S10(127) S11(220) to S11(223)
...
S10(208) to S10(227) S11(240) to S11(243)
S10(228) to S10(247) S11(244) to S11(247)
S10(248) to S10(255),
S11(0) to S11(11) S11(248) to S11(251)
S11(12) to S11(32) S11(252) to S11(255)
And again, after the first encipherment in this final group of encipherments, the entries in S11 to be enciphered will first be XORed with the result of the previous
Starting with the first byte in S10(0), and continuing to the last byte in S11(255), the bytes in the array of subkey material are modified, possibly repeatedly, by the
formula:

Byte(n-1) XOR
S2( Byte(n-542) + Byte(n-544) )
where the values n-542 and n-544 begin, on the first pass, as pointing into K1 to K80, and then V1 to V56, but afterwards are confined to the area from the start of
S10 to the end of S11. As this process is performed when the final value of S8 is produced, the fixed S-box S2 is now used.
The old value of Byte(n) is made available to other subkey generation processes, specifically the generation of the control table for Quadibloc S-type subkeys and
of the final value of S8, and this process is repeated only as many times as these processes require input.
First, an array is filled with the first 46 numbers from 0 to 219 in the initial value of S8, followed by the numbers 0 to 219 in order.
Then, a permutation is produced from several blocks of 256 values generated as old Byte(n) values from the shift-register process above applied to the area from
V1 to S11(255), utilizing the following procedure (as seen in Quadibloc II and Quadibloc III):
● Each permutation is generated by the use of either 512, or, under some rare circumstances, only 256, bytes.
● A permutation is generated as follows:
❍ Begin with three arrays of 256 numbers, the first of which is filled with the numbers from 0 to 255 in order. The arrays must also be able to hold the
value -1. The second and third arrays are filled with -1.
❍ For each byte used: let the value of the byte be called N, and let I be a counter which starts at 0 for the first byte, incrementing with each byte used,
and ending at 255.

❍ Then, for each byte:
■ If element N of the first array is not -1, set element N of the first array to -1, and set element I of the second array to N.
■ Otherwise, store N in the first unused position (the first position containing -1) in the third array.
❍ Once this has been done, if the third array contains any numbers other than -1, proceed as follows:
❍ If there is only one filled (not equal to -1) element in the third array, then there is only one remaining element in the first array, and one element of
the second array equal to -1, so fill the second array with the one available byte, and finish.
❍ If there are only two filled elements in the third array, take the least significant bit of the first filled element. If it is zero, fill the -1 elements of the
second array with the remaining elements of the first array in order; if it is one, do so in reverse order, and finish.
❍ If there are less than 256 filled elements in the third array, repeat them over and over to fill the array. Then, take an additional 256 input bytes (thus,
512 bytes are used except when the first 256 bytes contain two or fewer duplicate bytes) and XOR them with the bytes of the third array.
❍ Now, use the third array to complete the second array by doing the following for II from 0 to 255:
■Let the value of element II of the third array be XX.
■Swap elements II and XX of the first array.
❍ Then, scan through the second array. When an element of the second array is -1, fill it with the corresponding element of the first array (if it is not
also -1) and set that element of the first array to -1.
❍ If there are any -1 elements left in the second array, fill them with the elements of the first array that are not -1 in order.
● When this procedure is completed, the contents of the second array are the desired permutation.
Once the permutation is generated, replace every element in it as follows: if the value of that element is N, replace it with element N of the array filled, based on
the initial value of S8, with numbers from 0 to 209, 46 of them twice.
These numbers from 0 to 209 then need to be converted to triples used for selecting subkeys from a group of seven subkeys in the V1 to V56 group. The numbers
from 0 to 34 will be considered to represent triples of distinct numbers in ascending order in numerical order:
0 1 2 3 7 1 3 6 14 1 6 7 21 2 4 7 28 3 5 6
1 1 2 4 8 1 3 7 15 2 3 4 22 2 5 6 29 3 5 7
2 1 2 5 9 1 4 5 16 2 3 5 23 2 5 7 30 3 6 7
3 1 2 6 10 1 4 6 17 2 3 6 24 2 6 7 31 4 5 6
4 1 2 7 11 1 4 7 18 2 3 7 25 3 4 5 32 4 5 7
5 1 3 4 12 1 5 6 19 2 4 5 26 3 4 6 33 4 6 7
6 1 3 5 13 1 5 7 20 2 4 6 27 3 4 7 34 5 6 7
and then this sequence is repeated but with the three elements in each of the other five of the six possible orders to make all 210 combinations:
0 1 2 3 1 1 2 4 ... 34 5 6 7
35 1 3 2 36 1 4 2 ... 69 5 7 6
70 2 1 3 71 2 1 4 ... 104 6 5 7
105 2 3 1 106 2 4 1 ... 139 6 7 5
140 3 1 2 141 4 1 2 ... 174 7 5 6
175 3 2 1 176 4 2 1 ... 209 7 6 5
Now, generate another permutation by the method above. Then, the final value of S8 is produced as follows: for i from 0 to 255, let N equal element i of the old
value of S8, and set element N of the final value of S8 (stored in another array) to be element i of this permutation.
Finally, using our shift register method as applied to V1 through S11(255), acquire sixteen more bytes by replacing their old values with new ones; the old values
taken will be LK1 and LK2.
The key-dependent byte permutations used between the mixing/whitening rounds and the regular rounds are generated as follows:
The one performed after the first mixing/whitening round is obtained by taking the bytes in the final form of S-box S8 of the form 0x, and using their least
significant nibbles to indicate which position each byte of the block will be moved to. This is the dispatch form of the permutation, which is the opposite of the one
used to describe bit and byte transpositions in the description of the Quadibloc ciphers. The one performed after the regular rounds is generated from the bytes of
the form 8x, but is in fetch form, the least significant nibble of each of these bytes indicating the source from which each byte of the result is obtained.
Key generation is now complete.
Variations of Quadibloc VI
Although Quadibloc VI would absolutely need sixteen rounds if the mixing/whitening stages were absent, that does not mean that sixteen rounds are not a good
idea in any case. With sixteen rounds, the required key material consists of:
● One hundred and sixty 32-bit subkeys, designated K1 through K160, ten of which are used for each regular round which contains two rounds of GoodStuff
encipherment;
● Sixteen banks of seven 32-bit subkeys used in the Quadibloc S type rounds which are applied to the right half of the block, which may be designated V1
through V112;
● The key-dependent S-boxes S10 and S11, each of which contains 256 random 16-bit entries;
● Two 64-bit subkeys, LK1 and LK2;
● The key-dependent S-box S8, which contains the bytes 0 to 255 in random order;
● A key-dependent table with 256 entries, each entry being a triple of three distinct integers from 1 to 7, which will contain all 210 possible arrangements
once, and 46 of those arrangements twice, for use in selecting subkeys from the subkey pool for the Quadibloc S type rounds applied to the right half of the
block.
The key generation process closely parallels that for eight rounds, with small changes as follows:
Once again, we begin by filling the key-dependent S-box S11 as follows:
<key> 1 <key> 1 2 <key> 1 2 3 <key>
that is, repeat the key, following it each time by a series of bytes with successive values that is one byte longer.
Then generate initial values for subkeys K1 through K160, pooled subkeys V1 through V112, and the contents of key-dependent S-box S10 (as well as an initial
value for key-dependent S-box S8) by generating 1376 bytes
( (160*4) + (112*4) + (256*2) =

640 + 224 + 512 = 1376 )
through the degenerate MacLaren-Marsaglia procedure from Quadibloc S, and the permutation generated as its side effect is the initial value for S-box S8.
Once these portions of the required subkey material have inital values assigned to them (LK1 and LK2, as well as the table used to choose subkey pool values for
the Quadibloc S part of a round are still empty), we will encipher the contents of S-box S11 as follows:
Four entries in S-box S11, or eight bytes, will be enciphered at a time. Using the initial values of S8 and S10, and the value of S11 upon entry to the encipherment
of four more entries in it, the encipherment of the right half of the block during a regular Quadibloc VI round will be performed, with the following subkeys:

used enciphered
K1 to K10 S11(0) to S11(3)

K11 to K20 S11(4) to S11(7)
...
K151 to K160 S11(60) to S11(63)
V1 to V10 S11(64) to S11(67)
...
V101 to V110 S11(104) to S11(107)
V111 to V112,
S10(0) to S10(15) S11(108) to S11(111)
S10(16) to S10(35) S11(112) to S11(115)
S10(36) to S10(55) S11(116) to S11(119)
...
S10(236) to S10(255) S11(156) to S11(159)
After the first encipherment, the entries in S11 to be enciphered will first be XORed with the result of the previous encipherment, after that result has been rotated
left by two bytes.
Then, the first 160 (16-bit) entries in S11 are swapped with the first 80 (32-bit) subkeys for GoodStuff encipherment.
Starting with the first byte in K81, and continuing to the last byte in S11(255), each byte in this contiguous array of subkey material except for the first 80
GoodStuff subkeys is now modified as follows:

Byte(n-1) XOR
S8( Byte(n-318) + Byte(n-320) )
Next, entries S11(80) through S11(240) in S11 are enciphered, two at a time, using the left half of a regular Quadibloc VI round as above, once again using the
subkeys in the order above for the encipherment, starting with subkeys K1 through K10, and are swapped after encipherment with the second group of 80 subkeys
for GoodStuff encipherment.
Once again, after the first encipherment in this group of encipherments, the entries in S11 to be enciphered will first be XORed with the result of the previous
Then, the last 224 entries in S11, S11(32) through S11(255), are enciphered by the same method, and are afterwards swapped with V1 through V112. This time,
the subkey material used will extend into the start of S11, as illustrated by the table below:

used enciphered
K1 to K10 S11(32) to S11(35)

K11 to K20 S11(36) to S11(39)
...
K151 to K160 S11(92) to S11(95)
V1 to V10 S11(96) to S11(99)
...
V101 to V110 S11(136) to S11(139)
V111 to V112,
S10(0) to S10(15) S11(140) to S11(143)
S10(16) to S10(35) S11(144) to S11(147)
S10(36) to S10(55) S11(148) to S11(151)
...
S10(216) to S10(235) S11(184) to S11(187)
S10(236) to S10(255) S11(188) to S11(191)
S11(0) to S11(19) S11(192) to S11(195)
...
S11(200) to S11(219) S11(232) to S11(235)
At this point, the subkey material required has caught up with the bytes we are attempting to encipher, and so we return to the beginning of the available subkey
material, as follows:

used enciphered
K6 to K15 S11(236) to S11(239)

K16 to K25 S11(240) to S11(244)
...
K46 to K55 S11(252) to S11(255)
And again, after the first encipherment in this final group of encipherments, the entries in S11 to be enciphered will first be XORed with the result of the previous
Starting with the first byte in S10(0), and continuing to the last byte in S11(255), the bytes in the array of subkey material are modified, possibly repeatedly, by the
formula:

Byte(n-1) XOR
S2( Byte(n-862) + Byte(n-864) )
where the values n-862 and n-864 begin, on the first pass, as pointing into K1 to K160, and then V1 to V112, but afterwards are confined to the area from the start
of S10 to the end of S11. As this process is performed when the final value of S8 is produced, the fixed S-box S2 is now used.
The old value of Byte(n) is made available to other subkey generation processes, specifically the generation of the control table for Quadibloc S-type subkeys and
of the final value of S8, and this process is repeated only as many times as these processes require input.
First, an array is filled with the first 46 numbers from 0 to 219 in the initial value of S8, followed by the numbers 0 to 219 in order.
Then, a permutation is produced from several blocks of 256 values generated as old Byte(n) values from the shift-register process above applied to the area from
V1 to S11(255), utilizing the procedure for generating permutations from Quadibloc II and Quadibloc III.
Once the permutation is generated, replace every element in it as follows: if the value of that element is N, replace it with element N of the array filled, based on
the initial value of S8, with numbers from 0 to 209, 46 of them twice.
These numbers from 0 to 209 then need to be converted to triples used for selecting subkeys from a group of seven subkeys in the V1 to V56 group.
Now, generate another permutation by the method above. Then, the final value of S8 is produced as follows: for i from 0 to 255, let N equal element i of the old
value of S8, and set element N of the final value of S8 (stored in another array) to be element i of this permutation.
Finally, using our shift register method as applied to V1 through S11(255), acquire sixteen more bytes by replacing their old values with new ones; the old values
taken will be LK1 and LK2.
And hence ends key generation for Quadibloc VI with sixteen rounds.
Next
Start of Section
Table of Contents
Main Page
Home Page
Quadibloc S
Quadibloc S is a block cipher with a 64-bit block, based on the original QUADIBLOC, but
including in its f-function one feature from Quadibloc II, while omitting the use of S-box S2
on the half of the block being modified.
The version with four rounds is being specifically proposed here. Since each f-function
involves three table lookups, even this could be considered to be comparable, at least in the
time taken, to 12-round DES. That means that six rounds (comparable to 18) would be
acceptably fast: but the four round version is being considered specifically to examine what
sort of cryptanalytic attacks are possible.
It may be that Quadibloc S with eight rounds, except for the fact of a 64-bit block size, would
be secure enough for actual use. Certainly, it should be secure with sixteen rounds, being
comparable to original QUADIBLOC. Also, a key schedule is used that should be more secure
than that of the original QUADIBLOC, but much less complicated than that of Quadibloc II.
The Rounds
Each round proceeds as follows:
A copy of the right half, which will actually be unchanged by this round, is taken.
This now describes the f-function:
The copy is XORed with the round's first subkey (subkey 1 for round 1, subkey 4 for round 2,
to subkey 10 for round 4).
Then, each byte is replaced by its substitute in S-box 1, whose contents are given in the section
on Euler's Constant and the Quadibloc S-Boxes.
The bits of the result, considered to be numbered from 1 (most significant bit of the first,
leftmost byte) to 32 (least significant bit of the last, rightmost byte) following the pattern in
DES, are to be transposed so that these bits are then in the order below, still labelled with their
previous positions:
1 2 27 28 21 22 15 16
9 10 3 4 29 30 23 24
17 18 11 12 5 6 31 32
25 26 19 20 13 14 7 8
The result is then XORed with the second subkey for the round. Then, S-box S1 and the bit
transposition are applied again, and the result of that is XORed with the third subkey for the
round.
Then, the four bytes of the result are replaced with their substitutes in a key-dependent S-box.
This produces the final result, which is XORed with the left half of the block. This change to
the value of the block is the end product of the round. Finally, in all rounds but the last one, the
two halves of the block are swapped.
The operation of a round of Quadibloc S is illustrated by this diagram:
The Key Schedule
The key consists of four or more bytes.
The first step of key generation is this: appended to the key, after its last byte, is a byte equal to
the inverse, the bitwise negation, or one's complement, of the XOR of all the bytes of the
original key. This ensures the key as expanded does not consist entirely of zeroes.
Bytes are then generated from the key by chain addition. This means that a byte is generated as
follows: the sum, modulo 256, of the first two bytes of the key is the generated result; and it is
also appended to the end of the key, whose first byte is then removed. (Note that the cipher
itself uses XOR only, and not addition modulo 256.)
The method of producing subkey bytes is a degenerate form of the MacLaren-Marsaglia
generator. An array with 256 byte positions, called A(0) to A(255), is filled by generating 256
bytes by means of chain addition.
The key-dependent S-box is generated concurrently with subkey generation. Two additional
arrays, B(0) to B(255) and C(0) to C(255), are used in this process.
These two arrays are initialized so that B(0) contains 0, B(1) contains 1, and so on, and C also
contains the 255 byte values in order as well.
Then, each time a value is stored in a location of A, both the 256 initial values, and the value
stored in A(q) each time a subkey byte is generated, the following procedure is performed:
Let p be the value being stored in the array A, and let q be the index in A of where it is being
stored.
If B(q) equals p, then we are finished.
Otherwise:
Store the value of B(q) in v.
Swap element q and element C(p) of array B. (Element C(p) of array B will equal p.)
Store the value of C(p) in w.
Store q in C(p) (since B(q) now has p stored in it), and store w in C(v) (since our swap placed
v, the former value of B(q), in B(w) which originally contained p).
Once all the subkeys are generated, starting from the first (most significant) byte of subkey 1,
and ending with the last (least significant) byte of subkey 12, the contents of the array B are
used as the key-dependent S-box.
Test Vectors
The following is output from a short BASIC program which implements four-round Quadibloc
S.
Keys and the block are shown as sequences of bytes, from first to last, represented as decimal
numbers from 0 to 255, for simplicity in programming.
Encipherment of an all-zero block with a four-byte all-zero key.
Subkeys for the given key are:

1 ) 98 96 250 128
2 ) 239 154 244 76
3 ) 131 160 14 28
4 ) 0 255 116 10
5 ) 215 163 226 153
6 ) 64 16 220 185
7 ) 239 162 182 164
8 ) 127 62 65 112
9 ) 102 221 47 175
10 ) 0 0 255 159
11 ) 21 0 136 184
12 ) 241 165 38 64
The key-dependent S-box contains:

255 63 67 102 181 6 238 9
231 139 89 59 13 253 208 134
66 250 230 254 241 22 246 118
75 170 236 240 200 234 195 148
46 7 74 114 131 50 68 152
92 78 100 202 117 247 227 90
73 141 218 130 164 104 201 179
15 91 228 105 84 190 43 160
21 18 26 232 58 251 83 166
169 226 199 119 177 115 244 77
111 162 137 204 8 248 189 154
38 159 187 225 132 71 39 161
165 198 217 125 110 194 41 155
11 153 51 35 86 25 184 72
252 135 101 211 235 85 23 203
167 242 5 168 120 133 172 124
31 213 107 109 223 140 149 147
122 47 245 49 20 69 237 150
210 174 196 197 138 145 193 54
206 82 99 81 17 129 126 30
188 29 171 96 144 1 128 37
123 176 14 10 143 151 219 3
142 79 16 60 45 221 182 209
76 183 34 94 27 93 70 175
121 65 61 156 19 186 173 28
214 205 103 229 2 192 52 88
56 215 108 220 157 55 243 136
44 207 42 113 180 116 249 32
33 98 106 158 212 222 163 146
185 178 112 53 4 36 62 95
57 12 87 233 239 97 127 40
216 80 224 64 24 0 48 191
Plaintext block is:

0 0 0 0 0 0 0 0
Right half after first subkey is:

98 96 250 128
Right half after first S/P stage:
42 72 142 117
Right half after second subkey is:
197 210 122 57
Right half after second S/P stage:
174 235 31 169
Right half after third subkey is:
45 75 17 181
f-function output:
247 119 250 221
Block after round 1 is:
0 0 0 0 247 119 250 221
247 136 142 215
250 22 190 199
45 181 92 94
43 0 180 25
107 16 104 160
f-function output:
35 66 11 188
247 119 250 221 35 66 11 188

204 224 189 24
55 146 122 31
72 172 59 111
150 191 152 23
240 98 183 184
f-function output:
57 217 209 76
35 66 11 188 206 174 43 145

206 174 212 14
32 81 143 194
53 81 7 122
110 12 227 37
159 169 197 101
f-function output:
30 176 186 194
Enciphered block is:
61 242 177 126 206 174 43 145
Encipherment, with the same 32-bit key of all zeroes, of the

64-bit block
0000000000000000000000000000000000000000000000000000000000000001
Plaintext block is:

0 0 0 0 0 0 0 1

98 96 250 129
26 64 140 245
245 218 120 185
154 185 226 46
25 25 236 50
f-function output:
170 170 4 218
0 0 0 1 170 170 4 218

170 85 112 208
52 64 47 151
227 227 205 14
39 0 195 243
103 16 31 74
f-function output:
155 66 148 199
170 170 4 218 155 66 148 198

116 224 34 98
79 157 125 61
48 163 60 77
27 65 178 232
125 156 157 71
f-function output:
133 17 129 166
155 66 148 198 47 187 133 124

47 187 122 227
140 227 55 41
153 227 191 145
215 41 195 194
38 140 229 130
f-function output:
68 20 222 107
223 86 74 173 47 187 133 124
Encipherment of an all-zero block with the key

00000000000000000000000000000001
Subkeys for the given key are:

1 ) 113 110 181 254
2 ) 123 250 8 142
3 ) 80 161 177 11
4 ) 56 251 144 61
5 ) 73 225 29 205
6 ) 181 16 190 1
7 ) 123 179 56 142
8 ) 222 26 255 191
9 ) 67 237 3 76
10 ) 242 175 217 77
11 ) 0 27 125 190
12 ) 222 139 114 248
The key-dependent S-box contains:

15 5 43 125 188 7 209 68
60 63 193 19 221 102 40 2
175 150 159 85 70 146 184 251
151 246 232 104 26 87 157 34
233 243 215 203 95 162 59 56
136 211 164 208 52 0 16 244
35 4 140 99 69 235 30 107
90 138 72 122 117 212 36 83
88 191 49 134 121 183 42 75
222 169 39 163 119 135 62 132
155 128 67 118 80 82 130 247
3 120 139 194 133 160 105 181
1 97 223 57 214 170 110 17
6 154 248 114 38 230 24 237
148 255 54 89 166 147 53 115
204 20 200 219 64 210 152 71
224 182 174 93 185 220 201 250
149 37 179 171 143 186 156 41
58 73 196 234 161 131 213 86
92 245 207 11 231 81 45 153
189 98 126 55 218 195 27 238
112 44 65 111 100 48 18 167
12 10 29 124 47 91 101 226
46 216 252 253 78 206 198 187
144 22 127 173 108 199 14 165
229 239 61 141 9 76 28 225
113 142 84 177 241 197 94 236
137 116 217 66 109 31 190 129
254 106 240 79 202 25 180 178
50 33 205 13 228 21 176 51
74 249 123 227 242 172 145 168
96 192 77 23 8 32 158 103
Plaintext block is:

0 0 0 0 0 0 0 0

113 110 181 254
171 207 58 116
208 53 50 250
181 120 192 147
229 217 113 152
f-function output:
25 116 255 92
0 0 0 0 25 116 255 92

33 143 111 97
109 240 44 94
36 17 49 147
158 76 216 205
43 92 102 204
f-function output:
208 133 110 9
25 116 255 92 208 133 110 9

171 54 86 135
238 34 203 94
48 56 52 225
50 141 65 164
113 96 66 232
f-function output:
255 1 49 50
208 133 110 9 230 117 206 110

20 218 23 35
130 158 232 13
130 133 149 179
14 74 147 130
208 193 225 122
f-function output:
113 22 106 200
161 147 4 193 230 117 206 110
Next
Start of Section
Table of Contents
Main Page
Quadibloc VII
Quadibloc VII is an attempt to embody the principles found in the Large-Key
Brainstorm within the compass of a block cipher.
The subkey material it uses consists of:
● Two S-boxes, each containing 256 entries, each entry being 16 bits in length;
(1024 bytes)
● Thirty-two subkeys, four for each of eight rounds, each 16 bits in length; (64
bytes)
● Ninety-six subkey pools, each one containing 16 subkeys, each subkey being 16
bits in length, (3072 bytes)
for a total of 4,160 bytes of subkey material.
The Rounds
The first two rounds of Quadibloc VII look like this:

In Quadibloc VII, the 128-bit block is divided into four quarters, of 32 bits each, each
of which is further divided into two 16-bit halves. Each round of Quadibloc VII
consists of four Feistel rounds performed on each of these pairs of 16-bit halves.
The XOR of the two halves of the first 32-bit quarter after two Feistel rounds is used to
control, for each of the four Feistel rounds performed on the next quarter, which of
sixteen possible subkeys are used.
After every odd-numbered round, the eight 16-bit subblocks are permuted to the
following order (expressed in terms of a list of the sources of the subblocks after the
permutation):
7 6 1 8 3 2 5 4
thus, the left halves move to the next later quarter, and the right halves move to the
corresponding position in the other half of the entire block.
After every even-numbered round except the last, the eight 16-bit subblocks are
permuted to the following order (expressed in terms of a list of the sources of the
subblocks after the permutation):
7 4 1 6 3 8 5 2
thus, the left halves move to the next later quarter, and the right halves move to the
next earlier quarter.
This diagram illustrates, by color-coding, how the pieces of the block move during the
8 rounds of Quadibloc VII:
and here is a table showing this in text form:
(1) [2] 3 4 5 6 7 8
7 6 (1) 8 3 [2] 5 4
5 8 7 [2] (1) 4 3 6
3 4 5 6 7 8 (1) [2]
(1) 6 3 8 5 [2] 7 4
7 2 (1) 4 3 6 5 8
5 4 7 6 (1) 8 3 [2]
3 8 5 [2] 7 4 (1) 6
The paths of the first left half and the first right half are indicated by brackets. Note that
the first left half, 1, is enciphered:
with right half in rounds

2 1, 4
4 3, 6
6 5, 8
8 7, 2
thus ensuring that the blocks affect the other blocks by being enciphered with them in
the small Feistel rounds, in addition to affecting them by modifying their encipherment
through the use of the subkey pools.
The f-function is merely the XOR of the value in S10 indexed by the leftmost half of
the input with the value in S11 indexed by the rightmost half of the input.
The Key Schedule
While the round structure of Quadibloc VII is impressive, as is to be expected given the
large amount of subkey material it consumes, as there are only two S-boxes in the
cipher, both of them key-dependent, the cipher is still only as good as its key schedule.
Initially, the subkeys will be filled in the following order: first the 96 subkey pools,
then the two S-boxes (first S10, then S11, from entry 0 to entry 255 each), then the 32
fixed subkeys. And they will be initially filled by means of almost the same key
generation method as used in Quadibloc S:
The key consists of two or more bytes.
The key is expanded to prevent a key that is long and of all zeroes in whole or in part
from causing poor results as follows: a key of n bytes is expanded to one of 3n+1
bytes, the last byte of which is a byte equal to the inverse, the bitwise negation, or one's
complement, of the XOR of all the bytes of the original n byte key. The first 3n bytes
of the key alternate between a byte from each of the following sources:
● The n bytes of the original key, in order.
● One of the possible byte values, starting from 127, and incrementing by one
each time.
● The bytes of the original key, in reverse order, inverted, and with 1, 2, 3, and so
on added to them.
Thus, if the original key is 0 128 255, after expansion the key becomes 0 127 1 128 128
129 255 129 2 128.
Bytes are then generated from the key by chain addition. This means that a byte is
generated as follows: the sum, modulo 256, of the first two bytes of the key is the
generated result; and it is also appended to the end of the key, whose first byte is then
removed. (Note that the cipher itself uses XOR only, and not addition modulo 256.)
The method of producing subkey bytes is a degenerate form of the MacLaren-

Marsaglia generator. An array with 256 byte positions, called A(0) to A(255), is filled
by generating 256 bytes by means of chain addition.
Once all the subkeys have been filled by this method, the quantity
01F253A435C607F859AA3BCC0DFE5FA0 is to be enciphered with the temporary
subkeys thus calculated, for the first four rounds of a normal Quadibloc VII
encipherment.
This output is now used as the key from which bytes are generated by chain addition. It
is expanded, but not in the same fashion as the original key: it is only doubled in
length, and the bytes of the key alternate with the bytes of the key in reverse order,
inverted (but without anything added to them). Since 32 is not a number of the form 3n
+1 (unlike 16, which is such a number), both keys are ensured to be different in length.
Then, the degenerate MacLaren-Marsaglia procedure is to be repeated, with the bytes

produced by it XORed with the subkey bytes in order.

Next
Start of Section
Table of Contents
Main Page
Quadibloc VIII
Quadibloc VIII is a design reminiscent of Quadibloc II and Quadibloc III. With a
simple and uniform round structure, it still attempts to make the algorithm itself, not
just the subkeys applied, variable.
Because of the variability in the algorithm, it is not suited to smart card applications, as
it is not resistant to attacks based on timing or power consumption. Also, there could be
weak keys, both because some keys might cause short sequences in the shift registers
used for producing subkeys, and because some keys might lead to duplicate entries in
S10 and S11. The byte interchange between rounds might be questioned. However, I
am of the opinion that the same factors which seem to contribute these weaknesses also
contribute more in strength than they remove, and that the design prevents potential
weaknesses such as these from being exploitable.
It may be noted that this design has drawn inspiration from many quarters. It uses the
bit swap under mask of ICE, and the XOR with subkeys of the left-hand quarter of
each half was inspired by LOKI-97, as was the manner of minimally alternating
between two S-boxes in the f-function in the left half to avoid a rotational symmetry.
The concept of having initial and final mixing and whitening phases, even though the
phases themselves may not much resemble those of MARS, is due to that cipher, and
the notion of placing the algorithm under the control of the key owes something to
FROG. Using the initial mixing and whitening phases to vary where each bit goes in
the algorithm is somewhat similar to the method used in FROG to achieve algorithmic
variability. The basic regular round structure consists of two Feistel rounds, each one
operating between two quarters of the block within one half of the block; RC6 has a
similar basic round structure, but with one important difference: in RC6, the block,
viewed as LRLR, modifies each R portion based on a function involving both its own
L portion and the other one, so that each R portion depends on both L portions. In
Quadibloc VIII, although the block also has an LRLR form, and the first L portion is
transformed in an invertible manner that depends only on the key (instead of being left
alone as in the original Feistel structure), the first R portion depends only on the first L
portion, while the second R portion depends on both L portions, and even the second L
portion is transformed in a way that depends on the first L portion.
Overview of Quadibloc VII
Quadibloc VIII consists of sixteen rounds, with a brief whitening and mixing phase at
the beginning and end of the cipher.
For the purpose of a round, a block is divided into two halves, each half being further
subdivided into two quarters. In each half, the left quarter is used as the input to an f-
function, basically the f-function from Quadibloc S and Quadibloc II and others, and
the output is XORed with the right quarter.
Before and after being used as the input to the f-function, the left quarter is put through
one of two keyed transformations. The same is done with the right quarter before and
after being XORed with the output from the f-function.
The left quarter only, at the beginning and end of the round, is XORed with subkey
material.
For the left half only, an extra output is derived from the calculation of the f-function.
This extra output supplies bits which have a nonlinear effect on transformations applied
to the right quarter of the left half, and to both quarters of the right half.
● The Standard Rounds

● The Mixing and Whitening Phase
● The Key Schedule
● The Rationale of the Design
Next
Start of Section
Table of Contents
Main Page
The Standard Rounds

The basic round of Quadibloc VIII consists of two connected Feistel rounds, each performed on one half of the
block. Every effort has been made to supply a complete description of the algorithm in the text, but reference to
the illustrations may make it easier to understand. Also, if any ambiguity is left, it should be understood that this
cipher was conceptualized according to big-endian conventions; in all cases, the leftmost bits of any byte or word
correspond to its most significant bits when it is considered as a number.
The left half

The following diagram illustrates the part of a Quadibloc VIII round that acts on the left half of the block:
The left quarter of the left half
The left quarter of the left half of the block is first modified by being XORed with a 32-bit subkey (in the case of
the first round, this is subkey 49, and the number is advanced by 2 with each round). Then it is subjected to one
of two possible transformations: either it is divided into four bytes, and each pair of bytes is enciphered through a
two small-scale Feistel rounds, using key-dependent S-box S8 as the f-function, or it is divided into two 16-bit
portions which are enciphered by two Feistel rounds.
The result of that transformation is used as the input to the f-function.
Then, the other of the two possible transformations is performed on the left quarter of the left half of the block,
and finally another 32-bit subkey is XORed with it (subkey 50 in the first round, advanced by 2 for each
succeeding round).
The two small transformations of a 32-bit quarter of the block are, in detail, as follows:
In the first transformation, numbering the bytes from 1 to 4 from left to right, first byte 2 of the block is
changed by being XORed with the byte of S8 indicated by byte 1 of the block XORed with byte 1 of the subkey,
and at the same time byte 4 of the block is changed by being XORed with the byte of S8 indicated by byte 3 of
the block XORed with byte 2 of the subkey. (These XORs, and those in the next paragraph, may be changed to
modulo-256 addition, under circumstances to be noted below.)
Subsequently, byte 1 of the block is changed by being XORed with the byte of S8 indicated by byte 2 of the
block (in its current modified state) XORed with subkey byte 3, and at the same time byte 3 of the block is
changed by being XORed with the byte of S8 indicated by byte 4 of the block (in its current modified state)
XORed with subkey byte 4.
Thus, the block is divided into two halves; each half is subjected to two Feistel rounds in place, and the input to
the f-function comes first from the byte on the left, and then in the second round from the byte on the right. The
key-dependent S-box provides the f-function.
In the second transformation, the 32-bit block is split into two 16-bit halves. Two Feistel rounds take place,
with the left half initially supplying the input to the f-function. The f-function begins with the input being
XORed to 16 bits of subkey (the left half in the first round, the right half in the second, of a 32-bit subkey); then,
the left half of the result is used to index into key-dependent S-box S10, and the right half of the result is used to
index into key-dependent S-box S11. The two items found are then added (with the left byte being the most
significant), and the result is the f-function output. The round is completed by modifying the target half of the
block by XORing it with the f-function output.
Considering 32-bit subkey 721 as being composed of bits numbered from 1 to 32 from left to right, bit 1, if it is a
1, changes all the XORs in the first transformation when it is applied to the left quarter of the left half of the 128-
bit block in the first round to additions, both those where the subkey is XORed to the index into S8, and where
the output from S8 is XORed to a byte of the block.
This is done by bits 2 through 16 in rounds 2 through 16.
Bit 17, if it is a 1, causes the second of the two transformations, the one which acts on 16-bit halves of the 32-bit
quarter, to take place first, in the first round. Bits 18 through 32 do this for rounds 2 through 16.
The f-function
The f-function used in Quadibloc VIII is essentially the same f-function as seen in Quadibloc II and Quadibloc S,
except with the use of different S-boxes and, in the case of the left half, an intermediate result is taken, which is
not the same as the one taken in Quadibloc III, which also uses an otherwise similar f-function.
The f-function consists of three general types of phase: S, for substitution, P, for bit-permutation, and X, for the
XOR of subkey material. The f-function used here is of the type XSPXSPXS. By having two full SP layers,
changing a single bit of the input always affects the entire f-function output, and therefore the avalanche property
of Quadibloc S is considerably stronger than that of DES; in return for a slower f-function, a single bit change in
the input block propagates to the whole block after only four rounds instead of eight.
The first S phase uses S-boxes 1, 1, 1, and 2 in order from left to right, and the second uses S-boxes 1, 2, 2, and 2
from left to right. S1 and S2 are as described in the description of previous ciphers in the Quadibloc series,
having been generated from Euler's constant.
The bit permutation used is a straightforwards one, where the first (leftmost) two bits of each byte remain in
position, the next two bits are rotated one byte to the right, the third pair of bits rotated 16 bits, and the last
(rightmost) two bits of each byte are rotated one byte to the left. Again, this is given in the description of the
original Quadibloc cipher.
The third S-phase replaces all the bytes with their substitutes in key-dependent S-box S8.
The subkeys XORed with the f-function input are subkeys 1, 2, and 3 in the first round, and the subkey numbers
are offset by 3 with each succeding round (thus, subkeys 4, 5, and 6 are used in round 2).
An auxilliary result is also produced from the f-function for the left half of the block. This result is the XOR of
the current values in the f-function after, of the complete f-function, in the form XSPXSPXS, the parts from the
beginning labelled XSP and the parts XSPXSP have been done.
For the remaining three quarters of the block, the auxilliary result will be used to control the order of the two
transformations applied to a single quarter, and whether, for the transformation of the first kind (which may be
done first or second) XORs or single-byte additions are used, in the fashion that subkey 721 controlled this for
the first quarter. Other bits of the auxilliary result will be used to select subkeys for use in subsequent
encipherment from a set of four possible values, and to select S-boxes from two possibilities for the f-function
used in the right half of the block.
The right quarter of the left half
First, the right quarter of the left half is subjected to one of the two available transformations. If the bits of the
auxilliary output of the f-function are numbered from 1 to 32 from left to right, bit 28, if it is 0, indicates that the
transformation of the first type, using S8 as the f-function, is done first; if it is 1, it indicates that the
transformation with a 16-bit wide f-function is done first. Bit 27 indicates, if it is a 1, that the XORs in the
transformation of the first type uses bytewise additions instead of XORs.
Bits 9 and 10 indicate, as a two bit number, bit 9 being more significant, which of the subkeys 145, 289, 433, or
577 is used for the transformation of the first type (whether it is done first or second), and bits 11 and 12
similarly indicate whether subkey 146, 290, 434, or 578 is used for the transformation of the second type. (In the
next round, and each time one progresses from one round to the next, the number of each subkey in each of these
groups of four subkeys is advanced by 9.)
After the first transformation is performed, the f-function output is XORed with the right quarter of the left half
of the block. Then, the second transformation is performed.
The right half

This diagram illustrates the part of a Quadibloc VIII round that acts on the right half of the block:
In the upper left corner of this diagram, the 32-bit auxilliary output from the f-function in the right half is shown.
As can be seen from comparing the two diagrams, the operations that take place on the right half of the block are
very similar to those which apply to the left half of the block. The main difference is that the 32-bit auxilliary f-
function output came from the left half, and it is used extensively in modifying the encipherment of the right half
(only six of its 32 bits were used to affect the transformations which applied to the right quarter of the left half).
The left quarter of the right half
Here, subkey 113 is first XORed with this quarter. This subkey number advances by 1 with each round, not by 2
as for the left half. Bit 30 of the auxilliary f-function output from the left half controls whether the transformation
of the first type (if 0) or of the second type (if 1) is done first, and bit 29, if 1, selects the use of bytewise addition
in the transformation of the first type.
Again, as before, the value between the two transformations is used as the f-function input. Bits 13 and 14 of the
auxilliary f-function output select the subkey (from 147, 291, 435, and 579) to use for the transformation of the
first type, and bits 15 and 16 select the subkey (from 148, 292, 436, and 580) to use for the transformation of the
second type.
After both transformations, subkey 129 is XORed with this quarter.
The f-function
Again, the same XSPXSPXS structure is used. For the first two S stages, S-boxes 3 and 4 in the sequence
generated from Euler's constant are used. Bits 1 through 8 of the auxilliary f-function output from the left half
determine (0=S-box 3, 1=S-box 4) which S-box is used, for the four bytes of the f-function input in order from
left to right, first in the first stage and then in the second. The third S phase again just substitutes bytes from S-
box S8.
The three subkeys used are selected (in the first round, and advanced by 9 for each succeeding round as
previously noted) from subkeys 149, 293, 437, and 581 for the first XOR, guided by bits 21 and 22 of the
auxilliary f-function output; from subkeys 150, 294, 438, and 582 (in the first round) for the second XOR by bits
23 and 24; from subkeys 151, 295, 439, and 583 (in the first round) for the third XOR by bits 25 and 26.
The right quarter of the right half
Again, here we have two transformations, with the XOR of the f-function output in the middle. Bit 32 controls
which transformation comes first, and bit 30 controls whether XOR or addition is used in the transformation of
the first type. The transformation of the first type uses, in the first round, a subkey from subkeys 152, 296, 440,
and 584, as selected by bits 17 and 18 of the auxilliary output of the f-function in the left half, and the
transformation of the second type uses a subkey from subkeys 153, 297, 441, and 585, as selected by bits 19 and
20 of the auxilliary output of the f-function from the left half.
Byte Interchange
After each round of Quadibloc VIII, except round 16, the 16 bytes of the block are rearranged from being in the
order
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
to being in the order:
16 8 5 6 12 10 3 1 13 15 7 14 4 2 11 9
Next
Start of Section
Table of Contents
Main Page
Mixing and Whitening

The mixing and whitening phase on entry to the cipher is illustrated below:
Since mixing consists of Feistel round operations on pairs of bytes, ICE-style bit
swapping is first applied to move half the bits from the left to the right side of that
operation (and vice versa).
Then, after two rounds of mixing, an ICE-style swap moves half the bits from the left
half of the block to the right half of the block (and vice versa), making it uncertain
whether any bit is in the left-hand side simple Feistel round or in the right-hand side
controlled Feistel round to begin with.
Finally, after two more rounds of mixing, and ICE-style swap moves bits between the
left and right quarters of each half, randomizing what side of the f-function they start
out on.
On exit from the cipher, the masks M4, M5, and M6 are applied in order, and the
Feistel rounds applied to pairs of bytes still use the left byte as input to the f-function
first, as illustrated below:
The masks are produced by applying a 4 of 8 code to subkey material, guaranteeing

that exactly four of the eight bits in any byte are swapped in each swapping step.
Next
Start of Section
Table of Contents
Main Page
The Key Schedule

The key material used by Quadibloc VIII consists of:
● Six 64-bit swap masks, M1 through M6, each produced from 48 bits of normal subkey
material (specifically, the least significant 6 bits of each byte of 64 bits of normal
subkey material) by the use of a 4 of 8 code;
● One key-dependent S-box, S8, consisting of a permutation of the numbers from 0 to
255;
● Two key-dependent S-boxes, S10 and S11, each consisting of 256 16-bit values;
● Seven hundred and twenty-one 32-bit subkeys, organized as follows:
❍ 48 subkeys, from K1 through K48, used with the f-function in the left half;
❍ 32 subkeys, from K49 through K80, used to XOR with the left quarter of the
left half of the block at the beginning and end of each round;
❍ 16 subkeys, from K81 through K96, used as input to the transformation of the
first type applied to the left quarter of the left half of the block;
❍ 16 subkeys, from K97 through K112, used as input to the transformation of the
second type applied to the left quarter of the left half of the block;
right half of the block at the beginning of each round;

right half of the block at the end of each round;

❍ 144 subkeys, from K145 through K288, serving as the first of four entries in
each of nine subkey pools per round;

❍ 144 subkeys, from K289 through K432, serving as the second of four entries in

❍ 144 subkeys, from K433 through K576, serving as the third of four entries in

❍ 144 subkeys, from K577 through K720, serving as the fourth of four entries in

❍ One subkey, K721, which determines the order of transformations, and the use
of XOR or byte-wide addition in the transformation of the first kind, for the
left quarter of the left half of the block in each round.
The key, which must be a multiple of 32 bits in length, is expanded into four different strings
of bytes as follows:
1. The first string consists of the key, with the one's complement of the modulo 256 sum
of all the bytes in the key appended.
2. The second string consists of the bytes in the key in normal order, alternating with the
one's complement of the bytes of the key in reverse order.
3. The third string consists of the bytes of the key in normal order, alternating with
consecutive numbers starting with 1, and with the bytes of the key in reverse order,
except that the last byte this would produce (a copy of the first byte of the key) is
omitted.
4. The fourth string consists of the bytes of the first half of the key, alternating with the
one's complement of the bytes of the second half of the key, alternating with
consecutive numbers starting with 128, alternating with the one's complement of the
bytes in the first half of the key in reverse order, but with the last byte this would
produce omitted.
Thus, four strings of different length are produced, and the bytes of the key are distributed
through these strings with different spacings. Also, no string can be all zeroes.
For example, given a key consisting of eight bytes with the values 1 2 3 4 5 6 7 8, the four
strings will be
1 2 3 4 5 6 7 8 219
1 247 2 248 3 249 4 250 5 251 6 252 7 253 8 254
1 1 8 2 2 7 3 3 6 4 4 5
5 5 4 6 6 3 7 7 2 8 8
1 251 128 250 2 252 129 249 3 253 130 248 4 254 131
Each of these four strings is used to produce bytes by chain addition. A cycle of chain
addition proceeds as follows: The modulo-256 sum of the first two bytes of the string is
calculated. This value is the current output from the process. The string is modified by having
its first byte removed, and the calculated sum appended to the end of the string.
A source of subkey bytes is set up as follows:
● 256 bytes are produced by chain addition from the first string. These fill 256-byte
buffer 1. 256 bytes are produced by chain addition from the second string. These fill
256-byte buffer 2.
● When bytes are produced, the four strings, from first to fourth, will be rotated between
the designations of string A, B, C, and D in the following pattern, which repeats for
each four bytes generated:
❍ A: first, B: second, C: third, D: fourth
❍ A: second, B: first, C: third, D: fourth
❍ A: first, B: second, C: fourth, D: third
❍ A: second, B: first, C: fourth, D: third
● To produce a byte of subkey material, string B is subjected to chain addition, and the
value it produces is used as an index into buffer 1. The value in buffer 1 at that point
is removed, and called output X. String A is subjected to chain addition, and the value
it produces replaces the value removed from buffer 1. (This is, of course, the classic
MacLaren-Marsaglia technique.) Similarly, string D is subjected to chain addition,
and the value it produces is used as an index into buffer 2. The value at this point is
removed, and becomes output Y, and is replaced by the output from subjecting string
C to chain addition.
● The XOR of outputs X and Y is used as the desired byte of subkey material.
At this point, the bytes of subkey material are subjected to a further operation during key
revision, to be described below.
The required subkey material is produced from this byte generator as follows:
● 1024 bytes are generated, to form the contents of S10 and S11.
● A permutation of the bytes from 0 to 255 is produced from generator output, in a
fashion to be described below, and this permutation will be called P.
● 2884 bytes are generated, forming the 721 32-bit subkeys.
● Another permutation of the byte values from 0 to 255 is produced. This permutation is
called Q. The S-box S8 can now be calculated, and satisfies the equation Q(S8(x)) = P
(x). Thus, it is produced by applying the inverse of Q to P.
● Six groups of eight bytes are calculated. The first two bits of these bytes are ignored;
the last six bits are used to index into the 4 of 8 code used with Quadibloc, and thus
the masks M1 through M6 are formed. (The original bytes used as input to the 4 of 8
code must be retained if a subsequent key revision phase is to be performed.)
The first byte generated is always used to fill the leftmost byte of a multi-byte subkey.
Here is the 4 of 8 code used for producing the masks:
55 56 59 5A 65 66 69 6A 95 96 99 9A A5 A6 A9 AA
35 36 39 3A C5 C6 C9 CA 53 5C 63 6C 93 9C A3 AC
4D 4E 71 72 8D 8E B1 B2 17 1B 27 2B D4 D8 E4 E8
1D 1E 2D 2E D1 D2 E1 E2 47 4B 74 78 87 8B B4 B8
The basic procedure for generating a permutation, used to produce permutations P and Q
from generator output, is, as used with Quadibloc II, the following:
● Begin with three arrays of 256 numbers, the first of which is filled with the numbers
from 0 to 255 in order. The arrays must also be able to hold the value -1. The second
and third arrays are filled with -1.
● For each of 256 bytes produced by the generator: let the value of the byte be called N,
and let I be a counter which starts at 0 for the first byte, incrementing with each byte
used, and ending at 255.
● Then, for each byte:
❍ If element N of the first array is not -1, set element N of the first array to -1,
and set element I of the second array to N.

❍ Otherwise, store N in the first unused position (the first position containing -1)
in the third array.

● Once this has been done, if the third array contains any numbers other than -1,
proceed as follows:
● If there is only one filled (not equal to -1) element in the third array, then there is only
one remaining element in the first array, and one element of the second array equal to -
1, so fill the second array with the one available byte, and finish.
● If there are only two filled elements in the third array, take the least significant bit of
the first filled element. If it is zero, fill the -1 elements of the second array with the
remaining elements of the first array in order; if it is one, do so in reverse order, and
finish.
● If there are less than 256 filled elements in the third array, repeat them over and over
to fill the array. Then, generate an additional 256 bytes (thus, 512 bytes are used
except when the first 256 bytes contain two or fewer duplicate bytes) and XOR them
with the bytes of the third array.
● Now, use the third array to complete the second array by doing the following for II
from 0 to 255:
❍ Let the value of element II of the third array be XX.
❍ Swap elements II and XX of the first array.
● Then, scan through the second array. When an element of the second array is -1, fill it
with the corresponding element of the first array (if it is not also -1) and set that
element of the first array to -1.
● If there are any -1 elements left in the second array, fill them with the elements of the
first array that are not -1 in order.
Whether the procedure finishes after 256 bytes, or after 512 bytes, from the generator are
used, the contents of the second array when the procedure is concluded are the permutation
produced.
Key Augmentation
There are ten intermediate results within a round that can be used for key augmentation.
These are:
1. The left quarter of the left half of the block, after being subjected to the first of the two
possible alternate operations, and as serves as the input to the f-function;
2. The intermediate result of the left half f-function after the first S-P layer, and before
the XOR of the second subkey input to the f-function;
3. The intermediate result of the left half f-function after the second S-P layer, and
before the XOR of the thirs subkey input to the f-function;
4. The left half f-function output;
5. The right quarter of the left half of the block, after being subjected to the first of the
two possible alternate operations, and before being XORed with the f-function output;
6. The left quarter of the right half of the block, after being subjected to the first of the
two possible alternate operations, and as serves as the input to the f-function;
7. The intermediate result of the right half f-function after the first S-P layer, and before
the XOR of the second subkey input to the f-function;
8. The intermediate result of the right half f-function after the second S-P layer, and
before the XOR of the thirs subkey input to the f-function;
9. The right half f-function output;
10. The right quarter of the right half of the block, after being subjected to the first of the
two possible alternate operations, and before being XORed with the f-function output;
After a key is set up using the key schedule as previously described, the 721 32-bit subkeys
can be modified through key augmentation steps.
A key augmentation step consists of the following:
With the subkey array in whatever state is to be subjected to augmentation:
Encrypt the 128-bit block
00FF0F0F333355550123456789ABCDEF
using Quadibloc VIII, normally, but during each round retain the ten intermediate results
listed above. After the round is concluded, XOR the ten intermediate results, in the order
given, with ten successive subkeys, starting with subkey K145 in the first round. Thus, the
ten intermediate results from the first round are XORed with subkeys K145 through K154,
the ten intermediate results from the second round are XORed with subkeys K155 through
K164, and so on.
After the block encryption is complete, move the subkeys backwards 160 positions in the list
of subkeys. Thus, the former subkeys K1 through K160 become subkeys K562 through
K721; the former subkeys K161 through K721 become subkeys K1 through K561.
Although five key augmentation steps are required to modify all the subkeys, a single key
augmentation step ensures that subkeys K1 through K144, as well as K721, are among the
160 subkeys modified by being XORed with intermediate results, these subkeys being the
most critical, as they are the ones not contained in a group of four subkeys, any one of which
may be used in a given encipherment.
Quadibloc VIII with one key augmentation step is to be called Quadibloc VIII A1, and with
five key augmentations steps, the other standard number, Quadibloc VIII A5.
Modified Key Augmentation
With 721 regular subkeys, including the 1024 bytes contained in the two key-dependent S-
boxes S10 and S11, which are the equivalent of 256 additional subkeys, in what is modified
by key augmentation is not, in fact, impractical.
A modified key augmentation step proceeds exactly as a regular key augmentation step,
except that the buffer moved backwards by 160 subkeys now consists of the 721 subkeys K1
through K721 followed by the 256 entries in S-box S10, where each consecutive pair of
entries forms a subkey, the earliest entry being leftmost, followed by the 256 entries in S-box
S11 in the same form.
Seven key augmentation steps are now required to modify all the subkey material now
exposed to change, and this leads to the variant of Quadibloc VIII to be called Quadibloc
VIII M7. (Alternating regular and modified key augmentation rounds is possible; any pattern
of the form aMMaaaaa where M is a modified key augmentation round, and a is either
regular or modified key augmentation, will result in all the subkey material being fully
modified.)
Also, Quadibloc VIII M3 is sufficient to modify the fixed subkeys K1 through K144, the
subkey K721, and all of S10 and S11. (Again, Quadibloc VII A M2 would suffice for this as
well.)
Key Revision
Because modifying the other portions of subkey material is not simple enough to be done
during a process such as key augmentation, a further process of subkey modification is
provided, called key revision. A key revision step, which is optional, may only be performed
immediately following a key augmentation step. The 128-bit output from the block
encipherment performed to provide a key, which is then used as input to a slightly modified
version of the normal initial key generation process for Quadibloc VIII.
The key used as input for the modified key generation process is the following:
● For the first key revision step, the key is the 160-bit quantity consisting of the 128-bit
block cipher output from the immediately preceding key augmentation step, followed
by its first (leftmost) 32 bits repeated, unless the original key was 160 bits long, in
which case the 128-bit block cipher output is used without being lengthened;
● For the second key revision step, the key is the 192-bit quantity consisting of the 128-
bit block cipher output from the immediately preceding key augmentation step,
followed by its first (leftmost) 64 bits repeated, unless the original key was 192 bits
long, in which case the 128-bit block cipher output is used without being lengthened;
● For the third key revision step, the key is the 224-bit quantity consisting of the 128-bit
block cipher output from the immediately preceding key augmentation step, followed
by its first (leftmost) 96 bits repeated, unless the original key was 224 bits long, in
which case the 128-bit block cipher output is used without being lengthened;
● For the fourth key revision step, the key is the 256-bit quantity consisting of two
repetitions of the 128-bit block cipher output from the immediately preceding key
augmentation step, unless the original key was 256 bits long, in which case the 128-bit
block cipher output is used without being lengthened;
● For the fifth key revision step, the key is the 288-bit quantity consisting of two
repetitions of the 128-bit block cipher output from the immediately preceding key
augmentation step, followed by its first (leftmost) 32 bits repeated, unless the original
key was 288 bits long, in which case the 128-bit block cipher output is used without
being lengthened;
and so on. This ensures that, if multiple key revision steps are performed, each key revision
step uses a key which is different in length both from the original key and from the key used
in all other key revision steps.
With this key, the procedure for initial Quadibloc VIII is followed, except for these changes:
Since a value for the S-box S8 now exists, the bytes generated by the subkey byte generator
are additionally subjected to the following encipherment step before being used, and the
bytes being used begin with that corresponding to the third byte of output from the original
subkey byte generator:
For each byte of output from the original subkey byte generator, the preceding two bytes of
output are enciphered using a two-round Feistel cipher which uses S8 as the f-function. First,
a counter, initialized at 1 and incrementing by 1 is is XORed with the eldest byte, the result
being used to index into S8, and the value found in S8 is XORed with the immediately
preceding byte, modifying it. Then, a counter, initialized at 0 and incrementing by 1, except
that the value 255 is skipped, is XORed with the immediately preceding byte, as modified,
and the result is used to index into S8, and the value found in S8 is XORed with the eldest
byte, modifying it.
The current byte is then used to produce the byte to be used in subkey generation as follows:
● It is replaced by its substitute from S8.

● The modified eldest byte is added to it, modulo 256.
● The modified immediately preceding byte is added to it, modulo 256.
This is as illustrated below:
Thus, the keystream is enciphered in essentially a simple form of CFB mode, except that the
block cipher used is really a stream cipher, since its subkeys are continually changing.
The subkey bytes thus generated are used to modify the existing key schedule, instead of to
replace it, as follows:
● The first 1024 bytes generated are XORed with the contents of S10 and S11.
● A permutation called P is again produced from generator output.
● The next 2884 bytes generated are XORed with the bytes of the 721 32-bit subkeys.
● A permutation called Q is again produced from generator output.
● Six groups of eight bytes are calculated. These are XORed with the raw mask value,
before 4 of 8 coding, left by either the original key schedule or by the previous key
revision step, and then subjected to 4 of 8 coding to provide the six 64-bit mask values
M1 through M6.
● The permutations P and Q are then used to produce the new S8 permutation, S8'(x),
from the previous one, S8(x), such that the following equation is true: S8'(Q(x))=S8(P
(x)). This can be done as follows: for each byte x from 0 to 255, use x as an index into
P; use the result as an index into S8; store the result in the location within S8' found
by using x as an index into Q.
Quadibloc VIII with one key augmentation step, followed by one key revision step, is to be
called Quadibloc VIII A1 R; Quadibloc VIII with seven modified key augmentation steps,
the last of which is followed by a key revision step, is to be called Quadibloc VIII M7 R;
Quadibloc VIII with seven modified key augmentation steps, each of which is followed by a
key revision step, is to be called Quadibloc VIII MR7. Quadibloc VIII with five key
augmentation steps, the last of which is followed by a key revision step, is to be called
Quadibloc VIII A5 R; Quadibloc VIII with five key augmentation steps, each of which is
followed by a key revision step, is to be called Quadibloc VIII AR5.
The key schedule of Quadibloc VIII A1 R should be entirely satisfactory; the more lengthy
variants should not be required for security, although Quadibloc VIII M7 R has, at least, the
argument in its favor that its key schedule tends towards that of Blowfish (which, of course,
however, used only the result of a complete encipherment to modify subkeys, rather than
intermediate results within each round).
Next
Start of Section
Table of Contents
Main Page
Design Rationale
Quadibloc VIII was designed to be a strong cipher not only against attacks which are
currently understood, but also to be likely to be resistant against attacks which might be
discovered in the future. It has been designed very conservatively; a full 16 rounds
have been used, despite the fact that each round is considerably more elaborate than a
single round in more conventional block ciphers: thus, its security does not depend on
the merit of the somewhat unconventional measures I have included in the algorithm in
hopes of achieving a very high level of security.
Such things as medical records, or other information related to the personal privacy of
individuals, may be required to remain confidential for 50 or even 100 years. Because
the speed and power of computers has been increasing at a fast pace for some time, it is
very difficult to make a firm prediction of how powerful computers might be at such a
distant time.
Although some fundamental physical limits, as well as physical laws which even limit
the performance of quantum computers, do appear to imply that one can specify a key
size that will leave one's messages forever immune to brute-force searching, it is even
harder to predict what new and surprising discoveries may be made in the field of
mathematics or in cryptanalysis that may allow attacks taking less time than a brute-
force search (trying every possible key).
Hence, I felt that it was justified to attempt to design a cipher which, while remaining
constrained to some extent to operate within limits at least comparable with those of
more conventional designs, was still aimed at providing a very high level of security
without attempting to justify the security aimed at as necessary. As with all the ciphers
in the Quadibloc series, ease of implementation is another important consideration, and
it is execution speed which has taken a back seat.
The most important step taken in the design of Quadibloc VIII to achieve the apparent
potential for very high security was to, in every round, subject the 32-bit quarters of the
block to two different transformations, making it variable which of those two
transformations occurred first. As well, in one of those transformations, whether XOR
or modulo-256 addition is used is variable.
This does create vulnerability to attacks based on monitoring the power consumption of
a device carrying out this algorithm. Simultaneously (in hardware) or in a fixed order
(in software) carrying out both possible operations, the one used and the one not used,
is a measure that could be used to avoid this.
To achieve greater resistance to differential and linear cryptanalysis, key-dependent S-
boxes are used. With the contents of the S-boxes unknown, characteristics cannot be
found for the f-function in the normal manner used for simple differential
cryptanalysis. This increases the amount of memory required to carry out the
algorithm, again limiting its usefulness. The multi-stage nature of the f-function, in
addition to giving this cipher a strong avalanche characteristic, also improves resistance
to differential and linear cryptanalysis.
There are three basic possible ways in which weak keys could occur in the algorithm:
● A key could cause one or more of the four chain addition sequences used to
generate subkey material to have a short period;
● The key-dependent S-box S8, or either of the key-dependent S-boxes S10 and
S11, might, by accident, consist of bytes in an ordering that is, or that
approaches, a linear or affine function of its input;
● The key-dependent boxes S10 and S11 might contain duplicate entries.
But I tend to view the threat from at least the second and third of these as negligible.
With 16 rounds, and an f-function that has not one, but two SP stages based on fixed S-
boxes, as well as the fact that there are two different groups of key-dependent S-boxes,
both of which act on the entire block in every round, it should not be possible for an
attacker to effectively exploit, or detect, a weakness in any one key-dependent S-box
should it occur.
Some of the individual steps in the algorithm can also be further examined:
Algorithmic Variability
In each round, the algorithm can take one of 16 shapes by the interchange of two
transformations applied to the 32-bit quarters of the block. In addition, there are 16
possibilities of using either XOR or bytewise addition in one of those transformations.
These 256 possibilities in each round are the product of four possibilities for the
leftmost quarter of the block, which are key-dependent, and 64 possibilities for the
remaining three quarters of the block, which are data-dependent.
It might be suggested that more of the variability in the algorithm ought to be key-
dependent, since in this way, it could be said that only 2^32 different algorithms are
used, and this number is susceptible to brute-force search, if there were some rapid way
to solve the rest of the cipher.
However, data-dependence does seem to be stronger than key-dependence, so this does

not appear to be a strong objection.
If one ignores the choice between four subkeys in various portions of the round, and
the extra algorithmic variation caused by switching between addition or XOR, and only
counts the sixteen possibilities in each round, for each of the four quarters of the block,
of doing either of two 32-bit transformations first, then the key-dependent part of that
involves only 2^16 possibilities. While it might be possible to simply ignore them, by
trying an attack based each possibility, as there are 2^48 possibilities for the data-
dependent part of that, it would seem that a conventional differential attack (actually,
that is a misnomer, as other aspects of the design would require some extension to the
original techniques of differential cryptanalysis) would require one to compare known
plaintext-ciphertext pairs where the same one of the 2^48 possible algorithms was used.
Of course, as long as a characteristic is strong enough that its chance of occurring by

accident is less than one in 2^48, even this is not totally impossible, and the identity of
the pairs in which it is seen would then provide additional information.
Byte Interchange
As noted in the description of the algorithm, after each round of Quadibloc VIII, except
round 16, the 16 bytes of the block are rearranged from being in the order
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
to being in the order:
16 8 5 6 12 10 3 1 13 15 7 14 4 2 11 9
This particular rearrangement was carefully designed. It has the following properties:
● It is a cyclic permutation of the numbers from 1 to 16; hence, each byte of the
block will be moved to each of the possible positions during the 16 rounds of
the cipher.
● Each byte continuously alternates between being in the left and the right
quarters of either half. That is, if a byte is in the left quarter of one half in one
round, it will be in the right quarter of either the same half, or the other half, in
the next round.
● The alternation between halves, if only odd numbered rounds or only even
numbered rounds are considered, (or if only rounds where the byte is in the left
quarter of its half, or only rounds where the byte is in the right quarter of its half
are considered, which is equivalent from the preceding property) follows the
pattern R L L R L R R L or a cyclic permutation thereof.
Since the main feature of the cipher is a Feistel round within each half of the block,
parts of the block alternate regularly between being on the left and right sides of the f-
function as in any normal Feistel cipher.
An irregular pattern of alternation between left and right halves of the block is used, so
that for each round, bytes will be brought together in different combinations.
Thus, let us consider byte 5, and where it appears in odd-numbered rounds only, when
it is on the right quarter in its half, and thus on the recieving end of the f-function. Let
us depict, with the bytes identified by their positions in round 1, the input and output of
the f-function, but rotating both by corresponding amounts so that byte 5 appears first
on the right quarter, so we see what it looks like from the viewpoint of byte 5.
1 2 3 4 5 6 7 8 Round 1: left half

12 10 9 1 5 16 14 15 Round 3: left half
12 1 10 3 5 6 15 16 Round 5: right half
4 1 3 10 5 8 6 16 Round 7: left half
3 2 1 4 5 6 8 7 Round 9: right half
10 12 1 9 5 14 15 16 Round 11: right half
1 12 3 10 5 15 16 6 Round 13: left half
4 10 3 1 5 6 8 16 Round 15: right half
While this only brings the bytes together in four distinct possible configurations,
although in different orders in each of the two times, that is still about as irregular as is
possible given that the only device available in this uniform and consistent permutation
between rounds to bring different bytes together is dispatching them to the other half of
the block for differing periods of time.
These are the positions of the bytes in the 16 rounds of Quadibloc VIII:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
16 8 5 6 12 10 3 1 13 15 7 14 4 2 11 9
9 1 12 10 14 15 5 16 4 11 3 2 6 8 7 13
13 16 14 15 2 11 12 9 6 7 5 8 10 1 3 4
4 9 2 11 8 7 14 13 10 3 12 1 15 16 5 6
6 13 8 7 1 3 2 4 15 5 14 16 11 9 12 10
10 4 1 3 16 5 8 6 11 12 2 9 7 13 14 15
15 6 16 5 9 12 1 10 7 14 8 13 3 4 2 11
11 10 9 12 13 14 16 15 3 2 1 4 5 6 8 7
7 15 13 14 4 2 9 11 5 8 16 6 12 10 1 3
3 11 4 2 6 8 13 7 12 1 9 10 14 15 16 5
5 7 6 8 10 1 4 3 14 16 13 15 2 11 9 12
12 3 10 1 15 16 6 5 2 9 4 11 8 7 13 14
14 5 15 16 11 9 10 12 8 13 6 7 1 3 4 2
2 12 11 9 7 13 15 14 1 4 10 3 16 5 6 8
8 14 7 13 3 4 11 2 16 6 15 5 9 12 10 1
Mixing and Whitening
In addition to complicating analysis by swapping the two basic operations of a two-

round Feistel cipher between 16-bit subblocks and a pair of two-round Feistel ciphers
between 8-bit bytes, the mixing and whitening phase of the cipher is designed to ensure
that without knowledge of the key, it is not possible to determine the path of a single
bit through the cipher.
But does this provide blanket protection against differential and linear cryptanalysis?
No, I cannot claim that. But because differential and linear cryptanalysis attacks are
often only small improvements on brute-force cryptanalysis, even making them only
slightly more difficult is worthwhile.
The example given in David Kahn's book The Codebreakers of an amateur cipher that
might be wrongly claimed unbreakable may indicate the danger here: it was a form of
fractionation, where letters were translated to pairs of digits from 1 to 5 by a Polybius
square, and then back to letters after a single digit of padding is added to the beginning.
It might be thought impregnable, because nothing is left for the cryptanalyst to grasp.
Yet, a Playfair cipher in its most common case consists of switching the column
coordinates of a pair of letters, so it can be seen that this cipher is actually similar in
difficulty.
If we consider a block cipher with a strong differential characteristic, and then precede
and follow it by ICE-style bit swaps, but without the small-scale Feistel rounds also
used in Quadibloc VIII, a differential cryptanalysis attack can still be mounted.
If blocks that are identical, except for bit 21 being inverted, on input lead to a particular
difference between output blocks that is more likely, then with bit swaps before and
after, simply use pairs of blocks that differ only in one bit, but with all possible bits that
could be swapped to position 21. The output result would also be jumbled, but the fact
that a difference between pairs of output blocks would be the same, even if its shape
could not be predicted, would show that the fact about the key indicated by the
characteristic was likely to be true.
And, of course, the way in which the characteristic was jumbled would give
information about the swap used, which gives additional information about the subkeys.
The use of a MacLaren-Marsaglia construct as the basis for subkey generation,

however, makes it difficult to use one or more subkeys as a basis to deduce information
about other subkeys.
It should also be noted that the primary design goal of the mixing and whitening phase
was to ensure uncertainty about which portion of the algorithm any particular bit would
be subjected to, not to provide diffusion, since the conventional rounds provide strong
diffusion themselves.
After the first bit swap and mini-Feistel layer, the 16 bytes of the block can be thought
of as divided into the following eight independent groups:
1 1 2 2 3 3 4 4 5 5 6 6 7 7 8 8
After the second bit swap and mini-Feistel layer, the number of groups decreases to
four:
1 1 2 2 3 3 4 4 1 1 2 2 3 3 4 4
and after the third layer, to two:
1 1 2 2 1 1 2 2 1 1 2 2 1 1 2 2
so two groups of 64 bits go through this phase without in any way affecting each other.
Since the normal rounds deal with the block in four quarters, the last two bit swaps are
sufficient to place an input bit in any part of the normal round; the first bit swap creates
a corresponding uncertainty for the mini-Feistel rounds in the mixing and whitening
phase itself.
The Key Schedule
Because I aimed at a high level of security for Quadibloc VIII, I tried to ensure that the
key schedule was strong. Yet, I still wanted to keep the process of key generation
relatively simple.
Thus, from the key, I first produced initial values for four simple shift registers of
different lengths. Although there is no guarantee that chain addition will produce a
maximal period, the amount of subkey material to be generated, while large, is still
limited.
As can be seen from the description of the key schedule, measures were taken to ensure
that even with an all-zero key, no shift register would start out with all-zero contents,
or contents uniform in other ways.
By using the XOR of the output of two MacLaren-Marsaglia generators, I hoped to

make it difficult to use the subkeys to draw any useful conclusions about the shift
register contents and hence other subkeys. Using four shift registers, and alternating
their roles, also helps to limit the consequences if, for some key, one of the shift
registers begins producing a sequence of poor quality.
However, the key augmentation and key revision phases were added to provide a key
schedule that should be completely safe.
Next
Start of Section
Table of Contents
Main Page
Quadibloc IX
Quadibloc IX is a block cipher that obtains its security through the principle of indirection. It has only four
rounds. However, each round involves performing a form of the basic Quadibloc f-function ten times. Hence, the
f-function is represented in a schematic form:
a box, bearing on it the numbers of the two S-boxes used within it, from the standard Quadibloc set (note that
they are used so to avoid a symmetry involving rotating each 32-bit subblock by an integer number of bytes), has
an input and an output, and in addition, three subkeys as input, and two intermediate results as output. Note also
that the key-dependent S-box is noted here as S9, since the first eight of the standard Quadibloc S-boxes are used.
This compact schematic notation allows the Quadibloc IX round to be illustrated in a compact fashion:
and the round, in essence, is composed of the following elements:

● The first and second 32-bit subblocks of the 128-bit block are enciphered by means of two Feistel rounds
involving the version of the Quadibloc f-function used here.
● The four intermediate results produced during this encipherment are enciphered in two pairs by means of
two Feistel rounds with the same f-function.
● The result of this encipherment is used as the source of the subkeys for an encipherment of two subkeys
as a 64-bit block through two Feistel rounds. Additionally, two of the subkeys used are derived from
intermediate results produced during this encipherment; this is shown in a dark green color in the
diagram above.
● The following three items are used as the subkeys for each f-function in an encipherment, by two Feistel
rounds, of the third and fourth 32-bit subblocks of the 128-bit block.
❍ The results of the previous encipherment;
❍ as shown in a light blue color in the diagram above, so that the principal part of the round is more
clearly visible, additional intermediate results from the encipherment which produced that
encipherment's subkeys as well as intermediate results from the previous encipherment, combined
by XOR;
❍ one of two fixed subkeys.
After each round except the last, the 64-bit halves of the block are swapped.
Since each round contains two Feistel rounds for each half of the block, four such rounds involve only eight
Feistel rounds, but the F-function is of the SPSPS type instead of the SP type.
The number of rounds, therefore, might be barely enough to provide a degree of security even without
considering the cipher's main feature. Because the intermediate results from the left half are first enciphered, and
then used as subkeys for encipherment, it is difficult to work backwards from known plaintext and ciphertext for
a single round to determine the subkeys for the round. The use of a key-dependent S-box further frustrates
differential cryptanalysis and related techniques.
The key material used in this cipher consists of 88 subkeys, each 32 bits long, and one S-box containing the 256
bytes from 0 to 255 in a scrambled order.
In the detailed description of the cipher which follows, should there be any appearance of ambibuity, please
remember that I consistently use big-endian conventions; that is, the most significant bit or byte of a word is
always the first one, the leftmost one, and the one with the lowest number.
The f-function
The f-function used here is essentially as illustrated with Quadibloc VIII.
● First, the 32-bit input is XORed with the first 32-bit subkey.
● Then, the first three bytes of the result are replaced by their equivalents in the first of the two S-boxes
selected for this f-function from among those described in the section Euler's Constant and the Quadibloc
S-Boxes which, for this cipher, may be either S-box 1, 3, 5, or 7, and the fourth byte of the result is
replaced by its equivalent in the subsequent S-box from that selection.
● Then, the bits of the result of the substitution are transposed, from the order 1, 2, 3,... 32 to the order
1 2 27 28 21 22 15 16
9 10 3 4 29 30 23 24
17 18 11 12 5 6 31 32
25 26 19 20 13 14 7 8
● The current value constitutes the first intermediate result generated by the f-function.
● Now, the 32-bit value is XORed with the second 32-bit subkey.
● The four bytes of the result are replaced by their equivalents in the S-boxes used before, but this time only
the first byte is replaced by its equivalent in the first of those S-boxes, and the last three bytes are replaced
by their equivalents in the second S-box.
● The bits undergo the same transposition as before.
● The current result is now the second intermediate result availible from this f-function.
● The 32-bit value is now XORed with the third 32-bit subkey used with this f-function.
● The four bytes of the result are replaced by their equivalents in the key-dependent S-box, which for
Quadibloc IX is designated S-box 9.
● The result is now the output from the f-function.
The Round in Detail
A round of Quadibloc IX encipherment consists of the following steps:
● The first quarter of the block is used as input to an f-function using S-boxes 1 and 2, with subkeys which
are subkeys 1, 5, and 9 in the first round, and which increase in number by 1 in each subsequent round (as
do all subkeys used in a round of Quadibloc IX). The two intermediate results produced shall be
designated D and C. The output of the f-function is XORed to the second quarter of the block,
permanently modifying it.
● The second quarter of the block is used as input to an f-function using S-boxes 1 and 2, with subkeys
which are subkeys 13, 17, and 21 in the first round, and so on. The two intermediate results produced
shall be designated B and A. The output of the f-function is XORed to the first quarter of the block,
permanently modifying it.
● Intermediate results B and C shall form one 64-bit block, and intermediate results D and A shall form a
second 64-bit block, each of which shall be enciphered by means of two Feistel rounds, proceeding as
follows:
❍ B is used as input to an f-function using S-boxes 3 and 4, with subkeys 37, 41, and 45 in the first
round. The two intermediate results produced will be designated E and U. The output of the f-
function is XORed to C, permanently modifying it.
❍ C is used as input to an f-function using S-boxes 3 and 4, with subkeys 61, 65, and 69 in the first
round. The two intermediate results produced will be designated G and W. The output of the f-
function is XORed to B, permanently modifying it.
❍ The following two Feistel rounds proceed independently from the two previously described.
❍ D is used as input to an f-function using S-boxes 3 and 4, with subkeys 25, 29, and 33 in the first
round. The two intermediate results produced will be designated F and V. The output of the f-
function is XORed to A, permanently modifying it.
❍ A is used as input to an f-function using S-boxes 3 and 4, with subkeys 49, 53, and 57 in the first
round. The two intermediate results produced will be designated H and X. The output of the f-
function is XORed to D, permanently modifying it.
● Two subkeys, subkeys 73 and 77 in the first round, shall form one 64-bit block, and this block will be
enciphered by means of two Feistel rounds, as follows:
❍ The left half of the block formed by the two subkeys shall be used as input to an f-function using S-
boxes 5 and 6. The subkeys used as input to this f-function shall be, in order:
■ A, as modified by the preceding step in which A, B, C, and D were enciphered;
■ The XOR of intermediate results F and G from the preceding step;
■ C, as modified by the preceding step.
❍ The two intermediate results produced will be designated P and R. The output of the f-function
will be XORed to the right half of the block formed by the two subkeys, permanently modifying it.
(That is, the right half of the block is permanently modified for the remainder of the round
computation in which it is used. The subkey itself is not modified for subsequent encipherments, as
this is a block cipher, containing no state which is preserved between encipherments, other than
that which is wholly dependent on the key alone.)
❍ The right half of the block formed by the two subkeys shall be used as input to an f-function using
S-boxes 5 and 6. The subkeys used as input to this f-function shall be, in order:
■ D, as modified by the preceding step;
■ The XOR of intermediate results E and H from the preceding step;
■ B, as modified by the preceding step.
❍ The two intermediate results produced will be designated Q and S. The output of the f-function
will be XORed to the left half of the block formed by the two subkeys, permanently modifying it.
● The third quarter of the block is used as input to an f-function using S-boxes 7 and 8. The subkeys used as
input to this f-function shall be, in order:
❍ The right half of the block formed from subkeys 73 and 77 as enciphered by the preceding step;
❍ A 32-bit subkey, which is subkey 81 in the first round;
❍ The XOR of the following four intermediate results from the preceding step and the step which
preceded it: X, U, P, S.
● The intermediate results are not used. The output of the f-function is XORed to the fourth quarter of the
block, permanently modifying it.
● The fourth quarter of the block is used as input to an f-function using S-boxes 7 and 8. The subkeys used
as input to this f-function shall be, in order:
❍ The left half of the block formed from subkeys 73 and 77 as enciphered by the preceding step;
❍ A 32-bit subkey, which is subkey 85 in the first round;
❍ The XOR of the following four intermediate results from the preceding step and the step which
preceded it: W, V, Q, R.
● The intermediate results are not used. The output of the f-function is XORed to the third quarter of the
block, permanently modifying it.
After each round, the halves of the block, the first half being composed of the first and second 32-bit quarters of
the block, and the second half being composed of the third and fourth 32-bit quarters of the block, are swapped.
The Key Schedule
As noted, this block cipher uses 88 subkeys, each one 32 bits long, numbered from 1 to 88, and one 256-byte key
dependent S-box designated S9.
The key must be a multiple of 16 bits in length.
Two strings of bytes will be produced from the key.
If the length of the key is a multiple of 32 bits in length, then let that multiple be N, where the key is 4*N bytes
in length. In that case, the first string shall be 14*N-1 bytes in length, and the second string shall be 14*N+1
bytes in length.
If the length of the key is an odd multiple of 16 bits in length, then let that multiple be M, where the key is 2*M
bytes in length. In that case, the first string shall be 7*M-2 bytes in length, and the second string will be 7*M
bytes in length.
In other words, the second string shall be initially three and one half times as long as the key, and the first string
shall be initially one byte shorter than the second string, and if the number of bytes in the first string is even, it
shall be shortened by one byte, but if instead the number of bytes in the second string is even, it shall be
lengthened by one byte.
The first string shall be filled with repetitions of the following material, up to its length: the key itself, followed
by a single byte containing the one's complement of the XOR of all the bytes of the key together.
The second string shall be filled with repetitions of the following material, up to its length: the one's complement
of the key, followed by the bytes of the key in reverse order.
The 88 subkeys, each one four bytes in length, shall be formed in order, one byte at a time, starting with the most
significant and leftmost byte of the first subkey.
Each string will be called upon to produce output bytes by the process of chain addition. A chain addition step
consists of calculating the sum, modulo 256, of the last two bytes in the string. This sum shall be the output byte
from the step. The string will then be modified as follows: the last byte of the string shall be removed, and the
output byte shall be appended to the string before the first byte, with the result that the bytes in the string shall
advance one position.
Each string has associated with it a 256-byte buffer. Before beginning to generate subkey material, each string
shall generate 256 bytes, and these bytes will be placed in the cells of this buffer, beginning with cell 0 and
ending with cell 255.
Producing a byte of subkey material proceeds as follows:
● The first string will generate a byte, which shall be called A.

● The second string will generate a byte, which shall be called B.
● The contents of cell B of the buffer associated with the first string shall be called X, and then cell B of
that buffer will have the value A stored in it.
● The first string will generate a byte, which shall be called C.
● The second string will generate a byte, which shall be called D.
● The contents of cell C of the buffer associated with the second string shall be called Y, and then cell C of
that buffer will have the value D stored in it.
● The XOR of X and Y shall constitute the byte of subkey material generated.
An additional 256 bytes of subkey material shall be generated after all the required subkeys are generated. This
subkey material, along with the buffers associated with the two strings, shall be used to generate the key-
dependent S-box S9 as follows:
● Let the extra 256 bytes of subkey material be kept in an array designated P, and the 256-byte buffers
associated with the first and second strings be designated Q and R respectively. In addition, initialize a
256-byte buffer S with zeroes. A buffer designated T will also be used, which may contain the value -1 in
its cells in addition to the numbers from 0 to 255. As well, there will be two buffers of unsigned 16-bit
quantities, called QQ and RR.
● For each number from 0 to 255 in order, called c (for counter): consider the element of P indicated by that
number, and call it x; that is, set x to be P(c). If S(x) is zero, set S(x) to be 1, and set T(c) to be x. If S(x) is
not zero, set T(c) to be -1.
● Count the elements of S that are equal to zero. If none are, then skip the next step. If one is, then exactly
one element of T(c) will be -1; set that element to the index of the zero element of S, and skip the next
step. Otherwise, continue.
● Scan the arrays S and T from beginning to end, independently. Look for zero elements in S, and the value -
1 in T. When one of these is found in one array, wait for the corresponding item in the other array. Then
replace the value -1 in T by the index of the zero element in S. Once this step is complete, the array T will
contain one copy of every value from 0 to 255.
● Fill the array QQ with 16-bit quantities consisting of the element of the array Q at the same index times
256, plus the index. Fill the array RR with 16-bit quantities consisting of the element R at the same index
times 256, plus the index.
● Sort arrays QQ and RR.
● AND each element of QQ and RR with 255, masking out all but the least significant byte of each element.
● For each number from 0 to 255 in order, called c, perform the following calculation: set element RR(c) of
P to element QQ(c) of T; that is, P(RR(c))=T(QQ(c)).
● The contents of array P are to be used as S-box S9.
Decipherment
To decipher a block encrypted in Quadibloc IX, it is necessary to modify the round, as well as to perform the
four rounds in reverse order. The modified round for decryption involves performing the two Feistel rounds
acting on the first and second quarters of the block, and the two Feistel rounds acting on the third and fourth
quarters of the block, in reverse order in each case, while retaining all designations of subkeys used and
intermediate values output.
Next
Start of Section
Table of Contents
Main Page
Quadibloc X
The block cipher Quadibloc X operates on a 128-bit block divided into four 32-bit subblocks. All four subblocks
are modified in each round, and three different types of cipher step are used to modify the various subblocks.
Overview of the Quadibloc X Round
The leftmost subblock is modified directly in one piece, using a method somewhat reminiscent of SAFER. Two
subrounds of this method are applied to it during each round of Quadibloc X. The intermediate value of that
subblock between the two subrounds is used as a master nonlinear control input for the cipher steps applied to
the remaining subblocks. Because the number of these rounds is even, an interchange of the two middle bytes of
the subblock in a round does not interfere with the swap of 16-bit subblock segments between Quadibloc X
rounds.
The two middle subblocks are modified by means of Feistel rounds using the Quadibloc f-function. Three Feistel
rounds are applied. Because the number of these rounds is odd, the swap of 16-bit subblock segments between
Quadibloc X rounds is simplified, since each Quadibloc X round can be treated as a single Feistel round.
The rightmost subblock is modified through both XOR and addition of intermediate results of the Feistel rounds
applied to the middle two subblocks. Between each application of an intermediate result, a substitution is
performed of a type that leads to this modification of the subblock approximating decorellation. Four
intermediate results are used, and the operations are, in order, XOR, bytewise addition modulo 256, bytewise
addition modulo 256, and XOR.
Between each pair of Quadibloc X rounds, the 128-bit block is considered to be divided into eight 16-bit
subblock segments, and these are permuted from the order
1 2 3 4 5 6 7 8
to the order
7 4 1 6 3 8 5 2
so that the left halves of each subblock move to the next rightmost subblock between rounds, and the right halves
of each subblock move to the next leftmost subblock between rounds.
The Leftmost Subround Type
The subround applied to the leftmost subblock twice in a Quadibloc X round is illustrated below:
● First, in the modification step, the subblock is XORed with a 32-bit subkey.
● Then, in a substitution step, the bytes of the subblock are replaced with their equivalents in either S-box
S5 from the set generated from Euler's constant and used with other Quadibloc ciphers or S-box S10, to
be described in the section concerning the transformation applied to the rightmost subblock, and chosen to
produce decorrelation. The S-boxes are used in the order S5, S10, S5, S10.
● Third, in another modification step, the individual bytes of another 32-bit subkey are added to the
individual bytes of the subblock modulo 256.
● Then, the four bytes of the block operate on each other in the unification step.
❍ First, each two bytes enter into two mini-Feistel rounds, using the key-dependent S-box S8 as the f-
function. The left byte is used as the index into S8, and the result is added to the right byte modulo
256. Then, the right byte is used as the index into S8, and the result is XORed with the left byte.
❍ Then, of the four bytes, the two middle ones are swapped.
❍ Third, each pair of bytes again goes through two mini-Feistel rounds; this time, the operations used
are first XOR and then subtraction modulo 256.

● Fifth, in another modification step, the individual bytes of another 32-bit subkey are added to the
individual bytes of the subblock modulo 256.
● Another substitution step is used, this time using S-block S5 and S-block S11 in the order S11, S11, S5,
S5. Because of the byte swap in the middle of the unification step, bytes that went through S10 before
now go through S5, and bytes that went through S5 before now go through S11, so each byte goes once
through a 'random' S-box and once through a 'decorrelative' S-box.
● Finally, a 32-bit subkey is XORed with the subblock in the last modification step.
Two such subrounds are performed on the leftmost subblock in each round of Quadibloc X, and the value of the
leftmost subblock between those two subrounds is used as the nonlinear control word for the remaining part of
the round.
The Central Feistel Rounds
The Feistel subround which operates on the central two 32-bit subblocks of the 128-bit block is illustrated below.
On the left is shown one byte from the 32-bit nonlinear control word derived from the encipherment of the
leftmost subblock. For the three Feistel subrounds performed in a Quadibloc X rounds, the first, second, and
third bytes, from the left of that word, are used for the three rounds in order.
The second subblock is used as the input to the F-function.
The F-function proceeds as follows:
● XOR one 32-bit subkey with the input.

● Use the bytes of the result to index into either S-box S1 or S-box S2 of those generated from Euler's
constant under the control of the bits of the first nybble of the control word byte used for this subround. (0
indicates S1, 1 indicates S2.)
● Permute the 32 bits of the result so that the first two bits of each byte remain in the same position with
that byte, the next two advance to the next byte, the next two are swapped in those in the byte two places
before or after, and the last two are moved to the preceding byte. This is the permutation used elsewhere
with the standard Quadibloc F-function.
● At this point, we have the first intermediate result from this F-function.
● XOR a second 32-bit subkey with the current value.
● Use the bytes of the result to index into S-boxes S3 or S4 under the control of bits of the second nybble of
the byte of the control word in use.
● Perform the bit transposition again.
● The second intermediate result from this F-function is now available.
● XOR a third 32-bit subkey with the current value.
● Replace each byte with its substitute in key-dependent S-box S8.
The Feistel round is then completed when the F-function output is XORed with the third subblock.
Of the three subrounds performed, the the first intermediate result of each round will be known as IR5, IR6, and
IR7, respectively, and the second intermediate result of each round will be known as IR1, IR2, and IR3,
respectively. These intermediate results will be used in the modification of the rightmost subblock.
After the first two of the three Feistel subrounds performed in a Quadibloc X round, the second and third
subblocks of the 128-bit block will be swapped, these being the right and left halves of the block on which those
Feistel subrounds operate.
The Decorrelated Modification of the Rightmost Subblock

Finally, the last step in the Quadibloc X round is illustrated in the diagram below:
Four quantities, derived from the intermediate results produced from the three Feistel rounds applied to the
middle two subblocks, are applied to the rightmost subblock.
The quantities IR4A and IR4B are defined as follows:
IR4A = IR5 xor IR6 xor IR7

IR4B = IR5 + IR6 + IR7
where + in the equations above refers to bytewise addition modulo 256.
The assignment of intermediate results from the Feistel rounds to the four inputs to this modification step is
determined by the last four bits of the last byte of the nonlinear control word according to the following table,
which uses 16 of the 24 possible arrangements, when each intermediate result is only used once, and IR4B,
created by addition, is always used as input to an XOR step, and IR4A, created by XOR, is always used as input
to an additon step:
IN1 IN2 IN3 IN4

0000 IR4B IR1 IR2 IR3
0100 IR2 IR4A IR3 IR1
1000 IR1 IR2 IR4A IR3
1100 IR1 IR2 IR3 IR4B
The S-boxes S10, S11, S6, and S7 used in this step are ones specifically designed to produce decorrelation. Since
only addition modulo 256 is used, the decorellation is only approximate.
The S-box S11 contains successive powers of 3, under Galois Field multiplication using the polynomial x^8 +
x^6 + x^5 + x^3 + 1 (cancellation binary string 101101001) as used with Twofish, except that the last entry in
the S-box is 0. The S-box S10 is the inverse of an S-box containing successive powers of 3, under Galois Field
multiplication using the polynomial x^8 + x^4 + x^3 + x + 1 (cancellation binary string 100011011) as used with
Rijndael, except that the last entry in the S-box being inverted is 0.
Thus, these S-boxes (and their inverses, as required for deciphering) are as follows:
S-box S11:
1 3 5 15 17 51 85 255
104 184 161 138 247 112 144 217
2 6 10 30 34 102 170 151
208 25 43 125 135 224 73 219
4 12 20 60 68 204 61 71
201 50 86 250 103 169 146 223
8 24 40 120 136 241 122 142
251 100 172 157 206 59 77 215
16 48 80 240 121 139 244 117
159 200 49 83 245 118 154 199
32 96 160 137 242 127 129 234
87 249 98 166 131 236 93 231
64 192 41 123 141 254 107 189
174 155 196 37 111 177 186 167
128 233 82 246 115 149 214 19
53 95 225 74 222 11 29 39
105 187 164 133 230 67 197 38
106 190 171 148 213 22 58 78
210 31 33 99 165 134 227 76
212 21 63 65 195 44 116 156
205 62 66 198 35 101 175 152
193 42 126 130 239 88 232 81
243 124 132 229 70 202 55 89
235 84 252 109 183 176 185 162
143 248 97 163 140 253 110 178
191 168 145 218 7 9 27 45
119 153 194 47 113 147 220 13
23 57 75 221 14 18 54 90
238 91 237 94 226 79 209 26
46 114 150 211 28 36 108 180
181 182 179 188 173 158 203 52
92 228 69 207 56 72 216 0
The inverse of S-box S11:

255 0 16 1 32 2 17 204
48 205 18 125 33 215 220 3
64 4 221 119 34 153 141 216
49 25 231 206 236 126 19 145
80 146 20 164 237 107 135 127
50 98 169 26 157 207 232 211
65 74 41 5 247 120 222 182
252 217 142 61 35 38 161 154
96 155 162 133 36 250 180 39
253 30 123 218 151 62 143 229
66 175 114 75 185 6 42 88
173 183 223 225 248 94 227 121
81 194 90 147 57 165 21 44
8 128 136 102 238 187 198 108
13 212 233 116 158 71 77 208
51 68 54 99 177 27 170 85
112 86 171 92 178 131 149 28
52 83 11 69 196 100 55 192
14 202 46 213 139 117 234 23
167 209 78 105 159 59 245 72
82 10 191 195 130 148 91 111
201 45 22 138 58 244 104 166
189 109 199 242 239 240 241 188
9 190 110 129 243 103 137 200
97 168 210 156 106 134 163 79
73 40 181 246 37 160 60 251
24 230 144 235 152 140 118 63
254 15 203 31 214 219 124 47
29 122 228 150 249 179 132 95
174 113 87 184 93 226 224 172
67 53 84 176 70 76 115 12
193 89 43 56 186 197 101 7
The inverse of S-box S10:

1 3 5 15 17 51 85 255
26 46 114 150 161 248 19 53
95 225 56 72 216 115 149 164
247 2 6 10 30 34 102 170
229 52 92 228 55 89 235 38
106 190 217 112 144 171 230 49
83 245 4 12 20 60 68 204
79 209 104 184 211 110 178 205
76 212 103 169 224 59 77 215
98 166 241 8 24 40 120 136
131 158 185 208 107 189 220 127
129 152 179 206 73 219 118 154
181 196 87 249 16 48 80 240
11 29 39 105 187 214 97 163
254 25 43 125 135 146 173 236
47 113 147 174 233 32 96 160
251 22 58 78 210 109 183 194
93 231 50 86 250 21 63 65
195 94 226 61 71 201 64 192
91 237 44 116 156 191 218 117
159 186 213 100 172 239 42 126
130 157 188 223 122 142 137 128
155 182 193 88 232 35 101 175
234 37 111 177 200 67 197 84
252 31 33 99 165 244 7 9
27 45 119 153 176 203 70 202
69 207 74 222 121 139 134 145
168 227 62 66 198 81 243 14
18 54 90 238 41 123 141 140
143 138 133 148 167 242 13 23
57 75 221 124 132 151 162 253
28 36 108 180 199 82 246 0
S-box S10:
255 0 25 1 50 2 26 198
75 199 27 104 51 238 223 3
100 4 224 14 52 141 129 239
76 113 8 200 248 105 28 193
125 194 29 181 249 185 39 106
77 228 166 114 154 201 9 120
101 47 138 5 33 15 225 36
18 240 130 69 53 147 218 142
150 143 219 189 54 208 206 148
19 92 210 241 64 70 131 56
102 221 253 48 191 6 139 98
179 37 226 152 34 136 145 16
126 110 72 195 163 182 30 66
58 107 40 84 250 133 61 186
43 121 10 21 155 159 94 202
78 212 172 229 243 115 167 87
175 88 168 80 244 234 214 116
79 174 233 213 231 230 173 232
44 215 117 122 235 22 11 245
89 203 95 176 156 169 81 160
127 12 246 111 23 196 73 236
216 67 31 45 164 118 123 183
204 187 62 90 251 96 177 134
59 82 161 108 170 85 41 157
151 178 135 144 97 190 220 252
188 149 207 205 55 63 91 209
83 57 132 60 65 162 109 71
20 42 158 93 86 242 211 171
68 17 146 217 35 32 46 137
180 124 184 38 119 153 227 165
103 74 237 222 197 49 254 24
13 99 140 128 192 247 112 7
The S-box S6 contains successive powers of 19 in multiplication modulo 257, except that 256, when it occurs, is
replaced with zero, and the S-box S7 is the inverse of S6. Hence, the contents of these S-boxes are as follows:
S-box S6:
1 19 104 177 22 161 232 39
227 201 221 87 111 53 236 115
129 138 52 217 11 209 116 148
242 229 239 172 184 155 118 186
193 69 26 237 134 233 58 74
121 243 248 86 92 206 59 93
225 163 13 247 67 245 29 37
189 250 124 43 46 103 158 175
241 210 135 252 162 251 143 147
223 125 62 150 23 180 79 216
249 105 196 126 81 254 200 202
240 191 31 75 140 90 168 108
253 181 98 63 169 127 100 101
120 224 144 166 70 45 84 54
255 219 49 160 213 192 50 179
60 112 72 83 35 151 42 27
0 238 153 80 235 96 25 218
30 56 36 170 146 204 21 142
128 119 205 40 246 48 141 109
15 28 18 85 73 102 139 71
64 188 231 20 123 24 199 183
136 14 9 171 165 51 198 164
32 94 244 10 190 12 228 220
68 7 133 214 211 154 99 82
16 47 122 5 95 6 114 110
34 132 195 107 234 77 178 41
8 152 61 131 176 3 57 55
17 66 226 182 117 167 89 149
4 76 159 194 88 130 157 156
137 33 113 91 187 212 173 203
2 38 208 97 44 65 207 78
197 145 185 174 222 106 215 230
S-box S7:
128 0 240 213 224 195 197 185
208 170 179 20 181 50 169 152
192 216 154 1 163 142 4 76
165 134 34 127 153 54 136 90
176 233 200 124 138 55 241 7
147 207 126 59 244 109 60 193
149 114 118 173 18 13 111 215
137 214 38 46 120 210 74 99
160 245 217 52 184 33 108 159
122 156 39 91 225 205 247 78
131 84 191 123 110 155 43 11
228 222 93 235 44 47 177 196
133 243 98 190 102 103 157 61
2 81 253 203 95 151 199 12
121 234 198 15 22 220 30 145
104 40 194 164 58 73 83 101
144 16 229 211 201 186 36 66
168 232 17 158 92 150 143 70
106 249 140 71 23 223 75 125
209 130 189 29 231 230 62 226
115 5 68 49 175 172 107 221
94 100 139 171 27 238 251 63
212 3 206 119 77 97 219 167
28 250 31 236 161 56 180 89
117 32 227 202 82 248 174 166
86 9 87 239 141 146 45 246
242 21 65 188 237 116 187 254
79 19 135 113 183 10 252 72
105 48 218 8 182 25 255 162
6 37 204 132 14 35 129 26
88 64 24 41 178 53 148 51
42 80 57 69 67 96 85 112
The Complete Round
Thus, the entire Quadibloc X round looks like this:

and, as previously noted, 16-bit subblock halves are rotated after each round except the last from the order:
1 2 3 4 5 6 7 8
to the order
7 4 1 6 3 8 5 2
as illustrated in the diagram below:

which shows clearly that the left half of each subblock is rotated one place to the right, and the right half of each
subblock is rotated one place to the left.
Normally, ar least 8 rounds of Quadibloc X are used for encryption. Ideally, 12 or 16 rounds would be preferable.
32 rounds allow the four bits per round that alter the algorithm fundamentally (by changing the order in which
the intermediate results of the three Feistel rounds are applied decorellatively to the fourth subblock) to total to
128 bits, thus the algorithm can no longer be brute-force searched; this allows Quadibloc X to realize its full
potential.
One round is definitely insecure, since the first 32-bit subblock is essentially subjected to a block cipher with a
32-bit block size. Two rounds are already an interesting problem for the cryptanalyst, and four rounds might
possibly be secure, but cannot be recommended.
The Key Schedule
Quadibloc X uses the following key material: 17 subkeys, each 32 bits long, per round, and one key-dependent S-
box, S8, containing the bytes from 0 to 255 in a shuffled order. The subkeys used by the first round are K1
through K17, as shown in the diagram, and those used by the second round are K18 through K34, and so on.
The key will be a multiple of four bytes in length.
Subkey generation proceeds as follows:
Initialization
Three strings of bytes of different length are produced from the key.
The first string consists of the key, followed by one byte containing the one's complement of the XOR of all the
bytes of the key.
The second string consists of the one's complements of the bytes of the key in reverse order, with three bytes
appended containing the following three quantities:
● The sum, modulo 255, of the bytes of the key, incremented by one by normal addition. (Thus, this
produces a number from 1 to 255.)
● The XOR of all the bytes at odd numbered positions in the key, where the first byte in the key is
considered to be byte 1, and odd.
● The one's complement of the XOR of all the bytes at even numbered positions in the key.
The third string consists of alternating bytes, taken from the bytes of the key in reverse order, and then from the
bytes of the one's complement of the key, and then that string is followed by the one's complements of the first
four bytes of the key.
Thus, if the key is:
128 64 32 16 8 4 2 1 1 2 3 4 5 6 7 8
then the strings generated from it are as follows:
First string:
128 64 32 16 8 4 2 1
1 2 3 4 5 6 7 8
8
Second string:
247 248 249 250 251 252 253 254
254 253 251 247 239 223 191 127
37 170 93
Third string:
8 127 7 191 6 223 5 239
4 247 3 251 2 253 1 254
1 254 2 253 4 252 8 251
16 250 32 249 64 248 128 247
127 191 223 239
Given that the length of the key is 4n, the lengths of the three strings are 4n+1, 4n+3, and 8n+4, and hence all
three are relatively prime, since both 4n+1 and 4n+3 are odd, and 8n+4 is two times 4n+2.
Two buffers are filled by generating bytes from the first and second strings by chain addition.
Chain addition applied to a string is defined as follows:
The sum, modulo 256, of the last two bytes in the string is calculated. This sum is the output of the chain
addition step. Also, the last byte of the string is removed, and the sum is appended to the beginning of the string.
Both buffers contain 256 bytes. The first buffer, called buffer A, is filled with 256 successive bytes generated
from the second string by chain addition. The second buffer, called buffer B, is filled with 256 successive bytes
generated from the first string by chain addition.
Subkey Byte Generation
Once the setup is complete, subkey material is generated one byte at a time, the first byte generated being the
leftmost byte of subkey K1, and so on.
A subkey byte is generated as follows:
● A byte is generated from the first string by chain addition.

● The byte at the position in buffer A indicated by this value is taken, and called P.
● A byte is generated from the third string by chain addition. Its value is placed in buffer A, replacing the
value taken.
● A byte is generated from the second string by chain addition.
● The byte at the position in buffer B indicated by this value is taken, and called Q.
● A byte is generated from the third string by chain addition. Its value is placed in buffer B, replacing the
value taken.
● The subkey byte generated is the XOR of P and Q.
Note that this procedure, since it exercises the two strings used to select bytes, rather than the string used to
generate values, results in a small change in the key resulting in large changes in the subkeys from the very
beginning.
Permutation Generation
Once all the required 32-bit subkey words are generated, the key-dependent S-box S8 must be generated. This is
done as follows:
● 256 bytes are generated following the same procedure as for subkey byte generation, and these bytes are
placed in a 256-byte buffer called buffer C.
● A 256-byte buffer called buffer D is filled with the numbers from 0 to 255 in order.
● For every i from 0 to 255, if element i of buffer C (hereinafter called C(i)) is not equal to i, swap elements
i and C(i) of buffer D.
● For every i from 0 to 255, if B(i) is not equal to i, swap elements i and B(i) of buffer D.
● For every i from 0 to 255, if A(i) is not equal to i, swap elements i and A(i) of buffer D.
The resulting contents of buffer D are used as S-box S8. Note that this is a much more straightforwards
procedure than used previously to produce S8 in other ciphers in this series.
Advanced Key Schedule
With the complexity of the Quadibloc X round, its two kinds of subkeys, and the lack of unused intermediate
values, it would be difficult to propose a key augmentation procedure for this cipher as used with some other
block ciphers in the Quadibloc series. Instead, a different method of providing an improved key schedule, which
makes use of the existing logic of Quadibloc X encipherment, is proposed.
Two keys are required, a primary key and a secondary key. The primary key is used to create a key schedule,
including a key-dependent S-box S8, for single-round Quadibloc X encipherment. Then, using buffers A and B
as they stand (generating S8 does not change them), additional key bytes are generated by the same process as
used for the subkeys to produce two more values: a 96-bit seed value, and a 96-bit initial counter value.
Then the secondary key is used to generate the bytes to be used in the key schedule for the actual Quadibloc X
encipherment desired. However, after each four bytes are generated, they are enciphered in an unusual stream
cipher mode of single-round Quadibloc X, as illustrated below.
The first four bytes are enciphered as follows:
The 128 bit value composed of the 96-bit seed value and the 32-bit group of four bytes generated by the
MacLaren-Marsaglia-based technique used for subkey generation are encrypted in single-round Quadibloc X,
using the key schedule derived from the primary key.
The rightmost 32 bits of the result are the encrypted four keystream bytes.
Successive groups of four bytes are encrypted by following these additional steps:
The first 96 bits of the result are divided into six 16-bit subblock halves, and they are permuted from:
1 2 3 4 5 6
to:
5 4 1 6 3 2
After being permuted, the counter value is added to them, and the result of that addition will be used as the new
seed value for input along with the next 32 bits to be encrypted.
The counter value is incremented by one.
Note that when the final step of creating the key-dependent S-box S8 is taken, the contents of buffer C, being
ordinary output, will have gone through this encryption step, but the contents of buffers A and B will not have.
Deciphering
In deciphering, it is necessary to replace S-boxes S10, S11, and S5 by their inverses, switch addition and
subtraction modulo 256 as appropriate, and perform the steps within the round in reverse order as appropriate,
leaving steps within f-functions unaffected.
Next
Start of Section
Table of Contents
Main Page
Towards the 128-bit Era: AES Candidates

Improvements in the speed and power of microprocessor chips have meant that the
Data Encryption Standard with its 56-bit key is subject to brute-force attacks that can
be carried out by organizations of moderate size.
Although some branches of the Government of the United States, including its Chief
Executive, have been pursuing policies such as export restrictions and the "Clipper
chip" initiative, based on perceived dangers of the spread of strong encryption, the
National Institute of Standards and Technology, another branch of the U. S.
Government, has sought public submissions of an improved block cipher which would
serve the specific purpose of protecting the unclassified communications of the U. S.
Government, but which would also, no doubt, serve the public sector as well.
The block cipher that is accepted will be called the AES, for Advanced Encryption
Standard.
Since this was written, on

October 2, 2000, the cipher
that will serve as the
Advanced Encryption
Standard has been
announced, and that cipher is
Rijndael, designed by
Vincent Rijmen and Joan
Daemen.
Because block cipher modes

give block ciphers the
flexibility of also serving in
applications which can make
use of stream ciphers, a
block cipher was sought. A
block length of 128 bits,
making dictionary attacks
more difficult, is specified,
and key lengths of 128, 192,
and 256 bits are to be
allowed for in the designs
submitted.
A larger block length also
increases the speed of
encipherment, by allowing
more text to be enciphered at
once. Where a 56-bit key
does not provide enough security at present, it is possible to use Triple-DES
(enciphering in DES three times over, using either two or three different keys - and
with the middle encipherment done in deciphering mode for compatibility reasons) and
therefore one of the goals to be met by any submitted cipher is that it be faster than
Triple DES.
An idea that might occur upon first hearing about the AES effort: could a simple
construction like the following, operating at speeds only slightly slower than those of
single DES, provide adequate strength:
|
XOR <---
_ _ _ _ _ _ _ _|_ _ _ _ _ _ _ _
|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|
| |
|-------------> +
+ <-------------|
| |
----------- -----------
| DES | | DES |
----------- -----------
| |
|-------------> +
+ <-------------|
| |
_ _ _ _|_ _ _ _ _ _ _ _|_ _ _ _
|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|_|
|
XOR <---
|
or, in graphical form:

one might ask. However, while it seems that the series of byte substitutions, followed
by a Pseudo-Hadamard Transform, mixes together the two halves of the block well
enough, attacks are possible against this type of construction that make it not much
stronger than normal DES, at least in theory. If the Pseudo-Hadamard Transform,
however, is replaced by something better, such as the mask-driven bit swap used in the
cipher ICE, where a mask selects bits to be swapped between a pair of words, and we
further enhance it by using a 4 of 8 code to ensure each byte includes both swapped
and non-swapped bits, one might have something usable. The additional XOR
whitening is applicable, if otherwise all sixteen bytes go through the same byte
substitution.
With a better initial mixing step, and a willingness to go to double-DES speeds,

though, this approach could lead to something adequate.
As block ciphers like Blowfish demonstrate, it is possible to do better than DES at

faster speeds, and DES is designed for hardware implementation, and is unnecessarily
slow in software. Thus, something that is designed for fast software encryption, with
the required security, will be more optimal if it comes from a fresh design process.
Also, it should be noted that this illustration of how DES could be used as the basis of a
128-bit block cipher is not terribly original with me; whitening has been proposed
many times before, and the use of some sort of mixing before and after using DES to
increase the block size is part of Terry Ritter's Fenced DES design.
This design is not perfect: since the expression for one of the outputs of a PHT has a
factor of two in it, one can, using chosen plaintexts where only the least significant
byte of one particular half is varied, uncover some facts about the S-boxes used, for
example. This, among other weaknesses, was noted by Bryan G. Olson. Since keeping
one block the same still changes the complete output, because the other DES
encipherment is different, not 256 chosen plaintexts, but a larger number, are required,
but an attack is still possible.
All the AES candidate algorithms have been disclosed. I have written up descriptions
of some of them in my own words, with diagrams, that may be helpful to some in
understanding the algorithms. In some cases, my descriptions are not complete; for
example, in several cases I omit a description of the key schedule. It may also be noted
that links to the descriptions of the algorithms are available at the Block Cipher Lounge
as well as at the official AES site.
Since this page was originally developed, on August 9, 1999, five algorithms were
announced as those chosen for consideration in Round 2 of the AES selection process.
All five of those algorithms are among those described here, and they are indicated in
the list below:
● The Advanced Encryption Standard (Rijndael)

● Twofish (finalist)
● Serpent (finalist)
● RC6 (finalist)
● DEAL
● MARS (finalist)
● SAFER+
● FROG
● LOKI-97
● CAST-256
● Magenta
● DFC
Next
Chapter Start
Table of Contents
Main Page
The Advanced Encryption Standard (Rijndael)

The block cipher Rijndael is designed to use only simple whole-byte operations. Also, it provides extra
flexibility over that required of an AES candidate, in that both the key size and the block size may be
chosen to be any of 128, 192, or 256 bits. (During an early stage of the AES process, a draft version of
the requirements would have required each algorithm to have three versions, with both the key and block
sizes equal to each of 128, 192, and 256 bits. This was later changed to make the three required versions
have those three key sizes, but only a block size of 128 bits, which is more easily accomodated by many
types of block cipher design.)
The original description of Rijndael is available at: http://www.esat.kuleuven.ac.be/~rijmen/rijndael/.
However, the variations of Rijndael which act

on larger block sizes apparently will not be
included in the actual standard, on the basis
that the cryptanalytic study of Rijndael during
the standards process primarily focused on the
version with the 128-bit block size.
Rijndael is a relatively simple cipher in many

respects.
Rijndael has a variable number of rounds. Not

counting an extra round performed at the end
of encipherment with one step omitted, the
number of rounds in Rijndael is:
● 9 if both the block and the key are 128

bits long.
● 11 if either the block or the key is 192
bits long, and neither of them is longer
than that.
● 13 if either the block or the key is 256
bits long.
To encipher a block of data in Rijndael, you

first perform an Add Round Key step (XORing
a subkey with the block) by itself, the regular
rounds noted above, and as already noted, the
final round with the Mix Column step, as
described below, omitted.
The Rounds
Each regular round involves four steps. First is

the Byte Sub step, where each byte of the
block is replaced by its substitute in an S-box.
The specification for Rijndael only provided an
explanation of how the S-box was calculated:
the first step was to replace each byte with its
reciprocal in the same GF(2^8) as used below
in the Mix Column step, except that 0, which
has no reciprocal, is replaced by itself (since it
isn't anything's reciprocal either, it is the only value not used, so that makes sense) then a bitwise modulo-
two matrix multiply was used, and finally the hexadecimal number 63 is XORed with the result. (Not C6,
x7 is the MSB, if the diagram in the specification appears confusing.)
The S-box is:
99 124 119 123 242 107 111 197

48 1 103 43 254 215 171 118
202 130 201 125 250 89 71 240
173 212 162 175 156 164 114 192
183 253 147 38 54 63 247 204
52 165 229 241 113 216 49 21
4 199 35 195 24 150 5 154
7 18 128 226 235 39 178 117
9 131 44 26 27 110 90 160
82 59 214 179 41 227 47 132
83 209 0 237 32 252 177 91
106 203 190 57 74 76 88 207
208 239 170 251 67 77 51 133
69 249 2 127 80 60 159 168
81 163 64 143 146 157 56 245
188 182 218 33 16 255 243 210
205 12 19 236 95 151 68 23
196 167 126 61 100 93 25 115
96 129 79 220 34 42 144 136
70 238 184 20 222 94 11 219
224 50 58 10 73 6 36 92
194 211 172 98 145 149 228 121
231 200 55 109 141 213 78 169
108 86 244 234 101 122 174 8
186 120 37 46 28 166 180 198
232 221 116 31 75 189 139 138
112 62 181 102 72 3 246 14
97 53 87 185 134 193 29 158
225 248 152 17 105 217 142 148
155 30 135 233 206 85 40 223
140 161 137 13 191 230 66 104
65 153 45 15 176 84 187 22
Note that 63 in hexadecimal is 3 plus 6*16, or 36+60 or 96, and that is 99, as begins the table.
Next is the Shift Row step. Considering the block to be made up of bytes 1 to 16, these bytes are
arranged in a rectangle, and shifted as follows:
from to
1 5 9 13 1 5 9 13
2 6 10 14 6 10 14 2
3 7 11 15 11 15 3 7
4 8 12 16 16 4 8 12
Blocks that are 192 and 256 bits long are shifted like this:
from to
1 5 9 13 17 21 1 5 9 13 17 21
2 6 10 14 18 22 6 10 14 18 22 2
3 7 11 15 19 23 11 15 19 23 3 7
4 8 12 16 20 24 16 20 24 4 8 12
and
from to
1 5 9 13 17 21 25 29 1 5 9 13 17 21 25 29
2 6 10 14 18 22 26 30 6 10 14 18 22 26 30 2
3 7 11 15 19 23 27 31 15 19 23 27 31 3 7 11
4 8 12 16 20 24 28 32 20 24 28 32 4 8 12 16
Note that in the 256 bit case, the rows are shifted 1, 3, and 4 places to the left, instead of 1, 2, and 3
places as for the other two block sizes.
Next comes the Mix Column step. Matrix multiplication is performed: each column, in the arrangement
we have seen above, is multiplied by the matrix:
2 3 1 1
1 2 3 1
1 1 2 3
3 1 1 2
However, this multiplication is done over GF(2^8). This means that the bytes being multiplied are treated
as polynomials rather than numbers. Thus, a byte "muliplied" by 3 is that byte XORed with that byte
shifted one bit left.
If the result has more than 8 bits, the extra bits are not simply discarded: instead, they're cancelled out by
XORing the binary 9-bit string 100011011 with the result (shifted right if necessary). This string stands
for the generating polynomial of the particular version of GF(2^8) used; a similar technique is used in
cyclic redundancy checks.
The final step is Add Round Key. This simply XORs in the subkey for the current round.
Although a three-dimensional color diagram of the round has already appeared at the beginning of the
page, the Rijndael round can also be illustrated in a more conventional manner:
The extra final round omits the Mix Column step, but is otherwise the same as a regular round.
Thus, the sequence of steps in Rijndael is:
ARK
BSB
SR
MC
ARK
BSB
SR
MC
ARK
...
BSB
SR
MC
ARK
BSB
SR
ARK
Because it begins and ends with an ARK (Add Round Key) step, there is no wasted unkeyed step at the
beginning or end. The sequence of operations is important for facilitating decipherment, as well.
Although the sequence is not symmetrical, the order of some of the steps in Rijndael could be changed
without affecting the cipher. The Byte Sub step could just as easily be done after the Shift Row step as
before it.
That would change
A BSMA BSMA ... BSMA BSA
to
A SBMA SBMA ... SBMA SBA
If, on the other hand, we reversed the original sequence, we would get
ASB AMSB ... AMSB AMSB A
Although these look similar, except for the different positions of the spaces, which just mark what are
termed "rounds" in the algorithm, wherever the sequence "MA" appears in the modified, but equivalent,
algorithm, the sequence "AM" appears in the reverse sequence, required for decryption.
Of course, the steps also need to be reversed as well: ARK is an XOR, so that is its own inverse, but the
matrix in the Mix Column step needs to be replaced with its inverse, and the S-box in the Byte Sub step
needs to be replaced with its inverse for decryption as well.
What about the switch between "MA" and "AM", though? Do we need to change the order of operations
for decryption?
No; with matrix multiplication, the distributive property also applies, so the round keys involved in such
a reversal merely need to be multiplied by the (inverse) Mix Column matrix, and then they can be
XORed in at the same time (of course, in reverse order) as was used for encryption. (XOR corresponds to
addition in GF(2^8), which is where the multiplications are performed.)
The matrix for the inverse Mix Column step is:
14 11 13 9
9 14 11 13
13 9 14 11
11 13 9 14
as can quickly be verified by making use of its symmetry, and once the answer is known:
1110 1011 1101 1001 01 00 00 00

1001 1110 1011 1101 00 01 00 00
1101 1001 1110 1011 00 00 01 00
1011 1101 1001 1110 00 00 00 01
111 101 110 100 01 01 00 00

110 100 111 101 00 00 01 01
1100 1000 1110 1010 00 00 10 10
1011 1101 1000 1110 01 01 10 10
0 0 1 0 01 01 10 11
The Key Schedule

For keys 128 and 192 bits in length, the subkey material, which consists of all the round keys in order,
consists of the original key, followed by stretches, each the length of the original key, consisting of four-
byte words such that each word is the XOR of the preceding four-byte word and either the corresponding
word in the previous stretch or a function of it. For the first word in a stretch, the word is first rotated one
byte to the left, and then its bytes are transformed using the S-box from the Byte Sub step, and then a
round-dependent constant is XORed to its first byte.
The round constants are:
1 2 4 8 16 32 64 128
27 54 108 216 171 77 154 47
94 188 99 198 151 53 106 212
179 125 250 239 197 145 57 114
228 211 189 97...
which are, in binary:
00000001 00000010 00000100 00001000 00010000 00100000 01000000 10000000

00011011 00110110 01101100 11011000 10101011 01001101 10011010 00101111
01011110 10111100 01100011 11000110 10010111 00110101 01101010 11010100
10110011 01111101 11111010 11101111 11000101 10010001 00111001 01110010
11100100 11010011 10111101 01100001...
the successive powers of 2 in the representation of GF(2^8) used. Successive powers of 3, unlike 2,
include all the values from 1 to 255, and thus several implementations of Rijndael use tables of the
powers of 3, and the inverse table giving the discrete logarithm in that field, to facilitate calculations, but
the round constants are still the powers of 2. (I'm not entirely sure why one needs log and antilog tables
when all one is doing is muliplying by 2 and by 3, but doubtless there is a nonobvious way to implement
Rijndael with greater efficiency that makes use of them. The inverse of the matrix used in the Mix
Column step has the values 9, 11, 13, and 14 as its coefficients, however, so this could simply serve to
limit the number of tables needed for both enciphering and deciphering, replacing six tables by two.)
For keys 256 bits in length, in addition, the S-box from the Byte Sub step alone is applied to the word
from the preceding stretch for the fifth word in a stretch in addition.
Attacks on Rijndael
Although this page (and the preceding one)

already have several diagrams of Rijndael, I've
included yet another one, one even more
simplified than the one appearing on the
previous page, to make it easier to "see the
forest for the trees", and see both that the Mix
Column step indeed only mixes columns, and
is the only place where that happens, and how
the Shift Row step works with the Mix Column
step to ensure that all parts of the block
impinge on each other.
The standard techniques of differential and

linear cryptanalysis can be adapted to be used
against Rijndael. Because of the way matrix
multiplication works, and because in GF(2^8),
all the coefficients of the Mix Column matrix
(as indeed all numbers from 1 to 255) have
reciprocals, a specific attack, originally
developed for use against its predecessor
Square, called the "Square attack", can be used
as well.
If one uses 256 blocks of chosen plaintext,

where every byte but one is held constant, and
that one is given all 256 possible values, then
after one round of Rijndael, four bytes will go
through all 256 possible values, and the rest of
the bytes will remain constant. After a second
round, sixteen bytes will each go through all 256 possible values, without a single duplicate, in the
encipherment of the 256 blocks of chosen plaintext. (For a 128-bit block, this is every byte; for larger
blocks, the rest of the bytes will remain constant.) This interesting property, although not trivial to
exploit, can be used to impose certain conditions on the key when one additional round, before or after
the two rounds involved, is present.
The possibility of this attack was first noted by the developers of Square and Rijndael themselves, and
was noted in the paper that initially described Square.
Comments
The availability of different block sizes with Rijndael permits a cute variant of the "bricklaying" mode
proposed for Triple-DES to be used with it:
Here, each vertical line represents 32 bits, and the three layers use the 128, 192, and 256 bit block sizes in
order.
Despite the fact that Rijndael has a very different structure from that of DES, and in some ways could be
said to more closely resemble SAFER, because the Byte Sub step directly alters the bytes to be
encrypted, and the Mix Column step causes every byte in a column to affect every other byte there,
somewhat as the PHT stage in SAFER involves the whole block, it is still possible to relate the
fundamental steps in Rijndael to parts of DES based on the function they perform in contributing to the
step of the overall cipher.
The Add Round Key step clearly corresponds to the XOR of subkey material with the input to the f-
function.
The Mix Column step is where the different bytes interact with each other, so it corresponds to the XOR
of the f-function output with the left half of the block in DES.
The Byte Sub step contributes the nonlinearity in Rijndael, and so it corresponds to the f-function itself.
The Shift Row step ensures that the different bytes of each row do not only interact with the
corresponding byte in other rows. Thus, it corresponds to permutation P within DES.
In drawing an analogy between Rijndael and DES, it is very easy, based on a superficial glance at
Rijndael, and the appearance of the Shift Row step, to view it as corresponding to the swapping of halves
of the block within DES. In fact, Rijndael does not require a step with this function, because the Mix
Column step in Rijndael causes every byte in a column to alter every other byte in the column, so no step
is needed that swaps rows.
This subtle point is actually quite important. The number of regular rounds in Rijndael is always an odd
number; without a Mix Column step, the last round involves no interaction between bytes, so it makes
sense not to count it as a "real" round. Thus, it is not a multiple of the number of columns, which is 4, 6,
or 8, depending on the size of the block.
Differential cryptanalysis attacks on DES become quite a bit easier for variants of DES with an odd
number of rounds. Thus, if the Shift Row step in Rijndael had corresponded to swapping halves of the
block, this would have possibly been an important weakness in Rijndael. It may still be a slight flaw, but
existing cryptanalytic results against Rijndael do not seem to exhibit a pattern indicating this.
The key schedule for Rijndael can be carried out equally well with keys that are 160 or 224 bits long,
since it only requires that the key size be a multiple of 32 bits. Even block sizes of 160 and 224 bits are
possible as well. A revised version of the Rijndael specification includes these as extensions, and the rule
for the number of rounds to use is based on the larger of the block size and the key size, with 10 regular
rounds (11 rounds in total) corresponding to 160 bits, and 12 regular rounds (13 rounds in total)
corresponding to 224 bits.
Thus, one can obtain 12 regular rounds, which I view as desirable for the 128-bit and 192-bit block sizes,
by specifying a key of 224 bits. As a nice bonus, the number of 32-bit words in 224 bits is seven, which
is relatively prime to either four or six, which appears, at least from a naïve point of view, as if it might
improve the key schedule at least slightly as well.
This chart, showing the number of rounds for different block sizes and key sizes, also indicates when
these apparently desirable properties are obtained:
* : number of regular rounds is a multiple of the

number of 32-bit words in a block
+ : number of 32-bit words in the key is relatively
prime to the number of 32-bit words in a block
Key Block
128 160 192 224 256
128 10 11 12 13 14 10 is a multiple of 5
+ * + 4 is relatively prime to 5 and 7
160 11 11 12 13 14 10 is a multiple of 5
+ * + + + 5 is relatively prime to 4, 6, 7, and 8
192 12 12 12 13 14
+ + 6 is relatively prime to 5 and 7
224 13 13 13 13 14 12 is a multiple of 4 and 6

+ * + + * + 7 is relatively prime to 4, 5, 6, and 8
256 14 14 14 14 14
+ + 8 is relatively prime to 5 and 7
288 15 15 15 15 15 14 is a multiple of 7
+ + + * + 9 is relatively prime to 4, 5, 7, and 8
320 16 16 16 16 16 15 is a multiple of 5
* + 10 is relatively prime to 7
352 17 17 17 17 17 16 is a multiple of 4 and 8

+ * + + + + * 11 is relatively prime to 4, 5, 6, 7, and 8
Thus, there is at least one "ideal" key size for every possible block size:
Block
size Ideal key sizes
128 224 352
160 128
192 224
224 288
256 352
once again, I reiterate, this is only significant if these essentially minor concerns, as seen from a naïve
point of view, have any validity.
Incidentally, for a block size of 224 bits, the Shift Row step is again altered, but not in quite the same
way as for a 256-bit block. Only the last row, not the last two rows, is shifted by an extra byte position.
Also, the additional Byte Sub step noted for 256-bit keys is added to the key schedule for all key sizes
greater than 192 bits, so it applies to the 224-bit key as well as to all key sizes greater than 256 bits.
That the design of the S-box involves the same GF(2^8) as the Mix Column step might also appear to be
a concern. However, the Rijndael S-box is nearly ideal in resistance to differential cryptanalysis, and is
also excellent in avoiding any approximations in GF(2^8) usable in the GF(2^8) equivalent of linear
cryptanalysis.
The choice of Rijndael over the other finalist algorithms, also believed to be highly secure, was based
primarily on its efficiency and low memory requirements; this, coupled with the fact that existing
cryptanalyses of Rijndael are based on reduced-round variants somewhat close to the actual cipher
(although the results close to the actual number of rounds are quite impractical to exploit) means that
some controversy, even if not the intense controversy surrounding DES, may haunt the new AES as well.
Rijndael was preceded by the block cipher Square, which was somewhat similar. However, instead of a
Shift Row step, a transpose of the square matrix of bytes was used; in effect, this meant that diffusion
over the whole block was obtained by alternating Mix Column steps with Mix Row steps. Specific
attacks were found against Square, against which Rijndael was strengthened.
Finally, I will propose a minor variation to Rijndael that might make cryptanalysis more difficult.
Instead of subjecting all the columns of the block to the same operation in the Mix Column step, every
second column, instead of being subjected to a matrix multiplication, could instead be subjected to a
scaled-down version of the PHT stage in SAFER. Since only four bytes are involved, this would mean
two stages of PHT operations, and the bytes in the second and third rows would be swapped between the
stages. To avoid major changes to the shift row step, the pattern of operations should be MPMP for two
rounds, and then PMPM for two rounds; also, the bytes in the second and third rows should be swapped
back after the second PHT stage (or the PHT operations would be performed "in place", which is
equivalent). By using two completely unrelated operations, but both of which completely mix all the
bytes in a column, resistance to analysis should be improved.
However, although this is a different form of mixing, and will thus block the Square attack, it is also a
weaker form of mixing, and thus would need to be combined with an increase in the number of rounds.
Next
Chapter Start
Table of Contents
Main Page
Twofish
Developed by Bruce Schneier as a successor to his 64-bit Blowfish block cipher, the Twofish specification has
been released, and is available at http://www.counterpane.com//twofish.html in both Adobe Postscript format and
Adobe Acrobat .PDF format.
How Twofish Works
Twofish uses 40 32-bit subkeys. The first eight are used for whitening, four at the beginning and four at the end
are XORed with the entire block. Each round uses two of the remaining 32 subkeys, and so Twofish has sixteen
rounds.
The division of the 128-bit block into four 32-bit quarters is done using the "little-endian" convention, which
presumably means the leftmost quarter is the earliest one, but the least significant numerically. I will denote the
quarters as Q0 through Q3.
The Twofish Round
A round of Twofish proceeds as follows:
Q3 is rotated one bit left.
Q0, and Q1 rotated left 8 bits, are each submitted to four key-dependent S-boxes with 8-bit inputs and outputs.
These key-dependent S-boxes are equivalent to the use of fixed S-boxes with 8-bit inputs and outputs alternating
with the XOR of subkey material, and the fixed S-boxes are themselves constructed from smaller S-boxes with
four-bit inputs and outputs.
Then, the bytes in each are combined by means of matrix multiplication with the following matrix (called the
MDS matrix):
01 EF 5B 5B
5B EF EF 01
EF 5B 01 EF
EF 01 EF 5B
(needless to say, the entries are in hexadecimal notation) over the Galois Field of 2^8 with the modular
polynomial x^8 + x^6 + x^5 + x^3 + 1.
This means that when a byte is multiplied by an element of the matrix, instead of actual multiplication being
performed, which can be thought of as shifting the input byte, and adding it to the total whenever its last bit is over
a 1 bit of the number in the matrix, a similar operation is performed, but an XOR instead of addition is performed.
Thus, in effect, one is multiplying polynomials (one cannot carry, since one doesn't know what x is) with
coefficients that are either 0 and 1, handled according to modulo-2 arithmetic.
The result of this "multiplication" is a 16-bit number. It is then reduced to an 8-bit number as follows: the modular
polynomial, considered to be the binary string 101101001, is shifted left until its first bit coincides with the first 1
bit of the result. It is then XORed with the number, and shifted right until its first bit coincides with the first
remaining 1 bit, and this is repeated until the number is 8 bits long or less.
Finally, the two resulting 32-bit quantities are mixed with each other through a Pseudo-Hadamard Transform; the
one formed from Q1 is added to the one formed from Q0, then the one formed from Q0 is added to the one formed
from Q1.
Then, the first subkey for the round is added to the one formed from Q0, and the result is XORed to Q2. The
second subkey for the round is added to the one formed from Q1, and the result is XORed to Q3.
Finally, Q2 is rotated one bit right, and the two halves of the block are swapped (Q0 is swapped with Q2, and Q1
is swapped with Q3).
As in DES, the halves are not swapped after the last round.
Note that the matrix multiplication, since it involves an XOR (rather than addition) of the individual products, can
be precomputed, making the S-box entries 32 bits wide rather than 8.
The Key Schedule
This description of the key schedule is not quite detailed enough to permit implementation at this time, but it
outlines all the required steps, and should help in understanding the original documentation.
Key generation begins by deriving three key vectors each half the length of the original key.
The first two are formed by splitting the key into 32-bit parts. Numbering these parts starting from zero, the even-
numbered ones become M(e), and the odd-numbered ones become M(o).
The third one is formed by dividing the key into 64-bit parts, and producing one 32-bit part of the key vector by
multiplying each 64-bit part by this matrix (called the RS matrix):
01 A4 55 87 5A 58 DB 9E
A4 56 82 F3 1E C6 68 E5
02 A1 FC C1 47 AE 3D 19
A4 55 87 5A 58 DB 9E 03
over the Galois Field GF(2^8) with the modular polynomial x^8 + x^6 + x^3 + x^2 + 1, which means that after an
XOR-multiplication the bit pattern 101001101 is used to fit the result back into eight bits this time.
The reason that both fields are referred to simply as "GF(2^8)" is because, except that the same roles will now be
performed by different numbers from 0 to 255, no matter which modular polynomial is used, there is really only
one Galois Field for any prime power. Changing the modular polynomial changes which number does what,
which is an isomorphism, but it does not change the underlying mathematical structure of the field. However, that
doesn't mean that changing the modular polynomial serves no purpose here: it is essentially a way to get an S-box
for free.
The resulting 32-bit words are then placed in reverse order into the key vector called S.
The fixed S-boxes with eight bit inputs and outputs, called q(0) and q(1), are each constructed from four S-boxes
with four bit inputs and outputs. For q(0), the S-boxes are:
Input 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
------------------------------------------------
T0 8 1 7 13 6 15 3 2 0 11 5 9 14 12 10 4
T1 14 12 11 8 1 2 3 5 15 4 10 6 7 0 9 13
T2 11 10 5 14 6 13 9 0 12 8 15 3 2 4 7 1
T3 13 7 15 4 1 2 6 14 9 11 3 0 8 5 12 10
And, for q(1), the S-boxes, again given the same designations, are:
Input 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
------------------------------------------------
T0 2 8 11 13 15 7 6 14 3 1 9 4 0 10 12 5
T1 1 14 2 11 4 12 3 7 6 13 10 5 15 9 0 8
T2 4 12 7 5 1 6 9 10 0 14 13 8 2 11 3 15
T3 11 9 5 1 12 3 13 14 6 4 7 15 2 0 8 10
Each S-box is formed as follows:
● The input byte is split into its most significant and least significant halves, A and B.
● The new value of A is the XOR of the old values of A and B.
● The new value of B is the XOR of the old value of A, B rotated right one bit, and 8 if the old value of A
was odd.
● A and B are then replaced by their substitutes in the 16-bit S-boxes T0 and T1 respectively.
● The new value of A is the XOR of the old values of A and B.
● The new value of B is the XOR of the old value of A, B rotated right one bit, and 8 if the old value of A
was odd.
● A and B are then replaced by their substitutes in the 16-bit S-boxes T2 and T3 respectively.
● A and B are then combined in reverse order to form the result byte.
The four key-dependent S-boxes are formed from the 32-bit elements of the key vector S as follows:
If the key is 256 bits long, the key vector S has four 32-bit elements, S(0), S(1), S(2), and S(3). In that case, the
four key-dependent S-boxes are equivalent to performing the operations:
output = q(0)(S(0,0) xor q(1)(S(1,0) xor q(1)(S(2,0) xor q(0)(S(3,0) xor q(1)
(input))))
(input))))
(input))))
(input))))
where S(2,1) means byte 1 of word 2 in the key vector S.
When the key is 192 bits long, the S-box definitions are simplified to:
output = q(0)(S(0,0) xor q(1)(S(1,0) xor q(1)(S(2,0) xor q(0)(input)))

and when the key is only 128 bits long, the S-box definitions are simplified to:
output = q(0)(S(0,0) xor q(1)(S(1,0) xor q(1)(input))

The subkeys which are actually added to the function outputs before they are XORed to another quarter of the
block are produced by a process very similar to a Twofish round, but with key-dependent S-boxes derived from
the key vectors M(e) and M(o) instead of from the key vector S. The inputs are the round number times 2, plus 1
on one side, in all four bytes of a word, and the rotate left step takes place after the function instead of before: an 8-
bit rotate left before the PHT, and a 9-bit rotate left after.
Next
Chapter Start
Table of Contents
Main Page
SERPENT
Developed by Eli Biham, the originator of differential cryptanalysis, SERPENT is a block-cipher
algorithm which, like SAFER, is a "straight-through" algorithm, rather than using Feistel rounds.
The original form of its description is available at http://www.cs.technion.ac.il/~biham/Reports/
Serpent/. It is simple in appearance, using plain 4-bit-wide S-boxes without additional inputs (like
GOST) and standard computer logic operations. It also includes an initial permutation and an
inverse initial permutation, so that the S-boxes can be implemented with logic operations instead of
table lookups; this is possible because the eight S-boxes used by the algorithm are used in sequence
rather than in parallel.
Considering the 128 bit block as consisting of bits 0 to 127, from left to right, but with bit 0 the
least significant, the first operation performed is the initial permutation. The sources of the bits
resulting from that permutation are, in order, as follows:
0 4 8 12 16 ... 124
1 5 9 13 17 ... 125
2 6 10 14 18 ... 126
3 7 11 15 19 ... 127
SERPENT has 32 rounds. The last one has a slightly different sequence of operations than the other
rounds.
In a normal round, the first step is to XOR the current round's subkey with the 128-bit-wide block.
Then, the entire block is transformed, nybble by nybble, according to the current S-box for the
round. The S-boxes are numbered from S0 to S8, and are used in order repeatedly; S0 for rounds 1,
9, 17, and 25; S1 for rounds 2, 10, 18, and 26; and so on.
Then, the block goes through a series of mixing operations so that the different nybbles of the block
interact. The process consists of ten steps, which can be thought of as being organized into five
phases.
This process proceeds, in bitslice mode, as follows; for the normal mode described here, this series
of steps must be preceded by the inverse of the initial permutation and followed by the initial
permutation to be correct:
Considering the block as being divided into four 32-bit quarters, Q0, Q1, Q2, and Q3, from left to
right, the operations are:
Rotate Q0 13 bits left, and rotate Q2 3 bits left.
Modify Q1 by XORing Q0 and Q2 to it. Modify Q3 by XORing Q0 shifted left 3 bits, and Q2 (left
alone) to it.
Rotate Q1 1 bit left, and rotate Q3 7 bits left.
Modify Q0 by XORing Q1 and Q3 to it. Modify Q2 by XORing Q1 shifted left 7 bits, and Q3 (left
alone) to it.
Rotate Q0 5 bits left, and rotate Q3 22 bits left.
In the final round, the mixing operations are omitted.
After the 32nd round, the bits are subjected to what is called in SERPENT the final permutation,
which is the inverse of the initial permutation, and the sources of the bits resulting from it are as
follows:
0 32 64 96 1 33 65 97 2 34 66 98 3 35 67 99
4 36 68 100 5 37 69 101 6 38 70 102 7 39 71 103
8 40 72 104 9 41 73 105 10 42 74 106 11 43 75 107
12 44 76 108 13 45 77 109 14 46 78 110 15 47 79 111
...
28 60 92 124 29 61 93 125 30 62 94 126 31 63 95 127
The following diagram may be of some help in understanding Serpent, although it doesn't show
either the full width of the cipher or all its details.
The Key Schedule
128 and 192 bit keys are first transformed to 256 bit keys. All short keys are padded to 256 bits by
having 000...001 appended to them at the most significant end, which is apparently on the right as
things are defined here.
A 256 bit key is handled as follows: it is divided into eight 32-bit words. The first one is considered
the oldest, and new words are generated as follows:
Word(n) = Word(n-1) XOR Word(n-5) XOR Word(n-8) XOR X'9E3779B9' XOR n
where the first generated word is considered to be word zero - so the 256 bit key consists of words -
8 through -1.
128 words are generated. Then, these words are taken in groups of four to produce the round
subkeys, by being put through the S-boxes. A different S-box is used, though, than the one which
will be used during that round; the S-boxes are used in the sequence S3, S2, S1, S0, S7, S6, S5, S4,
repeated four times.
Next
Chapter Start
Table of Contents
Main Page
RC6
Devised by Dr. Ronald C. Rivest, of RSA fame, RC6 is based on Feistel rounds; but
not Feistel rounds operating between the two halves of the block. Instead, the Feistel
rounds operate between pairs of quarters of the block, and they are interlocked by the
exchange of some data. Circular shifts the extent of which is controlled by data, and a
quadratic function applied to 32-bit integers are the nonlinear elements which provide
the security of this block cipher.
The design of the block cipher is such that the number of rounds, the size of the key,
and the size of the block, are all flexible. It is based on the previous RC5 block cipher,
which is patented by RSA Laboratories, but instead of being RC5 expanded to a larger
block size, it is designed to limit the width of registers required to handle large blocks.
It will be described here only with the specific number of rounds and blocksize
proposed for the AES, and I am not yet including a description of the key schedule.
The original description of RC6 is available at http://theory.lcs.mit.edu/~rivest/

publications.html.
RC6 uses 44 subkeys, numbered S0 to S43, each one 32 bits long. The block to be
enciphered is divided into four 32-bit integers, A, B, C, and D. The first four bytes
enciphered form A, and the convention is little-endian; the first byte enciphered
becomes the least significant byte of A.
RC6 begins with an initial whitening step; B is XORed with S0, and D is XORed with
S1.
Each round of RC6 uses two subkeys; the first one uses S2 and S3, and successive
rounds use successive subkeys.
A round of RC6 proceeds as follows:
The result of subjecting B to function f, which is defined as f(x) = x(2x+1), is rotated

left 5 bits, and then XORed to A.
The result of subjecting D to function f, which is defined as f(x) = x(2x+1), is rotated

left 5 bits, and then XORed to C.
The least significant 5 bits of the quantity XORed to A (function f of B circular left
shifted 5 bits) specifies the extent to which C is circular left shifted.
The least significant 5 bits of the quantity XORed to C (function f of D circular left
shifted 5 bits) specifies the extent to which A is circular left shifted.
Since all this leaves B and D unchanged, it is invertible.
Then the first subkey for the round is XORed to A, and the second subkey for the
round is XORed to C.
Then, the four quarters of the block are rotated as follows: the value of A is placed in
D, the value of B is placed in A, the value of C is placed in B, and the (original) value
of D is placed in C.
After the 20th round is complete, an additional whitening step takes place: A is XORed
with S42, and C is XORed with S43.
Next
Chapter Start
Table of Contents
Main Page
DEAL
Designed by Richard Outerbridge, who developed a construction for using a block
cipher with one block size to create a new one with a larger block size, DEAL is a
Feistel round cipher with a small number of rounds that uses DES as its f-function. Its
description is available at http://www.ii.uib.no/~larsr/newblock.html
The block is divided into two 64-bit halves. In each round, the right half of the block is
XORed with the left half of the block after encryption under DES with the current 64-
bit round key with parity bits (the least significant bit of each byte) ignored as the key.
Eight rounds are recommended for use with a 256-bit key; with a 128-bit key or a 192-
bit key, six rounds are used, which gives DEAL essentially exactly the same speed as
Triple-DES.
The halves of the block are swapped after every round, including the last one.
The key schedule
For all key generation, the encryption or convolution step used is encryption with DES,
using the constant key X'0123456789ABCDEF'.
For a 128-bit key, keys are generated as follows:
The 128-bit key is considered to consist of two 64-bit blocks, K1 and K2.
The first round key is K1 encrypted.
The second round key is (K2 xor the first round key), encrypted.
The third round key is (K1 xor the second round key xor X'8000000000000000'),
encrypted.
The fourth round key is (K2 xor the third round key xor X'4000000000000000'),
encrypted.
The fifth round key is (K1 xor the fourth round key xor X'1000000000000000'),
encrypted.
The sixth round key is (K2 xor the fifth round key xor X'0100000000000000'),
encrypted.
The third round key is (K3 xor the second round key), encrypted.
The fourth round key is (K1 xor the third round key xor X'8000000000000000'),
encrypted.
encrypted.
encrypted.
The third round key is (K3 xor the second round key), encrypted.
The fourth round key is (K4 xor the third round key), encrypted.
encrypted.
encrypted.
The seventh round key is (K3 xor the sixth round key xor X'1000000000000000'),
encrypted.
The eighth round key is (K4 xor the seventh round key xor X'0100000000000000'),
encrypted.
Next
Chapter Start
Table of Contents
Main Page
MARS
MARS is the IBM's entrant into the AES competition. As IBM is the company that designed DES, this
alone makes this entry of particular interest. Note, incidentally, that as the AES process only requires
companies to allow free use of the proposed algorithm if it is selected as the successful candidate, some
AES candidates are protected by patents, both to retain control of the cipher itself if it is not selected, and
to control the basic technology on which the cipher is based, so that licensing would still be required for
larger variants of the cipher, for example. Among the entrants I have examined so far, this applies to RC6
and it had also applied to MARS, but IBM later made MARS available for licensing free of charge.
The document describing MARS, accessible at http://www.research.ibm.com/security/mars.html, notes

that "little-endian" conventions, with the "first" byte of a 32-bit word being its least significant byte, are
used in the cipher. Unlike the documentation of some of the other little-endian designs, the MARS
documentation makes it completely clear and unambiguous which byte goes where.
As the little-endian case is difficult to describe, I am going to use big-endian conventions consistently in
my description of MARS. Essentially, this means that the very first thing one does when starting MARS as
I describe it is divide the 128-bit block of plaintext into four words of four bytes, and reverse the order of
the four bytes in each word. The same has to be done on exit.
Overview
The overall structure of MARS is as follows:
First, key material is XORed with the whole block.
Then, eight rounds of a transformation similar to DES are

applied, but that transformation is fixed, and without any part
that is affected by a key. (Note that if not for the initial XOR of
key material, this transformation would be a waste of time.)
Then, there are sixteen rounds (the last eight are called
"reverse" rounds, with a rationale somewhat like the one seen
in Skipjack) which constitute the "cryptographic core" of the
cipher. One 32-bit word is used to modify the other three, by
being split into three copies of itself, and subjected to various
manipulations, including one multiplication by key material,
one S-box lookup, and two data-dependent rotations.
Then we have another unkeyed transformation, and another

XOR of key material.
There are 40 32-bit words of subkeys, which are generated by

a kind of shift-register method from the key.
As its documentation points out, the design of MARS is

oriented around having structures that are secure, but which
can also be analyzed, so that it is possible to be confident of
the security the cipher posesses. Hard-to-analyze structures
that might offer more security, but which would be hard to be
certain of, were specifically avoided. The unkeyed rounds of
mixing at the start and end of the cipher were, in a way, an
exception to that rule; this is why they were left unkeyed
(although that may well seem bizarre and wasteful), to ensure
that they didn't form, in some sense, a "real" exception to that
rule. (It would seem to me that if the key schedule of MARS
were very strong, i.e., like that of Blowfish, or if the key used
for the outer rounds, presumably to XOR with the inputs to the
S-boxes, were independent of the key for the rest of the cipher,
there would also be no concern to prevent doing this. And the
encrypting speed of MARS would not be affected
significantly, either.)
Detailed Structure of MARS
The diagrams I will use here show the words of the block with
the first word on the left, and with the most significant byte of
each word on the left. Thus, before starting, and after finishing,
the bytes of the block being enciphered must be transposed to
the following order, if considered as numbered from 0 to 15:
3 2 1 0 7 6 5 4 11 10 9 8 15
14 13 12
to convert between little-endian to big-endian. With this

conversion applied, the procedure I am describing in big-
endian form will be correct.
The first step in MARS encipherment is to XOR the first four

subkey words, K0 to K3, with the four words of the block. (Of
course this can be thought of as the 128-bit XOR of a single
128-bit subkey, but this keeps the notation for subkeys
consistent.)
The four bytes of the first word in the block, W0, are used as
inputs to the two fixed S-boxes used by this cipher with eight
bits of input and 32 bits of output. The second word is XORed
with the word in S0 chosen by the least significant byte of the
first word and then the word in S1 chosen by the third, or
second least significant, byte of the first word is added to it.
The word in S0 chosen by the second byte of the first word is
added to the third word. The fourth word is XORed with the
word in S1 chosen by the first byte of the first word.
In the first and fifth round of this, the fourth word is added to
the first word, and in the second and sixth round of this, the
second word is added to the first word. This additional
complication is intended to protect against differential
cryptanalysis.
Then the words are rotated, so that the old first word becomes
the new fourth word, and the other words are moved to the
position immediately preceding their old position.
This is shown clearly in the diagram of MARS that has been

on the right side of this page above, which outlines the general
structure of MARS.
Also on this diagram are the next sixteen rounds, which constitute the "cryptographic core" of MARS. The
E function produces three 32-bit outputs from the first word of the block and two 32-bit subkeys. The 13-
bit circular left shift shown as being applied to the first word would be duplicated inside the E-function if it
really recieved only one input; that oversimplication is avoided in the following diagram,
which shows one of the forward core rounds (which I have chosen to label as type D in the first diagram
for ease of reference) in detail.
The final eight rounds of MARS are the inverse, in the sense of the operations performed, of the first eight
rounds of unkeyed mixing; subtraction replaces each addition, and the rounds are performed in reverse
order. However, the direction in which the four words are rotated after each round is not reversed, so these
rounds are not an exact inverse of the first four rounds in an overall sense.
S(0,1) in the diagram stands for an S-box with nine input bits and 32 output bits which is merely the
concatenation of S0 and S1.
The S-boxes in MARS are as follows (no, I didn't type them in myself; I must gratefully acknowledge the
C implementation of MARS by Brian Gladman as my source):
S-box 0:
09D0C479 28C8FFE0 84AA6C39 9DAD7287 7DFF9BE3 D4268361 C96DA1D4

7974CC93
85D0582E 2A4B5705 1CA16A62 C3BD279D 0F1F25E5 5160372F C695C1FB
4D7FF1E4
AE5F6BF4 0D72EE46 FF23DE8A B1CF8E83 F14902E2 3E981E42 8BF53EB6
7F4BF8AC
83631F83 25970205 76AFE784 3A7931D4 4F846450 5C64C3F6 210A5F18
C6986A26
28F4E826 3A60A81C D340A664 7EA820C4 526687C5 7EDDD12B 32A11D1D
9C9EF086
80F6E831 AB6F04AD 56FB9B53 8B2E095C B68556AE D2250B0D 294A7721
E21FB253
AE136749 E82AAE86 93365104 99404A66 78A784DC B69BA84B 04046793
23DB5C1E
46CAE1D6 2FE28134 5A223942 1863CD5B C190C6E3 07DFB846 6EB88816
2D0DCC4A
A4CCAE59 3798670D CBFA9493 4F481D45 EAFC8CA8 DB1129D6 B0449E20

0F5407FB
6167D9A8 D1F45763 4DAA96C3 3BEC5958 ABABA014 B6CCD201 38D6279F
02682215
8F376CD5 092C237E BFC56593 32889D2C 854B3E95 05BB9B43 7DCD5DCD
A02E926C
FAE527E5 36A1C330 3412E1AE F257F462 3C4F1D71 30A2E809 68E5F551
9C61BA44
5DED0AB8 75CE09C8 9654F93E 698C0CCA 243CB3E4 2B062B97 0F3B8D9E
00E050DF
FC5D6166 E35F9288 C079550D 0591AEE8 8E531E74 75FE3578 2F6D829A
F60B21AE
95E8EB8D 6699486B 901D7D9B FD6D6E31 1090ACEF E0670DD8 DAB2E692
CD6D4365
E5393514 3AF345F0 6241FC4D 460DA3A3 7BCF3729 8BF1D1E0 14AAC070
1587ED55
3AFD7D3E D2F29E01 29A9D1F6 EFB10C53 CF3B870F B414935C 664465ED

024ACAC7
59A744C1 1D2936A7 DC580AA6 CF574CA8 040A7A10 6CD81807 8A98BE4C
ACCEA063
C33E92B5 D1E0E03D B322517E 2092BD13 386B2C4A 52E8DD58 58656DFB
50820371
41811896 E337EF7E D39FB119 C97F0DF6 68FEA01B A150A6E5 55258962
EB6FF41B
D7C9CD7A A619CD9E BCF09576 2672C073 F003FB3C 4AB7A50B 1484126A
487BA9B1
A64FC9C6 F6957D49 38B06A75 DD805FCD 63D094CF F51C999E 1AA4D343
B8495294
CE9F8E99 BFFCD770 C7C275CC 378453A7 7B21BE33 397F41BD 4E94D131
92CC1F98
5915EA51 99F861B7 C9980A88 1D74FD5F B0A495F8 614DEED0 B5778EEA
5941792D
FA90C1F8 33F824B4 C4965372 3FF6D550 4CA5FEC0 8630E964 5B3FBBD6 7DA26A48

B203231A 04297514 2D639306 2EB13149 16A45272 532459A0 8E5F4872
F966C7D9
07128DC0 0D44DB62 AFC8D52D 06316131 D838E7CE 1BC41D00 3A2E8C0F EA83837E
B984737D 13BA4891 C4F8B949 A6D6ACB3 A215CDCE 8359838B 6BD1AA31
F579DD52
21B93F93 F5176781 187DFDDE E94AEB76 2B38FD54 431DE1DA AB394825 9AD3048F
DFEA32AA 659473E3 623F7863 F3346C59 AB3AB685 3346A90B 6B56443E
C6DE01F8
8D421FC0 9B0ED10C 88F1A1E9 54C1F029 7DEAD57B 8D7BA426 4CF5178A
551A7CCA
1A9A5F08 FCD651B9 25605182 E11FC6C3 B6FD9676 337B3027 B7C8EB14 9E5FD030
S-box 1:
6B57E354 AD913CF7 7E16688D 58872A69 2C2FC7DF E389CCC6 30738DF1

0824A734
E1797A8B A4A8D57B 5B5D193B C8A8309B 73F9A978 73398D32 0F59573E
E9DF2B03
E8A5B6C8 848D0704 98DF93C2 720A1DC3 684F259A 943BA848 A6370152
863B5EA3
D17B978B 6D9B58EF 0A700DD4 A73D36BF 8E6A0829 8695BC14 E35B3447
933AC568
8894B022 2F511C27 DDFBCC3C 006662B6 117C83FE 4E12B414 C2BCA766
3A2FEC10
F4562420 55792E2A 46F5D857 CEDA25CE C3601D3B 6C00AB46 EFAC9C28
B3C35047
611DFEE3 257C3207 FDD58482 3B14D84F 23BECB64 A075F3A3 088F8EAD
07ADF158
7796943C FACABF3D C09730CD F7679969 DA44E9ED 2C854C12 35935FA3
2F057D9F
690624F8 1CB0BAFD 7B0DBDC6 810F23BB FA929A1A 6D969A17 6742979B

74AC7D05
010E65C4 86A3D963 F907B5A0 D0042BD3 158D7D03 287A8255 BBA8366F
096EDC33
21916A7B 77B56B86 951622F9 A6C5E650 8CEA17D1 CD8C62BC A3D63433
358A68FD
0F9B9D3C D6AA295B FE33384A C000738E CD67EB2F E2EB6DC2 97338B02
06C9F246
419CF1AD 2B83C045 3723F18A CB5B3089 160BEAD7 5D494656 35F8A74B
1E4E6C9E
000399BD 67466880 B4174831 ACF423B2 CA815AB3 5A6395E7 302A67C5
8BDB446B
108F8FA4 10223EDA 92B8B48B 7F38D0EE AB2701D4 0262D415 AF224A30
B3D88ABA
F8B2C3AF DAF7EF70 CC97D3B7 E9614B6C 2BAEBFF4 70F687CF 386C9156
CE092EE5
01E87DA6 6CE91E6A BB7BCC84 C7922C20 9D3B71FD 060E41C6 D7590F15

4E03BB47
183C198E 63EEB240 2DDBF49A 6D5CBA54 923750AF F9E14236 7838162B
59726C72
81B66760 BB2926C1 48A0CE0D A6C0496D AD43507B 718D496A 9DF057AF
44B1BDE6
054356DC DE7CED35 D51A138B 62088CC9 35830311 C96EFCA2 686F86EC
8E77CB68
63E1D6B8 C80F9778 79C491FD 1B4C67F2 72698D7D 5E368C31 F7D95E2E A1D3493F
DCD9433E 896F1552 4BC4CA7A A6D1BAF4 A5A96DCC 0BEF8B46 A169FDA7
74DF40B7
4E208804 9A756607 038E87C8 20211E44 8B7AD4BF C6403F35 1848E36D
80BDB038
1E62891C 643D2107 BF04D6F8 21092C8C F644F389 0778404E 7B78ADB8
A2C52D53
42157ABE A2253E2E 7BF3F4AE 80F594F9 953194E7 77EB92ED B3816930

DA8D9336
BF447469 F26D9483 EE6FAED5 71371235 DE425F73 B4E59F43 7DBE2D4E
2D37B185
49DC9A63 98C39D98 1301C9A2 389B1BBF 0C18588D A421C1BA 7AA3865C
71E08558
3C5CFCAA 7D239CA4 0297D9DD D7DC2830 4B37802B 7428AB54 AEEE0347
4B3FBB85
692F2F08 134E578E 36D9E0BF AE8B5FCF EDB93ECF 2B27248E 170EB1EF
7DC57FD6
1E760F16 B1136601 864E1B9B D7EA7319 3AB871BD CFA4D76F E31BD782
0DBEB469
ABB96061 5370F85D FFB07E37 DA30D0FB EBC977B6 0B98B40F 3A4D0FE6
DF4FC26B
159CF22A C298D6E2 2B78EF6A 61A94AC0 AB561187 14EEA0F0 DF0D4164 19AF70EE
The Key Schedule
The key for MARS may be from 4 to 39 words in length. These words are considered to be little-endian in
format, so the first byte of the key is the least significant byte of the first word.
To generate the key, we use an array of words which is considered to have subscripts ranging from -7 to
39. The first seven words of this array, numbered from -7 to -1, are filled with the first seven words in the
S-box (or the first seven words in S-box zero).
Then, words 0 to 38 of the array are initialized in order with the following quantity:
The XOR of the following four items:
● The word in the position of the array seven places earlier

● The word in the position of the array two places earlier, shifted three bits left
● A word of the key (starting with the first word, and using the words of the key in rotation)
● The number of the array word being calculated (from 0 to 39)
Word 39 of the array is loaded with the number of words in the external key.
At this point, we forget words -7 through -1 of the array, and treat the array as containing only words 0
through 39.
Then, seven times over, starting from word 1 of the array, add to each word of the array the S-box entry
indicated by the most significant nine bytes of the preceding element of the array. Note that word 39 is
considered as preceding word 0, the last word to be modified by this loop.
Finally, word i of this temporary array, for i from 0 to 39, becomes subkey (7 * i) modulo 40.
A proposed change to the definition of MARS is to replace this key generation procedure, which
generates 40 subkey words in one step, with four instances of the following, each of which generates 10
subkey words:
To generate the key, we use an array of words which is considered to have subscripts ranging from 0 to
14. The key is placed in the array starting with word 0, the word in the array immediately following the
last word of the key is filled with the number of words in the key, and the remainder of the array is filled
with zeroes.
What follows is done four times, each time producing 10 words of subkey.
Then, words 0 to 14 of the array are initialized in order with the following quantity:
The XOR of the following five items:
● The word at the current position of the array.

● The word in the position of the array seven places earlier (modulo 15, so that word 8 is seven
places earlier than word 0)
● The word in the position of the array two places earlier (again modulo 15), shifted three bits left
● The number of the array word being calculated (from 0 to 9) shifted two bits left
● The number, from 0 to 3, of the instance of this procedure. (That is, 0 when we are generating the
first 10 subkey words, 1 when we are generating the second group of 10 subkey words.)
Then, four times over, starting from word 1 of the array, add to each word of the array the S-box entry
indicated by the most significant nine bits of the preceding element of the array. Note that word 14 is
considered as preceding word 0, the last word to be modified by this loop.
Finally, word (4 * i) modulo 15 of this temporary array, for i from 0 to 9, becomes subkey i plus 10 times
the iteration number (in the first iteration, considered iteration number zero, we generate subkeys 0
through 9, in the second iteration we generate subkeys 10 through 19, and so on).
Subkeys 5, 7, 9, 11, ... to 35 are used to multiply the first word of the block within the E function. These
subkey values are modified if necessary to ensure that they are good values for multiplication.
The method of correcting these subkeys is somewhat involved, and goes as follows:
Call the original value of the subkey SR.
Let SM be SR or 3.
Let IX be SR and 3.
Create MA such that only those bits in MA corresponding to a run of ten or more bits in SM are ones,
excluding the first and last bit of each run. (If MA is zero, SR does not need to be altered, so you can quit.)
Originally, the reference code implementing this procedure left the first bit of MA equal to one if the first
bit of SM was zero. A proposed modification to MARS is to change this to conform to the written
description.
Let MA be MA and FFFFFFFC - that is, set its last two bits to zero.
Use IX to select an element from this array (containing four values from the S-boxes):
0: A4A8D57B
1: 5B5D193B
2: C8A8309B
3: 73F9A978
then rotate the value right by the amount indicated by the element three places ahead
The proposed modification changes this to one place back. (Since only odd-numbered subkey words are
modified, this will always lead to a word in the same group of 10 words as the one being modified.)
in the array of words of internal key, and then modify the current key word by XORing it with that result
ANDed with MA.
Comments
As noted above, the unkeyed mixing rounds of MARS seemed to me to be somewhat wasteful. However, I
was one of what seemed to be only a few people who liked MARS, thinking it one of the likeliest
candidates to remain secure for a considerable time to come. Originally, I could not think of a good way to
modify the key schedule to produce keys for the mixing rounds. Once the key schedule was modified,
however, I saw a natural way to do this, which I described in a comment to Round 2 of the AES process.
However, a second comment in which I made a correction to that proposal got garbled.
My proposal, as corrected, is:
Using the new key schedule, after generating subkeys 30 to 39, the process that is applied to the array of
15 words to generate a batch of 10 subkeys is to be performed once again. Once this is done, the contents
of that array, the elements of which are known as T[0] through T[14], are to be modified as follows:
T[0] = T[0] xor subkey 6

...

The intent of this is to cause the contents of the array T to be a non-invertible function of the key. This is
done by XORing the contents of T after an iteration of the invertible transformation function with values
generated from it previous to that iteration.
The values chosen are all values used as subkey values, so that additional memory is not required to retain
other information to be used for this purpose. For that reason, the subkeys that were modified in order to
be used for the multiplication portion of the E function in the cryptographic core rounds of MARS are also
avoided.
Then, two additional iterations of the process previously used to generate a set of 10 subkey words are
performed, but from each of them only eight subkeys are now taken. Each subkey is used to provide four
bytes to XOR to the values used to index into the MARS S-boxes in one of the mixing rounds.
Because there are now seven, rather than four, instances of the procedure to modify the contents of the
array T, the number of the array word being calculated, when XORed with the contents of that word,
should be shifted three bits left instead of two bits left.
In my proposal, I did not specify how to take eight subkeys from each of the last two key generation
phases. I now suggest that, instead of choosing the subkeys based on (7 * i) mod 15, for each of these last
two phases, the eight subkeys taken should simply be from words T[8], T[9], ... T[14], T[0], thus always
using the last ones modified, and being different from the scheme used for the rest of MARS. However, if
the subkeys used for the first group of mixing rounds are subkeys 40 to 47 in order, and for the second
group 48 to 55 in order, the words taken from these rounds should be allocated to the subkeys as follows:
T[8] T[9] T[10] T[11] T[12] T[13] T[14] T[0]

Iteration 6 48 46 50 44 52 42 54 40
Iteration 7 47 49 45 51 43 53 41 55
Next
Chapter Start
Table of Contents
Main Page
SAFER+
SAFER+ is the proposal of Cylink Corporation for the Advanced Encryption Standard,
and its description is available at http://www.cylink.com/internet/library.nsf/pages/
SAFER/. It is very similar to the original 64-bit block cipher SAFER.
The following diagram shows one round of SAFER+:
it uses the same S-boxes as SAFER in the same way. Instead of the regular "butterfly"
formation of Pseudo-Hadamard Transforms used in the original SAFER, a slightly
irregular arrangement is used, so that the net result of the operations, given in the
document as the matrix M (it stated that that matrix could be realized by a four-layer
PHT network similar to the three-layer one in SAFER, but did not give the network;
thus this diagram rectifies the omission) has certain desirable properties.
One other improvement in SAFER+ over SAFER is that after matrix M is applied in
the last round, one extra subkey is applied to the block, using the same sequence of
alternating XORs and additions as is used for the first subkey in a round. This means
that the final application of matrix M is not a waste of time in terms of cryptographic
security.
For a key length of 128 bits, 8 rounds are used; for 192 bits, 12 rounds; and for a 256-
bit key, SAFER+ has 16 rounds.
The Key Schedule
The key schedule of SAFER+ is quite simple. The key, whatever its length, has one
byte appended to it, equal to the XOR of all the bytes in the key.
The first subkey consists of the first 16 bytes of the key. For each remaining subkey,
first rotate the expanded key left 11 bits, then take the first 16 bytes of the result, and
use them after XORing them with a constant. I am not reproducing the constants here;
the paper describing SAFER+ gives them, but in decimal form.
Next
Chapter Start
Table of Contents
Main Page
FROG
FROG is another block cipher which is based on whole-byte operations. In structure, it
has a slight resemblance to NewDES. The original description of it is available at http://
www.tecapro.com/aesfrog.htm.
A weakness has been uncovered in it, but a minor modification would correct that: of
its eight rounds, the last four could be performed in deciphering mode. (An appropriate
rearrangement of bytes between the first four rounds and the last four would ensure
against the possibility of a key existing that would cause the last four rounds to undo
the work of the first four.)
It does, however, require a considerable amount of RAM to store an unusually large

amount of subkey material.
Each round consists of sixteen steps, one for each byte of the block. Each round has the
following subkey material:
● 16 bytes of conventional subkey.

● One key-dependent invertible S-box with 8 inputs and 8 outputs.
● A sequence of the numbers 0 through 15 having certain properties.
In each step, one does the following:
● XOR that byte with one subkey byte.

● Take the result, and replace it by its substitute in the current round's S-box.
● Take that result, and (in addition to using it as the new value of that byte; the
previous two steps modify the byte, and are not an f-function) XOR it with the
next byte in the block (cyclically, of course, so byte 0 comes after byte 15).
● Also take that result, and XOR it with one other byte in the block, as indicated
by the sequence of numbers from 0 to 15.
The sequence of numbers from 0 to 15 is generated so that it is a permutation of the

numbers from 0 to 15 with a single cycle. This ensures that no number is its own
substitute. Then, if any number has itself plus 1 as its substitute, that number is
incremented (modulo 16) to avoid cancelling the fixed XOR.

Next
Chapter Start
Table of Contents
Main Page
LOKI97
Designed by Dr. Lawrie Brown, of the Australian Defence Force Academy with assistance
from Dr. Josef Pieprzyk (who designed the S-boxes) and Dr. Jeniffer Seberry, and named after
the Norse god of trickery and cunning, LOKI97 is a successor to the 64-bit block ciphers
LOKI89 and LOKI91. (Fittingly enough, Dr. Brown spent part of the sabbatical year during
which he designed it at a University in Norway!)
A paper (in Adobe Postscript format) describing LOKI97 is available at
http://www.adfa.oz.au/~lpb/research/loki97/
but a full description is also presented here, for the convenience of those without a convenient
means to view or print items in Postscript form.
LOKI97 is an iterative block cipher with 16 modified Feistel rounds.
In each round, two 64-bit subkeys are added (yes, using normal 64-bit addition including
carries) to the right half of the 128-bit block. Its value, after the first subkey is added, but
before the second subkey is added, is used as the input to the f-function for that round. This is
a nicely symmetrical way of both modifying the input to the f-function and modifying the right
half of the block as well.
A third 64-bit subkey is used as an input to the f-function; it is not directly added or XORed to
the right half of the block or a transformed version of it, but instead controls the f-function's
nonlinearity. For purposes of the key schedule, this 64-bit subkey is the second one; the two
added to the right half are the first and third, respectively. The output of the f-function is, as in
DES, XORed to the left half of the block.
The f-function
Unlike the f-function in DES, which includes the step of XORing the 48-bit subkey with the
right half of the block after the expansion permutation, the addition of subkeys to the right half
of the block is, in LOKI97, performed outside the f-function, as we have seen.
The first step in the f-function involves applying the least significant and rightmost (numbered
from 31 to 0 in the convention used in the paper describing LOKI97) 32 bits of the subkey
input (the entire 64-bit subkey input is called input B to the f-function) to the current value of
the right half of the block (after one of the two additions, as noted above, and which is called
input A to the f-function) as follows: a 1 bit in the 32 bits of subkey input used indicates that
corresponding bits of the two halves of the right half of the block are to be swapped. A bit
swap of this nature can be easily implemented by means of AND and OR instructions, and was
earlier used in the ICE block cipher.
LOKI has two distinct S-boxes; S1 contains 8192 values from 0 to 255, and S2 contains 2048
values from 0 to 255. After the expansion permutation which is the next step, these S-boxes
will be used in the order:
S1, S2, S1, S2, S2, S1, S2, S1
to produce a 64-bit output.
So the expansion permutation will produce groups of 13, 11, 13, 11, 11, 13, 11, and 13 bits
corresponding to each byte output from the bit-swapping step.
This is done by appending to the beginning of each byte either 5 or 3 bits, as needed, from the
least significant part of the preceding byte (going around the circle to append the least
significant 5 bits of the last byte to the front of the first one). This is simpler than the
expansion permutation of DES, which augmented each nybble of the input with one bit taken
from each of the two adjacent nybbles.
The output of the expansion permutation is then input to the S-boxes.
The output of the S-boxes, considered as consisting of bits 63 to 56 from the first S-box, bits
55 to 48 from the second S-box, and so on, is then permuted by the following permutation P:
7, 15, 23, 31, 39, 47, 55, 63, 6, 14, 22, 30, 38, 46, 54, 62,
5, 13, 21, 29, 37, 45, 53, 61, 4, 12, 20, 28, 36, 44, 52, 60,
3, 11, 20, 27, 35, 43, 51, 59, 2, 10, 18, 26, 34, 42, 50, 58,
1, 9, 18, 25, 33, 41, 49, 57, 0, 8, 16, 24, 32, 40, 48, 56
where this listing is of the output bits, each number showing from which input bit that output
was obtained. (Remember, the input bits are numbered from 63 down to 0 here.)
Finally, the 32-bit result is again submitted to the S-boxes, but this time in the following order:
S2, S2, S1, S1, S2, S2, S1, S1
with the additional five or three more significant bits of input required for each S-box supplied
by the leftmost or most significant half of the subkey input to the f-function. (One starts from
the left, and takes the leftmost bits of the subkey input for this purpose.)
The S-box contents
Each entry in the two S-boxes is equal to the cube of the one's complement of that entry's
position, modulo a polynomial in the Galois fields GF(2^13) for S1 and GF(2^11) for S2.This
technique is more familiar from calculating cyclic redundancy checks; a binary number, such
as 1101, is considered to be a polynomial:
1 * x^3 + 1 * x^2 + 0 * x + 1
in this case, the coefficients of which are modulo 2 numbers that can only be either 0 or 1.
For S1, the polynomial is 10100100010001, and for S2 the polynomial is 101010100111. In
each case, the polynomial is one bit wider than the S-box inputs, so it can be used, shifted to
the right if necessary, to XOR away every bit by which the cube extends past the width of the
S-box input. After that is done, only the last 8 bits of the result are used as the S-box entry, but
the reduction from either 13 or 11 bits to 8 is done by simple chopping.
Subkey generation
Subkeys for LOKI97 are generated by a modified version of the cipher itself.
The input to the subkey is considered to be composed of four 64-bit pieces, called K4, K3,K2,
and K1. When a 256-bit key is used, its first 64 bits become K4, its second K3, and so on.
A 192-bit key is converted to a 256 bit key as follows: the given key becomes the first 192 bits
of the 256-bit key to be used, and the last 64 bits are calculated by using the LOKI97 f-
function, with the first 64 bits acting as input A (the "righthalf" input) and the second 64 bits
acting as input B (the "subkey" input).
A 128-bit key is converted to a 256 bit key as follows: the given key becomes the first 128 bits
of the 256-bit key to be used, the third group of 64 bits (K2) is the f-function of the second 64
bits submitted as input A and the first 64 bits submitted as input B, and the fourth group of 64
bits (K1) is the f-function calculated with the first 64 bits submitted as input A and the second
64 bits as input B, exactly as in the 192-bit case.
Once the input key is in 256-bit form, as K4, K3, K2, and K1, the 48 subkeys used are
calculated as follows:
The LOKI97 f-function is calculated with the following inputs: the A input is K1 plus K3 plus
the hexadecimal constant 9E3779B97F4A7C15 multiplied by the number of the subkey
generation round (from 1 to 48), and the B input is K2.
K4 is XORed with this result, and the result of this XOR is the subkey generated as well.
Then, before the next f-function calculation, the subkeys are rearranged: the old K1 value
becomes the new K2 value, K2 goes to K3, K3 goes to K4, and K4, after the XOR (the same
as the subkey value) goes to K1.
For round 1, subkey 1 is what is first added to the right half of the block; subkey 2 is the B
input to the f-function, and subkey 3 is what is added secondly to the right half of the block.
This pattern continues with the remaining subkeys for theremaining rounds.
For decryption, subkey 1 becomes the additive inverse of subkey 48, subkey 2 becomes
subkey 47, subkey 3 becomes the additive inverse of subkey 46, and this repeats for each
group of three subkeys.
Analysis
LOKI97 was the first submission to the Advanced Encryption Standard process to be publicly
disclosed by its authors. Unfortunately, it was also the first one to be found to have flaws.
The fixed S-boxes, which took 11 or 13 bits of input, consisting of three or five supplemental
bits "borrowed" from the previous byte, plus the eight bits of the byte for which they provided
a substitute, simply consisted of apparently random bits. While their contents were designed to
have some good properties, the fact that the S-boxes did not contain eight or thirty-two
successive permutations of the numbers from 0 to 255 meant that the S-box output was biased.
An attack was found by Vincent Rijmen and Lars Knudsen that exploited this. (Note that a key-
dependent S-box, like that of Blowfish, does not need to be composed of bijections. Wide
fixed S-boxes, as used in CAST-128 and MARS, also don't appear to face that constraint.)
The structure of the S-boxes was only a problem because in the second S-box stage, the extra
bits of input to the S-boxes came only from the subkeys, so the biases in the S-boxes would
tend to leak those subkey bits.
In DES, additional efficiency can be gained by storing a table of the S-box values after they
have gone through permutation P. Here, the same S-box goes into the one fixed permutation,
after the first S-box stage, at different places, and then the second S-box stage is not followed
by a permutation. This complicates implementation, and loses the additional diffusion an extra
permutation layer (which would be available "for free", if identical) would provide.
Next
Chapter Start
Table of Contents
Main Page
CAST-256
CAST-256 is the Canadian entry in the competition for the new Advanced Encryption
Standard. It takes its name from the original CAST cipher, designed by Carlisle Adams
and Stafford Tavares; they and others worked on the design of CAST-256. The original
paper describing the cipher is at this location:
http://www.entrust.com/resources/pdf/cast-256.pdf
Unless it is chosen as the AES, licensing is likely to be required to use this submission
as well as some others.
It uses an f-function that produces a 32-bit output from a 32-bit input, and each round
consists of modifying one 32-bit quarter of the block by XORing it with the f-function
of another 32-bit quarter of the block. There are 48 rounds in CAST-256.
The rounds are organized in groups of four, called quadrounds. CAST-256 begins with
six forwards quadrounds, and then continues with six reversed quadrounds, which are
reversed exactly as would be required for decipherment. Thus, to perform CAST-256
decipherment, it is only necessary to change the order in which the subkeys are used.
Each round uses two subkeys, a "mashing" subkey 32 bits in length, and a rotation
subkey 5 bits in length. A reverse quadround is reversed to the extent that the four
rounds within it actually use their subkeys in reverse order; thus, the rounds of CAST-
256 use their subkeys in this order:
0 1 2 3 ... 22 23
27 26 25 24 31 30 29 28 35 34 33 32
39 38 37 36 43 42 41 40 47 46 45 44
The f-function in CAST-256 comes in three different flavors, with the positions in
which the operations of addition, XOR, and subtraction are used changed. In the first
type of f-function, the input first has the current mashing key added to it. Then, the
result is given a circular left shift the extent of which is given by the current rotation
key. Then, each of the four bytes of the result are used to select entries from one of the
four S-boxes. The entries in the S-boxes are 32 bits wide. The entry in S1, selected by
the first byte, first has the S2 entry selected by the second byte XORed to it, then the
S3 entry selected by the third byte subtracted from it, then the S4 entry selected by the
fourth byte added to it.
In the f2 function, the mashing key is XORed, the S2 entry is subtracted, the S3 entry
is added, and the S4 entry is XORed.
In the f3 function, the mashing key is subtracted, the S2 entry is added, the S3 entry is
XORed, and the S4 entry is subtracted.
The following diagram illustrates the operation of a forwards quadround:

The block is divided into four 32-bit segments. First, an f1 f-function of the fourth
segment is XORed to the third segment, then an f2 f-function of the third segment is
XORed to the second segment, then an f3 f-function of the second segment is XORed
to the first segment, and finally an f1 f-function of the first segment is XORed to the
fourth segment.
The Key Schedule
An operation called an "octave" is used to generate the CAST-256 key schedule. An

octave is just like a forwards quadround, except it operates on a 256-bit block, and
comprises eight rounds; first, an f1 f-function of the eighth segment is XORed to the
seventh segment, and so on until an f2 f-function of the first segment is XORed to the
eighth segment at the end.
CAST-256 may have a key that is 128, 160, 192, 224 or 256 bits long, providing two
additional key lengths besides those required for an AES candidate. The 256-bit input
to the first octave consists of the key padded with zero 32-bit words in the rightwards,
later positions.
The subkeys used for the octaves are as follows: the first mashing subkey is 5A827999
in hexadecimal, and the first rotation subkey is 19 in hexadecimal.
Subsequent subkeys are formed by adding 6ED9EBA1 to the previous round's mashing
subkey, and adding 17 (again, hexadecimal) to the previous round's rotation subkey.
Needless to say, the two additions are modulo 2^32 and 2^5, respectively.
The value of the block after each octave supplies enough subkey material for one
quadround of the cipher. The eight 32-bit segments of the 256-bit block supply KR0,
KM3, KR1, KM2, KR2, KM1, KR3, and KM0 in order: that is, the first segment
supplies the first rotation key for the quadround (all but the last five bits are ignored),
the second segment supplies the last mashing key for the quadround, and one proceeds
onwards, forwards through the rotation keys and backwards through the mashing keys.
Since CAST-256 has 48 rounds in 12 quadrounds, twelve octaves are required to

produce all the subkey material needed.
Next
Chapter Start
Table of Contents
Main Page
Magenta
Magenta is a block cipher with a complex and deeply nested design. However, the S-
box has a simple structure, and there are also weaknesses in the key schedule. This led
to cryptanalytic results being obtained against it shortly after it was disclosed.
Although it has been claimed that there are other weaknesses in the design, it still
seems to me that the design contains some useful principles.
The S-box used in Magenta is the following:
1 2 4 8 16 32 64 128 101
202 241 135 107 214 201 247 139 115
230 169 55 110 220 221 223 219 211
195 227 163 35 70 140 125 250 145
71 142 121 242 129 103 206 249 151
75 150 73 146 65 130 97 194 225
167 43 86 172 61 122 244 141 127
254 153 87 174 57 114 228 173 63
126 252 157 95 190 25 50 100 200
245 143 123 246 137 119 238 185 23
46 92 184 21 42 84 168 53 106
212 205 255 155 83 166 41 82 164
45 90 180 13 26 52 104 208 197
239 187 19 38 76 152 85 170 49
98 196 237 191 27 54 108 216 213
207 251 147 67 134 105 210 193 231
171 51 102 204 253 159 91 182 9
18 36 72 144 69 138 113 226 161
39 78 156 93 186 17 34 68 136
117 234 177 7 14 28 56 112 224
165 47 94 188 29 58 116 232 181
15 30 60 120 240 133 111 222 217
215 203 243 131 99 198 233 183 11
22 44 88 176 5 10 20 40 80
160 37 74 148 77 154 81 162 33
66 132 109 218 209 199 235 179 3
6 12 24 48 96 192 229 175 59
118 236 189 31 62 124 248 149 79
158 89 178 0
Start with 1, and shift one position left to obtain the next entry: when 1 is shifted out,
XOR the contents with 101. This obtains the first 255 entries of the table; use 0 as the
last entry.
In the Magenta documentation, f(x) is defined as entry x in this S-box. On that basis,
other functions are defined in a step by step manner:
A(x,y) = f(x xor f(y)) [x and y are both bytes]
PE(x,y) = (A(x,y),A(y,x)) [that is, PE(x,y) is A(x,y) catenated with A(y,x)]
pi(x(0), x(1), ... x(15)) = ( PE(x(0),x(8)), PE(x(1),x(9)), PE(x(2),x(10)), ... PE(x(7),x

(15)) )
To help keep track of where we are so far, this diagram illustrates how pi(X) operates
on a 16-byte bit string:
T(w) = pi(pi(pi(pi(w)))) [where w is a 16-byte vector]
S(x(0),x(1),x(2),...x(15)) = (x(0),x(2),x(4),...x(14),x(1),x(3),x(5),...x(15))
Our last preparatory definition is that of C(n,w), where n is a number, and w a 16-bit
vector, as the following:
C(1,w) = T(w)
C(n+1,w) = T(w xor S(C(n,w)))
Note that n is not a piece of the key or of the block being encrypted; it is a parameter
giving the depth of recursion used.
Finally, with all these definitions, Magenta is a Feistel cipher.

Each Feistel round is expressed as taking (X(1),X(2)), where each X is half the block,
64 bits in length, and replacing it with (X(2),X(1) xor F(X(2),SK(n))), where n is the
round number, and SK(n) the n-th subkey.
The F function equals the first eight bytes of S(C(3,(X(2),SK(n)))).
Thus, a round of Magenta may be pictured as follows:

The key schedule is as follows:
● for a 128-bit key, the key is divided into parts, K1, K2, and the subkeys for the
six rounds in order are K1, K1, K2, K2, K1, K1.
● for a 192-bit key, K1, K2, K3, K3, K2, K1.
● for a 256-bit key, K1, K2, K3, K4, K4, K3, K2, K1.
It appears that, except for swapping halves, Magenta is reciprocal. The first paper
giving a cryptanalysis of Magenta incorrectly gave the key schedule as K1 K2 K1 K1
K2 K1, it appears.
Originally, the F function was going to be the first eight bytes of S(C(7,(X(2),SK(n)))),
but the number of rounds inside the f-function was reduced because of a possible
weakness. Even so, Magenta is deeply nested with complexity.
Next
Chapter Start
Table of Contents
Main Page
The Decorrelated Fast Cipher

The Decorrelated Fast Cipher is an eight-round Feistel cipher with a somewhat
different f-function. It uses one S-box, with bits taken from the expansion of e, having
64 entries, each 32 bits long.
The original version of its specification is available on its designer Serge Vaudenay's
web site.
The arrangement of the Feistel rounds is like that of DES, with halves swapped after all
rounds but the last one.
The f-function has two steps.
First, two 64-bit subkeys (considered as two halves of a single 128-bit round subkey)
are applied to the right half of the block by multiplication and addition, modulo 2^64
+13. Then the last 64 bits of the result are used.
Then, the right and left halves of the 64-bit result are swapped. The new left half has an
S-box entry, chosen by the rightmost 6 bits of the new right half, XORed to it. The new
right half is only XORed with a constant.
Finally, the 64-bit result has a 64-bit constant added to it.
Although this description is short and simple, using multiplication with an odd
modulus in the f-function ensures that every bit of the f-function output depends on
every bit of its input.
More importantly, the use of both multiplication and addition has an important
property, which explains the meaning of the word 'decorrelation' in the name of this
cipher, and which also is connected with the use of Galois field multiplication in some
other ciphers in this section, such as Rijndael and Twofish.
Because of the distributive property involving both multiplication and addition, that
a*x + a*y = a*(x+y), thus multiplication distributes over addition, the following is true:
Let us suppose the input p produces the output q, and r produces the output s, after
being first multiplied by a and then having b added to it. If you change a, and then
change b so that p still produces q, r can produce anything, because the difference
between q and s is proportional to the multiplier a.
This also works when Galois field multiplication is used, with XOR taking on the role
of addition. This subject is more extensively discussed in a section entitled A Note on
the Importance of the Galois Field.
In the case of multiplication modulo 2^64+13, followed by truncation to 64 bits, the

property is only followed approximately, and with Galois field multiplication, one
cannot include zero as a multiplier.
Using two additions, separated by an S-box corresponding to a permutation

corresponding to wiring a rotor by the interval method seems like it might work, since
a somewhat similar property is involved. But the property is not the same, since it
involves adding something to one of the two values considered instead of to both.
However, note that multiplication under a prime modulus is isomorphic to addition, so
there are S-boxes that would approximate this property for two additions.
Next
Chapter Start
Table of Contents
Home Page
Block Cipher Modes

At the same time that DES was brought to public attention, a number of ways of using DES were recommended.
The obvious way of using DES is simply to apply it directly to plaintext, transforming each 64-bit block of
plaintext. This is called ECB, or Electronic CodeBook mode.
There are two reasons this mode might not be found satisfactory. If the same message is sent twice, with the same
key, its enciphered form will also be identical. Also, one needs to have eight bytes of plaintext available before
performing encipherment. Thus, other ways of using DES were proposed. None of them strengthened the basic
cipher, or added to the size of the key.
Cipher Block Chaining (CBC)
CBC, for Cipher Block Chaining, is one of the most popular modes. It addresses the first of the two problems with
ECB mode. Each plaintext block, before being encrypted normally by DES (as in ECB mode) is XORed with the
previous ciphertext block. The first plaintext block is XORed with a random 64-bit block, called the initialization
vector, which is transmitted in the clear. This mode looks like this:
Plaintext
| |
--->XOR -------->XOR
| | |
----------- | -----------
| DES | | | DES |
----------- | -----------
| | |
| | |
|--------- |-----
| |
| |
Ciphertext
The useful properties of CBC mode can be illustrated by means of the following short demonstration:
Let's imagine a block cipher that operates on three-letter groups, and uses Vigenere instead of XOR...
Plain: BIL LNE EDS MON EYX

Previous cipher: ZQT MNM VTI UTU LKE
--- --- --- --- --- Vigenere step
AYE XAQ ZWA GHI PIB
=== === === === === Block cipher step
Cipher: ZQT MNM VTI UTU LKE MRV
Now, if we change the message at the beginning, everything changes all the way through, because information
indeed keeps getting propagated:
Plain: MIK ENE EDS MON EYX

Previous cipher: ZQT RJY QEI RMQ LVI
--- --- --- --- --- Vigenere step
LYD VWC UHA DAD PTF
Cipher: ZQT RJY QEI RMQ LVI SZR
But if, instead, it is the original message that is sent, and a transmission error takes place, so that instead of
recieving
ZQT MNM VTI UTU LKE MRV
the reciever gets
ZQT MKM VTI UTU LKE MRV
then only two blocks are destroyed. Since each ciphertext block was a function of the plaintext block and the
previous ciphertext block, each plaintext block is a function of the ciphertext block and the previous ciphertext
block. As long as those two ciphertext blocks are right, the rest of the message is irrelevant.
Cipher: ZQT MKM VTI UTU LKE MRV

=== === === === === Inverse block cipher step
PQK XAQ ZWA GHI PIB (1)
Previous cipher: ZQT MKM VTI UTU LKE (2)
--- --- --- --- --- Inverse Vigenere ((1)-(2))
Plaintext: QAR LPE EDS MON EYX
In this decipherment example, the first plaintext block is totally garbled, because the erroneous ciphertext block is
the input into the block cipher; the second plaintext block only has an error which matches that of the plaintext
block, because the erroneous block is used in a Vigenere calculation after the block cipher.
Thus, someone could even note that ...EDSMONEY is probably NEEDSMONEY, and work out that LPE should
become LNE. That would allow MKM to be corrected to MNM, and the message recovered.
Propagating Cipher Block Chaining (PCBC)
A mode somewhat similar to CBC, called PCBC, for Propagating Cipher Block Chaining, XORs each plaintext
block, before being encrypted normally by DES, with both the previous ciphertext block and the previous
plaintext block. Since on decipherment, the DES decryption is done first with both XORs taking place afterwards,
if two ciphertext blocks are swapped, while they will decrypt incorrectly, succeeding blocks will again decrypt
normally. As this mode was intended to take the place of the use of a checksum for guaranteeing message
integrity, this characteristic was considered a flaw, and led to this mode's being abandoned in favor of ordinary
CBC when Kerberos, the one well-known place where it was used, went from version 4 to version 5.
Output Feed Back (OFB)
OFB, for Output FeedBack, addresses both the first and second problems noted earlier that exist with ECB mode.
An initialization vector is again sent in the clear. It is repeatedly encrypted by DES, and the result of doing so is
XORed with the successive blocks of the plaintext.
This mode has two problems of its own. The plaintext itself is only subjected to an XOR. This means that if the
plaintext is known, another plaintext can be substituted by inverting the same bits of the ciphertext as one would
need to invert of the plaintext to do so. This is called a bit-flipping attack. And there is always the possibility,
admittedly a slim one, that one might choose a key and an initialization vector such that the successive blocks
generated might repeat in a short loop.
Cipher Feed Back (CFB)

A mode which seems to avoid most of the problems so far encountered is CFB, for Cipher FeedBack. Here, a
plaintext block is enciphered by being XORed to the DES encryption of the previous ciphertext block. For the first
plaintext block, an initialization vector again takes the role of the first plaintext block. This mode can be illustrated
as follows:
Plaintext
| |
| |
--->XOR |---| -------->XOR
| | | | |
| | D | | |
|-----| E |---- |-----
| | S | |
| | | |
| |---| |
Ciphertext
A bit-flipping attack will garble subsequent blocks, and so if one takes care that messages have checksums,
straddle more than one block, and so on, that is prevented despite the fact that the plaintext is only subjected to an
XOR at the time of being enciphered. Since the plaintext modifies what is used to XOR later parts, there is no
problem of a generator falling into a short loop.
This mode limits the propagation of transmission errors to the same extent as CBC mode. Once again, this can be
illustrated using an alphabetic cipher as an example. To simplify matters, the same block cipher key and the same
plaintext are used as in the previous example, and this will show that these two modes are very closely related.
Previous cipher: QXD AYE XAQ ZWA GHI

Enciphered previous: ZQT MNM VTI UTU LKE
Plain: BIL LNE EDS MON EYX
--- --- --- --- --- Vigenere step
Cipher: QXD AYE XAQ ZWA GHI PIB
Now, if we change the message at the beginning, everything changes all the way through, because information
indeed keeps getting propagated:
QXD LYD VWC UHA DAD

Enciphered previous: ZQT RJY QEI RMQ LVI
Plain: MIK ENE EDS MON EYX
--- --- --- --- --- Vigenere step
Cipher: QXD LYD VWC UHA DAD PTF
But if, instead, it is the original message that is sent, and a transmission error takes place, so that instead of
recieving
QXD AYE XAQ ZWA GHI PTB
the reciever gets
QXD AYE XCQ ZWA GHI PTB
then only two blocks are destroyed. Since each ciphertext block was a function of the plaintext block and the
previous ciphertext block, each plaintext block is a function of the ciphertext block and the previous ciphertext
block. As long as those two ciphertext blocks are right, the rest of the message is irrelevant.
Previous cipher: QXD AYE XCQ ZWA GHI

Enciphered previous: ZQT MNM JRP UTU LKE (1)
Cipher: QXD AYE XCQ ZWA GHI PTB (2)
--- --- --- --- --- Inverse Vigenere ((2)-(1))
Plaintext: BIL LPE QFL MON EYX
In this decipherment example, the first plaintext block only has an error which matches that of the plaintext block,
but the second block is totally garbled, because the erroneous ciphertext block went through the block cipher
before being applied to the plaintext.
This mode has variants that involve performing DES encryptions more often, such as once for each bit or byte.
Some problems have been claimed with these variants, and they require more computation without increasing
security.
Triple-DES
A common way to increase the security of DES is to apply DES to a block three times. Using DES twice is
avoided, because of the possibility of an attack which reduces the security of double-DES almost to the level of
single-DES; this attack, called the meet-in-the-middle attack, requires a very large quantity of memory.
Usually, Triple-DES is done by encrypting with one key, decrypting with another, and then encrypting again with
either the first key or a third one. This way, if all three phases are done with the same key, interoperability with
regular single DES is possible. This is called EDE mode, for Encrypt-Decrypt-Encrypt.
If one is going to use DES three times, one can be more elaborate.
If one is going to use Triple-DES, one can also increase the effective block size of DES through something called
an Outerbridge construction. The image below illustrates a generalization of that construction to quadruple, rather
than merely double, the block size, and to increase the effective key size as well. The 64-bit blocks are considered
to be divided into four 16-bit parts, which are distributed between DES operations.
And here is the same diagram in ASCII graphics format:

------------ ------------ ------------ ------------
| K1 | | K2 | | K3 | | K4 |
------------ ------------ ------------ ------------
| | | | | | | | | | | | | | | |
| | | | | | | \ | / | | | | | |
| | | | | | \ ----- |/ | \ | / | |
| \ \ \ | | \ \| | --- -|- / |
| \ \ ----------------------------------- \/ | / |
| \ ---------------------- / |\ | \ /\ | / |
| -------- | | \ \ | ----|---- \ / / |
| \/ | \/ \/ | \/ \/ \/ |
| /\ | /\ /\ | /\ /\ /\ |
| -------- | | / / | ----|---- / \ \ |
| / ---------------------- \ |/ | / \/ | \ |
| / / ----------------------------------- /\ | \ |
| / / / | | / /| | --- -|- \ |
| | | | | | / ----- |\ | / | \ | |
| | | | | | | / | \ | | | | | |
| | | | | | | | | | | | | | | |
------------ ------------ ------------ ------------
| K5 | | K5 | | K5 | | K5 |
------------ ------------ ------------ ------------
| | | | | | | | | | | | | | | |
| | | | | | | \ | / | | | | | |
| | | | | | \ ----- |/ | \ | / | |
| \ \ \ | | \ \| | --- -|- / |
| \ \ ----------------------------------- \/ | / |
| \ ---------------------- / |\ | \ /\ | / |
| -------- | | \ \ | ----|---- \ / / |
| \/ | \/ \/ | \/ \/ \/ |
| /\ | /\ /\ | /\ /\ /\ |
| -------- | | / / | ----|---- / \ \ |
| / ---------------------- \ |/ | / \/ | \ |
| / / ----------------------------------- /\ | \ |
| / / / | | / /| | --- -|- \ |
| | | | | | / ----- |\ | / | \ | |
| | | | | | | / | \ | | | | | |
| | | | | | | | | | | | | | | |
------------ ------------ ------------ ------------
| K1 | | K2 | | K3 | | K4 |
------------ ------------ ------------ ------------
If only the keys for the four middle operations were different, a meet-in-the-middle attack could reduce the
security of this to that of ordinary Triple-DES, but varying the keys on the outside genuinely lengthens the key.
(However, varying them on the inside may be a good idea too, as there may be other types of attack possible.)
Another suggestion for modifying Triple-DES to encipher a large block of text was made by Carl Ellison. What
was suggested was the following: in addition to enciphering an input text by means of ECB mode three times,
twice, between each pair of DES encryptions, the bytes of the entire message would be transposed. The
transposition would not depend on any secret key, but instead the number of times each possible byte value from 0
to 255 occured in the text being transposed (which, of course, is not changed by transposition) would provide the
"key" for the transposition.
But a chosen-plaintext attack on this scheme was found by Paul Crowley.
The attack works like this: encipher a message consisting of the same block repeated over and over.
After the first DES encryption, the result will also consist of a single block repeated over and over. So, after the
first unkeyed transposition, the result will be a message consisting of at most eight different byte values in
scrambled order.
If the message is long enough, it will be very likely that the result of the first unkeyed transposition will include
two identical blocks, while this would still be very unlikely in any other case. This will result in two identical
blocks being found in the output of the second DES encryption.
Now, it becomes possible, using the actual ciphertext produced by encrypting the chosen plaintext, to perform a
brute-force search on the key of the third DES encryption stage only. After decrypting the ciphertext by a trial
key, one can then reverse the second unkeyed transposition stage. This obtains a possible intermediate text which
will, or will not, include a repeated block in it.
By using more than one chosen plaintext of repeated identical blocks, one can check if such a possible key is
correct.
Then, a brute-force search on the key for the first DES stage is possible, because different keys would, by
producing different inputs to the first unkeyed transposition stage, result in repeated blocks at different locations
in the message. Finally, with both the first and third DES keys known, the inputs and outputs to the second DES
stage are known, and so that key can be searched for independently.
Clearly, it is easy to frustrate this specific attack. The second DES stage could use a chaining mode of encryption,
which would completely conceal any repeated blocks which it recieved as input.
As well, if a system using such a cipher were vulnerable to a chosen-plaintext attack, it could be constructed so as
to use a separate session key for each message, with only the random session key being enciphered by a
permanent key that could be used to read other messages.
If the transposition stages used a large secret key, in addition to being varied by the byte frequencies, then the
search for the key for the third DES stage would become much more difficult, although it is possible that
transposed bytes of a message with repeated blocks would still be distinguishable, particularly if a sufficiently
large number of chosen plaintexts is used.
However, this result is still relevant, because it illustrates how easily a measure which one might think would
make triple-DES more secure, by mixing the bytes of a message together in an unknown way, would actually
reduce security by allowing the keys of the three DES layers to be searched for independently of one another.
Other Modes
Also, another way in which to get more mileage out of a block cipher would be to use it as the heart of a sort of
nonlinear shift-register. Instead of using a shift register whose cells contain bits, however, the cells of the shift
register would contain entire 64-bit (or larger) blocks.
An example of what such a mode might be like is shown in the diagram below:
Plaintext
|
-------
| DES |
-------
|
XOR<---------ADD<----ADD<---
| | | |
------- | | |
| DES | | | |
------- -------------------
| | | | | | | | | | |
|-------->| | | | | | | | | |
| | | | | | | | | | |
------- -------------------
| DES |
-------
|
Ciphertext
Three layers of DES are shown; the first and the last are in ECB mode, and serve to keep the contents of the shift
register hidden.
The middle layer of DES is the one operating in an unusual mode. Its output is saved in a shift register. The output
blocks produced 2, 4, and 7 blocks previously are added together (with normal arithmetic addition, including
carries, so that the shift register actually contains 64-bit quantities, instead of merely being effectively 64 single-
bit wide shift registers in parallel), and the result is XORed with the input to the middle DES operation. This is
essentially a variation on cipher block chaining (CBC) mode.
A mode like this:
Plaintext
| |
--->XOR -------->XOR
| | |
----------- | -----------
| DES 1 | | | DES 1 |
----------- | -----------
| | |
--->XOR |---| |-------->XOR
| | D | | |
| | E | | |
|-----| S |---- |-----
| | | |
| | 2 | |
| |---| |
Ciphertext
based on a different mode devised by Matt Blaze of AT&T, illustrates how additional security may be achieved by
using DES twice for each block encrypted. (Unlike Matt Blaze, though, I got things at least slightly wrong: with
2^32 known plaintexts, which may be hard to obtain under many circumstances, a birthday attack can provide the
necessary information for permitting a meet-in-the-middle attack on the mode shown here.)
Just encrypting each block twice in a row is usually not done; instead, if that type of mode is desired, encryption is
performed three times in a row.
This is because, with a stretch of both plaintext and ciphertext known, it is possible to try each possible key on the
plaintext and ciphertext separately, and then look for matches. This approach, called the meet-in-the-middle attack,
does require a large amount of memory. However, even if that attack is more theoretical than real, the fact that one
theoretical weakness exists indicates the possibility of other, more exploitable, weaknesses that may also exist
even if they are not known at present.
Ron Rivest, one of the inventors of the RSA public-key algorithm, noted that because of the desirable properties
of DES, it is possible to obtain a genuine increase in its key size simply by XORing the input to DES, and the
output from DES, each by an additional 64 bits of key material. This form of enhanced DES is called DESX.
Other enciphering modes that provide a genuine improvement in the security of DES are possible. For example,
here is a single-DES mode with variable whitening:
Plaintext
| | |
---SS1-->XOR ---SS1-->XOR ---SS1-->XOR
| | | | | |
| --------------- | --------------- | ---------------
|->| | | | | | | | | |->| | | | | | | | | |->| | | | | | | | |
| --------------- | --------------- | ---------------
| | --| | --| |
|---SS2-->XOR | |---SS2-->XOR | |---SS2-->XOR
| | | | | | | |
---------->XOR --------------->XOR --------------->XOR
| | | | | | | | | |
| |---------->XOR | |---------->XOR | |-----
| --------- | | | --------- | | | ---------
| | DES | | | | | DES | | | | | DES |
| --------- | | | --------- | | | ---------
| --------------------- | --------------------- | --------------
| | | | | | | | | | |
--- |----------------- |----------------- |-----
| | | | | |
|---SS3-->XOR |---SS3-->XOR |---SS3-->XOR
| | | | | |
| --------------- | --------------- | ---------------
|->| | | | | | | | | |->| | | | | | | | | |->| | | | | | | | |
| --------------- | --------------- | ---------------
| | | | | |
|---SS4-->XOR |---SS4-->XOR |---SS4-->XOR
| | |
Ciphertext
The DES layer in the middle uses CBC mode, so as to provide an additional source of random variation.
Before and after DES encryption, a 64-bit value is used to choose one of four whitening quantities to XOR with
the message, four times, and is used twice to choose one of eight invertible substitutions for each byte of the
block. Thus, this consumes 4+24+4+4+24+4 bits. Since each side is "guarded" by only a 32 bit unknown quantity,
the XOR of the input to DES for the previous block and the output from DES for the block before is used.
This 64 bit quantity could also be the output of another DES encryption, perhaps one operating in OFB or counter
mode, or the DES encryption of the previous ciphertext block as in CFB.
Similar concepts are explored in the section on the Large-Key Branstorm.
Next
Chapter Start
Table of Contents
Main Page
Cryptanalytic Methods for Modern

Ciphers
Block ciphers like DES are intended to be very hard to break, and they are largely
successful in achieving this. Having even copious quantities of corresponding plaintext
and ciphertext, it is intended that the fastest way to discover the key, so as to be able to
decrypt other messages, would be a brute-force search, that is, trying every possible
key until the right one is found.
Many block ciphers appear to meet this condition. Two cryptanalytic methods that can
do slightly better with some of the earlier block ciphers, such as DES and LUCIFER,
are differential cryptanalysis and linear cryptanalysis.
Other techniques, which are of interest against weaker ciphers, and which partially
account for the fact that DES has sixteen rounds, instead of eight, such as hill-climbing
techniques and genetic algorithms, are discussed in the next section.
In the book The Hut Six Story, Gordon Welchman first revealed one of the innovations
used with the Bombe in connection with the cryptanalysis of the German Enigma. He
also noted that it embodied a general principle which made present-day ciphers weaker
than they might be expected to be.
● Differential and Linear Cryptanalysis

❍ Extensions of Differential Cryptanalysis
❍ The Boomerang Attack
● Cryptanalysis, Almost by Aimlessly Thrashing About

● Hidden Markov Methods
Next
Chapter Start
Table of Contents
Home Page
Differential and Linear Cryptanalysis

Multi-round ciphers such as DES are clearly very difficult to crack. One property they
have is that even if one has some corresponding plaintext and ciphertext, it is not at all
easy to determine what key has been used.
Differential Cryptanalysis
However, if one is fortunate enough to have a large quantity of corresponding plaintext

and ciphertext blocks for a particular unknown key, a technique called differential
cryptanalysis, developed by Eli Biham and Adi Shamir, is available to obtain clues
about some bits of the key, thereby shortening an exhaustive search.
After two rounds of DES, knowing both the input and output, it is trivial to determine
the two subkeys used, since the outputs of both f-functions are known. For each S-box,
there are four possible inputs to produce the known output. Since each subkey is 48 bits
long, but the key is only 56 bits long, finding which of the four possibilities is true for
each group of six bits in the subkeys is a bit like solving a crossword puzzle.
Once the number of rounds increases to four, the problem becomes much harder.
However, it is still true that the output depends on the input and the key. For a limited
number of rounds, it is inevitable, without the need for any flaws in the S-boxes, that
there will be some cases where a bit or a combination of bits in the output will have
some correlation with a simple combination of some input bits and some key bits.
Ideally, that correlation should be absolute with respect to the key bits, since there is
only one key to solve for, but it can be probabilistic with respect to the input and output
bits, since there need to be many pairs to test.
As the number of rounds increases, though, the simple correlations disappear.

Differential cryptanalysis represents an approach to finding more subtle correlations.
Instead of saying "if this bit is 1 in the input, then that bit will be 0 (or 1) in the output",
we say "changing this bit in the input changes (or does not change) that bit in the
output".
In fact, however, a complete pattern of which bits change and do not change in the
input and in the output is the subject of differential cryptanalysis. The basic principle of
differential cryptanalysis, in its classic form, is this: the cipher being attacked has a
'characteristic' if there exists a constant X such that given many pairs of plaintexts A,
B, such that B = A xor X, if a certain statement is true about the key, E(B,k) = E(A,k)
xor Y for some constant Y will be true with a probability somewhat above that given
by random chance.
Linear Cryptanalysis
Linear cryptanalysis, invented by Mitsuru Matsui, is a different, but related technique.

Instead of looking for isolated points at which a block cipher behaves like something
simpler, it involves trying to create a simpler approximation to the block cipher as a
whole.
For a great many plaintext-ciphertext pairs, the key that would produce that pair from
the simplified cipher is found, and key bits which tend to be favored are likely to have
the value of the corresponding bit of the key for the real cipher. The principle is a bit
like the summation of many one-dimensional scans to produce a two-dimensional slice
through an object in computer-assisted tomography.
● Extensions of Differential Cryptanalysis

● The Boomerang Attack
Next
Chapter Start
Table of Contents
Main Page
Extensions to Differential Cryptanalysis

Several powerful methods of cryptanalysis have been developed that start from
differential cryptanalysis, and deal with block ciphers that, while resistant to
conventional differential cryptanalysis as originally conceived, can still be attacked
using more subtle developments from that principle.
Truncated differentials
It is of course possible that some of the bits of E(A,k) xor E(B,k) will be more likely to
match those of Y than others. If one can, in addition, ignore some of the bits of A and
B, one has a truncated differential for the cipher being attacked, and this technique, due
to Lars R. Knudsen, has been found to be very powerful. (Being able to ignore some
bits of A and B may allow two or more truncated differentials to be used together, and
this is why it is important.)
Higher-order Differentials
Another important addition to the available techniques deriving from differential

cryptanalysis is the use of higher-order differentials, which first appeared in a paper by
Xuejia Lai.
A differential characteristic of the type described above, where for a large number of
different values of A, B equals A xor X, and the encrypted versions of A and B for a
given key, k, are expected to have the relation E(A,k) = E(B,k) xor Y, if a target
statement about the key k is true, can be made analogous to a derivative in calculus,
and then it is termed that Y is the first derivative of the cipher E at the point X.
A second-order derivative would then be one involving a second quantity, W, such that
E(A,k) xor E(B,k) = E(C,k) xor E(D,k) xor Z is expected to be true more often than
would be true due to chance, where not only is B = A xor X, but C = A xor W and D =
B xor W. In that case, Z is the second derivative of the cipher E at the point X,W. Since
xor performs the function of addition and subtraction, the four items encrypted for any
A are just lumped together in this case, but if differential cryptanalysis were being
performed over another field where the distinction is significant, then Y=E(A+X,k)-E
(A,k) and Z=(E(A+X+W,k)-E(A+W,k))-(E(A+X,k)-E(A,k)) would be the appropriate
equations to use. This technique is important because a second order derivative can
exist at a point for the first coordinate of which no first order derivative exists, or is
probable enough to be useful.
And similarly, a third order derivative is derived from the difference of two second
order derivatives, based on another constant difference, and so on.
Next
Chapter Start
Table of Contents
Main Page
The Boomerang Attack

Recently, a means of improving the flexibility of differential cryptanalysis was
discovered by David A. Wagner. Called the boomerang attack, it allows the use of two
unrelated characteristics for attacking two halves of a block cipher.
This diagram shows how the attack might work if everything goes perfectly for a
particular initial block. The numbered points in the diagram show the steps involved in
the attack.
1. Start with a random block of plaintext. Based on the characteristic known for
the first half of the cipher, if we XOR a certain vector with it, called d1 (equal
to 00100000 in the diagram), the result after half-enciphering the two plaintext
blocks, before and after the XOR, will differ by c1 (equal to 00110110 in the
diagram), if what we wish to learn about the key happens to be true.
2. Since the characteristic applies only to the first half of the cipher, the results
after the whole block cipher won't be related. Take those two results, and XOR
each one with d2 (equal to 01001011 in the diagram), which is the vector
corresponding to the characteristic for the second half of the cipher. In each
case, XORing d2 with a ciphertext block is expected to change the result after
deciphering halfway by c2 (equal to 00010000 in the diagram), again, if
something is true of the key.
3. With two intermediate results that differ by c1, if each one has c2 XORed to it,
the two results of the XOR will still differ by c1. Since this difference now
relates to the first half characteristic, it can be seen in the final output, thus
indicating the truth or otherwise of two hypotheses about the key.
This increases the potential effectiveness of differential cryptanalysis, because one can
make use of characteristics that do not propagate through the complete cipher. Also,
certain kinds of added complexities, such as a bit transpose in the middle of the cipher,
do not serve as a barrier to this method, since two values differing by an XOR with
some value merely differ by an XOR with some other value after a bit transpose.
However, it has its limitations. It only produces a result if both characteristics are
present; it does not allow testing for each characteristic independently. Even so, it
seems to double the number of rounds a cipher needs to be considered secure.
Since at one end of a sequence of rounds, the precise difference between blocks that is
required for the characteristic must be input, it isn't possible directly to cascade this
method to break a block cipher into four or more pieces.
Note that any single Feistel round has a large family of "characteristics" that is 100%
probable, but which tells nothing about the key, since any pattern that involves leaving
the half that is input to the F-function unchanged, but involves an XOR to the half that
is XORed with the output of the F-function applies, so one of the things this method
can do is allow the use of attacks against the first or last 15 rounds of DES against 16-
round DES. Hence, if by some other trick a block cipher with 16 rounds could be
broken into 16 pieces like this, one could test for an informative characteristic which
applied to any single round.
The Boomerang Amplifier Attack
A technique called the boomerang amplifier attack works like this: instead of
considering the pairs of inputs, differing by the XOR required for the characteristic of
the first few rounds, as completely independent, one could note that it would be quite
likely that somehow, taking two such pairs at a time, one could obtain any desired
XOR difference between two such pairs by the birthday paradox. This allows a
boomerang attack to be mounted with only chosen plaintext, instead of adaptive chosen
ciphertext as well.
I wondered if one could use the boomerang amplifier technique noted above to allow
breaking a block cipher up into three pieces instead of two.
First, you start by enciphering a large number of chosen plaintext pairs, differing by the
XOR amount required for the characteristic of the first piece. By the birthday paradox,
there will be a good chance of some pair of two of those pairs, somewhere among that
number, which differ by the right amount to engage the differential characteristic of the
middle piece.
I then take all the outputs of this process, and XOR them by the quantity required to
engage, upon decipherment, the characteristic of the third piece.
Doing so ensures that the corresponding two pairs of blocks also has the XOR amount
for the characteristic of the middle piece, this time in the reverse direction, as can be
seen more clearly when we look at the following diagram of the upwards journey by
itself.
Unfortunately, though, the thing about a differential characteristic is that it only refers
to the XOR between two blocks, and not the values of the blocks.
If a characteristic implies that A xor B equals X xor Y, and equals the characteristic,
then it is true that A xor X and B xor Y are equal, but the value to which both of them
are equal could have any value. Hence, we have not preserved any structure that
implies that we will have the correct differential for the first piece, during
decipherment.
Well, we can still apply the differential for the first piece, and then continue in the
reverse order again.
But we run into the same problem; we have no characteristic preserved on output. So it
appears that breaking a block cipher into three parts is hopeless. But then we notice
that, by iterating in this fashion over our large number of input pairs, we can
indefinitely preserve the characteristic in the middle.
This would only work if the characteristics involved had probability one, or very nearly
one. Assuming that somehow this could be overcome, though, since one has produced
a large number of pairs, in the same spot within our large number of pairs, that have the
middle differential activated, if one of the elements of each of two pairs differs from
the same element in another cycle by the right amount for the top differential, then the
one connected with it by the middle differential will also match, not the other member
of the same pair, and this is how the two pairs involved with the middle differential can
finally be distinguished.
But because the birthday paradox just says that, to find two matching values for a block
having N values, you only need a number of blocks proportional to the square root of
N. Using the birthday paradox twice means that the complexity of this attack is
proportional to the square root of N times itself, in other words, to N, and so this attack,
even if it were possible, has a complexity equivalent to that of the codebook attack: just
use as chosen plaintext every possible input block, and record the result.
Next
Chapter Start
Table of Contents
Main Page
Cryptanalysis, Almost by Aimlessly

Thrashing About
Cryptanalysis is hard work, requiring a willingness to endure many false starts, and a
painstaking attention to detail. It requires intelligence to see subtle patterns in
incomprehensible ciphertext.
Automated aids to cryptanalysis come in many forms. Some collected statistical

information about ciphertexts, thus removing one bit of drudgery from human
shoulders. Others, such as the Bombe used in attacking the German Enigma, or the
DES cracker built by the Electronic Frontier Foundation, or the converted unit record
equipment (punched card machines) which compared Japanese code messages to one
another at various displacements to find messages with overlapping superencipherment
groups, work by trying thousands, or millions, of possibilities, one after another.
Neither of these techniques is adequate to deal with many cipher systems, particularly
modern ones. A well-designed cipher will not offer a simple opportunity to try different
possibilities to find partial information about the key, and will have a key large enough
to make trying every possible key hopeless. Nor is ordinary statistical information
about the frequencies and contacts of bytes in the ciphertext likely to be much use.
Thus, approaches taken from the field of AI (artificial intelligence) have been tried. In
these approaches, it is attempted to combine the speed of the computer with steps that
at least slightly move towards the skill and judgement of a human cryptanalyst.
Hill-climbing
Because the individual bits of the subkeys in DES are actual bits taken from the 56-bit
DES key, an approach like the following to recover a DES key must have occurred to
many people.
Given a block of known plaintext, and its corresponding ciphertext, starting with a
random 56-bit possible key, do the following:
● Encipher the known plaintext with that key, and with every one of the 56 other
keys obtained by inverting one bit of that key.
● Compare the resulting ciphertext to the actual ciphertext.
● In those of the 56 cases where the flipped bit results in the ciphertext produced
differing in fewer bits from the actual ciphertext than that produced by the
original trial key, invert that bit of the trial key to obtain the next trial key.
This is a simple example of a hill-climbing algorithm, where the number of bits by

which a trial encipherment differs from the actual ciphertext are a measure of one's
(lack of) altitude.
It would, however, never work against DES. That is because of the avalanche property
of DES; changing a single bit in a DES key results in every bit of the block being
enciphered being changed randomly after only a few rounds.
Thus, even attempting to improve the hill climbing algorithm above by, for each trial,
enciphering the known plaintext for eight rounds with the trial key, and deciphering the
actual ciphertext for eight rounds with the trial key, and then determining the number
of bits by which these two results differed would not be enough to help.
Another idea would be to choose two rounds of DES, and by determining the input to
those rounds by enciphering the known plaintext by the previous rounds, and the
required output from those rounds by deciphering the actual ciphertext by the following
rounds, examine the two 48-bit subkeys for the rounds, and, by examining the four
possibilities for each group of 6 bits in those subkeys to produce the required change in
each half of the block, find those which are consistent with the origin of those two
subkeys from the original 56-bit key, and then try the resulting new 56-bit key or keys
on the basis that it or they might be improvements over the preceding trial key.
Genetic Programming
A thesis by A. J. Bagnall described the ciphertext-only solution of some simple rotor

machines by means of the technique of genetic programming.
Genetic programming is a method by which a computer produces an answer to a

question, or even a computer program to perform a task, by mimicing the process of
natural selection. As noted in the thesis, and in the book Artificial Life by Stephen
Levy, this technique was originated by John Holland in the mid-1960s, and his student
David Goldberg was one of the first to refine the technique so that it could be used in
practice with real problems of importance.
It can be thought of as a special case of the hill-climbing algorithm, in that a

quantitative measure of how "warm" the computer is in approaching the desired
solution is required.
Programs or answers must be in the form of a chain of discrete elements, such that
there is at least a reasonable likelihood that a chain formed by taking one chain, and
replacing a span of elements within it by the corresponding elements from another
chain, will "make sense". (This may be noted as the second major use of sex for the
purpose of obtaining the codes of foreign powers.)
Random mutations are also usually used, although genetic crossover has been found to
be much more important.
Starting with a random selection of solutions, those that work best are retained, and
used as the parents of the next generation of solutions to be tried. Often, this retention
is also randomized, so that better solutions have a higher probability of being retained.
One type of mutation that happens in real life has not, to my knowledge, been used for
genetic programming yet. Occasionally, plants and animals will increase the size of
their genetic inheritance by duplicating part of it. Thus, a finite state machine could
mutate by becoming a machine with twice as many states. It might be useful to make
provision for this where a problem might be more complex to solve than initially
realized.
Next
Chapter Start
Table of Contents
Home Page
Hidden Markov Models

The use of hidden Markov models is a powerful modern statistical technique that has
been applied to many subject areas, from predicting political crises to the
reconstruction of DNA and the recognition of speech. It has been claimed that this
technique is of some relevance to cryptanalysis, and this may very well be true,
considering its nature.
The September 1964 issue of Scientific American illustrated a Markov chain by

showing two containers with numbered balls in them. Numbered slips of paper were
drawn repeatedly, with replacement, from a third container, and each time, the ball
whose number was drawn was transferred to the one of the first two containers other
than the one it was in.
The number of balls in the first container, which initially contained all of them, would
typically decline in a fashion that resembled exponential decay to containing only half
of the balls. This modelled the physical process of allowing two chambers, containing a
gas at different levels of pressure, previously separated, to be connected.
This illustrated the basic feature of a Markov process. It involves probability. But in
addition to a random event, the final result, in this case the number of balls in the first
container, also depended on the 'memory' of the system.
This particular example, however, involves a system with a large number of states,
although all the states with the same number of balls in the first container can be
considered equivalent due to symmetry. In the formulation of hidden Markov models,
each state is referred to individually, and thus illustrative examples of these models
have a small number of states.
In a hidden Markov model, then, a system has a number of states, S(1) to S(n). The
probability that the system, if it was in state i on one turn, will be in state j in the next
turn, is called P(i,j). The states of the system are not known, but the system does have
one observable value on output, which has m possible values from 1 to m. For the
system in state i, the probability that output value v will be produced is called O(i,v).
Note that the transition probabilities depend only on the state, not the output.
The following example involves a state which depends on the output:
Someone with two dice, one red and one blue, the red die marked with H on two faces,
and T on the other four, and the blue die marked with H on four faces, and T on the
other two, is providing you with a sequence of H and T produced by the dice, based on
the rule that whenever H comes up, the red die is thrown next time, and whenever T
comes up, the blue die is thrown next time.
This produces a sequence of heads and tails that has each output equally often, but
which favors alternations over repetitions.
Such models can be transformed into models which depend only on the state by
including the previous output in the following state. This example, though, can't form
part of a hidden Markov model, since the previous output completely specifies the
following state.
But it can form the basis of a somewhat more elaborate example.
A Hidden Markov Model Example
Let us think of five dice, with colors and faces as follows:
orange htTTTT purple HHHHht

red HhtTTT blue HHHhtT
green HHhtTT
where the lowercase letters indicate circled uppercase letters on the faces of the dice, as
illustrated below:
and the exact rules for using these dice will be given below.
But it will be easier to understand those rules if we think of this set of dice having been
gradually built up starting from just the red and blue dice, using simpler rules.
The red die favors T, and the blue die favors H. One way to produce a sequence of H
and T with the dice would be to always throw a die that favors the symbol opposite to
the one previously thrown.
Then we add a second set of dice, orange and purple. As with the red and blue dice, the
orange die favors T, and the purple die favors H. But with this pair of dice, the
favoritism is stronger.
So, now, we add some rules. When throwing the red or the blue die, if we get the result
that is not favored, thus throwing a second H or T in a row, we switch on the next turn
to the pair of dice with stronger favoritism. When throwing the orange or the purple
die, if we get the result that is favored, we relax, and switch to the less biased red and
blue dice. With the additional dice, a throw of H always implies we use one of the dice
that favor T, but now either the red die or the orange die is possible, and similarly for
the blue and purple dice and a throw of T.
Then we extend the model to bring in a green die, that is 'below' the red and blue dice
in the same way that the orange and purple dice are 'above' the red and blue dice. Now,
a favored result with the red and blue dice moves down to the green die. Results on the
green die are always treated as if they were not favored, resulting in a move to
increased bias with the red and blue dice.
But to allow some variation in how the model moves from state to state, even given the
previous state as well as whether an H or a T was thrown, I then added the circled H
and T, which cause one to stay with the dice having the current level of bias.
Thus, the exact rules are:
● On each turn, one die is thrown. The output from that turn will be either H, if H
or h is thrown, or T, if T or t is thrown.
● When H (or h) is thrown, the die thrown next turn will be one of (orange, red,
green); when T (or t) is thrown, the die thrown next turn will be one of (purple,
blue, green).
● When either h or t is thrown, the die used on the next throw will belong to the
same rank as the die used on the previous throw, where the ranks are (orange,
purple), (red, blue), and (green).
● When the less probable value, for the particular die thrown, of H or T is the
result (not h or t: the consequences of those results has already been dealt with,
and is not described in what follows) of a throw of the (red, blue) die, the next
throw will be of (orange, purple).
● When the only available value, for the particular die thrown, among the two
alternatives of H or T is the result of a throw of (orange, purple) dice, (red, blue)
dice will be used on the next turn.
● When the more probable value, for among the two alternatives of H or T is the
result of a throw of the (red, blue) die, the green die will be used on the next
turn.
● If either H or T (not h or t) thrown with the green die, the next throw will be of
(red, blue).
This does not have the proper form for a hidden Markov model as it stands, because the
next state depends on the output from a state as well as the previous state. If we take
the probability of the next state, interpreted as the color of the die being thrown, and
the probability of the two outputs H and T from each state, these probabilities are not
independent.
In order to consider this situation with a hidden Markov model, we need to do two
things. The first thing is to shift the outputs in time: to consider that the output from
throwing the red die is always H, based on the face that turned up in the previous throw
of the dice. This lets the random event of the die throw show up once only, in the state
transition, and not in two separate places where it is not independent.
The second thing is to divide the state of throwing the green die into two states, HG
and TG, indicating whether H (or h) or T (or t) was face up on the previous throw, so
that this forwards assignment of the output can work.
This can be analyzed as a hidden Markov model by thinking of six states: O, P, R, B,

and HG and TG, as follows:
Next State, Face Showing

State Output O P R B HG TG
O H 1h 1t 4T
P T 1h 1t 4H
R H 1H 1h 1t 3T
B T 1T 1h 1t 3H
HG H 2H 2T 1h 1t
TG T 2H 2T 1h 1t
The numbers in the state transition matrix are chances out of six.
From Model to Behavior
Knowing the details of the model, we can ask the question of how it will behave. This
is essentially a trivial question, because it can be solved by what is almost simple
arithmetic, and what is standard algebra.
One must find a set of probabilities for the states such that, when these probabilities are
fed into the state transition matrix, the same probabilities will come out. Since
probabilities must add up to 1, this problem is equivalent to finding the eigenvectors of
a matrix (vectors, that when multiplied by a matrix, produce the same vector, possibly
multiplied by a constant).
Here, it is obvious that each of O, R, and HG will have the same probability as its
counterpart P, B, and TG, and we can just consider the scaled-down matrix
OP RB G
OP 2 4
RB 1 2 3
G 4 2
giving the three equations
a' = 1/3 a + 1/6 b

b' = 2/3 a + 1/3 b + 2/3 c
c' = 1/2 b + 1/3 c
in which we can promptly replace a', b', and c' by a, b, and c. (If a is the probability of
OP at time t, a' stands for its probability at time t+1, but we are looking for solutions
where the probability is constant.)
Thus, these equations simplify to:
2/3 a = 1/6 b
2/3 b = 2/3 a + 2/3 c
2/3 c = 1/2 b
and the first and third equations are enough to tell us that
4a = b
4c = 3b
so a, b, and c are in the proportions 1:4:3, making the equilibrium probabilities that
each color of die will be used:
orange 1/16
purple 1/16
red 1/4
blue 1/4
green 3/8
Incidentally, without circled letters, except that the lone H on the orange die, and the
lone T on the purple die would still behave as if circled, the steady state probabilities
would instead work out to:
orange 3/31
purple 3/31
red 15/62
blue 15/62
green 10/31
from the simplified matrix
OP RB G
OP 1 5
RB 2 4
G 6
Calculating the probability of an individual sequence of outputs from such a model can
be performed by straightforward arithmetic. Knowing the initial state, let us say that we
began by throwing the green die, what is the probability of throwing HTH?
On the first throw, the chance of throwing H or h is 1/2.
On the second throw, our chance of using the green die again (having thrown h) is 1/3,
and the chance of throwing T or t with it is 1/2. Our chance of using the red die (having
thrown H) is 2/3, and our chance of throwing T or t with it is 2/3. So our total chance of
throwing T or t is 1/6 + 4/9, or 11/18.
On the third throw, our chance of using the green die is equal to the sum of 1/3 (our
chance of having used the green die on the last turn) times 1/3 (our chance of throwing
t with it, given that we threw T or t) and 2/3 (our chance of having used the red die on
the last turn) times 3/4 (our chance of throwing T with it, given that we threw T or t).
Using the green die, our chance of throwing H or h is 1/2.
Our chance of using the blue die, similarly, is equal to the sum of 1/3 times 2/3 and 2/3
times 1/4. Using the blue die, our chance of throwing H or h is 2/3.
Calculating these probabilities in a naive fashion, however, leads to a large amount of

multiplication due to the constantly expanding tree of probabilities. The method known
as the forward calculation avoids this: what must be done is to remember to keep
adding together all the probabilities of using a particular color of die in a given step,
instead of each time multiplying them all out from the beginning.
From Output to States
A more advanced problem is this: given a particular sequence of outputs, can we

determine the set of internal states that most likely gave rise to it?
The method used for solving this problem is called the Viterbi algorithm. (You may
have already heard this name in connection with the patented technique of Viterbi
decoding applied to error-correcting codes.)
We could assume that the color of die used for the first throw is selected according to
the equilibrium probabilities calculated above; but a Markov process does not need to
start at equilibrium, as our other example showed. So let us assume that the first throw
is of the green die.
If the sequence of outputs is as follows: HTHHTTHTHTHHTT, then for a particular

sequence of colors of dice, we can, as Viterbi proved, simply assign a weighting value
to that sequence based on multiplying together the individual probabilities of each state
transition, and each output given the assumed state. So the sequence with the highest
weight is the most probable.
In this example, though, each state produces a specific output with probability 1.
Having circled letters on the dice does mean at least that the (following) output and the
state do not together strictly determine the following state.
Because of this, to allow the Viterbi algorithm to be more properly illustrated, I will
complicate the model slightly more, by adding a white die with five blank faces, and
one marked with an X. If the face marked with an X turns up, the output will be
inverted, so that it will be H in the next turn when either T or t turns up in the current
turn, and T in the next turn when either H or h is thrown on the die.
Thus, if for the sequence of outputs
H T H H T T H T H T H H T T
TG R TG R O B P R TG R TG R O B
is assumed as the sequence of states, the weighting for that particular sequence of states
would be calculated like this:
Given state TG, the probability of state R on the next turn is 1/3 overall, but given that
we know we will have an output of H, the weight of this particular sequence is 1/3 *
5/6, the overall probability of state R times the probability it will be associated with an
output of H in our more complicated model.
Note that when the white die is thrown doesn't really matter, again, in a sense we're
throwing it a turn early.
Then, given state R, the overall probability of state TG on the next turn is 1/2. The
probability that this state will be associated with an output of T is once again 5/6.
It is clear that for any sequence of outputs and states, a weighting can be calculated.
But for a given long sequence of outputs, there is an immense number of possible
sequences of states to choose from in order to find the most probable. This is what the
Viterbi algorithm helps to deal with.
If we consider the possibilities for the first n states, we retain not just the set of states
with the highest weight, but also the set of states with the highest weight for all other
possibilities for the state at time n in addition to the one in the set of states with overall
highest weight.
Then, to obtain the set of states with overall highest weight for the first n+1 states, and
also the set of states with highest weight for any possible state at time n+1, we only
need to consider possibilities involving the sets of states from time 1 to time n that we
previously retained.
From Output to Model
This is the most complicated of the problems. Here, we assume that the model has one
or more variable parameters in its description, and we are looking for the values of
those parameters which would make an observed sequence of outputs the most likely.
Two major methods are used. One, the segmental K-means method is used for
obtaining an initial approximation to the model, and involves assuming that a particular
set of states accompanies the known outputs. The Baum-Welch estimation algorithm is
then used to obtain the best fit of the model to the output sequence considering all
possible sequences of states that could have produced the known output.
One of the statistical concepts used in carrying out these methods is the Kullback-
Leibler distance measure, used to compare two probability distributions. And yes, that
is Solomon Kullback, from among the team of cryptanalysts who solved PURPLE.
Next
Chapter Start
Table of Contents
Home Page
Stream Ciphers
Two methods of generating pseudo-random bits, both in themselves very weak from a
cryptographic point of view, because they are based on recurrence relations of a linear
nature, are still at the root of most stream ciphers. The same simple mathematical
properties that make them vulnerable to cryptanalysis at least ensure that they will
generate sequences with a long period.
One is the linear feedback shift register, most often used in hardware designs.
Another is the mixed congruential pseudorandom number generator, usually used in

software.
The first section following will deal with stream ciphers based strictly on single-bit
shift registers; the second section will deal not only with linear congruential
pseudorandom number generators, but with other techniques, including a byte-wide
shift register.
Although one usually thinks of pseudo-random number or bit generation when one
thinks of stream ciphers, the cipher produced by a rotor machine, which is a changing
substitution (as opposed to a changing displacement, as produced by a Hagelin lug and
pin machine) is still classed as a stream cipher. Also, even if the plaintext is modified
by a simple XOR, the value used, instead of being generated by a process that feeds
back only on itself, or which produces a function of a counter value, could be produced
by a function of the last few bytes of plaintext or ciphertext, thus giving a cipher of the
autokey type.
In general, autokey ciphers have poor error-propagation characteristics. However, a

stream cipher which uses the last few ciphertext bytes only to determine how the next
plaintext byte is to be enciphered is called a self-synchronizing stream cipher, because
it can recover after an error, even if the error is a sufficiently long burst that even the
count of the number of bytes recieved is lost.
The Cipher Feedback (CFB) mode of DES is an example of this class of cipher,
although in that case one would need to know the boundary between 8-byte blocks to
recover.
Another, more elaborate, example would work like this:

---
| | Plaintext
---
|
(sub)
|
---> XOR
| |
| (sub)
| |
|---> XOR
| |
| (sub)
| |
|---> XOR
| |
--- | (sub)
| | | |
|D| |---> XOR
| | | |
--|E|-| (sub)
| | | | |
| |S| |---> XOR
| | | | |
| --- | (sub)
| | |
| |---> XOR
| | |
| | (sub)
| | |
| |---> XOR
| | |
| | (sub)
| | |
| ---> XOR
| |
| (sub)
|
--- --- --- --- --- --- --- --- ---
| | | | | | | | | | Ciphertext
--- --- --- --- --- --- --- --- ---
| | | | | | | |
---------------------------
|
| |
|___|
in which the preceding eight bytes of ciphertext are fed back into DES encryption, and
then the eight output bytes from the DES encryption are XORed to the plaintext byte,
between eight byte-substitution stages (each one using a key-dependent permutation of
the 256 values from 0 to 255).
This produces a highly secure cipher, but takes eight times as long as conventional
DES encryption.
● Shift-Register Stream Ciphers

❍ An Illustrative Example
❍ Other Constructions
❍ More Realistic Examples
● Other Stream Ciphers

❍ Panama
● A Note on the Importance of Galois Fields
Next
Chapter Start
Table of Contents
Home Page
Shift-Register Stream Ciphers

The linear feedback shift register, most often used in hardware designs, is the basis of the stream ciphers we will
examine here. A string of bits is stored in a string of memory cells, and a clock pulse can advance the bits one
space in that string. The XOR of certain positions in the string is used to produce the new bit in the string for
each clock pulse. It is possible to choose the positions in the string to XOR so that, as long as the memory cells
are not initially loaded with all zero bits, the period of the sequence of bits produced by that XOR is 2^n-1,
where n is the number of cells in the string.
The following diagram illustrates an LFSR associated with the polynomial
x^10 + x^6 + 1
---------------------------------------------------------------------
| | | | | | | | | | |
-->| x | x^2 | x^3 | x^4 | x^5 | x^6 | x^7 | x^8 | x^9 | x^10 |
| | | | | | | | | | | |
| ---------------------------------------------------------------------
| | |
----------------------------------------XOR--------------------------
The x^10 and x^6 terms in the polynomial correspond to the two tapped cells in the shift register shown; the 1 in
the polynomial does not correspond to a tap. If the polynomial to which an LFSR corresponds is primitive, which
means that in addition to being irreducible (a property similar to the property of being prime for an integer) it
satisfies some additional mathematical conditions, the LFSR will have its maximum possible period, which is
(2^n)-1 where n is the length of the shift register in cells. Because an LFSR works by taking the XOR of selected
bits in its internal state, any LFSR containing all zero bits will never move to any other state, and so that one
possible state must be excluded from any cycle of more than one state.
An LFSR with maximum period always has an even number of taps. Also, the cell with the oldest bit in the shift
register is always tapped. This rule is very general, and applies even to nonlinear shift registers, for a simple
reason that can be seen in the following diagram:
the sequence produced from a shift register whose last few cells are not tapped is identical to that produced by a
shift register otherwise identical from which those cells are omitted, except for a delay.
(Note that some popular references on cryptography erroneously show the x^n term in an LFSR's characteristic
polynomial, which is always present, as corresponding to the cell with the newest bits, and show the x term,
which is not always present, as corresponding to the cell with the oldest bits, which in fact must always be
tapped. This is a result of diagrams that show the bits in the LFSR as moving in the wrong way.)
It should be noted, however, that primitive polynomials have a reversal property that does allow an alternative
way of matching the terms in a polynomial to the possible taps in a shift register, as illustrated below:
but in the reverse case, the cell with the oldest bits corresponds to the always-present 1 term (thus, the
equivalents only go up to x^(n-1), and x^n does not correspond to a possible tap), not to the x term, which need
not be present in the polynomial.
The reversal property is this: the polynomial
x^n + x^p + x^q + x^r + ... + 1
is primitive if and only if the polynomial
x^n + ... + x^(n-r) + x^(n-q) + x^(n-p) + 1
is also primitive.
Well-known Polynomials
Incidentally, just as it is unwise to use a very well-known word or phrase as a key, some primitive polynomials
modulo 2 are also "well-known", since they have been used in common systems.
Some examples are:
Used in Cyclic Redundancy Check codes:
12 11 3
CRC-12: x +x +x +x+1
16 15 2
CRC-16: x +x +x +1
16 12 5
CCITT: x +x +x +1
32 26 23 22 16 12 11 10 8 7 5 4 2
AUTODIN II: x +x +x +x +x +x +x +x +x +x +x +x +x +x+1
Permitted (under regulations which are now out of date) for use in generating spread-spectrum sequences by
radio amateurs:
7
7-bit: x +x+1
13 4 3
13-bit: x +x +x +x+1
19 5 2
19-bit: x +x +x +x+1
Originally alleged as used in the A5 European cellular telephone algorithm:
19 5 2
x +x +x +x+1
22 9 5
x +x +x +x+1
23 4 3
x +x +x +x+1
Actually used in the A5 cellular telephone algorithm, according to more recent information:
19 5 2
x +x +x +x+1
22
x +x+1
23 15 2
x +x +x +x+1
17 5
x +x +1
Used by GPS satellites:
10 3
x +x +1
10 9 8 6 3 2
x +x +x +x +x +x +1
Note that the A5 polynomials (in the older version, at least) are used with the x^n-1 to 1 convention, and
feedback is concentrated on the older bits in the shift register. (This, and not the x^n to x convention, going the
other way, may well be the usual one.)
Also, while all LFSRs, used directly, are insecure, LFSRs with many taps (not having "sparse" feedback
polynomials) produce a sequence that seems more random, and when used in a system that combines several
LFSRs, combined in a way that achieves cryptosecurity, they are better. Presumably, that feature is also useful
when LFSRs are used in performing CRCs; note especially the AUTODIN II (AUTODIN is a U.S. military
communications system) polynomial above.
The Galois Configuration
In addition to the conventional configuration, where each new bit input to the shift register is the XOR of several
bits in the register, a shift register may also be implemented in Galois configuration, where the single bit shifted
out of the register is XORed with several bits in the shift register.
The following diagram illustrates the relation between the conventional configuration and the Galois
configuration of a shift register:
In the conventional configuration, the bits moving through the shift register are also bits in the sequence it
generates as output. Hence, each new bit entered into the register is the XOR of several previous bits in the
sequence.
In the Galois configuration, generated bits are also the XOR of previous bits in the sequence, but in this case as
the oldest bit included in that XOR moves through the shift register, it is XORed one at a time with the other bits
as it reaches the appropriate positions in the shift register.
The Galois Field
Speaking of Evariste Galois, the reason that primitive polynomials modulo 2 are important is that by using them
as the modular polynomial in polynomial multiplication, one can create a Galois Field of order 2^n with a
polynomial beginning with x^n.
A field is an algebra with both addition and multiplication, the elements of which form a group under the
addition operation, and in which the multiplication operation, over all the elements of the field except zero, also
creates a group. Thus, addition and multiplication modulo a prime create a finite field.
The term Galois Field is used to refer to finite fields, because Galois proved that the only finite fields were either
those whose order was a prime, and were of the type described above, or those whose order was a power of a
prime, and whose elements were treated as polynomials, the coefficients of which were modulo that prime, the
polynomials themselves being modulo a modular polynomial which was not merely irreducible (not factorable
into smaller polynomials) but also primitive; the kind of polynomial that can produce a shift register.
Here is one representation of the Galois Field of order 8 (or 2^3):
+ 0 1 2 3 4 5 6 7 * 0 1 2 3 4 5 6 7
---------------- ----------------
0 | 0 1 2 3 4 5 6 7 0 | 0 0 0 0 0 0 0 0
1 | 1 0 3 2 5 4 7 6 1 | 0 1 2 3 4 5 6 7
2 | 2 3 0 1 6 7 4 5 2 | 0 2 4 6 3 1 7 5
3 | 3 2 1 0 7 6 5 4 3 | 0 3 6 5 7 4 1 2
4 | 4 5 6 7 0 1 2 3 4 | 0 4 3 7 6 2 5 1
5 | 5 4 7 6 1 0 3 2 5 | 0 5 1 4 2 7 3 6
6 | 6 7 4 5 2 3 0 1 6 | 0 6 7 1 5 3 2 4
7 | 7 6 5 4 3 2 1 0 7 | 0 7 5 2 1 6 4 3
This particular representation of that field is the one which uses x^3+x+1 as the modular polynomial. Thus, the
bits in the binary representation of the numbers in these tables are treated as the coefficients of polynomials.
Since polynomial addition deals with each coefficient independently, and it is done here modulo 2, the addition
table should look familiar: it is the table for the bitwise XOR operation.
The field illustrated can be denoted as GF(2^3) or GF(8). The group which multiplication, exclusive of zero,
forms is isomorphic to addition modulo 7; that is, it is the cyclic group of order 7. In general, this is true for any
Galois field; for GF(n), the multiplicative group is the cyclic group of order n-1. While the table looks different,
this means that it can be made identical to that for addition modulo 7 by replacing each of the numbers from 1 to
7 by another number from 0 to 6.
There is further discussion of Galois Fields in the description of the Decorrelated Fast Cipher, the description of
Rijndael, and on a page specifically about that topic.
Finding Maximum-Period LFSRs
We have seen above how to construct a shift register from its corresponding polynomial. And it is noted that the
polynomial must be primitive for the shift register to have maximum period.
How does one construct primitive polynomials?
One way is to construct arbitrary polynomials which correspond to the properties of the shift register sought, in
length and in number of taps, and test them. This, at least, can be done fairly simply.
If the polynomial is of the form x^n + ... + 1, that is, of degree n, then (for a polynomial whose coefficients are
modulo 2) the condition that must be met is that x^(2^n-1) must be equal to 1 modulo the polynomial, but x^
(2^n-1)/p for any prime p which divides 2^n-1 must not be equal to 1 modulo the polynomial.
If the coefficients of the polynomial were modulo 3, we would use 3^n-1, and so on.
Let us take the polynomial x^7+x+1. This corresponds to the binary string 10000011. 2^7-1 is 127, and is the
maximum period of a shift register built from a polynomial of degree 7. x^127 modulo x^7+x+1 is what the
binary string consisting of a 1 followed by 127 zeroes would become, after being XORed with 10000011 shifted
as far left as necessary to zero out its first digit, repeated until one obtains a 7-bit string. Doing that is exactly
equivalent to running the shift register in the Galois configuration, and so the reason for the condition is now
obvious: if the shift register has maximum period, the 0000001 state will recur at the end of that period; and if it
does so recur, this recurrence mustn't be a repeated occurrence. The only possibilities to eliminate to exclude that
are the periods of which the maximum period is a multiple, and dividing the maximum period by its prime
factors alone eliminates them all: the state 0000001 might recur more often, but it won't miss having one of those
numbers as a multiple of the period.
Of course, applying 10000011 to 1 followed by 127 zeroes would be somewhat slow, and for a much longer shift
register, 2^n-1 would be an enormous number. However, finding x^n by polynomial multiplication can be done
by repeated squaring, just as that technique can be used to speed up taking numbers to powers, it can be used for
exponentiation in other domains as well.
When n is composite, 2^n-1 has some obvious factors. That's because 111111 is equal to 111 times 1001, and it's
also equal to 11 times 10101. That's as true in binary notation as in decimal notation. This doesn't mean that
there aren't other factors of 2^n-1, though. Thus, when n is prime, 2^n-1 is not always prime. Sometimes it is,
though, and then 2^n-1 is called a Mersenne prime. If the degree of the polynomial to be tested is a value of n for
which 2^n-1 is a Mersenne prime, it is simpler to test if the shift register polynomial is primitive. However,
doing the extra tests is not too great a problem; it's factoring 2^n-1 which, in general, might be the difficult step.
Using LFSRs to Build Secure Ciphers
The output from an LFSR is often strengthened by using another LFSR to control how often it is stepped. This
technique can be applied in the same ways that were used with pinwheels in the chapter on telecipher devices.
Another technique, the Geffe generator, uses three LFSRs with different periods. One is used to choose which of
the two other ones has its output used. Although a simple Geffe generator is still not secure, more elaborate
constructions using that principle may be effective.
Here is a diagram showing one such construction:
--------
|LFSR 1|----------------------------
-------- |
|
-------- |
|LFSR 2|---------------------- |
-------- | |
| |
-------- | |
|LFSR 3|---------------- | |
-------- | | |
| | |
-------- | | |
|LFSR 4|---------- | | |
-------- | | | |
--- --- | |
-------- \ \ / / | |
|LFSR 5|-------->| | | |
-------- / / \ \ | |
--- --- --- ---
| | \ \ / /
| ----->| |
| / / \ \
| --- ---
| |
| |
--------------->(XOR)
|
--- output
The generator pictured uses five LFSRs. One is used to choose which of two other LFSRs is used for two
purposes (each one is used for one of those purposes, the bit only swaps them):
● choosing which of two other LFSRs is used to contribute to the output, and
● being XORed with the output of the chosen LFSR.
If only four shift registers are used, so that we XOR the output of one shift register with the output of a Geffe
generator, then we still have the same weakness that the Geffe generator alone had. That is because the XOR of
two LFSRs, by itself, is a linear construct, and thus is as vulnerable to attack as an LFSR of the length of the two
combined. So, since the one Geffe generator means that the first LFSR is XORed to one of two others, we have
two alternating possibilities, both weak, which the output bitstream matches 75% of the time.
The design as given, however, provides the XOR of two shift registers, both of which can be either of two
possibilities. So would the XOR of the outputs of two Geffe generators.
The design above has the advantage of requiring one fewer input. Is it secure? As noted above, the XOR of two
LFSRs is no more secure than the output of a single longer LFSR. The output of this construct will agree with
the XOR of LFSR 1 and LFSR 4, for example, 75% of 75% of the time, which is 56.25%: for each of the two
inputs to the final XOR, as for a Geffe generator, 50% of the time the correct LFSR is used, and 25% of the time,
the wrong LFSR agrees with the right one. So there is still an output bit stream which is biased towards matching
an easily solved bit stream, but at least the bias is fairly weak.
As a nonlinear function of the bits in an LFSR can produce any series of output bits produced by any other
device with the same period (proof: use all the bits in the LFSR's state as an address to find a bit in a ROM
containing the desired sequence in a suitable order), and an LFSR has a maximum period of 2^n-1, which is only
one less than that of any other device with n bits of internal state, it seems it is not necessary to pursue
developing the theory of nonlinear feedback shift registers with known period.
Thus, one way of using a shift register to create a series of pseudorandom bits is to take some of its bits, and use
circuitry to produce a nonlinear function of them, as illustrated at right.
● An Illustrative Example
● Other Constructions
● More Realistic Examples
Next
Chapter Start
Table of Contents
Main Page
An Illustrative Example
Symbols used:
illustrates various ways in which shift registers can be used to produce pseudorandom
bits, combining them in an elaborate construction.
The device is based primarily on the Kinetic Protection Device, a stream cipher device
produced by a defense contractor which has been openly described. But I have
modified it significantly; in some ways to improve security, in others to reduce the
number of components to fit into a reasonably sized diagram. And I have added
sections illustrating other stream cipher principles, one based on a claimed cellular
telephone cipher algorithm.
The output bitstream of the main portion of the device is XORed to a bitstream
produced by a combination of two different constructs.
The first of these, illustrated in section E of the diagram, is based mainly on the A5
cellular telephone algorithm, but made simpler to draw by replacing its self-clocking
principle by that of the T-52. The second, in section F illustrates the use of J-K flip-
flops to combine shift registers nonlinearly.
The Kinetic Protection Device generated an 8-bit output each time the shift register in
it was clocked. A shift register of 61 stages was used, and the feedback polynomial
applied was selected from a set of 1024 such polynomials stored in ROM. Eight
different nonlinear functions, each taking six bits of input from six stages of the shift
register, were used to produce the eight bits of output.
The design pictured here uses a 44 stage shift register, with a ROM having only 256
feedback polynomials in it. The main part of this circuit is section A of the diagram.
The modified Geffe generator, here found in section D, shown earlier on this page in
ASCII graphics, takes five inputs from five stages of the shift register; the newest bit in
the shift register is then XORed to the result. While there is only one nonlinear
function, the five inputs to the modified Geffe generator can each be chosen from eight
sources in the shift register, and this is determined by bits from three other shift
registers in section C. The output of these three shift registers is XORed with signals
produced in other parts of the device for some extra difficulty in analyzing its output.
Thus, the design produces only one bit of output, not eight bits, each time the shift
registers in it are stepped.
Instead of the feedback polynomial of the main shift register being set once as part of
the key, it varies during encipherment. The eight-bit input to the feedback polynomial
ROM is produced by selected bits from two shift registers moving in opposite
directions, XORed together in section B. These shift registers are clocked by the AND
of three bits from a third shift register, so that the feedback polynomial only changes at
intervals. Since all the feedback polynomials in the ROM are maximal period ones, as
long as the initial state of the LFSR stages is nonzero, it will remain nonzero.
That arrangement does have the weakness that all eight output bits are parts of the
same sequence of bits, although at widely separated intervals: the bits produced by
XORing the output of the two shift registers with different periods. (That may not be
strictly true if the periods of the two generators is not relatively prime.) This weakness
is reduced by using the OR of two other bits of the clocking shift register to AND one
of the clock signals, so that the two main shift registers will not be perfectly in step.
The result is, however, still the same sequence of bits being produced on each line, but
a different sequence with a longer period is appearing there, at least. This shows the
merit of the original Kinetic Protection Device design, since, unlike my efforts here, it
does avoid that; however, this circuit is at an earlier position. Thus, we can choose to
stop at any point, as otherwise we get infinite regress, or what one book on computer
graphic displays has called the "wheel of reincarnation".
This output is XORed with the output of a J-K flip-flop, which has as inputs the
bitstreams produced in sections E and F of the diagram. A J-K flip-flop is a good way
to combine two bitstreams for reasons which are explained below, in the description of
the section of the device which illustrates their use.
The first bitstream used is produced by three shift registers which clock each other, in
section E of the diagram. Each one is clocked by the OR of two bits (one inverted)
from each of the other two shift registers. Since each shift register supplies one bit and
the negation of that same bit to the clocks of the two other shift registers, it is never
possible for all three shift registers to stop moving at the same time. Just as the main
part of the schematic is inspired by the Kinetic Protection Device, this part is inspired
by the A5 algorithm used with GSM cellular telephones.
The second bitstream comes from a circuit which includes one element that is very
likely to have been part of the electronic cipher machines of the early 1970s, the J-K
flip-flop. This is section F of the diagram. In the book Basic Methods of Cryptography,
by Jan C. A. van der Lubbe is noted something I really should have recalled from
learning about digital circuitry as an undergraduate: a J-K flip-flop, in addition to being
set if a signal is sent on J alone when it is clocked, or being reset by K alone, is
unaffected if neither is present, and is toggled when both are present. This makes it as
unbiased as an XOR for combining two bitstreams, but its memory makes it nicely
nonlinear.
The circuit supplying the second bitstream consists of four shift registers. Two of them
are used as inputs to both a J-K flip-flop and an XOR gate. Then, the two output
bitstreams resulting are selected by the output of a third shift register. One is used as an
input to another J-K flip-flop, along with the output of a fourth shift register, and the
other output bitstream resulting from the first two shift registers is XORed with the
result.
The following table, showing for two inputs the outputs of a J-K flip-flop and an XOR
gate,
J K J-K flip-flop J xor K

--------------------------------------
0 0 | P | 0
0 1 | 0 | 1
1 0 | 1 | 1
1 1 | ~P | 0
illustrates the property of the J-K flip-flop used here: not only is its output a random
stream if it has two random streams as input, but this output is uncorrelated with the
output of an XOR gate with the same two inputs. So, having a third input choose
between the two modes of combining the first two inputs produces an output hard to
relate to the raw outputs of any of the shift registers involved. The circuit used in
section F of the diagram, as we have seen, begins by using that principle.
In addition to the bits initially loaded into the shift registers of the device, another
possible keying element for such a device is the order in which the shift registers of
different lengths are connected to the different areas which take input from a shift
register. Only those shift registers that are used in a plain fashion, with no values taken
from within the shift register and with no special clocking are shown as being
switchable via plugboard terminals. In practice, a plugboard would not be used; some
circuit with switches would be used instead. The idea of continuously varying the
connections with a rotor machine hardly bears thinking about.
Note that I have generally neglected to show the clock pulses explicitly; essentially, all
the J-K flip flops and shift register stages are clocked by one master clock pulse, with
the exceptions of the shift register gating the clock for the two shift registers used to
address the feedback polynomial ROM, and of an implicit 1/2 clock pulse delay for the
signals by which the three shift registers in section E of the diagram clock each other.
Also, the reason for my use of nonstandard logic symbols here and in other diagrams is
to provide legibility in a small number of pixels (the standard symbols for AND and
OR, for example, look alike).
Next
Chapter Start
Table of Contents
Main Page
[Next] [Previous] [Up] [Index]
Other Constructions
One construction suggested for making use of the properties of the J-K flip-flop is due to Pless: four pairs
of shift registers feed into four J-K flip-flops, and their outputs are used in rotation. This eliminates direct
information about the raw shift register sequences, which can be obtained from two consecutive bits of
their output some of the time.
While attacks on that device have been shown to exist, in practice it would be elaborated upon, and as a
starting point it is not a bad idea. The following diagram:
illustrates a possible elaboration. Instead of four groups of two shift registers, we have four groups of
seven shift registers. Five are grouped in the fashion we saw in the green-background area of the large
diagram above; two feed both a J-K flip-flop and an XOR gate, and these two outputs, together with the
outputs of three other shift registers, are applied to the extended Geffe generator circuit described earlier.
Two additional shift registers are used to control swapping of the outputs from two pairs of shift registers.
Instead of using the outputs of the four segments in sequence, two shift registers select a segment at
random; and that segment is omitted, the outputs of the other three being XORed to produce the final
result.
An interesting, secure, and simple shift-register based design is illustrated within the High-bandwidth
Digital Content Protection System specification developed by Intel:
The XOR of the outputs of four shift registers generate a sequence of bits with a long period. The XOR of
four other taps, one from each shift register, produce another part of that sequence of bits: since these taps
are not all at the same distance from the outputs, that XOR produces a distant part of the same sequence.
Another set of four taps from these shift registers controls four switchable delay or memory cells: each
cell stores two previous inputs, and the control signal determines which of those two values is output. The
new input replaces the value output, but the two values remaining are then also swapped.
Since what this does is buffer the sequence of bits from the four earlier taps, allowing them to be output
after an irregular number of cycles, it is similar to what the MacLaren-Marsaglia random number
generator does. Each bit input to these four cells can take many different numbers of cycles before being
output, and so there is no one sequence of bits similar to those of a shift register which is particularly
likely to match the actual output.
However, it is still true that there is an average amount of time that the bits from the delayed sequence
will take to go through the four delay cells, and so it has been claimed that this might be sufficient to
provide for a correlation attack, such as that used against the Geffe generator.

indicates two simple ways in which this design can be improved to make it considerably more resistant to
such an attack.
The first change is that between each pair of delay cells, another output from the shift registers is XORed
with the bits as they progress. This means that different cases of individual amounts of delay in the four
cells which add up to the same total delay are no longer equivalent.
The second change is that another shift register is used to store several successive outputs from this
generator, and the actual output used is the XOR of four of these outputs. Now, a bit of output will belong
to the 'most likely' case sought by a correlation attack only if the four output bits of the previous part of
the generator all belong to that case.
However, that last bit of the generator, while it does prevent a direct correlation attack, doesn't really add
any security, since the input to that stage can be derived from its output by a very simple process of
deconvolution. So it is not enough to use multiple bits of the output, they must be chosen unpredictably. A
valid design using this principle might look like this:
where three of the old bits are combined by a nonlinear function, and the other one goes through another
variable delay cell. Now, an actual, although modest, gain in security against a correlation attack is
obtained.
However, a simple idea allows the very large gain in security against a correlation attack aimed at by the
first of the extended versions of this design to be achieved. In the following diagram:
the outputs of the main generator are directed alternately to one of two shift registers. The one that
recieves the output is the one that is stepped, and the one from which the XOR of four bits is used. In this
way, the four outputs of the main generator which are used vary over a large number of possibilities.
Since the decorrelator circuit added at the end of the device seems to be so powerful, perhaps we could go
back to taking only the original number of taps from the shift registers:
but replace the variable delay cells of the original design with decorrelator circuits. In this way, the final
output is formed from any of a huge number of possible combinations of the shift register outputs.
Incidentally, it may have occurred to you from viewing the diagrams above that a decorrelator circuit
could as easily be built using the principle of selective recycling used in the delay cells in the original
design, as shown here:
as by using the principle of selective clocking. The XOR of other bits besides the one clocked out could
even include bits from the shift register row not used, as well.
Hence, even if the design shown is not considered perfect, minor changes can strengthen it considerably.
Next
Chapter Start
Table of Contents
Main Page
More Realistic Examples

Since many of the early electronic cipher machines were used as telecipher machines, it is possible they were designed around generating five
bits in a single cycle in parallel. A possible very simple design of that type is illustrated below:
Here, five Geffe generators produce five bits. But the five unused shift register outputs, instead of being discarded, are used to control
swapping the five Geffe generator outputs. Note that the unused bit from one Geffe generator is always used to swap the two outputs of two
other Geffe generators (at least if no preceding swaps take place).
Since electronic circuitry is much faster than the mechanical components of teletypewriters, however, a design like the above will not be
considered for long before the idea of running it five times faster, and producing a serial bitstream from its output, is considered:
Since the circuit that takes five bits of input, and produces one bit of output, involves some swaps of adjacent input bits, and the device
producing those five bits also swapped adjacent bits, the order of the bits has been shuffled before the last combining circuit, so that swaps of
bits not previously subject to exchange will take place instead.
When the signal from a teletypewriter is in serial form, it is accompanied by stop and start bits; the idea might occur to a cipher machine
designer to use this as an opportunity for an extra complication; another shift register could control whether, during the stop and start bits,
when the machine's output is not XORed with the communications signal, the device is clocked. Since the start and stop bits take as much
time as two and a half data bits, 0, 1, or 2 clock ticks could take place without any increase of speed. Double the speed of the device (and, of
course, a tenfold discrepancy between electronic and electromechanical devices is far from unreasonable), and the opportunity arrives to have
either 1 or 2 clock pulses between the data bits in a single character as well.
When this fairly simple stratagem of designing a cipher machine around the characteristics of 5-level code signals is illustrated by a timing
diagram,
along with a block diagram, illustrating the use of each of the timing signals,
(the box with three shift registers in it represents the apparatus with five Geffe generators whose output is combined to produce a single
output bit shown above) it looks quite complicated.
Other constructs, instead of Geffe generators, could be used to generate the bitstreams the device starts with, more than one extra clock pulse
for optional clocks could be used per baud, and, perhaps most important, instead of clocking, or not clocking, all fifteen shift registers in the
cipher assembly during an optional clock pulse, one could instead use more than one tap, or more than one shift register, to control the
clocking of the various shift registers independently during the extra time periods.
Various references have noted that the early electronic cipher machines were often of a self-synchronizing nature. Also, the SKIPJACK block
cipher design was described in the document revealing its design as a kind of shift register, suggesting how a shift register could be used for a
simplified form of block encipherment. Taking these ideas together, one arrives at the following illustrative diagram:
This diagram is scaled down. On the right, the basic characteristics of a self-synchronizing cipher are shown: a shift register without feedback
stores the last several ciphertext bits. A nonlinear function of these bits, which can be varied by a plugboard, is used as the keystream which
is XORed to the plaintext to become the ciphertext.
Such a design, in itself, would have to be made extremely elaborate, with a very large number of logic gates, to offer any security. On the
right half of the diagram is shown how, with a limited number of gates, using a shift register to do block encipherment, more security might
have been obtained.
The area enclosed by dotted lines is clocked differently from the rest of the diagram. It produces a bit to be XORed with the plaintext by a
process that has to be described; it can't be easily shown in the diagram. An attempt has been made, though, with arrows showing the order in
which the paths shown in the diagram are used. First, the bits of old ciphertext are loaded into the feedback shift register inside the dotted
lines; the entire register is filled from the outside. This takes place during cycle 1, as indicated by the first arrow. Then, the feedback shift
register is cycled several times through its entire length. This register is shown as being stepped 40 times, during cycles 2 to 41; since the
shift register contains 16 cells, the bits in it cycle more than twice through its whole length. The final state of the register is then used to
produce the output bit used to XOR with the plaintext, by means of another nonlinear function. This output is taken at the last, during cycle
42.
Note that the state transition function of the feedback shift register is invertible; the oldest bit of it is XORed to a nonlinear function of five
other bits before being recycled. This is invertible for the same reason that a Feistel round is invertible; the five inputs to that function are
only moved, not changed. This doesn't guarantee a long period, but it does mean that after any fixed number of cycles, each different initial
state will result in a different final state. This means that there is no possibility, despite the fact that the shift register has nonlinear feedback,
and therefore many of its properties are hard to understand, that after some large number of cycles a large number of different initial states
will lead to the generator winding up in the all-zero state (or some other degenerate condition) and getting stuck there.
In other words, the state space is incompressible under the state transition function provided by a nonlinear shift register with the property
that the eldest bit is not altered, and is XORed with the output in the last stage of calculating the output. (The usefulness of setting up a
nonlinear shift register in this way was in fact briefly noted in Applied Cryptography, where it is stated that the danger of its sequence dying
out to all zeroes can be "easily cured".)
The nonlinear function applied to the final state includes the newest bit in the shift register as one of its inputs, so that none of the cycles the
shift register went through to produce that state is wasted.
The arrangement of the two plugboards in the diagram is one part of the key; in practice, something less messy than plugboards would have
been used, but not worrying about such details leaves the diagram simple. Another place where key material is used may be during the
stepping of the fast feedback shift register, which may be fed one character of a 40-character key during that stepping.
With known plaintext, if the first shift register, the one without feedback that simply stores old ciphertext bits, is short, a codebook attack on
the cipher is possible as a direct consequence of its self-synchronizing nature. That is, one could make a table of the possible values of the
preceding N ciphertext bits, for increasing N until N reaches the length of that shift register, and find that for each entry, whether the current
plaintext bit is inverted or not is consistent.
It may be noted that this arrangement, although it is greatly simplified, is essentially a scaled down version of operating a block cipher in
Cipher Feed-Back mode, with the addition that the "block cipher" output is further condensed by a nonlinear function of several of its bits.
Although the correlation attack is primarily a problem for designs based on linear-feedback shift-register outputs, the decorrelation circuit
met on the previous page can be combined with this form of design as well. Thus, the block-cipher like stage can generate two bits of output,
one which is decorrelated, and one which controls the decorrelation. It should be noted, of course, that it takes a number of cycles for this
type of decorrelator to be filled with output bits, particularly as the random control of which shift register is filled can mean the time required
is variable. Special circuitry to enable an initial fill mode is possible, just as in the MacLaren-Marsaglia random number scheme, the buffer is
initially filled with a number of consecutive PRNG outputs.
More elaborate constructs are also possible, like the one below:
Here, 30 bits of previous ciphertext are cycled three times through one nonlinear shift register with an incompressible state space, and three
bits of output are produced. One bit is fed into a decorrelator, the second controls the decorrelation, and the third is used for another
decorrelator later in the circuit.
The decorrelated output is again fed into another block-cipher like nonlinear shift register, this time one which acts on a 16-bit block, as in the
previous example. The output of that stage is decorrelated under the control of the third bit used earlier. Here, however, instead of the
decorrelator simply XORing together multiple old output bits, a nonlinear function of old output bits is XORed with the one being shifted out
of the shift register being clocked, making this a nonlinear decorrelator. The five-input nonlinear circuit that I have used throughout these
examples is expanded by making one of its inputs the OR of two ANDs, and another the AND of two ORs; thus, the significance of the bit
that chooses between these two somewhat biased values is increased.
This rather daunting diagram changes to the following

when drawn with standard logic symbols. Of course, since I wished to avoid increasing the size of the diagram, the shift-register flip-flops are
not drawn explicitly. The arrangement involving the shift registers shown as clocked by phase 3 and phase 7 is somewhat involved, and so an
inset for the one clocked by phase 3 shows what is actually going on for each flip-flop in the shift registers. Essentially, phase 2 clocks
loading the entire register from outside, and phase 3 steps the register. Type D flip-flops are shown as being used to build the shift registers
for simplicitly, even if in practice type S-R flip-flops would be used for economy.
Also, in this diagram, it is necessary to make explicit the timing signals used; the following chart:
shows what those signals are.
The leading edge of the phase 1 signal must occur at some time when the previous ciphertext bit is valid; after the trailing edge of the phase 8
signal, the output of the ciruit is valid, so the new ciphertext bit will be valid when the new plaintext bit is valid.
Until such time as the cipher machines of the 1970s become declassified, these imaginative reconstructions of mine may perhaps prove useful
to spy novelists wanting to insert authentic-looking cipher machine plans into their works.
When the real thing is revealed, of course, it will be far more secure than my careless effort. I think my first diagram, the one based on the
Kinetic Protection Device, is likely to be rather more elaborate and complicated than anything actually used, while the first of the two designs
shown on this page, showing five Geffe generators, is probably more straightforwards and simple than anything actually used. As the second
one is based on various public comments concerning the electronic cipher machines of the U.S. during that period, although it is scaled down,
it may illustrate a principle that had actually been used, or, of course, one that we are intended to think was used. In that case, the "real thing"
would have had longer shift registers, and more complicated nonlinear functions (and three different ones) than my simple improved Geffe
generator which I used three times in the diagram. Also, there may have been an attempt to encipher the five bits of a teleprinter character in
parallel. It should also be noted that, for purposes of the illustrative diagrams on these pages, I have not troubled to ensure that all the shift
register polynomials used are actually of maximal period, which would be required in practice.
Next
Chapter Start
Table of Contents
Home Page
Other Stream Ciphers

The mixed congruential pseudorandom number generator, usually used in software, is
one of the basic techniques of producing apparently random bits that we will examine
here. This is the technique used to produce the numbers given by the RND() function in
most dialects of BASIC. Modulo a constant, replace x by a times x plus b, where a and
b are both constants. If a and b are large enough, the behavior of x, particularly its most
significant bits, will seem random. For the maximum period, which is the same as the
modulus, b must be relatively prime to the modulus. So must a, but if the modulus is a
multiple of 4, a must also be equal to 1, not 3, modulo 4.
The most common method used for strengthening a mixed congruential generator is to
use it as part of a MacLaren-Marsaglia random number generator.
Let us suppose that random binary bits are desired. Then, one uses one generator
modulo two to some power, so that one is starting with numbers with a uniform
distribution. Since the most significant bits of the output from such a generator have
the longest period, one might take only the 4 or 8 most significant bits of the output.
A buffer, perhaps with 37 entries, containing 37 bytes or nibbles produced by that

generator is used. Each time some bits are to be produced, a second mixed-congruential
generator, operating modulo 37^n for some n, is used to pick one element from that
buffer, which is used as the output of the full MacLaren-Marsaglia generator. Then the
other mixed-congruential generator is used to supply a replacement value for the buffer
element used.
Again, a simple MacLaren-Marsaglia generator is still not secure, although the paper in
which one was cracked used one where all the bits of the binary MC generator were
used and none were discarded. If only the first few bits are used, and a long binary MC
generator, perhaps one requiring multi-precision arithmetic, is used, there is already a
greater level of security present. But more elaborate constructs are again possible.
But there are many other techniques that can be applied to bytes or words, rather than
bits, to produce a keystream to XOR with plaintext.
Gifford's cipher used only eight bytes of internal state, but produced a cipher that was
only shown to have weaknesses after some very involved analysis.
It actually was a kind of shift-register cipher, but with the shifting being done by byte.
The shift register was eight bytes long. Feedback involved taking three bytes from the
register, and obtaining the new byte by XORing together one of the bytes, the
arithmetic right shift of another byte, and the logical left shift of the third.
The output from the generator is produced by taking four bytes from the register,
forming two 16-bit integers from them, and taking the second least-significant byte of
their product. This output is what is XORed to the plaintext to produce ciphertext.
This diagram illustrates Gifford's cipher:
A stream cipher is any cipher which, like Vigenere, or that produced by a rotor
machine, changes how it behaves during a message. Thus, most block cipher modes,
other than Electronic Codebook Mode, produce stream ciphers.
A stream cipher which does produce pseudorandom bits to XOR with plaintext can be
improved merely by substituting new values for the bytes of the plaintext from a secret
table, both before and after the XOR.
Another way of using the output of a pseudorandom bit generator was developed by
Terry Ritter, which he called Dynamic Substitution.
The principle is very simple. A secret table, with a random sequence of the 256
possible byte values, is used.
A message byte is replaced by its substitute in that table in order to encrypt it.
Then, a byte from the pseudorandom bit generator is taken. The two table entries
corresponding to that byte, and the plaintext message byte, are swapped. In the event
both the plaintext byte and the psudorandom byte are the same, nothing is done.
This is a simple, but secure technique. Every time a table entry is used, it is relocated
somewhere else at random. So, since each table entry is used once and once only, no
useful information about the table seems to be made available.
If one knows some corresponding plaintext and ciphertext, it is true that since you
know that the table entry you encountered when one byte was enciphered was sent to
the byte the PRNG sent it to at that time, and may stay there for a while, if that same
byte turns up shortly after, you can conclude that the PRNG byte in the past is the same
as the plaintext byte when the byte value turned up again.
However, one cannot expect a simple method of applying a keystream to plaintext to

be perfect; this small weakness doesn't contradict the fact that this is a great
improvement over simply XORing the keystream to the plaintext.
The main reason this technique may not become popular even after its patent expires is
because it is an autokey method; the encipherment of plaintext bytes depends in part on
the values of previous plaintext bytes. This is not good for error-propagation, which
need not be a consideration (since once text is encrypted, it can be sent along with
extensive error-correction; and encrypted texts are often compressed, which already
results in wide propagation of any errors) but it is usually considered to be a problem.
The idea of shuffling elements in a table of the 256 different byte values can also be
used to generate pseudorandom bytes.
One very popular stream cipher has been alleged to function as follows:
Using two variables that store one byte each, in addition to the table, generate bytes as
follows:
Start with A and B equal to zero.
Each iteration proceeds in this way:

● Increment A (modulo 256).
● Add the A-th element of the table to B (modulo 256).
● Use as the output byte the element of the table specified by the modulo-256 sum
of the A-th element and the B-th element of the table.
● Exchange the A-th element and the B-th element of the table with each other.
The initial arrangement of the 256-byte table is created by a procedure involving a

second 256-byte table. The table to be used in generating pseudorandom bytes is
initialized to the numbers from 0 to 255 in order. The other table is filled with the bytes
of the key repeated over and over until it is full.
Start again with A and B equal to zero.
Repeat the following steps 256 times:
● Replace B with the sum of B and the A-th element of both tables.
● Increment A.
● Swap the A-th element and the B-th element of the table to be used later,
leaving the one containing the key alone.
One other stream cipher of interest is given its own section.
● Panama
Next
Chapter Start
Table of Contents
Home Page
Panama
Panama is billed as a "cryptographic primitive". Designed by Joan Daemen, also responsible for 3-Way, and one
of the collaborators in the design of Rijndael, Panama is essentially a stream cipher engine with a large state. It
is, however, equally usable as a hash function.
The structure of a Panama iteration is illustrated by the following diagram:
Panama contains two main elements. A shift register, with 32 cells, each containing a vector with eight 32-bit
words, and a recirculating mixing function, resembling the f-function in a block cipher, which operates on a
"state" consisting of seventeen 32-bit words. (While it has been noted that SHA-1 inspired Panama, I do not find
the resemblance obvious.)
There are three fundamental operations that form part of Panama.
● Panama is reset by setting both the 17-word state and the contents of the shift register to all zeroes.
● A vector of eight 32-bit words is fed to Panama through a Push operation. Operations unique to the Push
function are shown by the light dotted lines in the diagram. In a Push operation, the incoming vector is
used as one of the inputs to the state transition function (the other input is the contents of one of the cells
in the shift register), and is also used to XOR with the recirculating values in the shift register.
● A vector of eight 32-bit words is recieved from Panama by means of a Pull operation. The line of
alternating dots and dashes shows the operations unique to the Pull function in the diagram. In a Pull
operation, the 32-bit words numbered 9 through 16 in the state are used as the output, and words 1
through 8 are XORed with the recirculating values in the shift register. The inputs to the state transition
function both come from stages in the shift register, one not used for any special purpose in the Push
operation replacing the input, absent from a Pull operation.
When Panama is used as a stream cipher, first the key is input by one Push operation, and then an initialization
vector is input by a second Push operation. Then, 32 Pull operations are performed, discarding their output, to
allow the internal state of Panama to be fully mixed.
When Panama is used as a hash function, the message to be hashed, followed by a 1 bit and as many zeroes as
are needed to cause the message to occupy an integer number of 256-bit blocks, is input to Panama through a
series of Push operations. Then, after a number of Pull operations with their output discarded, so that the effects
of even the last block of the message are fully diffused, the output from a final Pull operation constitutes the hash.
The state transition function of Panama operates on 17 32-bit words, numbered 0 through 16. Its steps are visible
in the diagram, and are, in order:
● Nonlinearity: each word is XORed with the OR of the previous values of the next word and the
complement of the word after, going around the circle from word 0 to 16 and back to 0.
● Bit Dispersion: first, the words are transposed (by a simple decimation with interval 4), then the words
undergo circular left shifts of different sizes.
● Diffusion: each word is XORed with both the previous values of the next word and the word four
positions ahead, again going around the circle.
● Buffer Injection: Word 0 is XORed with 1; words 1 through 8 are XORed with the first input to the
function, and words 9 through 16 are XORed with the second input to the function.
The huge size of the internal state of Panama makes it look very impressive. Of course, one might want to add an
extra XOR here or there, such as using the state function output during Push cycles. But Panama has been
designed to be very efficient on internally parallel microprocessors, and thus throwing in extra operations would
interfere with that.
However, a closer look at first creates the impression that Panama might be weak instead of strong. The problem
for the cryptanalyst is to discover the internal state of the cipher, both the 17-word state and the shift register
contents. But the state is used as the output of the cipher, and the state transition function has only a single round.
Thus, knowing two successive 17-word states, one can easily discover the two 8-word inputs to the state
transition function.
The only thing that prevents this from happening is that only eight of the seventeen words of the state are used as
the output of Panama. At one point, having mistakenly thought that the first eight words of the state, words 0
through 7, were the output block, I worked out a simple way to find the value, with 75% probability, of one of
the words in the buffer, but Panama does not in fact allow such a simple attack. Thus, the cryptographic strength
of Panama seems to equal that of a two-round version of the state transition function, since just under half the
state is used.
However, that attack involves reconstructing the internal state of Panama from known plaintext, which means
that, knowing part of a message, one can find the rest of that message. What about attacking other messages with
the same key, but a different initialization vector?
Unfortunately, this too is possible. The nonlinearity stage of the state transition function of Panama, resembling
as it does the small S-Box of 3-Way, can be inverted (unlike the nonlinear part of the f-function of DES), so it is
possible to run Panama backwards if one had a full knowledge of its internal state, and obtain the original 8-word
key.
Tracing the path of information through the state transition function of Panama shows that a trivial application of
differential cryptanalysis principles does not suffice to obtain some bits of the buffer by means of a known
plaintext attack on Panama when used as a stream cipher. The following diagram illustrates what happens when
an attack is attempted:
With known plaintext, one knows the value of the output bits from Panama. If one has two successive output
blocks from Panama, tracing through the state transition function leads to the following results:
Initially, words 9 through 16 of the state are known.
After the nonlinearity step, words 9 through 14 of the state are still known for certain. The bits of word 15 which
correspond to 1 bits in the former value of word 16 are known as well, but the other bits of word 6 are unknown.
The bits of word 16 are, with a probability of 75%, the inverses of their former values.
After the bit dispersion step, the words known with certainty are words 2, 4, 9, 11, 14, and 16, and the words
about which partial information is available are words 7 and 12. The right words in the right places are not
available to allow a known or partly known word to exit the diffusion step for comparison with a word known
from the current output block, by which means some buffer contents could be found.
Even so, the fact that it comes this close to solution makes one wary of the danger of a differential attack.
Panama is an impressive and promising design, but because of the superficial appearance that it is close to being
susceptible to a differential attack, I have taken the liberty of proposing variant with a few modifications (so
don't blame Joan Daemen if, instead of making it more secure, I've ruined it) which is illustrated in the
conclusions section of this chapter.
Next
Chapter Start
Table of Contents
Main Page
A Note on the Importance of Galois Fields

In the descriptions of the block ciphers Rijndael and Twofish, we have encountered the
operation of multiplication in a Galois Field.
Looking at other cipher designs, and their effective use of more familiar operations,
such as addition, exclusive-OR, conventional and modular multiplication, and table
lookup in S-boxes, one might be forgiven for wondering if the use of such exotic and
advanced mathematics is really necessary in a symmetric-key cipher.
However, in attempting to answer a question about the simplest way to fully correct a
flaw in a particular type of stream cipher, one can see that Galois fields do have an
important property which is useful in cryptography.
Some stream ciphers operate merely by generating a pseudo-random output, treated as

a keystream, which is merely XORed with the plaintext. Others behave more like rotor
machines, and instead of simply displacing the plaintext a varying amount through a
fixed alphabet, provide a substitution which is different in arrangement for each
symbol enciphered.
In the former case, if one knows the exact plaintext of a message being sent, one could,
by inverting the same bits of the ciphertext as one wishes to invert of the plaintext, alter
a message in any way one likes without knowing any part of the keystream.
This weakness, known as vulnerability to the "bit-flipping" attack, can, of course, be

dealt with by using some form of authentication method.
However, I still found it interesting to investigate the question of what would be the
minimal enhancement to the basic PRNG (pseudorandom number generator) with XOR
stream cipher to obtain a varying alphabet.
More specifically, I sought a combiner (which could be used alone as a variation on the
one-time-pad) with the following properties:
● Input plaintext symbols from an alphabet of N characters are taken to output

ciphertext symbols from the same alphabet, for some N>2;
● The number of possible keystream symbols is some multiple of N, and if all
keystream symbols are equally probable, then for a given plaintext symbol p, all
ciphertext symbols are equally likely to correspond to it, and conversely, for a
given ciphertext symbol q, all plaintext symbols are equally likely to correspond
to it;
● The number of possible keystream symbols is some multiple of N-1, and if, due
to the existence of known plaintext, an adversary is aware that at one point in
the text, plaintext symbol p corresponds to ciphertext symbol q, then, if those
keystream symbols which could produce that result remain equally probable,
altering ciphertext symbol q to any other symbol, q', which is different from q
could produce, upon decipherment, any of the N-1 possible plaintext symbols
which differ from p as the result with equal probability.
The addition table for a simple cipher with these properties, where N=3, is as follows:
Key
| A B C D E F
----------------
P 0 | 0 1 2 0 1 2
L 1 | 1 2 0 2 0 1
N 2 | 2 0 1 1 2 0
Cipher
To scramble plaintext in the fashion of a one-time-pad, it is sufficient to use either the

keystream symbols (A,B,C) or (D,E,F) with equal probability. Because the vertical
columns in the ciphertext run backwards in the second half of the table, for a given
plaintext-ciphertext pair, if the two keystream symbols that could have caused it in the
two halves of the six possibilities are equally probable, changing the ciphertext is
equally likely to give either of the two different plaintexts.
Note that what is happening here is that the one-time-pad effect is produced by adding
0, 1, or 2 to the plaintext to produce the cipher output, while the resistance to the
equivalent of a bit-flipping attack is produced by previously multiplying the plaintext
either by 1 or -1 (equivalent to 2 in modulo-3 arithmetic).
This can also be done for binary data; the minimal way to do so would be to take two
bits at a time, as in the following table.
Key
A B C D E F G H I J K L
------------------------------------------
P 00 | 00 01 10 11 00 01 10 11 00 01 10 11
l 01 | 01 00 11 10 10 11 00 01 11 10 01 00
a 10 | 10 11 00 01 11 10 01 00 01 00 11 10
i 11 | 11 10 01 00 01 00 11 10 10 11 00 01
n Cipher
In the first four columns of the table, using one of keystream symbols {A,B,C,D} is
equivalent to performing an XOR of the plaintext symbol with the respective element
of {00, 01, 10, 11}.
It can be verified by inspection that this table does have the property I am looking for.
Note that keystream symbols {E,F,G,H} and {I,J,K,L} also perform XORs with the
plaintext symbols, after a substitution is performed on them, the substitutions being the
ones in the columns labelled E and I.
The following table:
A E I
00 01 10 11
----------------
00 | 00 00 00 00
01 | 00 01 10 11
10 | 00 10 11 01
11 | 00 11 01 10
shows the three substitutions in use, along with an extra column to make the table
symmetric.
Since any operation involving 00 produces 00, this resembles a multiplication table.
And, indeed, it is the multiplication table for the representation of GF(2^2) with
modular polynomial x^2+x+1.
So, just as with base 3, we obtained the desired property by performing first a
multiplication and an addition, here we performed a Galois Field multiplication,
followed by an XOR, which is the operation corresponding to addition in such a Galois
Field. (Doing the XOR first and the multiplication afterwards, of course, would also
work.)
Is this a general method for obtaining a substitution which has this desired property?
Yes; this is a direct consequence of the distributive property. Multiplication over the
Galois Field, and XOR, behave like multiplication and addition do in ordinary
arithmetic, and thus they will be denoted by * and + respectively below.
Given that (p*B)+A=q and (p*B')+A'=q, if B is not equal to B', then for q' not equal to
q, we wish to prove that (p'*B)+A=q' and (p''*B')+A'=q' implies p' cannot equal p''.
This follows from the distributive property, and a few other basic properties of a field.
If p' did equal p'', but not p, then for p' not equal to p, the difference between (p'*B) and
(p'*B') cannot equal the difference between (p*B) and (p*B'), since the one is p'*(B
+B') and the other is p*(B+B'), and B is not equal to B'. (Here, + is equivalent to -,
because XOR performs both roles.) However, the difference between A and A' hasn't
changed, and so a contradiction results.
Thus, when two operations behave like addition and multiplication, they complement
each other as well as two operations can, and thus using them together provides a result
which, in the particular respect examined here, resembles the result of having a
completely indeterminate permutation.
And to obtain two such operations for symbols that are made up of two or more bits
each, the only choice is Galois Field multiplication along with XOR. If, instead, a set
of symbols with a prime number of elements is used, one can use ordinary modular
multiplication and addition. Thus, this property can be approximated by using, for
example, addition modulo 2^n and multiplication modulo (2^n)+1, with the advantage
that the inputs to both steps can have all 2^n possible values.
This technique is illustrated here as giving the benefit of preventing anything

resembling 'bit-flipping' in a stream cipher, including the one-time-pad. But it is also
useful in the design of block ciphers, where it provides what is referred to as
decorrelation, and thus this point is also referred to in the section on the Decorrelated
Fast Cipher.
Twofish and Rijndael use two different representations of GF(2^8). For 5-level-code
characters, as used in telecipher devices, x^5+x^2+1 is a suitable modular polynomial.
Since GF(2^5) multiplication has the distributive property with respect to XOR, the
following abbreviated multiplication table is sufficient:
| 00001 00010 00100 01000 10000

-------------------------------------
00001 | 00001 00010 00100 01000 10000
00010 | 00010 00100 01000 10000 00101
00100 | 00100 01000 10000 00101 01010
01000 | 01000 10000 00101 01010 10100
10000 | 10000 00101 01010 10100 01101
In the age before inexpensive computers, and ciphers like DES, and hash functions like
MD5, this is a technique, as it involves math that was known quite a long time ago, and
requires circuitry of moderate complexity even if discrete components are used, which
could have been used to protect secure teleprinter links years ago, by using one one-
time-tape in the conventional manner, but also using a second one-time-tape, not
including the all-zero code, for a multiplication operation. (Actually, of course, it
would make more sense to use a special 10-channel one-time-tape.) While it would not
have been as direct a solution as a hash function, but it would not have the failure mode
of a human in the link ignoring a bad checksum and accepting a fraudulent message.
It does not appear that this was used for the Moscow-Washington hot line, but it is not
impossible that it was at least considered.
Also, perhaps such a technique might have something to do with the Soviet cipher
device described as applying a 15-channel one-time-tape to 5-level-code characters.
Next
Chapter Start
Table of Contents
Home Page

The ciphers in this chapter are intricate, and yet they still seem to be lacking something
compared to those we met in Chapter 2 on rotor machines.
In DES, the basic cipher operation is in essence a degenerate form of the autokey. Each
half of the block modifies the other half alternately with several repetitions.
Yet, the number of the repetitions alone at least seems to have the effect of concealing
the key.
Also, the standard modes proposed for using DES all seem to be designed to avoid
increasing its security, except for the removal of trivial vulnerabilities. It would seem
that combining DES with some form of stream cipher, even a fairly poor one, would
also remove those vulnerabilities at little cost, with additional benefits in security.
Also, it is time to note something about fashions in ciphers, adopted for reasons other
than security. Although the reasons are not really quite so whimsical as the term
fashion implies, as they are instead connected to the practicalities of using the ciphers
in the real world.
Stream ciphers are usually viewed as sources of bits which appear random to be
XORed with the plaintext. They are very poor relations to block ciphers at present.
Transposing the bytes of a message, perhaps between two encryptions in DES in ECB
mode, would probably produce a highly secure cipher, especially if the transposition is
both controlled by a secret key, and yet varies with each message. But this is an option
seldom considered.
This is because for many applications it is important that occasional communications

errors, even if they corrupt somewhat larger areas in a message because of the use of
encryption, not totally obliterate the entire message. So, only those encryption modes
and methods that have a limited level of error propagation are considered.
Some of the techniques we have seen in this chapter will now be explored in a number
of conceptual designs, some of them perhaps a bit over-elaborate.
● Modified Panama
● Mishmash
● Combining Two Unrelated Block Ciphers
● A Base Conversion Block Cipher and Other Concepts
● The Large-Key Brainstorm
● The Inner Structure of the Feistel Round
Next Chapter
Chapter Start
Table of Contents
Home Page
Modified Panama
Having noted that in the cryptographic primitive Panama, it looks as if a differential attack only just misses being
possible, I have taken the liberty of proposing variant with a few modifications (so don't blame Joan Daemen if,
instead of making it more secure, I've ruined it) which is illustrated below:
The state transition function is modified:
the first thing I propose to do is to XOR words 0 through 7 of the state with words 9 through 16 of the state. I
also use the least significant three bits of word 8 of the state to determine which of words 9 through 16 is XORed
with word 0 (the remaining ones proceed in succession) to produce what I call "deep nonlinearity".
in Push cycles only, the word of the state that was XORed with word 9 of the state is also XORed with word 8 of
the state. This makes the state transition function not invertible. This is not appropriate for Pull cycles, since it
may lead to short cycling of the state transition function; but Push cycles are limited in number. This prevents
recovery of the key from the state.
Then, one proceeds with the normal nonlinearity and bit dispersion steps.
An extra buffer injection step is added. This also makes it even more difficult to trace words through the state
transition function.
Then, the regular diffusion and buffer injection steps take place.
The output from the state transition function is modified. During Pull cycles, the first eight words of the state are
XORed into the buffer at the start, as before. During Push cycles, words 9 through 16 are also used; this does not
seem to be excessively revealing of the state, and increases the speed of diffusion in the buffer.
During Pull cycles, the output is now only one word, and that word is the XOR of two words in the state, chosen
by other bits of word 8. Limiting the output to one word changes the basic security of Panama from that of two
rounds of the state transition function to that of sixteen rounds. Outputing the XOR of two unknown words
further reduces the usefulness of the output for determining the internal state of the buffer.
Because of the enhanced diffusion and the noninvertibility of the Push cycle, instead of using 32 blank Pull
cycles, I propose replacing the blank Pull with a blank Push - where an all-zero block is Pushed into the system.
Next
Chapter Start
Table of Contents
Main Page
Mishmash
In thinking about ways to give a block cipher the kind of deep nonlinearity found in the
rotor machine SIGABA, one idea I had is the kind of block cipher one round of which
(for obvious reasons, I proposed only four rounds be used in it) is illustrated by the
diagram below, and which I chose (also for reasons to become obvious) to call
Mishmash:
The cipher operates on a 128-bit block, and has a Feistel-like structure of sorts. The
right half of the block is enciphered by four rounds of some block cipher with a 64-bit
block and Feistel rounds, perhaps DES. The four f-function outputs of that process are
also take, put through another f-function (otherwise, their XOR would be equivalent to
the XOR of the two inputs and the two outputs), and XORed together to produce a 32-
bit word that controls the encipherment of the left half of the block.
In a very schematic form, the left half of the diagram illustrates five operations to
which the left half of the block will be subjected:
● Four rounds of Skipjack

● Two rounds of DES
● One round of SAFER
● Two rounds of some other cipher, perhaps Blowfish or QUADIBLOC, with
Feistel rounds
● Two-round IDEA
Since IDEA is protected by patents, one will have to use both Blowfish and
QUADIBLOC, or some other cipher instead for now; IDEA is shown because it has a
unique basic structure.
Since 5! is 120, seven bits of the 32 bit word are sufficient to indicate the order in
which the five operations are to be applied. 25 bits remain; 5 of them can be assigned
to each of the 5 operations to choose one of 32 subkeys for each (there would be four
separate sets of 32 subkeys for each for each of the four rounds of this block cipher as a
whole).
Next
Next Chapter
Chapter Start
Table of Contents
Main Page
Combining Two Unrelated Block Ciphers

Another way of making use of the strength that can be obtained by using two block
ciphers of a completely different type is illustrated below:
Essentially, each round of encryption consists of applying four rounds of DES to the
left half of the block, and two rounds of SAFER to the right half of the block. Six
rounds of encryption are used, alternating with seven stages in which the left and right
halves of the block are combined. (Even four rounds of encryption may be adequate.)
These fencing stages consist of applying a key-dependent S-box (whose inverse will be
required for decryption) to the bytes of the block, and then swapping bits between
halves by using a mask to indicate which bits are to be swapped with their
corresponding bits in the other halves. This method was pioneered in the block cipher
ICE.
To ensure that each bit being encrypted is evenly divided between the two halves of the
block by each fencing stage, a 48-bit subkey, expanded by the use of a 4 of 8 code (as
seen in the definition of QUADIBLOC) is used, so that exactly four bits of each byte
are swapped.
An additional ICE-style swap is used at the beginning of the cipher, so that the use of
byte substitution for whitening is not reduced in effectiveness by the use of the S-box
at the start of the cipher. This swap uses a plain 64-bit subkey for maximum
randomness, since equal division between halves does not serve a purpose in that
position.
The intent of this design is, of course, that since two completely different ciphers are
intimately mixed, analysis to find a weakness is essentially impossible.
For generating the key schedule, both the 48-bit keys for the fencing stages and the 48-
bit DES subkeys are most easily generated in units six bits long; thus, if a source of
bytes is used to produce the subkeys, it might be quickest to take only the least
significant bits of eight bytes to form one of those 48-bit keys.
Next
Next Chapter
Chapter Start
Table of Contents
Main Page
A Base Conversion Block Cipher and Other

Concepts
Block Cipher with Base Conversions
Another interesting idea for a block cipher happens to lead to one with an 80-bit block size,
which has the advantage of being a multiple of five bits as well as eight, for use with characters
in older systems using 5-level code.
Most block ciphers involve using S-boxes that operate on groups of bits, alternating with
transpositions of individual bits, and XORs of subkey material. Some involve other binary
operations.
But if one converts to other number bases from binary, one can shuffle around fractions of a bit,
thus adding another kind of complexity to the design.
The fact that 33 is both 3 times 11 and one more than 32 is used, along with the fact that 9 is
close to 8, and 121 is close to 128. Key-dependent S-boxes (since fixed ones would introduce
bias, which could be exploited) operating in both directions are used, for example, both one with
33 entries consisting of all 32 5-bit combinations plus one duplicate, and one with 32 entries
containing all but one of the 33 combinations of one 3-symbol and one 11-symbol.
The following are the steps that would comprise an f-function for a block cipher based on this
construct:
1) XOR subkey K1 with the 40 bit input.
2) Take the bits of the input, 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 and so on, in groups of five,

and using eight key-dependent S-boxes, turn each one into a 3-symbol and an 11-symbol, the 3-
symbols being called a, b, c, d, e, f, g, and h respectively, and the 11-symbols being called S, T,
U, V, W, X, Y, and Z.
3) Using four key-dependent S-boxes that produce three output bits from two 3-symbols, and
another four key-dependent S-boxes that produce seven output bits from two 11-symbols, use
the following symbol pairs as input:
(a,b) (S,W) (c,d) (T,X) (e,f) (U,Y) (g,h) (V,Z)
4) The binary result of the above step is to recieve an additional bit permutation, as follows:
11 22 33 14 25 36 7 18 29 40 21 32 3 24 35 6 17 28 39 10
31 2 13 34 5 16 27 38 9 20 1 12 23 4 15 26 37 8 19 30
5) Subkey K2 is XORed to the result.
6) Using key-dependent S-boxes that operate in the reverse direction, producing two 3-symbols
from three bits (thus having eight entries with one combination omitted) and two 11-symbols
from seven bits, produce
S' T' a' b' U' V' c' d' W' X' e' f' Y' Z' g' h'
from the current result.
7) Group the symbols into the following pairs to produce, from eight key-dependent S-boxes,
eight groups of five bits:
(a',Z') (b',V') (c',Y') (d',U') (e',X') (f',T') (g',W') (h',S')
8) Apply the following bit permutation to the S-box outputs (numbers represent sources of bits,
and are in the positions of result bits, as in the DES standard):
6 17 23 29 40 11 22 28 34 5 16 27 33 39 10 21 32 38 4 15
26 37 3 9 20 31 2 8 14 25 36 7 13 19 30 1 12 18 24
35
9) XOR subkey K3 to the result.
and the following diagram illustrates this f-function:

If an expansion permutation is desired as part of the f-function, to improve nonlinearity and to
reduce the danger of bias, one logical place to put one would be before the XOR of the first
subkey, making the first set of S-boxes, containing pairs of one 3-symbol and one 11-symbol as
entries, 256 entries in size. This means that the first subkey increases in length, to become 64
bits long.
In generating these S-boxes in this form, it would make sense to first select eight different
symbol pairs to omit in each of the eight permutations of 32 symbol pairs of which such a box
should be composed.
An appropriate expansion permutation might have the form:
40 23 6 1 2 3 4 5 5 28 11 6 7 8 9 10
10 33 16 11 12 13 14 15 15 38 21 16 17 18 19 20
20 3 26 21 22 23 24 25 25 8 31 26 27 28 29 30
30 13 36 31 32 33 34 35 35 18 1 36 37 38 39 40
and a revised diagram with the expansion permutation added

looks like the above.
Fractal Feistel
Another bright idea I had toyed with I discarded as excessively inefficient and probably
insecure; but when the release of Skipjack indicated that the micro-Feistel rounds I used as the
basis of this might actually be secure, I drew the following diagram to illustrate it:
The basic idea behind this has been used before by others, for example in the MISTY block
cipher developed by Mitsuru Matsui of Mitsubishi, and in the block cipher DEAL proposed by
Richard Outerbridge as an AES candidate, that is: using a block cipher with Feistel rounds as the
f-function for a larger block cipher with twice the block size. However, the diagram illustrates
taking this to extremes.
The innermost function operates on a 16 bit block with four rounds, using a 256-byte lookup
table as the f-function; this is the same as the "G permutation" in Skipjack.
That function is used as the f-function for four rounds within a block cipher acting on 32 bit
blocks, which is, in turn, used for four rounds as the f-function of a block cipher operating on 64-
bit blocks.
The diagram only includes one instance of this cipher - acting as the f-function for the actual
block cipher, which operates on a 128-bit block.
Essentially, the Feistel round structure is replicated inside itself repeatedly, creating a block
cipher with a fractal structure.
This design may have serious security flaws, but it is at least interesting to look at.
Another Sketch
illustrates the rounds of a type of cipher that may well be secure even though it tries to be
efficient and though it is limited to operations that are efficient on general-purpose computers.
Feistel rounds using a key-dependent S-box (called "S8" in the diagram, due to Quadibloc II)
but no subkeys are combined with an ICE-style interchange between block halves and a fixed
interchange of bytes designed to cause diffusion different from that provided by the cipher's
other components to form four rounds, consisting of two batches of four mini-Feistel rounds and
one ICE-style interchange, with three fixed byte interchanges between them.
Next
Next Chapter
Chapter Start
Table of Contents
Main Page
The Large-Key Brainstorm

If one hearkens back to the schemes of previous chapters, such as the Hagelin machine, or the Vernam two-tape
system, and allows the use of more key than is needed to achieve a given level of security, one can use the
constructs we have met in this chapter to achieve, I believe, a fairly high level of security.
The diagram above is illustrative of the concept involved.
● Plaintext is encrypted, or ciphertext decrypted, using a block cipher with independent subkeys.
● A separate list of subkey values is used to supply each subkey.
● With each block enciphered, one advances through each of these lists - sometimes by one step, sometimes
by two, three, or four steps.
● Another block cipher with a fixed key, operating in a combination of output feedback and counter modes
(the output is fed back, but XORed with the value in a counter) supplies the bits which determine stepping
through the list of subkeys.
The diagram shows, however, a scaled-down version of the cipher. A more specific description rests on the
following principle: the number of bits used to control the stepping of all the lists must equal or exceed the
number of bits in a block. In this way, the stepping alone is enough, or at least nearly enough, to cause any
plaintext block to become any possible ciphertext block, making it hard to obtain information about the subkeys
in the lists. (In turn, the randomness and secrecy of the list contents make it hard to obtain information about the
stepping sequence.)
A specific construction would run like this:
● DES, but with 32 rounds as well as with independent subkeys, is used as the main block cipher here. In
this way, there are 32 lists, the advance of each of which is controlled by two bits, thus meeting the
important criterion noted above.
● A block cipher with a 128-bit block is used to generate the stepping bits; it operates once for every two 64-
bit blocks enciphered, its output being used a half at a time. This ensures a very long period for the
stepping sequence. As that cipher is not exposed to view, even one with weaknesses with respect to
differential cryptanalysis could be used, such as the original LUCIFER cipher.
With a large key, key management is a problem. The key comes in four main parts:
● The bytes in all the lists of subkey values. Also, the lengths of these lists can be part of the key.
● The key for the block cipher used to generate stepping values.
● The initial value, and the counter value, for the generation of stepping bits.
● The starting positions within each of the lists of subkey values.
The last item on the list is only needed as part of the key if one is going to start up the encipherment operation
several times with the same lists of subkeys, but it is reasonable to do so, since that part of the key is very large
and difficult to set up.
The first two items can be regarded as semi-permanent, while the last two should be changed with every
message. However, the last two must be kept secret, not sent in the clear, otherwise attacks on the contents of the
lists of subkey values can become possible if there is enough traffic for the same values of the first two items in
the key.
With a key too large to send inside a public-key block, and such a high level of security as to be wasted by any
practical method of key distribution, perhaps I have only solved the problem of cryptanalysis for the case when
another solution to that problem already exists! However, one could use a one-time-pad to encipher the key
distribution keys, and use this cipher with those keys for key distribution. That would avoid too great a loss of
security.
The long-term portions of the key need to be couriered, of course, combined with encrypting them by some
other, weaker, method. Sending two different couriers, by two different routes, with an XOR-split key may be
appropriate here.
Although the design above already provides far more security than required for any practical purpose, against the
kind of computing power that exists today, the possibility that a practical quantum computer might be
constructed might be felt to be worthy of consideration. If the obstacles to constructing a quantum computer can
be overcome, such a computer could essentially try all the possible keys to a block cipher at once, in a circuit the
size of the conventional circuit used to apply a single key, and output the value of the key for the one case where
some known plaintext is matched.
To protect against a threat like that, one would like a design that requires an inordinate amount of known
plaintext before any facts about the key can be derived with certainty. A design like what we've just seen is
perhaps a step towards that kind of cipher. This design can certainly be elaborated further, with yet another level
of indirection, where a second block cipher produces the 64 bits that control the subkeys of the block cipher used
to encipher plaintext. Further on, a diagram will show that type of design, but instead of the final block cipher
enciphering plaintext, it will be used to encipher previous ciphertext to produce a 64-bit output used to encipher a
single byte of plaintext.
Perhaps the second block cipher might be 32-round Blowfish, or even a modified Blowfish changed to use 48-bit
subkeys and an expansion permutation along these lines:
23 32 9 18 1 2 3 4 5 6 7 8 31 8 17 26 9 10 11 12 13 14 15 16
7 16 25 2 17 18 19 20 21 22 23 24 15 24 1 10 25 26 27 28 29 30 31 32
so that the four S-boxes can each have 4,096 entries. To keep the time required to generate the S-boxes within
some semblance of reason, though, I propose to use just 4-round Blowfish, rather than 32-round or 16-round
Blowfish, for filling them.
Since I am going to extremes, instead of LUCIFER, let's let the 128-bit block cipher be the 40-round variation of
Quadibloc II, using one of the more complicated variant round types. The stream cipher can consist of the XOR
of the output of an expanded version of Gifford's cipher with the output of an elaborate MacLaren-Marsaglia
construct.
Another preventive measure would be to use an enciphered random initialization vector that modifies the key in
use for the next block of the message with message blocks that are always shorter than the size of the key, so that
there is never enough known plaintext to attack any one key. Of course, the relationship between different
message blocks and their initialization vectors can still be attacked; this device has been tried with simple ciphers
and has not made them invincible. Applied to a sufficiently complex cipher, the gain in difficulty by using that
trick, however, may, just possibly, be enough to provide some resistance to quantum computer attack.
This can be taken still further in the direction of wretched excess, in order to obtain increased security on the
principle of an elephant giving birth to a gnat, by making use of the cipher-feedback principle of stream cipher
design:
Here, we do not gain the advantages of limited error-propagation that a pure cipher-feedback design can offer; in
fact, we not only have a large internal state, but previous ciphertext even influences that state, for the messy
worst case of the autokey.
To encipher a single byte of the plaintext, we use the preceding twenty-four bytes of the ciphertext as input to the
process. Sixteen bytes are XORed to the output of the initial stream cipher, which might as well be something
elaborate, such as Panama or my modification of it; this is recirculated through a 128-bit block cipher.
Half of the result controls the subkeys for a 64-bit block cipher which enciphers the other half of the result.
The output of that cipher then controls the subkeys for another 64-bit block cipher which operates on the
remaining eight bytes of preceding ciphertext.
And finally, that eight-byte output is applied to the one byte of plaintext being enciphered, being alternately
added and XORed to it a byte at a time through eight layers of substitution.
Here we are: a truly secure symmetric-key cipher! And so it is, but it is outrageously excessive and wasteful. But
perhaps the schematic diagram above will brighten a cubicle at the NSA and give some of the people there a
chuckle.
Unless, of course, somebody actually implements this, and they would have liked to decrypt his traffic.
But, as noted, even the fact that this design is likely to produce (once the details are filled in) a genuinely secure
cipher is not, in itself sufficient to mean it is suitable for practical use: a rough estimate of the time enciphering a
message would take by this method is 64 times as long as it would take to encipher it with DES. Presumably,
genuine security can be obtained at a somewhat lesser cost in computational resources.
Although wildly impractical in the specific form shown, before abandoning this design completely, some things
should be noted:
● A scaled-down version of this type of design, not using full-scale block ciphers as its components, and not
involving the somewhat gratuitous use of previous ciphertext (sixteen bytes, in the diagram above) to
affect the very beginning of the encipherment process, and thus to affect large portions of the internal
state, with the attendant consequences for error propagation, not only could be practical, but may even
have been actually used.
● Also, assuming that a cipher of this kind did not evade the scrutiny of a quantum computer due to its sheer
size, it is true that trivially some initial states, and consequently some keys, would produce the same
ciphertext from the same plaintext, since some portions of the subkey pools for the various block cipher
stages might be unused. However, such trivial duplicate keys will not foil quantum computer attack, since
the program could be modified to say "don't think you're the right answer and collapse the wave function
unless all unused parts of the key are zero", hence restoring uniqueness. By enciphering only a single byte
at a time, however, some possibility of nontrivial duplicate keys is created. And certainly the difficulty of
obtaining analytical insights that allow a reduction of effort over that of a brute-force search is increased.
● Finally, it should also be noted that despite the complexity of this kind of cipher, one limitation was
retained. Although each block cipher stage is supplied with a subkey from a pool, at each step only four of
the elements in that pool can be used. Ideally, one would like to use any possible subkey, and to prevent
using the same one twice, use the principle behind the MacLaren-Marsaglia random number generator,
and produce a replacement for each subkey after it is used once. However, that means that if the final
block cipher has 16 rounds and 16 subkeys in each pool (each one, say, 32 bits wide) then the previous
stage, instead of producing 64 bits each time to support a 32-round block cipher, must produce 64 bits to
select subkeys, and 512 bits for use in replacement subkeys.
The Aryabharata Cipher, and Two-Timing Pads
An article in Cryptologia entitled The Aryabharata Cipher discussed the following idea for a cipher:
To encipher a message, generate a random series of letters as long as the message. Encipher the message with
that series of letters by means of Vigenere.
Then, send the random series of letters in enciphered form, and also send the enciphered message, again
enciphered as well.
Since both the pad and the message are sent, the absolute security of the one-time-pad is not obtained. But the
pad and the message can each be enciphered in different ways, and because both are random, the cryptanalyst
can only make progress by working on both together.
Perhaps doing so would be more difficult than cracking a simple double encryption, using the two ciphers
applied to the two pieces of the message as expanded in sequence on the message instead. And perhaps not; it is
hard for me to say for certain.
But it does seem as though forcing the cryptanalyst to relate different messages to crack a cipher creates a
problem, although this happens anyways with modern ciphers of any difficulty. Thus, the scheme is of interest
even if there is some question about whether this is the method referred to in the Indian classic.
Thus, I came up with the following scheme, which prevents progress from being made through attacking a single
message in a different way, which also shows an alternate way of making effective use of a large key.
The following is a schematic diagram of how the scheme operates:
The steps involved in the encryption are described below:
● Two parties wishing to communicate share a secret key which is 12,000 bytes long.
● When sending a message, they use a public-key block to establish 2,048 bits of key, which provides up to
four session keys of 512 bits each.
● Messages consist of message segments, which are limited to a maximum of 4,096 bytes in length.
● To encipher a message segment:
❍ First, one operates on the 12,000 byte secret key to obtain key material for use with that message
segment:
■ The 12,000 byte secret key is subjected to a transposition, governed by 128 bits of the
session key.
■ It is then enciphered in some fashion that results in propagation of the encryption, such as a
block cipher in CBC mode, using another 128 bits of the session key.
■ The last few bytes of the result could then be used as a key to perform additional
encryption. One possibility is another transposition; since quite a bit of key is potentially
available, one could even perform a transposition, then a propagating encryption, then
another transposition. Ending with a transposition seems to have nice properties. A specific
possibility is as follows:
■ The enciphered secret key is divided into two parts, 10,240 bytes to be further
scrambled, and 1,760 bytes to be used as the key for that scrambling.
■ First, all 10,240 bytes of the first part are transposed.
■ Then, they are subjected to a block cipher in CBC mode.
■ Then, the first 9,216 bytes of the first part are transposed, leaving the last 1,024
bytes not affected. (This will result in the keys used to encipher the 128-bit keys
used for plaintext encipherment including the most propagated part of the scrambled
secret key in the XOR that produced them.)
■ The output of that encryption is then divided into two halves, which are XORed together.
This ensures that it is difficult to derive any part of the long secret key from the bits to be
used later.
■ The result of the XOR is divided into a part that is 4,096 bits long, and two small parts that
will be used as keys.

❍ The two small parts of the scrambled long secret key are each used to encrypt one 128 bit portion
of the session key, to produce two encrypted keys to be used in encrypting the message segment.
❍ Then, one encrypts the message segment itself as follows:
■ First, the message segment is encrypted in ECB mode with a block cipher, using the first
encrypted 128 bit part of the session key.

■ Then, the message is XORed with the 4,096 bit part of the scrambled long secret key.
■ Finally, the message segment is encrypted in CFB mode with a block cipher, using the
second encrypted 128 bit part of the session key.
The specific possibility for the additional encryption noted in the steps above is shown explicitly in this
expanded version of the diagram:
and although it is based on a different principle, the same concept that it is more difficult for a cryptanalyst to
correlate multiple messages than to directly solve a single one is used as was used in the Aryabharata cipher. Of
course, the possibility of still performing such correlations is exactly what allows modern ciphers to be attacked,
through such things as differential cryptanalysis. As I propose using block ciphers currently considered secure in
this, I hope it at least compounds the problem they create.
Note, too, that the message segment itself is encrypted first in ECB mode, to ensure that it goes through the block
cipher, then by being XORed with bits that are a function of part of the session key and of the long secret key,
then in CFB mode. So good error-propagation characteristics are still retained for the message segment.
In addition to error-propagation, the modes used mean that, since the encryption of the large shared secret key
can be performed ahead of time, as long as a time lag between session keys and their use is present, and
sufficient processing power is available, this method is not limited to off-line uses such as E-mail, but could be
used on a continuous basis, even for a digital voice transmission or a similar application, since the plaintext need
only be delayed by the simple operations directly performed on it.
Some additional discussion of ideas suggested by the "Aryabharata" cipher is on this page.
This cipher could be developed further. Instead of performing a transposition based on the session key first,
before that, a simple stream cipher could be applied to the shared secret key. This way, a shared secret key with
repeated bytes in it would not be weaker.
Also, a larger shared secret key could be used, so that the result of the encipherment operations performed on it
could be used as input to a cipher like the large-key example which began this page.
If a one-time-pad is not available for transmitting session keys, perhaps something involving a large shared
secret key could be worked out for that. With some further thought, it might be possible to develop a cipher that,
while not posessing true information-theoretic security, might posess some degree of resistance even to attacks
from quantum computers.
Next
Chapter Start
Table of Contents
Main Page
The Inner Structure of the Feistel Round

Many block ciphers are built upon a structure called the Feistel round, named after Horst Feistel of
IBM, who originated this structure for the block cipher LUCIFER.
The block of data to be enciphered is divided into two halves, and in a Feistel round, only one half is
changed, by being XORed with a function of the other half. Since the other half isn't changed, it is still
available after the round is over; thus, even if the function of that half used to XOR with the half that is
changed is not invertible, the round is still invertible.
Thus, one could make some horrible programming error in implementing the f-function in a Feistel
cipher, and the result would still "work" for sending and receiving messages, even if the resulting cipher
was not secure. This is not necessarily a good thing.
It also means that the direct data path from plaintext to cipher only includes XORs, instead of actually
going *through* an S-box whose inverse is then needed for decryption. Just on general principles, this
tended to make some people nervous, at least in the early days of DES.
For an extremely scaled-down version of a Feistel cipher, I have produced a complete table of what it
does for every possible key.
But first, let us examine for comparison the tableaux for some simpler operations.
For modulo-16 addition, we get what resembles a Vigenère tableau:
0 1 2 3 4 5 6 7 8 9 A B C D E F
-------------------------------
0 | 0 1 2 3 4 5 6 7 8 9 A B C D E F
1 | 1 2 3 4 5 6 7 8 9 A B C D E F 0
2 | 2 3 4 5 6 7 8 9 A B C D E F 0 1
3 | 3 4 5 6 7 8 9 A B C D E F 0 1 2
4 | 4 5 6 7 8 9 A B C D E F 0 1 2 3
5 | 5 6 7 8 9 A B C D E F 0 1 2 3 4
6 | 6 7 8 9 A B C D E F 0 1 2 3 4 5
7 | 7 8 9 A B C D E F 0 1 2 3 4 5 6
8 | 8 9 A B C D E F 0 1 2 3 4 5 6 7
9 | 9 A B C D E F 0 1 2 3 4 5 6 7 8
A | A B C D E F 0 1 2 3 4 5 6 7 8 9
B | B C D E F 0 1 2 3 4 5 6 7 8 9 A
C | C D E F 0 1 2 3 4 5 6 7 8 9 A B
D | D E F 0 1 2 3 4 5 6 7 8 9 A B C
E | E F 0 1 2 3 4 5 6 7 8 9 A B C D
F | F 0 1 2 3 4 5 6 7 8 9 A B C D E
And here is the table for the XOR operation.
0 1 2 3 4 5 6 7 8 9 A B C D E F
-------------------------------
0 | 0 1 2 3 4 5 6 7 8 9 A B C D E F
1 | 1 0 3 2 5 4 7 6 9 8 B A D C F E
2 | 2 3 0 1 6 7 4 5 A B 8 9 E F C D
3 | 3 2 1 0 7 6 5 4 B A 9 8 F E D C
4 | 4 5 6 7 0 1 2 3 C D E F 8 9 A B
5 | 5 4 7 6 1 0 3 2 D C F E 9 8 B A
6 | 6 7 4 5 2 3 0 1 E F C D A B 8 9
7 | 7 6 5 4 3 2 1 0 F E D C B A 9 8
8 | 8 9 A B C D E F 0 1 2 3 4 5 6 7
9 | 9 8 B A D C F E 1 0 3 2 5 4 7 6
A | A B 8 9 E F C D 2 3 0 1 6 7 4 5
B | B A 9 8 F E D C 3 2 1 0 7 6 5 4
C | C D E F 8 9 A B 4 5 6 7 0 1 2 3
D | D C F E 9 8 B A 5 4 7 6 1 0 3 2
E | E F C D A B 8 9 6 7 4 5 2 3 0 1
F | F E D C B A 9 8 7 6 5 4 3 2 1 0
Here is the table for the permutations produced by the successive positions of a 16-contact rotor wired
by the interval method. As the rows represent the successive positions of the rotor, their number is first
subtracted from the input, then the rotor substitution is performed, and then that number is added to the
result. Hence, the diagonals running down from left to right show the normal sequence (0, 1, 2, 3, 4, ...
D, E, F) with some starting point.
0 1 2 3 4 5 6 7 8 9 A B C D E F
-------------------------------
0 | 1 C 7 F B 8 6 4 E 0 3 D A 5 2 9
1 | A 2 D 8 0 C 9 7 5 F 1 4 E B 6 3
2 | 4 B 3 E 9 1 D A 8 6 0 2 5 F C 7
3 | 8 5 C 4 F A 2 E B 9 7 1 3 6 0 D
4 | E 9 6 D 5 0 B 3 F C A 8 2 4 7 1
5 | 2 F A 7 E 6 1 C 4 0 D B 9 3 5 8
6 | 9 3 0 B 8 F 7 2 D 5 1 E C A 4 6
7 | 7 A 4 1 C 9 0 8 3 E 6 2 F D B 5
8 | 6 8 B 5 2 D A 1 9 4 F 7 3 0 E C
9 | D 7 9 C 6 3 E B 2 A 5 0 8 4 1 F
A | 0 E 8 A D 7 4 F C 3 B 6 1 9 5 2
B | 3 1 F 9 B E 8 5 0 D 4 C 7 2 A 6
C | 7 4 2 0 A C F 9 6 1 E 5 D 8 3 B
D | C 8 5 3 1 B D 0 A 7 2 F 6 E 9 4
E | 5 D 9 6 4 2 C E 1 B 8 3 0 7 F A
F | B 6 E A 7 5 3 D F 2 C 9 4 1 8 0
Such a tableau is referred to as a Friedman square. From the property of its diagonals, a method
analogous to symmetry of position can be derived for use in the late stages of cracking a rotor cipher.
Since the position, and value, of corresponding equivalents in different rows changes with each row,
however, this only works if one knows the displacement between the two alphabets being compared,
which is unlike the case for conventional symmetry of position. Since in rotor machines, rotors usually
move one step at a time, and in the same direction, this condition can be met.
And here is the tableau for a Feistel round, which, for this example, is two rounds of a cipher that
operates on four bit values with the S-box (3,1,0,2) as the f-function. In this table, the columns represent
the plaintext input, and the rows represent the four-bit value which is the concatenation of the two two-
bit subkeys for the two rounds (which are XORed with the input to the S-box, following DES). I am
using in-place Feistel rounds, and the first round uses the left half of the block as the input to the f-
function.
0 1 2 3 4 5 6 7 8 9 A B C D E F
-------------------------------
0 | B 2 5 C 1 8 F 6 4 D A 3 E 7 0 9
1 | 3 A D 4 9 0 7 E C 5 2 B 6 F 8 1
2 | 7 E 9 0 D 4 3 A 8 1 6 F 2 B C 5
3 | F 6 1 8 5 C B 2 0 9 E 7 A 3 4 D
4 | 5 C B 2 F 6 1 8 A 3 4 D 0 9 E 7
5 | D 4 3 A 7 E 9 0 2 B C 5 8 1 6 F
6 | 9 0 7 E 3 A D 4 6 F 8 1 C 5 2 B
7 | 1 8 F 6 B 2 5 C E 7 0 9 4 D A 3
8 | C 5 2 B 6 F 8 1 3 A D 4 9 0 7 E
9 | 4 D A 3 E 7 0 9 B 2 5 C 1 8 F 6
A | 0 9 E 7 A 3 4 D F 6 1 8 5 C B 2
B | 8 1 6 F 2 B C 5 7 E 9 0 D 4 3 A
C | 2 B C 5 8 1 6 F D 4 3 A 7 E 9 0
D | A 3 4 D 0 9 E 7 5 C B 2 F 6 1 8
E | E 7 0 9 4 D A 3 1 8 F 6 B 2 5 C
F | 6 F 8 1 C 5 2 B 9 0 7 E 3 A D 4
Because only two rounds are performed, the last two bits are only changed by being XORed, for any
key, with a fixed function of the first two bits, as they are on entry. The first two bits are changed by
being XORed, for any key, with a fixed function of the last two bits as they are on exit. This leads to
some of the patterns which are visible in the tableau above.
If, instead, we use the right half as the f-function input first, other patterns become visible (still using
the first part of the row number as the first subkey):
0 1 2 3 4 5 6 7 8 9 A B C D E F
-------------------------------
0 | E 4 1 B 8 2 7 D 5 F A 0 3 9 C 6
1 | C 6 3 9 A 0 5 F 7 D 8 2 1 B E 4
2 | D 7 2 8 B 1 4 E 6 C 9 3 0 A F 5
3 | F 5 0 A 9 3 6 C 4 E B 1 2 8 D 7
4 | 5 F A 0 3 9 C 6 E 4 1 B 8 2 7 D
5 | 7 D 8 2 1 B E 4 C 6 3 9 A 0 5 F
6 | 6 C 9 3 0 A F 5 D 7 2 8 B 1 4 E
7 | 4 E B 1 2 8 D 7 F 5 0 A 9 3 6 C
8 | 3 9 C 6 5 F A 0 8 2 7 D E 4 1 B
9 | 1 B E 4 7 D 8 2 A 0 5 F C 6 3 9
A | 0 A F 5 6 C 9 3 B 1 4 E D 7 2 8
B | 2 8 D 7 4 E B 1 9 3 6 C F 5 0 A
C | 8 2 7 D E 4 1 B 3 9 C 6 5 F A 0
D | A 0 5 F C 6 3 9 1 B E 4 7 D 8 2
E | B 1 4 E D 7 2 8 0 A F 5 6 C 9 3
F | 9 3 6 C F 5 0 A 2 8 D 7 4 E B 1
Note, interestingly, that the columns are also permutations of the hexadecimal digits from 0 to F. This is
a consequence of using an invertible f-function, one without an expansion permutation. It is well known
that DES with only two rounds would be easy to crack.
Could one throw a curve to a cryptanalyst by exchanging the roles of subkey and plaintext in a two-
round Feistel cipher such as this? In other words, can the subkey in this case be produced with a simple
formula?
Yes: if we note our S-box as f(x), and its inverse as F(x), and the two halves of the plaintext as p1 and
p2, the two halves of the ciphertext as c1 and c2, and the two subkeys as s1 and s2, a two round Feistel
cipher becomes:
c2 = p2 XOR f( p1 XOR s1 )
c1 = p1 XOR f( c2 XOR s2 )
To solve for s1 and s2, given both c and p, and having F(x), we first XOR both sides of the equations
with p2 and p1 respectively:
c2 XOR p2 = f( p1 XOR s1 )
c1 XOR p1 = f( c2 XOR s2 )
Then, invert f:
F( c2 XOR p2 ) = p1 XOR s1
F( c1 XOR p1 ) = c2 XOR s2
Then, XOR the two sides of the equations by p1 and c2 respectively:
p1 XOR F( c2 XOR p2 ) = s1
c2 XOR F( c1 XOR p1 ) = s2
In other words, with a two-round Feistel cipher, the f-function output is always the plaintext XOR the
ciphertext, and so the subkey is found by inverting the f-function, and comparing the result to the input,
which is visible in the ciphertext for the second round, and visible in the plaintext for the first round.
With DES, one has four possibilities for the subkey for every nybble, because of the two extra bits due
to the expansion permutation. This can be overcome when one just has two rounds to solve.
QUADIBLOC, on the other hand, has an invertible f-function, but three subkeys, not just one, go into
the f-function.
What would be of concern in connection with the general security of block ciphers would be if one
could easily take two known plaintexts, and solve a four-round Feistel cipher by imposing the constraint
(essentially, on the result after the second round) that both sets of equations simultaneously have the
same subkeys.
Then, if the same process could be repeated and generalized, eight known plaintexts would be sufficient
to crack a cipher like DES but without an expansion permutation.
In this case, then, our equations would be (denoting our two plaintexts and ciphertexts by p and P and c
and C respectively, and using t and T for the intermediate two-round results, and S for the second set of
two subkeys):
s1 = p1 XOR F( t2 XOR p2 ) = P1 XOR F( T2 XOR P2 ) [1]
s2 = t2 XOR F( t1 XOR p1 ) = T2 XOR F( T1 XOR P1 ) [2]
S1 = t1 XOR F( c2 XOR t2 ) = T1 XOR F( C2 XOR T2 ) [3]
S2 = c2 XOR F( c1 XOR t1 ) = C2 XOR F( C1 XOR T1 ) [4]
The number of equations and the number of unknowns is correct for solution. I've labelled the four
equations with the numbers from 1 to 4 for the next step.
But while f is invertible, it is also, in the general case, nonlinear. In our reduced-scale example, because
we used only a four-element S-box, we can't produce a permutation that is neither linear nor affine, but
that ceases to be true as soon as we go to a wider S-box; even one with eight elements that is nonlinear
is possible, as used in the cipher 3-Way.
Does a nonlinear S-box prevent us from going further in solving these equations?
Note that with chosen plaintexts and ciphertexts, it should be possible to crack a four-round cipher if we
can crack a two-round one directly with a single known plaintext, by a variation of David Wagner's
boomerang method; but that method does not generalize to higher number of rounds, and we will
therefore not consider it at this stage. However, if we can get to eight rounds before the equations
become impractically complex, the boomerang attack would get us the rest of the way.
In the equations above, our problem is that t and T are unknown. What we have to overcome this is that
the same key, and hence the same subkeys, are used in both cases.
We can manipulate the equations to get:
t2 = p2 XOR f( p1 XOR P1 XOR F( T2 XOR P2 ) ) [from 1]

= c2 XOR f( t1 XOR T1 XOR F( C2 XOR T2 ) ) [from 3]
t1 = c1 XOR f( c2 XOR C2 XOR F( C1 XOR T1 ) ) [from 4]
= p1 XOR f( t2 XOR T2 XOR F( T1 XOR P1 ) ) [from 2]
Does the fact that t1 and T1, and t2 and T2, are separated from each other by F and f prevent us from
going further, except by trial-and-error methods, which will become useless as more rounds are added,
or can a Feistel cipher fall to this type of analytic attack?
We can certainly substitute for t1 and t2, and also for T1 and T2, since we can reverse the roles of the
two known plaintexts and use the same equations, but that doesn't eliminate unknowns; thus, T1 can be
expressed as a function of known quantities and t1, but that identity is simply the inverse of the one
labelled "from 4" above.
If we apply this inversion to the equations marked "from 3" and "from 2", we do get a set of equations
that appears to fit together:
t2 = p2 XOR f( p1 XOR P1 XOR F( T2 XOR P2 ) )

T2 = C2 XOR f( T1 XOR t1 XOR F( c2 XOR t2 ) )
t1 = c1 XOR f( c2 XOR C2 XOR F( C1 XOR T1 ) )
T1 = P1 XOR f( T2 XOR t2 XOR F( t1 XOR p1 ) )
because now, by substituting, we can eliminate t1 and t2, and just obtain two equations in T1 and T2.
These equations are:

T2 = C2 XOR f( T1 XOR c1 XOR f( c2 XOR C2 XOR F( C1 XOR T1 ) ) XOR
F( c2 XOR p2 XOR f( p1 XOR P1 XOR F( T2 XOR P2 ) ) ) )
T1 = P1 XOR f( T2 XOR p2 XOR f( p1 XOR P1 XOR F( T2 XOR P2 ) ) XOR
F( c1 XOR f( c2 XOR C2 XOR F( C1 XOR T1 ) ) XOR p1 ) )
And it is at this stage that it appears that further simplification is indeed made impossible if f and F are
general S-boxes, and so it appears that Feistel ciphers are safe against a simple attack by algebra.
Next Chapter
Chapter Start
Table of Contents
Main Page
Some Modulus Arithmetic

Modular arithmetic is something you may remember from your schooldays, if you were taught using
what was once called the 'New Math'. However, it may be worthwhile to review it a little here.
Here are addition, multiplication, and exponentiation tables modulo 7:
+ | 0 1 2 3 4 5 6 * | 0 1 2 3 4 5 6
------------------- ------------------- ^ | 0 1 2 3 4 5 6
0 | 0 1 2 3 4 5 6 0 | 0 0 0 0 0 0 0 -------------------
1 | 1 2 3 4 5 6 0 1 | 0 1 2 3 4 5 6 1 | 1 1 1 1 1 1 1
2 | 2 3 4 5 6 0 1 2 | 0 2 4 6 1 3 5 2 | 1 2 4 1 2 4 1
3 | 3 4 5 6 0 1 2 3 | 0 3 6 2 5 1 4 3 | 1 3 2 6 4 5 1
4 | 4 5 6 0 1 2 3 4 | 0 4 1 5 2 6 3 4 | 1 4 2 1 4 2 1
5 | 5 6 0 1 2 3 4 5 | 0 5 3 1 6 4 2 5 | 1 5 4 6 2 3 1
6 | 6 0 1 2 3 4 5 6 | 0 6 5 4 3 2 1 6 | 1 6 1 6 1 6 1
If you remove the row and column from the multiplication table that are filled with zeroes, the six
numbers in each row and column are all different. And, because of that, for every number from 1 to 6,
some number from 1 to 6 will, when multiplied by that number, give 1. This is not always true in
modular arithmetic: it is true here because 7, the modulus, is a prime number.
The exponentiation table repeats when you get to 6 as an exponent. For exponentiation, if the base is a
number modulo 7, the exponent has to be thought of as being modulo 6!
This is true, in general, for all prime bases. What about a base that isn't prime?
If you know the remainder after a number is divided both by 5 and by 7, you can determine (because 5
and 7 are relatively prime, having no common factors) the remainder after that same number is
divided by 35. So the properties of arithmetic modulo 35 are in a way a combination of those of
arithmetic modulo 5 and modulo 7. Therefore, instead of the exponent being modulo 34, it is modulo
24: exponents for modulo 5 arithmetic are modulo 4, and exponents for modulo 7 arithmetic are
modulo 6, and so exponents for modulo 35 arithmetic are modulo 4 times 6, or 24.
This explains (well, okay, only a little bit) the role of the number (p-1)(q-1) in the RSA public-key
method.
Now, here's what an exponentiation table modulo 55 looks like:
^ | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21
---------------------------------------------------------------------
1 | 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
2 | 2 4 8 16 32 9 18 36 17 34 13 26 52 49 43 31 7 14 28 1 2
3 | 3 9 27 26 23 14 42 16 48 34 47 31 38 4 12 36 53 49 37 1 3
4 | 4 16 9 36 34 26 49 31 14 1 4 16 9 36 34 26 49 31 14 1 4
5 | 5 25 15 20 45 5 25 15 20 45 5 25 15 20 45 5 25 15 20 45 5
6 | 6 36 51 31 21 16 41 26 46 1 6 36 51 31 21 16 41 26 46 1 6
7 | 7 49 13 36 32 4 28 31 52 34 18 16 2 14 43 26 17 9 8 1 7
8 | 8 9 17 26 43 14 2 16 18 34 52 31 28 4 32 36 13 49 7 1 8
9 | 9 26 14 16 34 31 4 36 49 1 9 26 14 16 34 31 4 36 49 1 9
10 | 10 45 10 45 10 45 10 45 10 45 10 45 10 45 10 45 10 45 10 45 10
11 | 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11
12 | 12 34 23 1 12 34 23 1 12 34 23 1 12 34 23 1 12 34 23 1 12
13 | 13 4 52 16 43 9 7 36 28 34 2 26 8 49 32 31 18 14 17 1 13
14 | 14 31 49 26 34 36 9 16 4 1 14 31 49 26 34 36 9 16 4 1 14
15 | 15 5 20 25 45 15 5 20 25 45 15 5 20 25 45 15 5 20 25 45 15
16 | 16 36 26 31 1 16 36 26 31 1 16 36 26 31 1 16 36 26 31 1 16
17 | 17 14 18 31 32 49 8 26 2 34 28 36 7 9 43 16 52 4 13 1 17
18 | 18 49 2 36 43 4 17 31 8 34 7 16 13 14 32 26 28 9 52 1 18
19 | 19 31 39 26 54 36 24 16 29 1 19 31 39 26 54 36 24 16 29 1 19
20 | 20 15 25 5 45 20 15 25 5 45 20 15 25 5 45 20 15 25 5 45 20
21 | 21 1 21 1 21 1 21 1 21 1 21 1 21 1 21 1 21 1 21 1 21
22 | 22 44 33 11 22 44 33 11 22 44 33 11 22 44 33 11 22 44 33 11 22
23 | 23 34 12 1 23 34 12 1 23 34 12 1 23 34 12 1 23 34 12 1 23
24 | 24 26 19 16 54 31 29 36 39 1 24 26 19 16 54 31 29 36 39 1 24
25 | 25 20 5 15 45 25 20 5 15 45 25 20 5 15 45 25 20 5 15 45 25
26 | 26 16 31 36 1 26 16 31 36 1 26 16 31 36 1 26 16 31 36 1 26
27 | 27 14 48 31 12 49 3 26 42 34 38 36 37 9 23 16 47 4 53 1 27
28 | 28 14 7 31 43 49 52 26 13 34 17 36 18 9 32 16 8 4 2 1 28
29 | 29 16 24 36 54 26 39 31 19 1 29 16 24 36 54 26 39 31 19 1 29
30 | 30 20 50 15 10 25 35 5 40 45 30 20 50 15 10 25 35 5 40 45 30
31 | 31 26 36 16 1 31 26 36 16 1 31 26 36 16 1 31 26 36 16 1 31
32 | 32 34 43 1 32 34 43 1 32 34 43 1 32 34 43 1 32 34 43 1 32
33 | 33 44 22 11 33 44 22 11 33 44 22 11 33 44 22 11 33 44 22 11 33
34 | 34 1 34 1 34 1 34 1 34 1 34 1 34 1 34 1 34 1 34 1 34
35 | 35 15 30 5 10 20 40 25 50 45 35 15 30 5 10 20 40 25 50 45 35
36 | 36 31 16 26 1 36 31 16 26 1 36 31 16 26 1 36 31 16 26 1 36
37 | 37 49 53 36 12 4 38 31 47 34 48 16 42 14 23 26 27 9 3 1 37
38 | 38 14 37 31 23 49 47 26 53 34 27 36 48 9 12 16 3 4 42 1 38
39 | 39 36 29 31 54 16 19 26 24 1 39 36 29 31 54 16 19 26 24 1 39
40 | 40 5 35 25 10 15 50 20 30 45 40 5 35 25 10 15 50 20 30 45 40
41 | 41 31 6 26 21 36 46 16 51 1 41 31 6 26 21 36 46 16 51 1 41
42 | 42 4 3 16 12 9 48 36 27 34 53 26 47 49 23 31 37 14 38 1 42
43 | 43 34 32 1 43 34 32 1 43 34 32 1 43 34 32 1 43 34 32 1 43
44 | 44 11 44 11 44 11 44 11 44 11 44 11 44 11 44 11 44 11 44 11 44
45 | 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45 45
46 | 46 26 41 16 21 31 51 36 6 1 46 26 41 16 21 31 51 36 6 1 46
47 | 47 9 38 26 12 14 53 16 37 34 3 31 27 4 23 36 42 49 48 1 47
48 | 48 49 42 36 23 4 27 31 3 34 37 16 53 14 12 26 38 9 47 1 48
49 | 49 36 4 31 34 16 14 26 9 1 49 36 4 31 34 16 14 26 9 1 49
50 | 50 25 40 20 10 5 30 15 35 45 50 25 40 20 10 5 30 15 35 45 50
51 | 51 16 46 36 21 26 6 31 41 1 51 16 46 36 21 26 6 31 41 1 51
52 | 52 9 28 26 32 14 13 16 7 34 8 31 17 4 43 36 2 49 18 1 52
53 | 53 4 47 16 23 9 37 36 38 34 42 26 3 49 12 31 48 14 27 1 53
54 | 54 1 54 1 54 1 54 1 54 1 54 1 54 1 54 1 54 1 54 1 54
Two things stand out when looking at this table.

Although the column headed 20 isn't entirely filled with ones, the column headed 21 is the same as the
column headed 1; it contains the numbers from 1 to 54 in order. This means that the table repeats with
a period of 20, rather than a period of (5-1)(11-1) or 40. This will always happen when p-1 and q-1
share 2 as a common factor.
Since 55 isn't a prime number, it makes sense that the numbers divisible by 5 and by 11 cannot, by
repeated multiplication, yield anything not divisible by them, such as 1.
Only numbers relatively prime to (p-1)(q-1) can be used as enciphering and deciphering exponents in
RSA. This excludes, in this case, everything divisible by 2 or by 5.
And here we do have valid choices for e and d. 3 and 7 are inverses. So are 13 and 17.
9, 11 and 19 are their own inverses.
Of course, the situation will improve as we move up to larger moduli. And RSA requires the use of
very large moduli to be secure in any case.
Next
Chapter Start
Table of Contents
Home Page
Rivest-Shamir-Adleman
The RSA method, ever since the knapsack method was shown to be insecure, along
with some variants of it, is almost the only "true" public-key method, in that it directly
encrypts messages with the public key.
It was described to the public in August 1977, and was the invention of Ronald Rivest,
Adi Shamir, and Leonard Adleman. However, it was recently revealed that this method
was originally invented in 1973 within GCHQ by Clifford Cocks.
The RSA method is based on the following mathematical facts:
If you raise a number to a power (d), modulo a prime, you can get the original number
by raising the result to another power (e). And it can be easily determined, knowing the
prime modulus, and the one power, what the other power is.
If the modulus (M) is not a prime, there is still another power which reverses
exponentiation by any power. But finding it depends on knowing the factorization of
the modulus, or, which is equivalent, knowing something called the "Euler Totient
Function" of the modulus.
(Actually, although the name "Euler Totient Function" sounds pretty forbidding, it isn't
that bad. For a prime number p, the ETF of it is p-1. For the product of two prime
numbers, p and q, which is the sort of number used as a modulus in RSA, the ETF is p-
1 times q-1.)
Choose for e a number that is relatively prime to (p-1) and (q-1). Then, d is the
reciprocal of e modulo (p-1)(q-1). As long as neither p nor q is 2, (p-1)(q-1)/2 will also
work just as well, and if (p-1) and (q-1) have any other common factors, they too can
be divided out so that they will only appear only once. (The resulting number is called
the Carmichael function of pq. The book Decrypted Secrets from Springer-Verlag is
one of the few references noting this important fact about RSA.)
Actually using RSA, of course, requires more than the brief description of it that we
have already seen. Several questions need to be answered.
How do I choose two very large prime numbers?
How do I calculate reciprocals modulo (p-1)(q-1)?

How do I do exponentiation modulo pq?
● Looking for Primes

● Finding d from e
● Large Number Exponentiation
● Factoring
Next Section
Chapter Start
Table of Contents
Home Page
Looking for Primes

One old way to test a number quickly for primality is based on Fermat's Little
Theorem. If n is a prime number, then for any b between 2 and n-1, b^n must equal 1
modulo n.
Sometimes this will be true for some values of b even if n is not prime. There are even
some numbers, called Carmichael numbers, for which this is true for all values of b,
except those few values of b which are factors of n.
This is the Fermat test. There are two newer probabilistic primality tests which also
involve trying different values of a number which we can still call b to test if n is
prime. There are no values of n which are not prime that will nearly always fool these
tests the way Carmichael numbers pass the Fermat test. These tests are the Solovay-
Strassen and Miller-Rabin tests. The Miller-Rabin test is more complicated to
understand than the Solovay-Strassen test, but it is also somewhat quicker and indicates
the compositeness of some composite n for additional values of b, while never failing
to indicate the compositeness of a value of n that is composite for any b for which the
Solovay-Strassen test will show n to be composite, and is thus superior.
The Solovay-Strassen probabilistic primality test
For the Solovay-Strassen algorithm, one chooses b within the range 1 to n-1. One tests
to see if b is relatively prime to n; if not, clearly n isn't prime; this needs to be tested
since the other half of the test will not work in this rare case. A function of b and n,
called J(b,n), must also equal b^((n-1)/2) modulo n.
J(b,n) is called the Jacobi symbol of b and n. For the values of b and n which we will
be using, where b is less than n, and b and n are relatively prime, J(b,n) will always be
either 1 or -1, and it can be calculated as follows:
J(1,n) is 1 for any n.
If b is an even number, and n is an odd number, J(b,n)=J(b/2,n) * ((-1)^((n*n-1)/8)).
Otherwise, J(b,n)=J(n mod b,b) * ((-1)^((b-1)*(n-1)/4)).
One reference stated that this method for calculating J only worked when n was odd.
Since the third alternative in the recursion process sets n equal to b, and b doesn't have
to be odd, it would break down: instead, the condition that n must be odd needs to be
applied specifically to the second alternative (since n squared minus 1 won't be
divisible by 8 when n is even) where it belongs.
The Miller-Rabin probabilistic primality test
For this test, one chooses b to be between 2 and n-2.
m is equal to n-1 divided by 2 as many times as is possible (thus, m is odd).
Let t be equal to b^m modulo n.
If t is either 1 or n-1, n passes the test for b.
Otherwise, do the following for a maximum of s times, where s is the number of times
n-1 was divided by 2 to get m or until n either passes or fails, set the new value of t to
be t squared modulo n. If t becomes 1 as a result, n fails the test for b; if it becomes n-1
as a result, n passes the test for b, and if neither happens during the s attempts, n fails.
As I understand the references I used, one omits immediate failure when t becomes 1,
and another omits limiting the test to s trials. I have been informed via E-mail that the
limitation to s trials cannot be omitted, as t can loop indefinitely in a sequence
including neither 1 nor n-1.
I cannot claim sufficient expertise to vouch for the accuracy of my attempt at a

description of the Miller-Rabin probabilistic primality test at this time. There is a more
complicated primality test which is still much quicker than factoring which can be used
to make certain that a number is prime.
Another issue to deal with in selecting prime numbers to use with RSA is to make sure
that one chooses them completely randomly; if one's method of search is not random, it
could make it easier for someone else to find the number you are using by some type of
search. (Of course, the numbers involved are so large that a brute-force search for
factors is not a real threat, but possibly knowing something about the primes used
might be used in conjunction with a better factoring algorithm.)
The simplest way to choose a prime at 'random' would be to choose a large number at
random, and then count upwards from it until you come to a prime number, of course
skipping the even numbers.
One can do a bit better than that, by skipping all numbers divisible by 2, 3, 5 and 7 in
blocks of 210 numbers, for example.
But then the chance of choosing a prime number is proportional to the distance
between it and the next lower prime number. This can be avoided as follows: choose a
large number, N, at random, and look for prime numbers of the form 210*N+k, where
the values of k are chosen from a table of the numbers from 0 to 209 that are not
divisible by 2, 3, 5, or 7, shuffled into a random order. One then continues by adding
one to N.
If one is looking for a prime number with special properties, or a very large prime
number, so that these primes are so rare there is less than one of them in every 210
numbers, one can go further yet. One can begin by choosing a random starting point
within the table for the values of k used. And before using a new value of N, one can
encipher its last 64 bits using DES. In that way, one will hop around an area of
numbers 210*(2^64) consecutive numbers in size in an order that is haphazard,
although not truly random. But the fact that one stays in blocks of 210 numbers does
not affect the fact that the first number in the area one is hopping around in that one
picks will be random.
Of course, one must start completely over before looking for the second prime. Also,
two primes very close together are easily factored by a simple method also due to
Fermat. Since (a+b) times (a-b) equals a squared minus b squared, the product of two
numbers close together is equal to a large square number minus a much smaller one.
The method based on this was the first one to be significantly faster than intelligently
applied trial division.
Next
Chapter Start
Table of Contents
Home Page
Finding d from e
As we have seen, d can be the reciprocal of e, modulo (p-1)(q-1). Where p and q are
two large primes, neither one is equal to 2, and so p-1 and q-1 will have 2 as a common
factor. Thus, the reciprocal of e modulo (p-1)(q-1)/2 will also work. If p-1 and q-1 have
other common factors, then they too can be divided out before the reciprocal of e is
calculated; this, however, creates a risk that raising an encrypted plaintext to the e
power again a few times will yield the original plaintext. This is a reason to choose
'strong' primes even if the current fastest methods of factoring do not benefit from
having a prime that is not strong, since weak primes benefit other attacks on RSA.
A common choice for e (or d in the case of a signature key; for whichever exponent is
made public) is one of the following numbers: 3, 5, 17, 257, or 65537, to make
exponentiation (the procedure for which is discussed in the next section) particularly
speedy and convenient.
If p and q have been specifically chosen to both be of the form 2r+1, where r is another
large prime, then if e is any small prime (other than 2) there will be no problem with it
not being relatively prime to (p-1)(q-1)/2. Otherwise, that e and this modulus are
relatively prime will have to be checked. This can be done using Euclid's algorithm.
It turns out that when e is tested against a modulus using Euclid's algorithm, the
information needed to find d is generated. But d itself isn't produced unless extra steps
are taken to put that information to use. And so e will be tested against (p-1)(q-1)/2
even when it is known that they are relatively prime.
Euclid's algorithm for finding the greatest common divisor of two numbers works like
this:
First, let b be the larger of the two numbers, and s the smaller. (In this particular case,
(p-1)(q-1)/2 will be the starting value of b, and e will be the starting value of s.)
Divide b by s, and note the remainder, r. The new b will be the old s, and the new s will
be r. Repeat until r is zero; the value of r in the preceding step will be the greatest
common divisor. If r becomes one, you can stop early, knowing that the two numbers
had 1 as their greatest common divisor, since dividing any integer by 1 will produce a
remainder of zero, which means they were relatively prime.
If two numbers are successfully proven to be relatively prime, the reciprocal of the
original s modulo the original b can be obtained as follows from the intermediate
values encountered in performing Euclid's algorithm:
It is desired to find an equation of the form 1=s(0)*d-b(0)*n, where s(0)=e and b(0)=(p-
1)(q-1)/2, and n is an arbitrary integer.
If it is in step i that dividing b by s yields 1 as the remainder, then that means that b(i)-s
(i)*q(i)=1, where q(i) is the quotient of the division at step i. So, when we use Euclid's
algorithm to determine inverses, we will need to retain not just the values of b and s for
each step, but also the quotient at each step, in an array that we will treat like a stack.
From the outline of Euclid's algorithm above, s(i-1)=b(i); r(i-1)=s(i); and b(i-1)-s(i-1)*q
(i-1)=r(i-1). Therefore, s(i-1)-r(i-1)*q(i)=1, by substituting the previous names for the
values, and s(i-1)-(b(i-1)-s(i-1)*q(i-1))*q(i)=1 by substituting for r(i-1) from the
equation for the previous division step.
Collecting terms, this becomes -q(i)*b(i-1)+(1-q(i)*q(i-1))*s(i-1)=1.
Using s(i-2)=b(i-1), r(i-2)=s(i-1), and b(i-2)=s(i-2)*q(i-2)=r(i-2), we can again

substitute in the equation to obtain 1 as the sum of a multiple of b(i-2) and s(i-2), and
we repeat the process going back to b(0) and s(0) to find our answer.
Next
Chapter Start
Table of Contents
Home Page
Large Number Exponentiation

This is the simplest to explain of the procedures involved in implementing RSA.
One can raise a number, preferably a suitably small one, such as 1.0001, to the 1024th
power on a pocket calculator fairly quickly. Just push the x squared button ten times.
Thus, the algorithm for fast exponentiation resembles a method of multiplication called
"Russian Peasant Multiplication", and proceeds as follows:
Let result=1.
Convert the desired exponent to binary notation, and note its length in bits. Let n be
this length, and store the bits of the exponent in an array, with the least significant bit
in a(1), up to the most significant bit in a(n).
Let base=the number being raised to the power.
For i = 1 to n: ( if a(i)=1 : ( result = result * base ) ; if i < n : ( base = base * base ) )
The methods involved in performing multi-precision arithmetic in the ordinary fashion

are simply scaled-up versions of the decimal hand arithmetic one learned in school, but
using a base just under the square root of the available integer size.
A fancier method of multi-precision arithmetic, known as Schönhage-Strassen

multiplication exists. It is usually practical, though, only for numbers even larger than
those used in performing RSA. If you want to calculate pi to a million digits, you will
need it. Although it shouldn't be needed for RSA, I will still try to explain it a little.
Schönhage-Strassen multiplication involves taking the string of digits that makes up a

number, and subjecting it to a Fast Fourier Transform, and then multiplying (and also
adding) the frequency coefficients of the transform individually. The imaginary as well
as the real components of the transform are retained in the actual Schönhage-Strassen
method.
How on Earth can such a thing work? How can arithmetic still be done with a number
after its digits have been subjected to so frightful an insult?
I will try, at least, to make it plausible by illustrating a somewhat debased form of

Schönhage-Strassen arithmetic.
An old idea of a way to perform addition and multiplication very quickly on large
numbers is called radix arithmetic. If you have, for two numbers, their remainder
modulo a series of relatively prime numbers, then you have uniquely identified each
number modulo the product of all those relatively prime numbers.
And you can add, subtract, or multiply the separate residues independently, and get a
correct result within the range of representable numbers.
An old way of finding the value of a decimal number, modulo 9, is by adding all its
digits together.
The remainder when you divide a number by 11 can be found by subtracting the digits
in even positions (counting the last digit as digit 1) from the digits in odd positions.
Adding all the digits together is, in Fourier-transform terms, taking the DC component
of the digit string; taking the differences of alternating digits is, from that viewpoint,
taking the component with a wavelength of length two digits.
Thus, a number from 0 to 9999 can be uniquely identified by its remainders modulo 99
and modulo 101, which can be found by breaking the number into halves and adding
and subtracting the halves. 99 can be split into 9 and 11 in the same way; since 101 is
bigger than 99, and 10001 is bigger than 9999, the method becomes a little more
complicated than would be nice, but it can still be made to work.
Taking a number apart into its remainders modulo various numbers is easy enough. But
how does one put a number back together from this form?
For example, 1001 is 7 times 11 times 13. So one could identify any three-digit number
uniquely with its remainders after division by 7, 11, and 13.
These remainders are determined by division, but given the remainders, how does one
determine the number?
The answer is as follows:
One uses a linear combination of the various moduli, modulo their product.
For the case where there are three moduli, a, b, and c, and x, y, and z are the
remainders of our number for each of these moduli respectively, the formula for the
original number is:
( ibcx + jacy + kabz ) modulo abc
where i, j, and k are defined as follows:
ibc modulo a = 1
jac modulo b = 1
kab modulo c = 1
The reasoning behind this should be obvious:
● since x is the residue of our number modulo a, it needs to be multiplied by

something that equals 1 modulo a so that the result really has x as its residue
modulo a, and
● since the residue of the result modulo b and c is not affected by the residue
modulo a, the number by which we multiply x must be a multiple of bc (and it
can't be zero, if it is to have a residue of 1 modulo a).
Thus, if we know the residues modulo 7, 11, and 13 of a number (say they are 1, 5, and
6) then the number must be
( i * 143 * 1 + j * 91 * 5 + k * 77 * 6 ) modulo 1001
Since 143 is equal to 3 modulo 7, i must equal 5 (5*3=15, one more than 14=2*7);
since 91 is equal to 3 modulo 11, j must equal 4 (4*3=12, one more than 11); since 77
is equal to 12 modulo 13, k must equal 12 (12*12=144, one more than 143=11*13).
Thus, the number we're looking for must be:
(715 * 1 + 364 * 5 + 924 * 6) modulo 1001

or
(715 + 1820 + 5544) modulo 1001
or
8079 modulo 1001
or
71
And, indeed, 71 is 1 modulo 7 (71 - 7*10 = 1), and 5 modulo 11 (71 - 6*11 = 5), and 6
modulo 13 (71 - 5*13 = 6).
Next
Chapter Start
Table of Contents
Home Page
Factoring
Because d can be derived from e once (p-1)(q-1) is known, factoring M into its prime factors p and q is a way of cracking the
RSA cipher.
Factoring large numbers is difficult. There are ways to improve on dividing a number by every prime number that is smaller
than it is. The first is to note that one only needs to divide by the numbers smaller than the square root of the number to be
factored. But other improvements are possible.
One relatively easy-to-understand improved algorithm for factoring is called Fermat factorization. This makes use of the fact
that
2 2
(a+b)*(a-b) = a -b
So, if a number to be factored is the product of two numbers, both of which are odd, the difference between them will be an
even number, and so these two numbers can be expressed in the form a+b and a-b for two positive integers a and b.
The following diagrams illustrate how one might go about trying to factor the number 319 (which is 11 times 29) by Fermat
factorization:
The square root of 319 is 17.86057..., so 319 is just less than 18

squared. Thus, we see how much is left over when 319 is
subtracted from 18 squared, which is 324, and we see that the
answer is 5. Five is not itself a square number. It is one more than
four, and it is, as shown by the squares outlined in blue in the
diagram, four less than nine.
Thus, we expand our square. We look at 19 squared. Thus, we

expand our square on the outside by one row and one column, as
shown by the yellow squares. This expands the overall square by
37 squares. The empty area on the inside grows by the same
number of squares: so, the squares taken from the inside are also
shown in yellow.
Now, 19 squared minus 319 is 42, which is seven less than 49, as
we see clearly after we finish expanding our test square.
This diagram shows the two changes we have made so far, and an
additional one; now, we have moved to a 20 by 20 square, as
shown by the 39 grey squares on the outside. Removing the same
number of squares on the inside this time produces an empty space
there of exactly 81 squares. So we have found our factors.
This diagram shows why Fermat factorization works, once again.

The difference of two squares produces an L-shaped region, and
since the two arms of the L have the same thickness, the area
shown in red can be rotated by 90 degrees and attached on the side
of the green rectangle to form a longer rectangle.
Thus, in this example, since we have a 20x20 square with a 9x9

bite out of it, we have a 20x11 rectangle, and another 11x9
rectangle, and we can put them together to form a 29x11 rectangle,
which shows that 319 is 29 times 11.
Fermat factorization, however, only works well when the two

factors of a number are close together. This diagram shows the
first few steps involved in attempting to factor 321 using Fermat
factorization. 321 is obviously 3 times 107, and 107 is a prime
number, so there are no other factors.
Because the factors are so very different, Fermat factorization

would continue until an L-shaped area only three squares thick,
three being the smaller factor, is obtained, and that will be found
in a 55x55 square.
Looking at this diagram, one notes that four consecutive regions of different colors in the interior of the square are about two
rows thick. This suggests that it is possible to improve Fermat factorization, to allow one to skip several steps that one can
tell will not be able to produce the final answer.
Improving Fermat Factorization
Let us look at the steps shown in the diagram for factoring 321, to compare Fermat factorization with trial division.
324 - 321 = 3 = 4 - 1 eliminating 16, 17, 18 (18 - 2 is 16)

361 - 321 = 40 = 49 - 9 eliminating 12, 13, 14, 15 (19 - 7 is 12)
400 - 321 = 79 = 81 - 2 eliminating 11 (20 - 9 is 11)
441 - 321 = 120 = 121 - 1 eliminating 10 (21 - 11 is 10)
484 - 321 = 163 = 169 - 6 eliminating 9 (22 - 13 is 9)
529 - 321 = 208 = 225 - 17 eliminating 8 (23 - 15 is 8)
576 - 321 = 255 = 256 - 1 (24 - 16 is 8)
Thus we see that after the first few tries, Fermat factorization has, in this case, lost its advantage over trial division.
However, that is because the regions involved are only two rows thick. For larger numbers, very many tries could still be
required even in all but the very last stages, when Fermat factorization still retains its advantage over trial division.
As noted, four times in a row, the region being shifted outwards was about two rows thick on the inside. This can be used to
speed up Fermat factorization because the differences between consecutive squares are the odd numbers. Thus, not only do
successive L-shaped regions one row thick differ by two in the number of squares they contain, successive regions two rows
thick differ by eight, successive regions three rows thick differ by eighteen, successive regions four rows thick differ by
thirty-two, and so on (each difference being twice the square of the number of rows).
Outside Inside Left Over

361 -> 400 (add 39) 49 -> 81 (add 32) 9 -> 2 (subtract 7)
400 -> 441 (add 41) 81 -> 121 (add 40) 2 -> 1 (add 1)
441 -> 484 (add 43) 121 -> 169 (add 48) 1 -> 6 (add 5)
484 -> 529 (add 45) 169 -> 225 (add 56) 6 -> 17 (add 11)
What we see from this table gives us hope, but also shows that there is a problem. The number left over changes in a
predictable pattern, but that pattern is not linear, it is quadratic.
Extrapolation
How much can this speed up Fermat factorization? And what exactly are the steps involved? To try and see the answers to
these questions, here is a more realistic example. In the book Codebreaker in the Far East, Alan Stripp, who worked as a
British cryptanalyst during the Second World War, noted that his serial number in the Army was for a time 14429743, which
his father informed him was the product of two prime numbers. How fitting that was, of course, would not be known for
decades.
[3799^2] 14432401 - 14429743 = 2658 = [52^2] 2704 - 46 ; 3747 rows with 46 left
[3800^2] 14440000 - 14429743 = 10257 = [102^2] 10404 - 147 ; 3698 rows with 147 left
[3801^2] 14447601 - 14429743 = 17858 = [134^2] 17956 - 98 ; 3667 rows with 98 left
[3802^2] 14455204 - 14429743 = 25461 = [160^2] 25600 - 139 ; 3642 rows with 139 left
So far, the number of rows is changing quickly each time.
But this doesn't mean the optimization noted here is completely useless. The number of rows would change slowly if the
inner square is near to the outer square in size. For a larger square, this would happen before the difference in sizes of the
two squares involves only two rows, so the optimization would become useful while Fermat factorization remained more
powerful than trial division.
Looking at the steps in Fermat factorization, however, long before the number of rows becomes constant over long stretches,
it starts declining by exactly one for step after step. Hence:
[4358^2] 18992164 - 14429743 = 4562421 = [2136^2] 4562496 - 75 ; 2222 rows with

75 left
[4359^2] 19000881 - 14429743 = 4571138 = [2139^2] 4575321 - 4183 ; 2220 rows with
4183 left
[4360^2] 19009600 - 14429743 = 4579857 = [2141^2] 4583881 - 4024 ; 2219 rows with
4024 left
[4361^2] 19018321 - 14429743 = 4588578 = [2143^2] 4592449 - 3871 ; 2218 rows with
3871 left
[4362^2] 19027044 - 14429743 = 4597301 = [2145^2] 4601025 - 3724 ; 2217 rows with
3724 left
...
[4412^2] 19465744 - 14429743 = 5036001 = [2245^2] 5040025 - 4024 ; 2167 rows with
4024 left
[4413^2] 19474569 - 14429743 = 5044826 = [2247^2] 5049009 - 4183 ; 2166 rows with
4183 left
[4414^2] 19483396 - 14429743 = 5053653 = [2249^2] 5058001 - 4348 ; 2165 rows with
4348 left
[4415^2] 19492225 - 14429743 = 5062482 = [2250^2] 5062500 - 18 ; 2165 rows with
18 left
Since the number of rows is changing at a constant rate, this can be handled by a formula as well.
We start with 4183 odd squares left over.
The big square starts at 4359 squares on a side, at the beginning of the uniform stretch. Thus, it grows by 8719 squares, then
8721 squares, then 8723 squares, and so on, two more each time.
The little square starts at 2139 squares on a side, and grows by two rows each time. So it grows by 8560 squares, then 8568
squares, then 8576 squares, and so on, eight more each time.
The number of odd squares left over first changes from 4183 to 4024, for a decrease of 159 squares. Each succeeding time,
this decrease itself decreases (eventually changing to an increase) by six squares each time.
Thus, one has a quadratic equation for the number of squares left over. How do we use it to find out if that number becomes
zero, and to find out when the uniform stretch ends, and a new calculation is needed?
Finding where a quadratic equation yields zero is, of course, easy enough.
2
a x + b x + c = 0
when
________
2 /
-b ± \/ b - 4ac
x = ----------------
2a
as we learned in school.
The stretch ends when the number left over either becomes negative, or exceeds the size of the outermost row of the inner
empty square; the former case is indicated by the roots of the quadratic, and since the second case involves the intersection
of the quadratic with a straight line, subtracting the equation from the straight line from that of the quadratic yields another
quadratic.
This is but the beginning of the ways in which Fermat factorization may be accelerated by extrapolation.
Enlargement
Given that Fermat factorization works best when the factors are equal in size, if the two factors, p and q, of the number being
factored happen to be such that p is about three times as large as q, then trying to factor 3pq would first turn up p and 3q as
the factors.
Thus, one could first try to factor pq. When the L-shaped region has a large enough bite out of it as to indicate factorizations
into two components differing by a factor of three have been reached, one could switch to trying to factor 3pq. Then, when
the two components differ by a ration of 5/3, switch to trying to factor 5pq, and so on.
Where the little square is of side b, and the big square of side a, one is comparing the ratio between a+b and a-b, since those
are the candidates for p and q, to determine what ratio between p and q has been reached.
Since a+b and a-b differ by 2b, we have been only considering the case where p and q are both odd. But this would also
work if they were both even, so one could also, for example, try to factor 8pq; if p were about twice the size of q, twice p and
four times q would turn up early in the search for factors.
The Factor Base Algorithm
If we are now looking for cases where a squared minus b squared equals some multiple of pq, why not simply look for cases
where a squared and b squared are equal modulo pq?
Not all such cases, though, will really factor pq. After all, 107pq can be factored into 107 and pq.
The factor base method works like this: starting with the numbers just after the square root of pq, the number to be factored,
find those numbers which are the product only of numbers from a set of small prime numbers.
Once one has enough such numbers, one can find among them a set of numbers which, when multiplied together, produces a
result with only even powers of those prime numbers. The two products of any two pieces in which you split that set will be
the kind of number you are looking for. (In practice, the number -1 is included in addition to several small prime numbers;
this doubles the chance of dealing with a smaller number, which is more likely to be the product of small primes.)
Instead of looking at all the numbers after the square root of pq, numbers likely to be small modulo pq can be found by the
continued fraction method of factoring. A more complicated method of even more quickly finding numbers worth trying,
which requires a special choice of the small prime numbers, is called the quadratic sieve method. Even more advanced and
efficient methods of factoring now exist.
Next
Chapter Start
Table of Contents
Home Page
Diffie-Hellman
This key-exchange algorithm was invented by Whitfield Diffie and Martin Hellman in
1976, and it too was previously invented within GCHQ in Britain, this time by
Malcolm Williamson in 1974.
Although it is impossible to encrypt any message directly in the Diffie-Hellman

system, it is still useful for sending secret messages. In general terms, it can be thought
of as working like this: two parties, sharing a public key, each think of a number. Both
parties perform a particular type of hash on that number using the public key, and give
the result to the other party. This is useful, because there is a function of one original
number and the special hash that was calculated of the other number that is the same,
regardless of which one of the numbers you have in its original form, and so the two
parties can use that product as a conventional encryption key for communicating. Note
that the number each party thinks of can also be called a secret key, and the hashed
version as a public key.
The Diffie-Hellman method, like RSA, also uses modulus arithmetic, but here the
modulus is just a prime number, which we will call P. Exponentiation is involved as
well. But, while in RSA the encryption function applied to x is x to the d power, which
is inverted as x to the e power, in Diffie-Hellman the function applied is a hash
function, in effect, because it has no inverse: A to the x power, modulo P.
(Of course, with real number arithmetic, that has an inverse, the logarithm of x to the
base A. And the inverse of x to the e power is the e root of x as well. Note that this
does indicate one weakness of RSA: if e happens to be 3, and the encrypted message is
a perfect cube, then the conventional cube root, which is easy to find, is also the cube
root modulo M. This requires both a low exponent and a small number as the message,
and is therefore easily avoided in practice.)
So, in Diffie-Hellman, the two parties each think of a secret random number,
respectively x and y. Each transmits A to that power. So, one party knows x and A^y,
and the other party knows y and A^x. Each party can calculate A^(x*y), since that is
(A^y)^x and it is also (A^x)^y, but an eavesdropper, only knowing A^x and A^y,
cannot do this.
A potential danger when Diffie-Hellman is used is that one could, for some values of
the modulus P, choose values of A such that A^x has only a small number of possible
values, no matter what x is, which would make it easy to find for a value of x that was
equivalent to the original value of x. This can be defended against by using a modulus
P such that P-1 is equal to twice another prime number. This second, smaller prime
number is known as a Sophie Germain prime, after a noted mathematician who was
able to prove Fermat's Last Theorem for the case when the exponent was such a prime.
The Key Exchange Algorithm (KEA) which was used with SKIPJACK in the Clipper
chip, and which was declassified at the same time, uses Diffie-Hellman in an
interesting manner which highlights some of its properties. As in the Digital Signature
Algorithm, the prime modulus P is required to be one such that P-1 has a factor that is
160 bits long. Since P is 1024 bits long, (or 512 to 1024 bits long, in the case of the
Digital Signature Standard) this appears to be less secure than the use of a prime
derived from a Sophie Germain prime. Also, it is somewhat more cumbersome to use:
where f is the 160-bit long prime factor of P-1, A cannot simply be chosen at random;
instead, another number less than P-1, B, is chosen at random, and B^((P-1)/f) is used
as A as long as it is not equal to 0 or 1 (modulo P, of course) and it also requires that
each A^x used be tested to determine that A^(xf) is equal to 1 modulo P.
Although this may be less secure than the use of a Sophie Germain prime, it is certainly
more secure than simply choosing P at random, and making no effort to avoid the
problems that small factors of P-1 could cause.
The protocol involved in KEA is of more interest. The session key is derived by
hashing
(x1*y2) (x2*y1)
A + A
all calculated modulo P, where x1 and x2 came from the first party to the
communication, and y1 and y2 came from the second.
If doing Diffie-Hellman once isn't good enough, what is the point of doing it twice?
The important thing about KEA is the difference between where the x values and the y
values came from.
The first user retains x1 as a persistent private key, and when A^x1 is presented as his
public key, it is accompanied by a digital certificate. Similarly, the second user has a
digital certificate for A^y1 as a public key.
On the other hand, x2 and y2 were random numbers generated at the time of the
communication, and thus A^x2 and A^y2 do not have certificates corresponding to
them. Thus, by involving the four parameters, a persistent and a temporary key from
each user in the procedure, both users prove their identity with a digital certificate, but
the resulting session key is something that is different for every message.
Since the x2 and y2 values are not persistent (they are sometimes called nonces), an
attacker could only obtain them through access to the computers or other equipment of
the parties to the communication at about the same time as the message with which
they are associated is itself present in plaintext form on that equipment. Thus, unlike
persistent private keys, nonces do not contribute to the security burden of key storage.
This means that a passive attacker would need to compromise the persistent private
keys of both parties (if that attacker could not also obtain one of the nonces) to read a
message whose key was generated through KEA. This, however, was not likely to have
been a major design consideration, because additional security against passive attacks
could be gained by making the protocol more elaborate (for example, A^(x2*y2) could
be used in addition in the generation of the session key); but this by itself would not
increase security against an active attack. Although this technique could be combined
with other measures that do combat active attacks, an attacker who could also partially
compromise keys is not only likely to be able to mount an active attack of the "man-in-
the-middle" type, but may even be able to tamper with the encryption hardware or
software being used.
The technique for deriving an 80-bit key for SKIPJACK from the 1024-bit value A^
(x1*y2)+A^(x2*y1) mod P, which value I will call k1, included for completeness, is as
follows:
The 80 most significant bits of k1 are XORed with the 80-bit constant
X'72F1A87E92824198AB0B', and the result of this will be called k2.
The 80 next most significant bits of k1 are split into 64 more significant bits and 16
less significant bits. The 64 more significant bits are encrypted twice in SKIPJACK
with a key of k2. The 16 leftmost bits of the result of the first of these two encryptions
is XORed with the 16 less significant bits. The concatenation of the 64-bit result of the
double encryption with the 16-bit result of the XOR forms the 80 bit key that will
actually be used for the conventional encryption, with SKIPJACK, of the actual
message. The following diagram illustrates this process, and it is similar to a diagram
included in the document describing SKIPJACK and KEA on the occasion of their
declassification:
Since k1 is a number modulo P, where P is a prime that is 1024 bits long, its most
significant digit is somewhat more likely, depending on the choice of P, to be a zero
than a one, and this could be considered a slight weakness in choosing to use the most
significant bits of k1 instead of some other part of it. Note also that the value of the 80-
bit constant used, were it secret, as it was originally, would provide an additional layer
of protection to the actual key used from the values exchanged. Also note that I am
assuming that the convention for taking the 80 most significant bits and the 80 next
most significant bits of k1 and submitting them to SKIPJACK in the form of binary
bytes is a big-endian convention; anything else would be too confusing for me to
attempt to explain.
Also note that the technique used for converting the 80 next most significant bits of k1
to the 80-bit key actually used, while suitable to its purpose here, is not a secure
technique in general for increasing the block size of a block cipher.
● El Gamal
● Digital Signatures Based on Diffie-Hellman
Next
Chapter Start
Table of Contents
Home Page
El Gamal
The Diffie-Hellman key exchange algorithm is usually described as an active exchange
of keys by two parties:
one party chooses x, and transmits A^x mod P,
the other party chooses y, and transmits A^y mod P,
and then both parties communicate using A^xy mod P as their session key.
Nothing, however, prevents the second party placing A^y mod P on file as its public
key, allowing anyone else to send a message which the second party can read by
choosing an x, and sending A^x mod P along with the message, encrypted using A^xy
mod P as the key.
El Gamal could be considered to be a special case of this.
In El Gamal, to send a message to a party whose public key is A^y mod P, we send our
own public key, A^x mod P, and in addition the message is enciphered by multiplying
it by A^xy mod P, the multiplication also being modulo P.
Next
Chapter Start
Table of Contents
Home Page
Digital Signatures Based on Diffie-

Hellman
It is easy and obvious to see how RSA can be used for digital signatures. The two
exponents, e and d, are each related to the other exponent in the same way. Thus,
something enciphered with the public exponent d is something anyone could have
written, but only the individual knowing e can read; something enciphered with the
private exponent e is something anyone can read, but only the individual knowing d
could have written.
To execute a digital signature using the Diffie-Hellman key agreement algorithm as the
basis requires a different approach.
The basis of digital signature algorithms of this type is as follows: the person knowing
x produces a set of two or three numbers that have a relationship to each other such that
they can only be generated knowing x, but the presence of the relationship can be
verified by those who only know A^x.
Thus, one simplified attempt at a discrete log signature algorithm would be to take a
message m, and calculate s such that s = x * m, modulo Q, where P is a Sophie
Germain prime such that P-1 = 2Q. Then, someone knowing only A^x could see that
A^s = (A^x)^m. However, this wouldn't be effective, because a signed document
consists of s and m, and since Q is public, your secret key x could easily be obtained by
dividing s by m.
The signature methods actually used, therefore, involve additional parameters, so that
the signature s is masked in a way that prevents it from giving away the value of x.
In more detail, these algorithms work like this:
Let us, to simplify matters, assume that the modulus P used for our Diffie-Hellman
operations is not only a Sophie Germain prime, and thus
P - 1 = 2 * Q
where Q is also a prime, but in addition, Q is a Sophie Germain prime as well, so that
Q - 1 = 2 * R
for some prime R.
Primes other than Sophie Germain primes can be used; in that case, Q is simply some
large prime factor of P-1. R is not used, but Q should also be a prime such that Q-1 has
at least one large prime factor, since Q is used as a modulus for carrying out Diffie-
Hellman operations as well in the type of algorithm described below.
This means that not only is P suitable as a modulus for securely carrying out Diffie-
Hellman key setup, but so is Q, although Q is smaller.
Someone wishing to sign a document, m, has a permanent secret key x, to which A^x
modulo Q (rather than A^x modulo P) is the corresponding public key. In addition, a
nonce secret key y is generated, for which A^y modulo P, this time, not A^y modulo Q,
is the corresponding public key.
A is chosen so that A^Q is equal to 1 modulo P, thus ensuring that A generates a

sufficiently large portion of the numbers between 1 and P-1. This is relevant to using it
as a base for Diffie-Hellman modulo P.
Also, Y is calculated, where Y equals (A^y modulo P) modulo Q. The message and the
signature are both numbers modulo Q.
The signature s is calculated as a function of X and the message m. Various signature

schemes are possible; all have in common three numbers, a, b, and c, which are defined
in terms of s, Y, and m.
These three numbers satisfy the equation
ax + by = c
modulo Q.
This shows why it's vitally important that a different y is chosen for every signature. a,
b, and c are all public information; so if you have two sets of a, b, and c for the same x
and y, you can solve for the secret keys x and y.
Given s, m, A^x modulo P, and A^y modulo P (in the DSA, only Y is disclosed, but
this makes verifying signatures more difficult; note also that Y can be calculated easily
from this value, and Y is used in signature verification), the relationship between a, b,
and c can be verified using the equation
(A^x modulo P)â * (A^y modulo P)^b = A^c

modulo P.
The possible values for a, b, and c (following a different convention from the one I use
here) are given in Bruce Schneier's book Applied Cryptography as:
1) a=m, b=Y, c=s

2) a=1, b=Ym, c=s
3) a=1, b=Ym, c=ms
4) a=1, b=Ym, c=Ys
5) a=1, b=ms, c=Ys
and the sign convention may be altered; any of a, b, or c may be replaced by its
additive inverse. (All possibilities, of course, can be reached by changing the signs of
only two of them.) The Schnorr signature scheme, subject of a patent which still has a
considerable time to run, is noted as being related to the fifth of these equations in
Applied Cryptography, although elsewhere it is noted that the systems El Gamal and
the Digital Signature Algorithm, based on the fourth of these equations, are special
cases of Schnorr. The first and second equations, which avoid the need for a division to
calculate s, are noted as being related to schemes described in various published papers.
The Handbook of Applied Cryptography, by Menezes, van Oorschot, and Vanstone,

gives six possibilities instead, which are simply:
a=m, b=Y, c=s

a=Y, b=m, c=s
a=s, b=Y, c=m
a=Y, b=s, c=m
a=m, b=s, c=Y
a=s, b=m, c=Y
the three individual elements in every possible order.
Next
Chapter Start
Table of Contents
Home Page
Other Public-Key Methods

The most important alternative public-key method is elliptic curve public-key
cryptography.
One of several possible ways to perform it is a variation of Diffie-Hellman. Instead of

performing Diffie-Hellman on numbers modulo a prime, perform it on polynomials
modulo a polynomial, with the coefficients also being numbers modulo a prime which
can even be 2. However, with elliptic curves, multiplication modulo the polynomial
rather than exponentiation can also be used.
A proposal by Dr. Adi Shamir, called the Shamir three-pass protocol, requires ciphers
that can be applied to a message in either order to produce the same final enciphered
result; that is, ciphers that commute with each other.
With such ciphers, the following can be done:
A wishes to send a message to B. So, A takes the message, and enciphers it in cipher A,
sending the result to B.
B enciphers it in cipher B, sending it back.
A can still decipher in cipher A, and does so, leaving behind the message only
enciphered in cipher B. This is sent back to B.
B reads the message, since it's only enciphered in his cipher.
It was hoped that this method might make public-key cryptography easier, in that it
might be more possible to design ciphers that commute and that are secure in this
protocol. Like public-key cryptography, it allows secure communications without prior
exchange of a shared secret key in a secure manner. However, there is no public "key"
in this protocol, and therefore it is considered to be distinct from public-key
cryptography by some authorities.
However, only the Massey-Omura cryptosystem (and perhaps other essentially similar
ones) is a secure method based on this protocol.
Given an agreed-upon prime modulus M, A sends a message to B by first raising it to

the power A modulo M.
B then raises it to the power B, and sends it back.
A, knowing the value of A, can easily find the corresponding decryption exponent that
takes the A-th root modulo M, and sends back the message, now only raised to the B-th
power.
B then finds the B-th root, using his decryption exponent.
Since the modulus is a prime, finding the decryption exponent from the encryption
exponent is easy for both parties; but the algorithm is secure because neither exponent
can be found from the messages, because the discrete logarithm problem is hard.
A mathematics book once suggested using multiplication by a large prime as the

method of encryption, where the message itself must be a large prime. Since factoring
is hard, the individual messages can't be cracked. However, the three messages in the
system are AM, ABM, and BM, from which M can be found by the simple operation of
division.
Many conventional cryptosystems can be made to commute. For example, if A

performed simple substitution, and B performed transposition, the two operations
would commute with each other. However, those methods aren't secure either: they
basically reduce to A and B each separately encrypting half the message, leaving the
other half alone.
Thus, it appears for now that the Shamir three-pass protocol is only effective when
used with operations such as exponentiation, which are also suitable for use in public-
key ciphers of the conventional type.
A public-key system that has been found to be unsafe, and which is therefore of
primarily historical interest today, is the knapsack method. Unlike RSA and Diffie-
Hellman, this system was based on a mathematical problem which was known to be
NP-complete, and thus one that was tougher to crack than either factoring or the
discrete logarithm problem.
The knapsack problem is this: given a set of numbers, and another larger number which
may be the total of some of them, determine if it is such a total, and if so, of which of
the numbers in the set.
This problem is very hard in general. But if the set of numbers was such that every
number is greater than the sum of all the ones smaller than itself in the set, then solving
the knapsack problem becomes fundamentally no harder (it just requires a tiny bit of
extra arithmetic) than converting a number decimal notation to binary notation.
The knapsack cipher worked as follows: start with a superincreasing knapsack
composed of many large numbers. Then, disguise the knapsack by multiplying all the
numbers in it by some quantity, modulo a limit which must be larger than the sum of
all the numbers in the knapsack.
Then, a message can be sent to you in the form of the sum of selected elements of the
knapsack. (Note that a message needs to have a significant number of both 1 and 0 bits
in it to be secure.)
You then convert the message to be in terms of the undisguised knapsack, by

multiplying it, modulo the limit, by the inverse of the quantity used to disguise the
knapsack. Note that the modulus does not need to be revealed as part of the public key.
Also, it may be noted that while this system only involves addition for sending a
message, it is significantly more cumbersome than most other public key systems,
since the public key, instead of being just one or two very large numbers, might consist
of over 200 such numbers.
Because the knapsack cipher was based on disguising such a set of numbers, called a
superincreasing knapsack as an ordinary knapsack, although solving the general
knapsack problem had been proven to be an NP-complete problem, someone attacking
a knapsack cipher had one piece of information that someone trying to solve the
general knapsack problem did not: that the knapsack to be solved was a disguised
version of a superincreasing knapsack. Thus, the flaw was that the security of the
cipher depended not only on the difficulty of the knapsack problem, but on the security
of the disguise.
Of course, there are ways to improve the knapsack cipher, but they have been broken
too. A knapsack could be disguised twice, modulo two different primes; but the
iterated knapsack was broken too. Instead of starting with a true superincreasing
knapsack, one could start with one that was 'close' to superincreasing, one which
involved one small knapsack problem (or perhaps several) that had to be solved the
hard way; this wouldn't be too impractical, since it is only as an NP-complete problem
becomes large that the time required to solve it becomes excessive; and this would
presumably make an attack more difficult, because the properties of the knapsack
under the disguise would not be as straightforward. Doubtless, though, this too is not
secure.
Next
Chapter Start
Table of Contents
Home Page
The Uses of PKC

The obvious use of public key cryptography is to allow secret communications in the absence of prior secure
contact.
Publish your public key. People can send you messages that no one but you can read.
That's simple enough. But if other people don't really know who you are, why would they send you messages
that need to be encrypted?
A big corporation could put a one-way hash or checksum of its public key on its billboards or its magazine ads,
to make you feel safe about sending your credit card number to it over the Web with that public key. However,
things are usually done a bit differently.
Another use of some public key algorithms, particularly RSA, is digital signatures. Suppose you encrypt a
message using your private key. Then, anyone can decrypt it who knows your public key; but only you could
have encrypted it in the first place. Thus, you've proved that you saw that message, and chose to encrypt it.
So, one of the commonest uses of digital signatures is in key certificates. The company that wrote your web
browser includes, built right into the program, the public key of a company that certifies the ownership of other
public keys. When you visit a site where you want to make a credit card order, your browser can then check that
the public key you will use to encrypt your credit card number really belongs to the company you think you're
ordering from.
Certificates can also be used in a less hierarchial fashion. A program like PGP allows your friends to vouch for
the key of any new person you wish to use PGP to communicate with, and uses a system of weighting to consider
certificates from a friend of a friend; this system is called the 'web of trust'.
Just as a public key algorithm can be used to encrypt the key (for use with a conventional algorithm like DES) by
which a message is encrypted, rather than the whole message, to sign a message you can simply encrypt a good
one-way hash of that message rather than the message itself.
Some types of digital signature don't require public-key cryptography, only hash functions. To prove that you
knew something a year before you're willing to make it public, publish today a one-way hash of what you know,
and a year later, publish what you had hashed then. This technique was used hundreds of years ago; the discovery
that Venus has phases like the moon, and the discovery that Saturn has rings, were both claimed prior to
publication by the act of publishing phrases which were anagrams of the statements of the discoveries.
The Diffie-Lamport signature scheme is closely related to this idea of using a hash of a message to sign that
message in advance of sending it. To be able to sign a single message to be sent in the future, without knowing
its text in advance, generate a pair of DES keys for every bit in the message or a hash of the message. Publish a
plaintext/ciphertext pair of blocks for each of these keys, indicating which two pairs correspond to a given bit in
the message to be signed, and which one corresponds to that bit being a 0, and which one corresponds to that bit
being a 1.
Then, when the time comes to sign the message, release the keys which correspond to the actual values of the
bits in the message, and only those keys.
Note that the signature is 56 times as long as the message. This can be reduced to 7 times, by generating DES
keys in sets of 256, only one of which will be released, corresponding to the actual value of a byte in the message.
Note also that the plaintext/ciphertext pairs of blocks are functioning as a one-way hash of the key, so this
scheme could be implemented equally well if one generated a pair of random messages for each bit of the
message to later be sent and signed, and released their hashes in advance along with the bit values to which they
corresponded, and then released the actual messages corresponding to the actual bits of the message to be signed.
Because the only information released corresponds to the actual bits of the message being signed, it does not
allow other messages to be forged. Thus, the large ensemble of keys or messages that are randomly calculated
can only be used to sign one message.
If only authentication, rather than a signature, is desired, then a very much simplified procedure can be used.
First, make available a random plaintext block, and its encrypted form, again under conditions where that is
known to be authentic. Then, send the message to be authenticated, along with its hash, encrypted by the same
key. Finally, reveal the key. This proves to the recipient that you have sent the message, although it now reveals
enough data to forge messages. Thus, the reciept of the message to be acknowledged has to be securely
confirmed before the key is revealed.
Signing an individual message is one form of authentication; for a user to demonstrate his identity in response to
a challenge, with the assumption that the communications channel used at the time of the challenge will not be
later interrupted with a spurious message, is a less ambitious form of authentication that can more easily be
performed with only classical techniques.
A device like the one illustrated below in the form of a slide:
is more usually used in the form of a disk, with the vertical window showing ten numbers in the diagram in the
form of ten individual holes staggered in a spiral.
In use, the holder of such a device would prove his posession of it by responding "536" to a challenge of VY2 or
CP2, for example.
Such devices have been used as a means of copy protection for computer games, where the letters may be
replaced with the names of items in the game, and the three-digit numbers by numbers of five or six digits.
Devices of a somewhat similar nature were used during World War II to authenticate unencrypted
communications, and apparently this was true of the conflicts in Korea and Vietnam as well.
Next
Chapter Start
Table of Contents
Main Page

Here, we are in a different world.
Before, it was possible to achieve any desired level of security merely by piling
complication on top of complication.
Here, we are dealing with techniques that will not work at all for their intended purpose
unless left in their pristine simplicity.
The only way to increase security is to use larger-sized numbers as keys. And all the
security depends on the difficulty of a specific mathematical problem.
On top of that, these techniques seem only to offer a method of doing something that is
useless and dangerous. They let you encrypt a document, so that its secrets are
protected, which you are able now to send...to a complete stranger. Why else couldn't
you have exchanged a secret key?
It is mainly the slowness of these techniques, and not any security considerations, that
lead to them only being used when they are necessary. But there seem to be good
security reasons to only use public-key methods when all else fails as well.
There are important benefits to public-key cryptography, however.
In the next chapter, it will be noted that in a military environment, if the various parties
that will be communicating with each other are issued "black boxes" that generate
public and secret key pairs, but only divulge the public keys, keeping the secret keys
for internal use, then there are no keys available to betray. Thus, PKC has strengths that
complement those of other forms of encryption and other security measures (such as
tamper-resistant hardware). This will be discussed further in the section entitled
Military Key Management.
A commonly cited advantage of public-key cryptography is that, with N users, only N

keys are required for any pair of these users to communicate privately, while N(N-1)/2
keys (of the order of N^2) are required without public-key cryptography.
This does point to a real advantage of public-key cryptography, but the statement as
commonly encountered needs some amplification to make this clear.
If N people are actively communicating with each other, each one needs to keep on file
the keys of the other N-1 people. This is true whether they are agreed-upon secret keys,
or public keys. But without the use of public-key methods, each person needs to have
keys for communicating with everyone else at the start. With public-key methods, if
each site simply has its own key, plus a certificate with which to demonstrate the
authenticity of its public key, any two sites can later begin secure communications. If
one site acts as a key server, even using conventional secret key methods, each site
would only need initially a secret key to communicate with the key server; however, in
that case, any two sites not having previously communicated would be dependent on
the availability of the server to establish secure communications. It is in this that the
advantage of having fewer keys to contend with actually consists.
Note, therefore, that no significant practical disadvantage is incurred if two sites, after
establishing communications by public-key methods, generate a conventional key to be
used in all future communications, since, unless maintaining a key ring is entirely
avoided, and each site obtains the other site's public key for every transmission, a list of
sites with their keys is already being maintained. Maintaining such a secret key, in
addition to one's own private key, does pose a slight additional security risk, as its
compromise allows both, rather than one, side of communications between oneself and
other parties to be read.
In principle, the information needed to encrypt something in a public-key system is

equivalent to the information needed to decrypt it. Only the relative intractability of the
mathematical problem that separates the private key from the public key makes a
public-key method secure.
This created understandable nervousness on the part of the British authorities, who
feared that a "magic screw" could be uncovered which, once turned, would cause the
whole system to fall apart, or, in other words, would vitiate the security of their
communications if they were to base them upon a public key method. Also, in the time
between the original discovery of those methods and their open discovery, while the
microprocessor revolution was in its early stages, the computing equipment required
for handling large-number arithmetic would still have been bulky and expensive.
Next
Chapter Start
Table of Contents
Home Page
Data Compression
English-language text uses only a fraction of the possible strings of the 26 letters. For example, no one would mistake
xwllygrZPXll mRRtQzryWx
for a portion of normal text.
It is possible to make use of the fact that certain sequences of letters are more common than others to fit a text
document, or a data file of another type, into less than the usual amount of space.
Graphics and audio files can be compressed by specialized techniques. Often, they have long stretches where values
either do not change, which can be dealt with by run-length encoding, or stretches where changes are small, which
can be handled by, for example, replacing a 16-bit number by an 8-bit value showing the difference between the
current number and the previous one belonging to the same family (an image file might contain alternating R, G, and
B pixels, and the three values would be independent, so one compares an R value to the corresponding value in the
previous pixel, that is, the previous R value, not to, say, that pixel's B value), called delta modulation.
Other, more specialized techniques of compression for such files involve Fourier transforms. The most popular such
technique is the Discrete Cosine Transform, used to produce JPEG files. Wavelet compression is another related
technique.
A very popular data compression technique is Lempel-Ziv compression. This is used with general purpose file
compression programs on computers. Its basic principle is that, as a file is read, the part of the file that has already
been processed is used as a dictionary of sequences of bytes likely to occur in that file. When a repeated sequence of
bytes is long enough, a pointer back to the earlier part of the file is shorter than repeating the bytes. While the original
concept of this kind of file compression is not patented, patents cover Lempel-Ziv-Welch compression, and many
other variants which are more practical or efficient than the original form.
Huffman coding is the other major data compression technique applicable to text files.
In the chapter on paper-and-pencil methods of encryption, we met the straddling checkerboard method of converting
letters to digits for easier manipulation:
A T O N E S I R
-------------------
0 1 2 3 4 5 6 7 8 9
-------------------
6 P Q U V W X Y Z
in which the eight most common letters are represented by only a single digit, and the left over two digits begin two-
digit codes for all the other less common letters.
A Huffman code is also a code with variable length equivalents that can be distinguished unambiguously from the
front (which is known as having the prefix property). However, the term 'Huffman code' has a specific technical
meaning that goes beyond this. Even if some effort is made to assign the shorter codes to the more frequent symbols,
one does not necessarily have a Huffman code.
The distinguishing feature of a Huffman code is how the binary codes are assigned to the symbols being encoded. Let
us say that one wishes to encode the 26 letters of the alphabet. Then, one takes the least frequent two letters of the
alphabet, which happen to be Q and Z, and combine them into a single symbol for the next step, recording that the
code for Q will be that symbol's code plus a 0 tacked on the end, and the code for Z will be that symbol's code plus a
1 tacked on the end, thus distinguishing Q from Z.
Repeat that process until the alphabet is reduced to a single symbol, which needs no code, and you have produced a
Huffman code. One might wish to change the binary codes around without changing their length so as to have all the
symbols with four bit codes in alphabetical order, and one still can call the code a Huffman code.
Working from a set of letter frequencies due to Jim Gillogly, based on a famous body of literary work, which are as
follows:
E 12.32 S 6.28 C 2.48 K 0.80

T 9.05 R 5.72 Y 2.11 X 0.15
A 8.17 D 4.31 F 2.09 J 0.10
O 7.81 L 3.97 G 1.82 Q 0.09
I 6.89 U 3.04 P 1.56 Z 0.05
H 6.68 M 2.77 B 1.45
N 6.62 W 2.64 V 1.02
we can link the first few letters together with no uncertainties, since the symbol totalled together from all the previous
letters is either the one with the lowest or the second-lowest frequency remaining:
V 1.02 - 2.21
K 0.80 - 1.19 -
X 0.15 - 0.39 -
J 0.10 - 0.24 -
Q 0.09 - 0.14 -
Z 0.05 -
Then the frequencies stop changing so rapidly, and we make some independent compounds:
P 1.56 - 3.01
B 1.45 -
F 2.09 - 3.91
G 1.82 -
Then Y tacks on to the long sequence we made initially:
Y 2.11 - 4.32
... 2.21 -
and we continue combining one more pair of letters separately:
W 2.64 - 5.12
C 2.48 -
then two letters tack on to what we did above:
M 2.77 - 5.78
P 1.56 - 3.01 -
B 1.45 -
U 3.04 - 6.95
F 2.09 - 3.91 -
G 1.82 -
and then two letters combine directly:

D 4.31 - 8.28
L 3.97 -
and then two chains combine
Y 2.11 - 4.32 --- 9.44

... 2.21 - |
|
W 2.64 - 5.12 -
C 2.48 -
The next letter is added on to a chain:
R 5.72 - 11.50
M 2.77 - 5.78 -
P 1.56 - 3.01 -
B 1.45 -
Then two more pairs of letters are combined separately:
N 6.62 - 12.90
S 6.28 -
I 6.89 - 13.57
H 6.68 -
The next three letters tack on to existing chains:
O 7.81 - 14.76
U 3.04 - 6.95 -
F 2.09 - 3.91 -
G 1.82 -
A 8.17 - 16.45
D 4.31 - 8.28 -
L 3.97 -
T 9.05 - 18.49
Y 2.11 - 4.32 --- 9.44 -
... 2.21 - |
|
W 2.64 - 5.12 -
C 2.48 -
and finally, the most frequent letter of the alphabet, E, joins up with a chain:
E 12.32 - 23.82
R 5.72 - 11.50
M 2.77 - 5.78 -
P 1.56 - 3.01 -
B 1.45 -
At this point, we now have only compound symbols in the running, and our compound symbols have the following
probabilities:
23.82
18.49
16.45
14.76
13.57
12.90
which total to 99.99%, due to rounding error in calculating the individual letter frequencies independently. So, we
haven't forgotten any letters!
Applying the Huffman code rule to these six pseudo-symbols ends up with the following result:
13.57 - 26.47 --- 57.68 ---

12.90 - | |
| |
16.45 - 31.21 - |
14.76 - |
|
23.82 - 42.31 -
18.49 -
and that means we can now put our trees of letters together, and arrive at our Huffman code for the alphabet in the
English language. Here is the complete tree:
I
6.89 - 13.57 --- 26.47 --- 57.68 ---
H
6.68 - | | |
| | |
N 6.62 - 12.90 - | |
S 6.28 - | |
| |
A 8.17 - 16.45 --- 31.21 - |
D 4.31 - 8.28 - | |
L 3.97 - | |
| |
O 7.81 - 14.76 - |
U 3.04 - 6.95 - |
F 2.09 - 3.91 - |
G 1.82 - |
|
E 12.32 - 23.82 --- 42.31 -
R 5.72 - 11.50 |
M 2.77 - 5.78 - |
P 1.56 - 3.01 - |
B 1.45 - |
|
T 9.05 - 18.49 -
Y 2.11 - 4.32 --- 9.44 -
V 1.02 - 2.21 |
K 0.80 - 1.19 - |
X 0.15 - 0.39 - |
J 0.10 - 0.24 - |
Q 0.09 - 0.14 - |
Z 0.05 - |
|
W 2.64 - 5.12 -
C 2.48 -
and we make a code from it by using the two bits 0 and 1 to distinguish between the two branches coming from every
fork on the tree, and so we get our Huffman code as follows:
- 0 --- 0 --- 0 - 0 : I 0000

| | - 1 : H 0001
| - 1 - 0 : N 0010
| - 1 : S 0011
- 1 --- 0 - 0 : A 0100
| - 1 - 0 : D 01010
| - 1 : L 01011
- 1 - 0 : O 0110
- 1 - 0 : U 01110
- 1 - 0 : F 011110
- 1 : G 011111
- 1 --- 0 - 0 : E 100
| - 1 - 0 : R 1010
| - 1 - 0 : M 10110
| - 1 - 0 : P 101110
| - 1 : B 101111
- 1 - 0 : T 110
- 1 --- 0 - 0 : Y 11100
| - 1 - 0 : V 111010
| - 1 - 0 : K 1110110
| - 1 - 0 : X 11101110
| - 1 - 0 : J 111011110
| - 1 - 0 : Q 1110111110
| - 1 : Z 1110111111
- 1 - 0 : W 11110
- 1 : C 11111
Of course, only the length of the symbols is important, so we can re-assign the codes as we like, as long as we keep
the same length. To ensure that every letter can be assigned a code, this is done by assigning codes to the letters with
the shortest codes first, and then converting all the unused codes to longer codes by appending both a 0 and a 1 to
each one, creating two codes for each code that was present before, and then assigning these codes to the letters
whose code is one bit longer. This method can even be used in a computer program to create randomized Huffman
codes.
An algorithm for applying this process might work like this:
● Have available a prepared list of information, giving for each required code length in bits that length and the
number of symbols with that length of code, in order from shorter to longer.
● Start with the shortest length in the list, and call it N.
● Fill a buffer with all possible combinations of N bits.
● For the number of characters that have N bit codes, select for each one an element from the list at random, then
remove that element from the list, making it shorter.
● For each of the remaining code lengths in that list, do the following, starting from the second shortest length
and ending with the longest:
❍ Call the length currently being considered M.
❍ Make 2 to the (M minus N) power copies of each element in the list, and append each of the possible
combinations of M minus N bits to one of the copies of each element.

❍ For the number of characters that have M bit codes, select for each one an element from the list at
random, then remove that element from the list, making it shorter.
❍ Change the value of N by placing the current value of M in it.
This has been proven to be the way to produce the most effective possible binary code for symbols, if you are not
making use of any information except the frequencies of the symbols in isolation. An earlier code of this type, the
Shannon-Fano type of code, worked from the top down instead of the bottom up. This led to some letters starting out
placed with other letters whose frequencies were too far away, leading to slightly clumsy code assignments.
Often, in practice, a Huffman code for one kind of symbol will be mixed with other binary codes that are assigned
based on guesses instead of actual frequencies. Sometimes this is hard to avoid. A Huffman code for the 26 letters of
the alphabet is (well, almost) the best one can do to compress text, after it has been encrypted using a transposition
cipher. Unencrypted text, though, still has other properties besides letter frequencies to exploit.
Fax machines use a clever modification of the Huffman principle. One Huffman code is used to represent stretches of
black on the paper. Usually, these stretches are very short, the width of a line within a printed or typed character.
Another code represents stretches of white. Their lengths vary more widely, and so a different code represents them.
With text, a multi-state code is useful also. Digraph frequencies can be exploited by preparing a separate Huffman
code for the alphabet based on every possible value of the preceding letter in the message. Or one could make things
simpler, by just having a code for letters after vowels, another for letters after consonants, and (if spaces are also
represented somehow) another for letters at the beginning of words.
If text with spaces and punctuation marks is being reproduced, one could add these symbols to a Huffman code. But
more efficiency would be obtained, and more security would be obtained as well, by eliminating the frequent
repetition at almost regular intervals of the code for a space character, by prefixing each word, encoded with a
Huffman code for letters only, with an indicator of the word's length, also Huffman-coded based on the frequency of
words of different lengths.
With this kind of an arrangement, the provision for punctuation marks and digits will probably be ad hoc rather than
based on exact frequency counts. Presumably, the codes for words of different lengths would be accompanied by a
code for switching to punctuation, and the common case of just one punctuation mark followed by a return to normal
text would have a relatively short code.
One can do slightly better than a Huffman code if one uses arithmetic coding. This allows symbols to be assigned a
fractional number of bits, to better fit the frequencies of symbols. There are patents affecting this technique as well,
and it involves quite a bit of extra trouble for a very small improvement.
The principle behind arithmetic coding is illustrated by this example: supposing we have five symbols, with the
following probabilities:
A 1/4 C 1/6
B 1/4 D 1/6
E 1/6
While representing A by 00 and B by 01 would be optimal, one would like to switch, when representing C, D, and E,
from starting with the base-2 digit 1 to a base-3 digit. This could be done, since if one's message were thought of as a
number, then the rule might be:
0 - 0.24999... multiply by 4,
discarding the integer part,
and write A.
0.25 - 0.49999... multiply by 4,

and write B.
0.5 - 0.66666... multiply by 6,

and write C.
0.66666... - 0.83333... multiply by 6,

and write D.
0.83333... - 0.99999... multiply by 6,

and write E.
This is obviously optimal for this particular alphabet. There are algorithms to allow arithmetic coding to be performed
without having to perform arithmetic on one's entire compressed message for every symbol being added to it.
A nomenclator might give two or three digit codes to every item it encodes, whether a single uncommon letter like Z,
or a common three-letter sequence like ENT or ING. This idea, using the unequal probabilities of a source stream to
map variable-length chunks of the source to fixed-length (and therefore convenient to handle) codes was explored in a
thesis by B. T. Tunstall, in which he showed that the following simple algorithm:
● Assign a code to each source symbol.

● Take the code with the highest probability, and remove the source string assigned to it from the list, and
instead assign a code to that source string followed by each possible source symbol.
● Repeat the preceding step until the required number of codes has been assigned.
is optimal if only individual symbol probabilities are taken into account. When other probabilities are taken into
account, by using bigram and trigram frequencies, one has a more accurate value for the probability of each code; but
one also can see that it makes no sense to assign a code to THZ just because one wishes to assign a code to THE:
thus, the proper way of assigning codes is more complicated. (If one has assigned codes for all common cases of a
letter following TH, should one retain a code for TH, or just retain codes for T and H?) The problem of performing
this type of coding optimally for sources with memory is still a current subject of research.
David A. Huffman passed away on October 7, 1999.
● The Representation of Speech

● Semi-Arithmetic Coding
● Character Codes
Next
Table of Contents
Home Page
The Representation of Speech

Historically, the primary use of encryption has been, of course, to protect messages in
text form. Advancing technology has allowed images and audio to be stored and
communicated in digital form. A particularly effective method of compressing images
is the Discrete Cosine Transform, which is used in the JPEG (Joint Photographic
Experts Group) file format.
When sound is converted to an analogue electrical signal by an appropriate transducer

(a device for converting changing levels of one quantity to changing levels of another)
such as a microphone, the resulting electrical signal has a value that changes over time,
oscillating between positive and negative.
A Compact Disc stores stereo musical recordings in the form of two digital audio
channels, each one containing 44,100 16-bit signed integers for every second of sound.
This leads to a total data rate of 176,400 bytes per second.
For transmitting a telephone conversation digitally, the same level of fidelity is not
required. Only a single audio channel is used, and only frequencies of up to 3000
cycles per second (or 3000 Hertz) are required, which requires (because of a
mathematical law called the Nyquist theorem) 6000 samples of the level of the audio
signal (after it has been bandlimited to the range of frequencies to be reproduced,
otherwise aliasing may result) to be taken each second.
For many communications applications, samples of audio waveforms are one byte in
length, and they are represented by a type of floating-point notation to allow one byte
to represent an adequate range of levels.
Simple floating-point notation, for an eight-bit byte, might look like this:
S EE MMMMM
0 11 11111 1111.1
0 11 10000 1000.0
0 10 11111 111.11
0 10 10000 100.00
0 01 11111 11.111
0 01 10000 10.000
0 00 11111 1.1111
0 00 10000 1.0000
The sign bit is always shown as 0, which indicates a positive number. Negative
numbers are often indicated in floating-point notation by making the sign bit a 1
without changing any other part of the number, although other conventions are used as
well. For comparison purposes, the floating-point notations shown have all been scaled
so that 1 represents the smallest nonzero number that can be indicated.
One way the range of values that can be represented can be extended is by allowing
gradual underflow, where an unnormalized mantissa is permitted for the smallest
exponent value.
S EE MMMMM
0 11 11111 11111000
0 11 10000 10000000
0 10 11111 1111100
0 10 10000 1000000
0 01 11111 111110
0 01 10000 100000
0 00 11111 11111
0 00 10000 10000
0 00 01111 1111
0 00 01000 1000
0 00 00111 111
0 00 00100 100
0 00 00011 11
0 00 00010 10
0 00 00001 1
Another way of making a floating-point representation more efficient involves noting

that, in the first case, the first mantissa bit (the field of a floating-point number that
represents the actual number directly is called the mantissa because it would
correspond to the fractional part of the number's logarithm to the base used for the
exponent) is always one. With gradual underflow, that bit is only allowed to be zero for
one exponent value. Instead of using gradual underflow, one could use the basic
floating-point representation we started with, but simply omit the bit that is always
equal to one.
This could produce a result like this:
S EEE MMMM
0 111 aaaa 1aaaa000
0 110 aaaa 1aaaa00
0 101 aaaa 1aaaa0
0 100 aaaa 1aaaa
0 011 aaaa 1aaa.a
0 010 aaaa 1aa.aa
0 001 aaaa 1a.aaa
0 000 aaaa 1.aaaa
Here, the variable bits of the mantissa are noted by aaaa, instead of being represented
as all ones in one line, and all zeroes in a following line, for both compactness and
clarity.
Today's personal computers use a standard floating-point format that combines gradual
underflow with suppressing the first one bit in the mantissa. This is achieved by
reserving a special exponent value, the lowest one, to behave differently from the
others. That exponent value is required to multiply the mantissa by the same amount as
the next higher exponent value (instead of a power of the radix that is one less), and the
mantissa, for that exponent value, does not have its first one bit suppressed.
Another method of representing floating point quantities efficiently is something I call

extremely gradual underflow. This retains the first one bit in the mantissa, but treats the
degree of unnormalization of the mantissa as the most significant part of the exponent
field. It works like this (the third column shows an alternate version of this format, to
be explained below):
S EE MMMMM S M EE MMMM
0 11 1aaaa 1aaaa000000000000000 0 1 11 aaaa
0 10 1aaaa 1aaaa00000000000000 0 1 10 aaaa
0 01 1aaaa 1aaaa0000000000000 0 1 01 aaaa
0 00 1aaaa 1aaaa000000000000 0 1 00 aaaa
S MM EE MMM
0 11 01aaa 1aaa000000000000 0 01 11 aaa
0 10 01aaa 1aaa00000000000 0 01 10 aaa
0 01 01aaa 1aaa0000000000 0 01 01 aaa
0 00 01aaa 1aaa000000000 0 01 00 aaa
S MMM EE MM
0 11 001aa 1aa000000000 0 001 11 aa
0 10 001aa 1aa00000000 0 001 10 aa
0 01 001aa 1aa0000000 0 001 01 aa
0 00 001aa 1aa000000 0 001 00 aa
S MMMM EE M
0 11 0001a 1a000000 0 0001 11 a
0 10 0001a 1a00000 0 0001 10 a
0 01 0001a 1a0000 0 0001 01 a
0 00 0001a 1a000 0 0001 00 a
S MMMMM EE
0 11 00001 1000 0 00001 11
0 10 00001 100 0 00001 10
0 01 00001 10 0 00001 01
0 00 00001 1 0 00001 00
Although usually a negative number is indicated simply by setting the sign bit to 1,
another possibility is to also invert all the other bits in the number. In this way, for
some of the simpler floating-point formats, an integer comparison instruction can also
be used to test if one floating-point number is larger than another.
This definitely will not work for the complicated extremely gradual underflow format
as it is shown here. However, that format can be coded so as to allow this to work, as
follows: the exponent field can be made movable, and it can be placed after the first 1
bit in the mantissa field. This is the format shown in the third column above.
When this is done, for very small numbers the idea of allowing the exponent field to
shrink suggests itself.
Thus, if the table above is continued, we obtain:
S EE MMMMM S MMMMM EE
0 11 00001 1000 0 00001 11
0 10 00001 100 0 00001 10
0 01 00001 10 0 00001 01
0 00 00001 1 0 00001 00
S MMMMMM E
N/A 0.1 0 000001 1
N/A 0.01 0 000001 0
S MMMMMMM
N/A 0.001 0 0000001
Something very similar is used to represent sound signals in 8-bit form using the A-
law, which is the standard for European microwave telephone transmission, and which
is also sometimes used for satellite audio transmissions. However, the convention for
representing the sign of numbers is different.
Also, if this method, with a two-bit exponent, were used for encoding audio signals
with 16 bits per sample, the result, for the loudest signals, would have the same
precision as a 14-bit signed integer, 13 bits of mantissa. Many early digital audio
systems used 14 bits per sample rather than 16 bits. But the dynamic range, the
difference between the softest and loudest signals possible, would be that of a 56-bit
integer.
One problem with using floating-point representations of signals for digital high-
fidelity audio - although this particular format seems precise enough to largely make
that problem minor - is that the human ear can still hear relatively faint sounds while
another sound is present, if the two sounds are in different parts of the frequency
spectrum. This is why some methods of music compression, such as those used with
Sony's MiniDisc format, Philips' DCC (Digital Compact Cassette), and today's popular
MP3 audio format, work by dividing the audio spectrum up into "critical bands", which
are to some extent processed separately.
Transmitting 6000 bytes per second is an improvement over 176,400 bytes per second,
but it is still a fairly high data rate, requiring a transmission rate of 48,000 baud.
Other techniques of compressing audio waveforms include delta modulation, where the
difference between consecutive samples, rather than the samples themselves, are
transmitted. A technique called ADPCM, adaptive pulse code modulation, works by
such methods as extrapolating the previous two samples in a straight line, and
assigning the available codes for levels for the current sample symmetrically around
the extrapolated point.
The term LPC, which means linear predictive coding, does not, as it might seem, refer
to this kind of technique, but instead to a method that can very effectively reduce the
amount of data required to transmit a speech signal, because it is based on the way the
human vocal tract forms speech sounds.
There is a good page about Linear Predictive Coding at this site.
In the latter part of World War II, the United States developed a highly secure speech
scrambling system which used the vocoder principle to convert speech to a digital
format. This format was then enciphered by means of a one-time-pad, and the result
was transmitted using the spread-spectrum technique.
The one-time-pad was in the form of a phonograph record, containing a signal which
had six distinct levels. The records used by the two stations communicating were kept
synchronized by the use of quartz crystal oscillators where the quartz crystals were
kept at a controlled temperature. The system was called SIGSALY, and an article by
David Kahn in the September, 1984 issue of Spectrum described it.
Speech was converted for transmission as follows:
The loudness of the portion of the sound in each of ten frequency bands, on average
280 Hz in width (ranging from 150 Hz to 2950 Hz), was determined for periods of one
fiftieth of a second. This loudness was represented by one of six levels.
The fundamental frequency of the speaking voice was represented by 35 codes; a 36th
code indicated that a white noise source should be used instead in reconstructing the
voice. This was also sampled fifty times a second.
The intensities of sound in the bands indicated both the loudness of the fundamental
signal, and the resonance of the vocal tract with respect to those harmonics of the
fundamental signal that fell within the band. Either a waveform with the frequency of
the fundamental, and a full set of harmonics, or white noise, was used as the source of
the reconstructed sound in the reciever, and it was then filtered in the ten bands to
match the observed intensities in these bands.
This involved the transmission of twelve base-6 digits, 50 times a second.
Since 6 to the 12th power is 2,176,782,336, which is just over 2^31, which is
2,147,483,648, this roughly corresponds to transmitting 200 bytes a second. This uses
only two-thirds of the capacity of a 2,400-baud modem, and is quite a moderate data
rate.
The sound quality this provided, however, was mediocre. A standard for linear
predictive coding, known as CELP, comes in two versions which convert the human
voice to a 2,400-baud signal or to a 4,800-baud signal.
Next
Table of Contents
Home Page
Semi-Arithmetic Coding
It was noted that a method of compression called arithmetic coding allows an
additional amount of compression to be achieved over and above that provided by
Huffman coding, since the effective length of the symbols used may now be in
arbitrary fractions of a bit.
A simplified compression algorithm might be considered, where some fractions of a

whole bit are allowed, but not arbitrary ones, so that the coding of symbols might still
proceed in fixed blocks.
For example, one could design a coding tree such that at each level, either two or three
alternatives existed, so that only base-2 or base-3 digits are used. An example of such a
tree for the 26 letters of the English alphabet might be, based on the letter frequencies
used previously as given by Jim Gillogly, without making any claim for optimality:
e 000 g 01B10 b 1AC10 k 1B11110 i 1CB

t 001 y 01B11 p 1AC11 x 1B111110 n 1CC
c 01AA o 01C a 1B0 j 1B111111A
m 01AB r 1AA d 1B10 q 1B111111B
w 01AC s 1AB f 1B110 z 1B111111C
l 01B0 u 1AC0 v 1B1110 h 1CA
This code, as it is patterned after arithmetic coding, has the additional prefix property
that at any stage one knows whether the next symbol is a two-way branch (0 or 1) or a
three-way branch (A, B, or C).
As 3 to the 5th power is 243, a simple way of encoding five base-3 digits in 8 bits can
be used, following this scheme:
Let us designate our five base-3 digits as pqrst. Then, in the resulting binary code, we
can use QQ, RR, SS, and TT to represent the last four digits, as coded by the scheme:
A 00
B 01
C 10
Then, we might code groups of five base-3 digits to groups of eight bits as follows:
Aqrst QQRRSSTT
BArst 11RRSSTT
BBrst RR11SSTT
BCrst RRSS11TT
CArst RRSSTT11
CBAst 1111SSTT
CBBst 11SS11TT
CBCst 11SSTT11
CCAst SS1111TT
CCBst SS11TT11
CCCst SSTT1111
Thus, the positions of the inadmissible 11 value are used to encode first the first base-3
digit, and then others for which no room is left to directly code. The later section From
47 bits to 10 letters discusses the principle behind this form of coding, and notes that it
was originated by IBM as an efficient way of storing decimal digits on a binary
medium.
Here we are, now: we have a code to convert a sequence of letters into base-2 and base-
3 digits; the codes always begin with a base-2 digit, and we always know what kind of
digit is to come next, and we have a reasonably efficient way of converting base-3
digits into bits.
One way to handle a message compressed in this way would be to decompress it by

taking bytes starting from the beginning of our message as our source of bits, and bytes
starting from the end of the message as our source of base-3 digits. Then, when these
two streams met in the middle, we would know our message had concluded.
An example of coding a message in this way would be:
NOW IS THE TIME
becomes
1CC01C01AC1CB1AB0011CA0000011CB01AB000
which, when separated into bit and base-3 digit streams, becomes
10101110011000001101000 and
CCCACCBABCACBAB
thus, our message begins with the bytes

10101110 01100000 1101000x
where the x indicates a bit to be filled with padding, which, for this example, will be
assumed to be zero, and the base-3 digits, which are converted to bytes which start
from the end of the message, convert to bytes as follows:
CCCAC 00101111
CBABC 11110110
ACBAB 10010001
and so the message becomes, in its final form,
10101110 01100000 11010000 10010001 11110110 00101111
Next
Table of Contents
Home Page
Character Codes
As noted in the page on data compression, text can be represented more efficiently using Huffman coding. Since text is
composed of words having lengths in a relatively narrow range, separated from each other by single spaces, a multi-state
Huffman code, with one set of symbols for word lengths, and another set of symbols for letters, can be used, and it has the
added attraction of obscuring this aspect of the structure of a text document.
Even when it is not intended to perform explicit compression, codes representing characters for transmission can be
designed for efficiency.
ITA 2, 5-level code, or the Murray code, generally known as Baudot, as it is based on his principle, even if it does not
resemble his original code,
uses only five bits to represent a character, but sometimes extra characters are needed to shift between cases.
ASCII requires seven bits per character, and is simpler to use, since no shifts are required:
0 0 0 0 1 1 1 1
0 0 1 1 0 0 1 1
0 1 0 1 0 1 0 1
0000 NUL DLE 0 @ P ` p
0001 SOH DC1 ! 1 A Q a q
0010 STX DC2 " 2 B R b r
0011 ETX DC3 # 3 C S c s
0100 EOT DC4 $ 4 D T d t
0101 ENQ NAK % 5 E U e u
0110 ACK SYN & 6 F V f v
0111 BEL ETB ' 7 G W g w
1000 BS CAN ( 8 H X h x
1001 HT EM ) 9 I Y i y
1010 LF SUB * : J Z j z
1011 VT ESC + ; K [ k {
1100 FF FS , < L \ l |
1101 CR GS - = M ] m }
1110 SO RS . > N ^ n ~
1111 SI US / ? O _ o DEL Delete
But with seven bits per character, the temptation is strong to use a whole 8-bit byte for a character.
Originally, there were many versions of 8-bit ASCII in use, providing extra characters on a number of computer systems.
One common 8-bit ASCII character set found on printers was the one which supported the Japanese katakana syllabary; the
IBM PC, the Macintosh, and the Atari ST all had their own 8-bit character sets. Today, there is a standard; the Amiga was
one of the first computers to use it, but it is also used in most fonts in Microsoft Windows. In this standard, the extra
characters consist of 32 additional control characters, followed by 95 printable characters, most of which are accented
letters for the major European languages. Characters commonly found on typewriters, including a superscript 2 and 3, but
not a complete set of superscripts, for use in typing measurements, are found. Where the OE ligature was originally placed,
the arithmetic symbols for multiplication and division were put in the middle of the accented letters, rather than with the
new graphic symbols (this part of the standard was still undecided when the Amiga was designed, so those two characters
were omitted from its character set; some printers have the original version as a "Unix character set").
Various languages have their own variants of ASCII. Many of them are described and illustrated here, on Roman
Czyborra's web page.
While printers often have their own escape code sequences to switch between some of these character sets, today there are
ambitious proposals to create a single code to encompass nearly all the world's languages.
There is the 16-bit Unicode character set, and the larger 31-bit ISO 10646 character set which includes it.
For transmitting such characters, an elegant (if somewhat inefficient) scheme which represents all 7-bit ASCII characters in
a single byte known as UTF-8 is the current standard.
In UTF-8, characters, considered to have 31-bit values, are encoded as follows:
Character: Representation:
0000000 00000000 00000000 0abcdefg : 0abcdefg
0000000 00000000 00000ABC Defghijk : 110ABCDe 10fghijk
0000000 00000000 ABCDEfgh ijklmnop : 1110ABCD 10Efghij 10klmnop
0000000 000ABCDE fghijklm nopqrstu : 11110ABC 10DEfghi 10jklmno 10pqrstu
00000AB CDEfghij klmnopqr stuvwxyz : 111110AB 10CDEfgh 10ijklmn 10opqrst 10uvwxyz
ABCDEfg hijklmno pqrstuvw xyzabcde : 1111110A 10BCDEfg 10hijklm 10nopqrs 10tuvwxy
10zabcde
The capital letters denote bits that must not all be zero. These bits are showed by areas peppered with dots in the diagram
below:
This coding has many desirable properties, one of which is that is unambiguous which transmitted bytes begin a character,
and which merely continue one. Also, there are no shifted states in the code. This coding also does not affect mechanical
sort order of strings.
However, it allows only 2,048 characters to be encoded in two bytes; yet, many existing codes allow over 8,000 Chinese
characters to have two-byte codes. Also, this means that every letter in a Greek or Hebrew language document will take up
two bytes, and every symbol in a Thai-language document will take three bytes. Being able to shift into a character set
appropriate to the language to be used would seem to be an important property for an efficient coding.
If one is prepared to surrender the desirable properties of this coding, there is sufficient room within it that an efficient
coding could be created that is compatible with it.
One way this could be done is by adding these codes:

110ABCDe 01fghijk
- character ABCDefghijk
- shift into mode where 1pqrstuv means character ABCDpqrstuv
1110ABCD 10Efghij 01klmnop

- character ABCDEfghijklmnop
- shift into mode where 1pqrstuv means character ABCDEfghipqrstuv
and so on. Having the second-last byte, instead of the last byte, of the form 01xxxxxx would indicate shifting into a mode
where two bytes of the form 1xxxxxxx xxxxxxxx indicate a character contained in the same 32,768 character expanse as
the character whose code was thus modified.
Leaving any of these modes would require the use of a control character, perhaps SO (shift out).
And this would still leave room for an additional set of more efficient codes for characters:
10xxxxxx 0xxxxxxx
10xxxxxx 1xxxxxxx 0xxxxxxx
10xxxxxx 1xxxxxxx 1xxxxxxx 0xxxxxxx
and so on.
Next
Table of Contents
Home Page
Base-26 Armor
Since
2^47 = 140,737,488,355,328 and

26^10 = 141,167,095,653,376
ten letters can represent 47 bits with fairly good efficiency. In fact, the information content of 10
letters from a 26-character alphabet amounts to 47.00439718 bits, less than 1/227th of a bit extra.
However, one would like to avoid performing 48-bit multiplications to do the conversion.
A method devised by IBM for representing three decimal digits in 10 binary bits can illustrate a way
in which to do this.
Illustrative Example: Encoding of 3 Digits in 10 Bits
Let ooo (or ppp, qqq) represent a digit from 0 to 7 represented by the following code:
000 0
001 1
010 2
011 3
100 4
101 5
110 6
111 7
and let d (or e, f) represent a digit from 8 to 9 in the following code:
0 8
1 9
then, any three decimal digits can be represented within 10 bits as follows:
0ooopppqqq (3 digits with 3 bits - 1 way)

100dpppqqq (2 digits with 3 bits, 1 digit with 1 bit - 3 ways)
101oooeqqq
110ooopppf
11100deqqq (1 digit with 3 bits, 2 digits with 1 bit - 3 ways)
11101dpppf
11110oooef
1111100def (3 digits with 1 bit - 1 way)
with 24 unused combinations remaining.

This method of encoding was patented by IBM, in U.S. patent 3,842,414. This patent was filed on
June 18, 1973, and granted on October 15, 1974.
It may or may not already be obvious, but the table illustrating the decimal to binary code is based on
ooo, ppp, and qqq representing the first, second, and third digits respectively (if they are from 0 to 7)
and on d, e, and f representing the first, second, and third digits respectively if they are instead either 8
or 9. This same notational convention will be used within the description of the coding that takes 47
bits to ten letters.
Here, we have some binary values left over, so we can go from decimal to binary, but we cannot use
this code to represent arbitrary binary data as decimal digits without some modification.
With the lengths that I am choosing, it will be the other way around for letters; we will use all possible
binary combinations, and still have a few alphabetic combinations left over.
Coding bits as letters
Because the conversion from 47 bits to 10 letters is very efficient, a direct coding, since it would use a
large number of possible codes, would be very complicated. Instead, to derive a coding the description
of which would be reasonable in length, I have chosen to describe a method that has a two-layer
structure.
Shorter codings: the basis
First, we will represent 14 binary bits as three letters.
aaaa (or bbbb, cccc) will represent a letter from the code:
0000 A 0001 B 0010 C 0011 D 0100 E 0101 F 0110 G 0111 H

1000 I 1001 J 1010 K 1011 L 1100 M 1101 N 1110 O 1111 P
iii (or jjj, kkk) will represent a letter from the code:
000 Q 001 R 010 S 011 T 100 U 101 V 110 W 111 X
and m (or n, o) will represent a letter from the code:
0 Y 1 Z
Then, a coding generating three letters from 14 bits looks like the following:
00aaaabbbbcccc (4,4,4: 1 way)

010iiibbbbcccc (3,4,4: 3 ways)
011aaaajjjcccc
100aaaabbbbkkk
1010iiijjjcccc (3,3,4: 3 ways)
1011iiibbbbkkk
1100aaaajjjkkk
11010iiijjjkkk (3,3,3: 1 way)
11011mbbbbcccc (1,4,4: 3 ways)
11100aaaancccc
11101aaaabbbbo
111100mjjjcccc (1,3,4: 6 ways: 4 used here.)
111101mbbbbkkk
111110iiincccc
111111aaaankkk
This shorter coding of 14 bits as three letters is not quite as efficient as the overall coding of 47 bits to
ten letters we will construct using it as a component. 3 times 14 is 42, and so there are five bits left,
which don't quite fit in one letter. If the first five bits represent a number from 0 to 25, then they can
represent a letter, using the codings shown above, in one of the forms 0aaaa, 10iii, or 1100m.
Otherwise, codings which use the combinations of three letters which are not used by the above
coding of fourteen bits to three letters are used. These codings don't encode fourteen bits, since only a
small fraction of the possible combinations of three letters are left.
Other component codes
Some more codings, using the unused letter combinations, are now constructed for use in producing a
coding of 47 bits into ten letters that is manageable to describe, since a direct coding is very long and
complicated.
There are still some possible arrangements of three letters left over, although the number is now rather
small. 10 bits can still be encoded in those which remain, as follows:
00iiibbbbo (1,3,4: 6 ways: 2 remaining for use here)

01aaaajjjo
100mjjjkkk (1,3,3: 3 ways)
101iiinkkk
110iiijjjo
1110mncccc (1,1,4: 3 ways: 2 used here)
1111mbbbbo
And 7 bits can still be encoded in the few now remaining:
0aaaano (1,1,4: 3 ways: 1 remaining for use here)

10mnkkk (1,1,3: 3 ways: 2 used here)
11mjjjo
The remaining combinations make 5:
iiino
and 3 bits:
mno
The code for 47 bits
To encode 47 bits as ten letters, we now proceed as follows, using the codings that we've constructed
so far.
aaaa, iii, or m represent the first of the 10 letters.
The remaining letters are divided into three groups of three, coded using the method above.
For the first group of three, the 14, 10, 7, and 5 bit codings are represented by AAAAAAAAAA,
FFFFFF, PPP, and X respectively; for the second, BBBBBBBBBB, GGGGGG, QQQ, and Y; for the
third, CCCCCCCCCC, HHHHHH, RRR, and Z. The 3 bit coding is not required. Note that the length
of the strings is equal to the length of the coding in bits minus 4, so that the length of the symbols used
here are constant.
47 bits become 10 letters as follows:
0aaaaAAAAAAAAAABBBBBBBBBBCCCCCCCCCC (14,14,14, 1 way)

10iiiAAAAAAAAAABBBBBBBBBBCCCCCCCCCC (14,14,14, 1 way)
1100mAAAAAAAAAABBBBBBBBBBCCCCCCCCCC (14,14,14, 1 way)
11010aaaaFFFFFFBBBBBBBBBBCCCCCCCCCC (10,14,14, 3 ways)
11011aaaaAAAAAAAAAAGGGGGGCCCCCCCCCC
11100aaaaAAAAAAAAAABBBBBBBBBBHHHHHH
111010iiiFFFFFFBBBBBBBBBBCCCCCCCCCC (10,14,14, 3 ways)
111011iiiAAAAAAAAAAGGGGGGCCCCCCCCCC
111100iiiAAAAAAAAAABBBBBBBBBBHHHHHH
11110100mFFFFFFBBBBBBBBBBCCCCCCCCCC (10,14,14, 3 ways)
11110101mAAAAAAAAAAGGGGGGCCCCCCCCCC
11110110mAAAAAAAAAABBBBBBBBBBHHHHHH
11110111aaaaPPPBBBBBBBBBBCCCCCCCCCC (7,14,14, 3 ways)
11111000aaaaAAAAAAAAAAQQQCCCCCCCCCC
11111001aaaaAAAAAAAAAABBBBBBBBBBRRR
111110100aaaaFFFFFFGGGGGGCCCCCCCCCC (11,11,14, 3 ways)
111110101aaaaFFFFFFBBBBBBBBBBHHHHHH
111110110aaaaAAAAAAAAAAGGGGGGHHHHHH
111110111iiiPPPBBBBBBBBBBCCCCCCCCCC (7,14,14, 3 ways)
111111000iiiAAAAAAAAAAQQQCCCCCCCCCC
111111001iiiAAAAAAAAAABBBBBBBBBBRRR
1111110100iiiFFFFFFGGGGGGCCCCCCCCCC (11,11,14, 3 ways)
1111110101iiiFFFFFFBBBBBBBBBBHHHHHH
1111110110iiiAAAAAAAAAAGGGGGGHHHHHH
1111110111aaaaXBBBBBBBBBBCCCCCCCCCC (5,14,14, 3 ways)
1111111000aaaaAAAAAAAAAAYCCCCCCCCCC
1111111001aaaaAAAAAAAAAABBBBBBBBBBZ
11111110101mPPPBBBBBBBBBBCCCCCCCCCC (7,14,14, 3 ways)
11111110110mAAAAAAAAAAQQQCCCCCCCCCC
11111110111mAAAAAAAAAABBBBBBBBBBRRR
11111111000iiiXBBBBBBBBBBCCCCCCCCCC (5,14,14, 3 ways)
11111111001iiiAAAAAAAAAAYCCCCCCCCCC
11111111010iiiAAAAAAAAAABBBBBBBBBBZ
111111110110aaaaPPPGGGGGGCCCCCCCCCC (7,11,14, 6 ways)
111111110111aaaaPPPBBBBBBBBBBHHHHHH
111111111000aaaaFFFFFFQQQCCCCCCCCCC
111111111001aaaaAAAAAAAAAAQQQHHHHHH
111111111010aaaaFFFFFFBBBBBBBBBBRRR
111111111011aaaaAAAAAAAAAAGGGGGGRRR
1111111111000aaaaFFFFFFGGGGGGHHHHHH (11,11,11, 1 way)
1111111111001iiiPPPGGGGGGCCCCCCCCCC (7,11,14, 6 ways)
1111111111010iiiPPPBBBBBBBBBBHHHHHH
1111111111011iiiFFFFFFQQQCCCCCCCCCC
1111111111100iiiAAAAAAAAAAQQQHHHHHH
1111111111101iiiFFFFFFBBBBBBBBBBRRR
1111111111110iiiAAAAAAAAAAGGGGGGRRR
1111111111111mXBBBBBBBBBBCCCCCCCCCC (5,14,14, 3 ways, 1 used)
Attempting to produce a direct coding, using the aaaa/iii/m symbols for individual letters, produces a
very long list of codes. This nested approach is considerably more manageable.
Here is an example, to help illustrate the above.
The 47-bit string
11100011100011100011100011100011100011100011100
will code as follows:
11100 aaaa (14-bits/3 lt) (14-bits/3 lt) (10 bits )

0111 00011100011100 01110001110001 1100011100
H 00aaaabbbbcccc 011aaaajjjcccc 110iiijjjo
H B M I X B R WY
to produce HHBMI XBRWY as its representation.
Next
Table of Contents
Home Page
A Method of Armor-Related Fractionation

In addition to ciphers operating on binary bits and ciphers operating on letters in the
conventional 26-letter alphabet, ciphers operating on base-3 and base-5 strings of
symbols can be applied to the encryption of both bits and letters, but in different ways.
125, which is 5^3, is very close to 128, which is 2^7. And the difference between the
two numbers is 3. On the other hand, 32, which is 2^5, minus 27, or 3^3, is 5. So, if a
string of binary bits is broken into groups of seven and five bits, one can produce base-
3 and base-5 symbols from it; the seven-bit chunks will favor base-5 symbols, and the
five-bit chunks will favor, less strongly, base-3 symbols.
On the other hand, 25 is 5^2, and 27 is 3^3, and they bracket 26 on either side. These
modified alphabets have long been used in manual fractionation systems. An
interesting possibility for a computerized system would be to use the fact that 25*27 is
675, one less than 676, or 26 squared. Except, therefore, for choosing one digraph to be
ignored, a string of letters could be converted into strings of base-5 and base-3 digits.
We have just seen an efficient coding which allows 47 binary bits to be represented as
10 letters. Since both bits and letters can be converted to symbols from an alphabet of 3
and from an alphabet of 5 for fractionation, one could divide a binary message into
blocks of 47 bits, and convert half of them before fractionation and half after based on
a pseudorandom sequence of bits.
The blocks of 47 bits which are still in binary form would be grouped for fractionation
in a number of ways, from 5+5+5+5+5+5+5+5+7 to 7+7+7+7+7+7+5. (Unfortunately,
more equal divisions are not available. However, this can be dealt with by considering
the binary blocks in pairs whenever possible, even if they are not contiguous. A pair
could then be handled as nine groups of five bits and seven groups of seven bits.) As
noted above, the groups of seven bits usually become three base-5 digits, but
occasionally become one base-3 digit, and the groups of five bits usually become three
base-3 digits, but occasionally become one base-5 digit.
The blocks that are in alphabetic form are divided into pairs of letters, and all but one
value would become two base-5 digits and three base-3 digits.
Then, after performing a polygraphic substitution or a transposition on the base-3 and

base-5 digits we have obtained, we reconstitute the alphabetic or binary blocks. The
base-3 digits and base-5 digits are allocated to the groups of 7 or 5 bits, and the groups
of two letters, such that each is of exactly the same type as we started with. Thus, the
information on which groups became the most common combinations of base-3 or
base-5 digits, and which became the less common combinations, is preserved, allowing
reversing the encryption process on those digits to enable the full reversal of the whole
complex encryption step. (Symbol type can be considered to be a separate type of
information as well, also subject to encipherment, but only by transposition, so that the
other information may be placed within the output. Note that on decipherment, symbol
type must be recalculated by repeating the encipherment step, not by attempting to
perform the decipherment form of the transposition, since information on whether a bit
belongs to a group of 5 bits or 7 bits is not present in the message.)
The following is an attempt at an illustration of the procedure.
First, we convert part of the binary message to alphabetic form.
10110100110001001110100101000101111010101111011
00000111010001011111010011010111010111011101101
0aaaa(14 bits/3 lt)(14 bits/3 lt)(14 bits/3 lt)
A11101aaaabbbbo1010iiijjjcccc1011iiibbbbkkk
B HZ T S O V N V
10110001111010001101101110011000001111010111011
Then, we take the message in its mixed form, and convert it to base-3 and base-5
symbols, using the different appropriate methods for its binary and alphabetic parts.
10110 1001100 01001 11010 01010 0010111 1010101 11101 1

CBA 312 BAA ACB CAC 423 153 AAC
AB HZ TS OV NV
24CBC 13AAB 42CCA 51BAC 12ACB
1011 0001111 01000 1101101 1100110 0000111 10101 11011

ACC 451 5 345 122 553 BBB ACC
The base-3 and base-5 components of the message are then separated out, and
enciphered independently. One effective method for doing so is to transpose, substitute,
and then transpose again. The substitution can be done from a table; perhaps one with
625 entries for enciphering base-5 symbols, and one with 243 entries for enciphering
base-3 symbols.
Base 3:
CONTINENTAL
-----------
CBABAAACBCA
CAACCBCAABC
CABACACBACC
BBBACC
CBC CCCB ACC ACCC ACC AABB ABAC CAB BAAB BCAA BAA
CBCCC CBACC ACCCA CCAAB BABAC CABBA ABBCA ABAA
ABACB BACCA CBACB ABACC CABAB ACBAC BABAC ABAA
IMPERIAL
--------
ABACBBAC
CACBACBA
BACCCABA
BACBACBA
BACABAA
ABBBA CBCBA ACBBB BCACA CAAA BAAAA ACCCC BACAB
Base 5:
DELUXE
------
312423
153241
342511
245153
451225
53
313245 154453 31135 23251 42512 24152

3132 4515 4453 3113 5232 5142 5122 4152
1211 3154 2213 3512 4133 2133 1145 3421
PROPINQUITY
-----------
12113154221
33512413321
3311453421
324 232 145 151 133 111 513 233 221 434 11
Then, we complete the fractionation process by reconstituting a mixed binary and

alphabetic message in the same form as the one with which we began, from the
enciphered base-3 and base-5 symbols.
ABB 324 BAC BCB AAC 232 145 BBB

01110 0110100 11001 00011 11101 1001011 1110010 10101 0
15BCA 11CAC 33AAA 11BAA 15AAA

LS TU VR QM NP
CCC 132 3 322 143 411 CBA CAB

0110 1101001 11110 0100100 0011000 1011010 10110 01101
Finally, we convert the remaining binary blocks to alphabetic, thus completing the
armoring step of converting an initially all-binary message to an all-alphabetic form for
transmission. Such a method should truly blur the boundaries between bits and letters.
A Table of Powers, useful for devising other elaborate methods of fractionation

involving symbols from alphabets of different lengths.
Next
Chapter Start
Table of Contents
Home page
Tying Up Loose Ends

This section is about a messy little topic that still has to be handled properly in many encryption applications if
security is to be maintained.
The Armor Scheme for Even Blocks
If every message were an exact multiple of 47 bytes in length, it would be very easy to apply the complicated
fractionation methods outlined in the preceding sections to encryption.
First, take the message, and encrypt it while it is in binary form.
Then, breaking the message up into 47-byte chunks, for each chunk generate six pseudorandom bits. Convert that
into eight bits which include four 1s and four 0s, using a 4-of-8 code.
Four 47-bit segments of the chunk are immediately converted to ten letters each, and four remain unconverted.
The letters are converted to base-3 and base-5 digits in pairs. The bits are converted in groups of 5 bits and groups
of 7 bits, eighteen groups of 5 bits and fourteen groups of 7 bits.
The base-3 and base-5 digits thus produced are independently enciphered independently of each other, then
reconstituted to form bits and letters once again. Then the binary chunks are converted to ten letters each.
At this point, 47 bytes of the original binary compressed plaintext (and this is indeed where the problem comes in:
Huffman compression produces messages that are an arbitrary number of bits in length, not in whole bytes, never
mind exact multiples of 47 bytes) have become 80 letters.
And this number is a multiple of four, so the next step works out evenly as well. Using the following code for the
first letter of a group of four:
A 111 D 121 G 131 J 211 M 221 P 231 S 311 V 321 Y 331

B 112 E 122 H 132 K 212 N 222 Q 232 T 312 W 322 Z 332
C 113 F 123 I 133 L 213 O 223 R 233 U 313 X 323
and using the three digits thus produced to modify the remaining three letters in that group as follows:
ABCDEFGHIJKLMNOPQRSTUVWXYZ
----------------------------
1 %&'()*+,./0123456789:;<=>?
2 ABCDEFGHIJKLMNOPQRSTUVWXYZ
3 abcdefghijklmnopqrstuvwxyz
we now produce a line of 60 characters from an alphabet of 78 characters, suitable for efficient transmission as a
text string. While trying to have a simple ASCII coding, the first set of equivalents is made slightly more
complicated to avoid using the dollar sign ($), which is different in some national versions of ASCII, and to avoid
using the minus sign (-) which has a special meaning at the start of a line for some Internet messages.
Then, an error-correcting code can be applied to the line of 60 7-bit characters. One might produce 28 bits of error-
checking information from four 7-bit accumulators, rotated according to different schemes (one rotated only after
every 49 characters added to the three illustrated in the diagram, so that a single-bit error in the line can be
uniquely located, and with the result that 28 rather than 21 bits of error-checking information are produced).
To keep a correspondence between the bits of the error-checking characters and the bits they encode (so that
single-bit errors in transmission don't propagate in the error-checking part of the code in a way the code was not
designed to handle), and yet use only acceptable characters, the following code which places five bits in a
character might be used:
0 0 1 1
-------
000|P H p h
001|Q I q i
010|R J r j
011|S K s k
100|T L t l
101|U M u m
110|V N v n
111|W O w o
and thus a line might consist of 60 characters from the 78-character alphabet, a space, and six error-checking
characters from this 32-character alphabet, one of which would only take on eight possible values.
Dealing with Incomplete Blocks
But as noted, this is all well and good if the message consists entirely of exact chunks of 47 bytes. What happens
if the last chunk falls short, how can we deal with this?
Dealing with the Incomplete Byte
At the beginning of binary encipherment, just after the message has been compressed, it is reasonable to at least
pad the message to a whole number of bytes, so that the entire encipherment process does not have to
continuously account for an odd number of bits.
For a hash function, a common method of padding is this: append a single 1 bit to the end of the message, and
then append as many 0 bits as required to make the message come out to an even number of blocks.
This is not very suitable for encipherment, as it creates a likelihood that the message will end in a sequence of
zeroes. Here is a method that lets each individual bit of the end of the message be equally likely to be a 1 or a 0.
Consider only the last 6 through 13 bits of the message. (Since this includes eight consecutive values, one of these
values can always be chosen to make the preceding part of the message consist entirely of whole bytes.)
These will be encoded into two bytes which contain the following three fields (the last one may have zero length)
in order:
● Three bits will contain a number from 0 to 7, indicating how many bits of random padding have been
added to the message.
● The 6 through 13 remaining bits of the message.
● From 7 down to 0 bits of random padding.
Terminating Compression
Although this kind of padding does ensure that each bit is equally likely to be a 0 or a 1, it does not complicate a
brute-force search by ensuring that any random bit sequence, after being unpadded, will be one that decompresses
by the compression method used, to a whole number of symbols. This problem can be dealt with by applying
some form of encryption before padding, such as choosing the codes for Huffman coding in a random order.
However, it is possible to address this without introducing bias into the compressed form of the message. The key
insight is that Morse code is an example of a method of encoding binary strings that also takes advantage of length
information, and so if we encode the last symbol in a code similar to Morse code we can ensure that wherever the
message ends, it can decompress to something. However, to avoid ambiguity, we must exclude symbols that start
with one of our Huffman symbols.
For example, for a message composed only of letters, we might try to use the following Huffman and pseudo-
Morse codes:
Letter Huffman Code Letter Pseudo-Morse Code

(1) (2)
E 000 E --- <null string>
T 001 T E 0
A 0100 A T 1
O 0101 O A 00
I 0110 I O 01
H 0111 H I 10
N 1000 N H 11
S 1001 S N 010
R 1010 R S 011
D 10110 D R 100
L 10111 L D 101
U 11000 U L 110
M 11001 M U 111
W 11010 W M 1011
C 11011 C W 1100
Y 11100 Y C 1101
F 111010 F Y 1110
G 111011 G F 1111
P 111100 P G 11101
B 111101 B P 11110
V 111110 V B 11111
K 1111110 K V 111111
X 11111110 X K 1111111
J 111111110 J X 11111111
Q 1111111110 Q J 111111111
Z 1111111111
where, for the last symbol in the compressed ciphertext, column (1) normally applies, but column (2) applies after
Z, ZQ, ZQQ, ZQQQ, and so on.
This is because we have run into trouble. We have run out of available Pseudo-Morse codes before having found
an equivalent for the least frequent letter, Z.
The number of Morse code symbols with four or fewer dots and dashes is 30, and considering the null string, we
obtain 31 symbols, one less than 32, the number of five-bit strings. Since these two different cases of a Morse
code avoiding the symbols in another prefix-property code both have the property that the Morse code has exactly
one symbol less, it becomes interesting to ask if this is always the case.
Surprisingly, the answer is yes.
The minimal case of a pseudo-Morse code and its corresponding Huffman code is:
Huffman code symbols: [0], [1]

Pseudo-Morse code symbols: [<null string>]
In this case, there is one more Huffman code symbol than there are pseudo-Morse symbols.
Any Huffman code can be obtained from the minimal Huffman code by successive transformations of the
following form: replace one symbol in the Huffman code by both itself followed by 0 and itself followed by 1.
Then, the pseudo-Morse code is also modified: the old symbol in the Huffman code that was replaced is added to
it.
Since both codes have exactly one element added to them by this operation, it is still true that the Huffman code
has exactly one more symbol in it than its corresponding pseudo-Morse code. This is therefore always true, by
mathematical induction.
There are a number of ways to deal with this problem, but now that we know that we will always have the
problem, and it will always only involve the least frequent symbol, it becomes easier to see which of them are
most appropriate.
● We could exclude the null string as a possible pseudo-Morse symbol. Then, all the strings which exactly
match a Huffman string would be usable as symbols, so we would always have more Pseudo-Morse bit
strings than Huffman bit strings.
● Or, we could use the Pseudo-Morse symbol for Q to stand for <nothing> and if our message ended in a Q
or Z, we simply end by using its Huffman code followed by the Pseudo-Morse code for <nothing>. In that
case, though, we have two rare symbols following one another.
● This can be improved by having two versions of the Pseudo-Morse code. One is used to follow the
Huffman symbol for any character other than Q or Z, and does not include a symbol for <nothing>, and
therefore does include a symbol for Q (but not Z). The other, following the Huffman symbols for Q and Z,
has a code for <nothing> but not for either Q or Z. In this case, since J is more common than Q and Z
combined, the symbol for <nothing> would still be the longest in the code, but in cases where the tail of the
frequency distribution is flatter, the symbol for <nothing> might move upwards in the code.
● Or, when <nothing> ends a message, assign the shortest Huffman codes to the characters that need to be
followed by it, so that E<nothing> stands for Q, and T<nothing> stands for Z.
● Finally, as actually recommended above, following Z or in a string of "Q"s of any length preceded by Z,
use a second version of the Pseudo-Morse code in which there is no code for Q or Z, but the code for
<nothing> is the shortest character; following anything else, use the normal version of the Pseudo-Morse
code in which there is a code for every letter except Z.
However, the first four methods, of which the fourth is the most efficient, all involve backtracking. Thus, the fifth
method, which is both efficient and which can be implemented without backtracking in either encoding or
decoding, is the most suitable.
Ignoring this detail for the moment, we can illustrate how well this scheme works by an example:
Let our message, using the convention given above, be nnn01010 10101010, where nnn takes on all possible
values from 0 to 7. Does the message have a valid decoding for each value of nnn?
Message: Decoding:
000 01010 10101010 0101 A 0101 A 0101 A 0 T
001 01010 1010101x 0101 A 0101 A 0101 A <null string> E
010 01010 101010xx 0101 A 0101 A 010 S
011 01010 10101xxx 0101 A 0101 A 01 I
100 01010 1010xxxx 0101 A 0101 A 0 T
101 01010 101xxxxx 0101 A 0101 A <null string> E
110 01010 10xxxxxx 0101 A 010 S
111 01010 1xxxxxxx 0101 A 01 I
The basic idea shown here is based on a description by David A. Scott of ideas used in his encryption programs,
but he is not responsible for the details of my proposal/example. Although I believe that this idea has probably
been thought of before, perhaps very early in the development of binary prefix-property codes, I suspect it is
entirely possible that Mr. Scott may well be the originator of the concept of generalizing this principle to
arithmetic coding.
There is even available an encryption program by Matt Timmermans which makes use of his compression
principle as well.
Terminating Block Cipher Use
At this point, we now have a binary message that is a whole number of bytes in length. Such a message is
convenient for encrypting by a large number of techniques. Among one of the techniques we are likely to apply to
a binary message would be a block cipher, such as DES (which is still the best-known one, even if its key is too
short by today's standards).
But we've only ensured that our message is made up of a whole number of bytes, not a whole number of eight-
byte (or sixteen-byte, if we're using one of the AES candidates) blocks!
This is not a problem. We can encipher a message with the "wrong" number of bytes in it as follows:
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
| 1| 2| 3| 4| 5| 6| 7| 8| 9|10|11|12|13|14|15|16|17|18|19|
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
| | | | | | | | | | | | | | | | | | |
---------------------- ---------------------- | | |
| DES || DES | | | |
---------------------- ---------------------- | | |
| | | | | | | | | | | | | | | | | | |
| | | | | | | | | | | ----------------------
| | | | | | | | | | | | DES |
| | | | | | | | | | | ----------------------
| | | | | | | | | | | | | | | | | | |
that is, after enciphering as much of the message as possible in whole eight-byte blocks, if there are between one
and seven left-over bytes, then encipher the last eight bytes of the message again, thus including the left-over
bytes with some bytes that have already been enciphered to make a whole block.
Bruce Schneier's justly famed book Applied Cryptography illustrates a somewhat modified technique for
accomplishing this purpose, called ciphertext stealing.
It differs from what is shown in the diagram above by making the extra block, which still contains the three left-
over bytes and the last five already-encrypted bytes, out of the three left-over bytes first, and then the five already-
encrypted bytes afterwards.
It looks like this:
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
| 1| 2| 3| 4| 5| 6| 7| 8| 9|10|11|12|13|14|15|16|17|18|19|
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
| | | | | | | | | | | | | | | | | | |
---------------------- ---------------------- | | |
| DES || DES | | | |
---------------------- ---------------------- | | |
| | | | | | | | | | | | | | | | | | |
| | | | | | | | | | | | | | | -----------------------
| | | | | | | | | | | | | | ----------------------- |
| | | | | | | | | | | | | ----------------------- | |
| | | | | | | | | | | | ---------------------- | | |
| | | | | | | | | | | ----------------------- | | | |
| | | | | | | | | | | | | | | | | | |
| | | | | | | | | | | ----------------------
| | | | | | | | | | | | DES |
| | | | | | | | | | | ----------------------
| | | | | | | | | | | | | | | | | | |
| | | | | | | | | | | ----------------------- | | | |
| | | | | | | | | | | | ---------------------- | | |
| | | | | | | | | | | | | ----------------------- | |
| | | | | | | | | | | | | | ----------------------- |
| | | | | | | | | | | | | | | -----------------------
| | | | | | | | | | | | | | | | | | |
This maintains the alignment of all the bytes of the unencrypted message relative to the blocks in which they are
first enciphered. This seems like a cumbersome method of dealing with some rather strange and obscure
weaknesses some block ciphers might have. (Thanks to the initial permutation, DES certainly does not have any
weakness of the kind this might address.)
However, if we hadn't already padded our message out to a whole number of bytes, or if we were using a block
cipher that was very fast, and consisted of operations on whole 32-bit words in our computer, the alignment-
preserving property of ciphertext stealing could be useful to save computer time.
If only alignment to the byte of a message that is an odd number of bits is desired, one could mix the simple
technique I've outlined with ciphertext stealing, by enciphering, as our extra block, some whole bytes that have
already been enciphered, the whole left-over bytes, and one byte composed of the left-over bits plus the last few
bits of the already-enciphered byte immediately preceding the ones we've already used.
Terminating Alphabetic Armor
Once binary encryption is finished, there is the matter of converting the message, in groups of 47 bits at a time, to
a message consisting of letters.
There is some good news with respect to the elaborate fractionation scheme discussed in the previous section. Any
group of more than 35 bits can be represented by some combination of groups of 5 bits and 7 bits. Thus, as long as
the message is sufficiently long, there will be no problem in converting it entirely to base-3 and base-5 digits for
fractionation. However, particularly if after the last chunk of 47 bytes, there are less than five bytes left, and on
general principles in any case (since transposition and fractionation over too small a block is less secure), the odd
part of the message should be fractionated together with the last whole chunk of the message.
But how will we deal with converting a leftover part of the message, less than 47 bits in length, to letters? Again,
some padding will be required.
In addition to the full conversion of 47 bits to 10 letters, the component coding which converted 14 bits to three
letters:
00aaaabbbbcccc (4,4,4: 1 way)

010iiibbbbcccc (3,4,4: 3 ways)
011aaaajjjcccc
100aaaabbbbkkk
1010iiijjjcccc (3,3,4: 3 ways)
1011iiibbbbkkk
1100aaaajjjkkk
11010iiijjjkkk (3,3,3: 1 way)
11011mbbbbcccc (1,4,4: 3 ways)
11100aaaancccc
11101aaaabbbbo
111100mjjjcccc (1,3,4: 6 ways: 4 used here.)
111101mbbbbkkk
111110iiincccc
111111aaaankkk
is a reasonably efficient method of converting bits into letters. As well, since two to the ninth power is 512, which
is under 676, we can convert nine bits into two letters as follows:
0aaaabbbb (4,4: 1 way)

10iiibbbb (3,4: 2 ways)
11aaaajjj
These charts are, of course, interpreted with the single-letter codings noted in the section on the 47-bit to 10-letter
coding:
aaaa (or bbbb, cccc) will represent a letter from the code:
0000 A 0001 B 0010 C 0011 D 0100 E 0101 F 0110 G 0111 H

1000 I 1001 J 1010 K 1011 L 1100 M 1101 N 1110 O 1111 P
iii (or jjj, kkk) will represent a letter from the code:
000 Q 001 R 010 S 011 T 100 U 101 V 110 W 111 X
and m (or n, o) will represent a letter from the code:
0 Y 1 Z
Using these smaller encodings, the amount of random padding required to convert an arbitrary number of bits to
letters can be reduced.
The amount of padding needed for various numbers of bits can be seen in the following table:
1 to 4 bits [aaaa] with 3 to 0 bits padding

5 to 9 bits [9] with 4 to 0 bits padding
15 to 18 bits [9][9] with 3 to 0 bits padding
29 to 32 bits [14][9][9] with 3 to 0 bits padding
The coding [9][9] is allowed at the end because it produces a number of letters of the form 3n+1, which cannot be
confused with a number of the form 3n, involving only the use of [14] blocks, or a number of the form 3n+2,
resulting from the use of a single [9] block. Thus, the number of letters present uniquely identifies how to convert
the letters to bits, but the bits must then contain information on how many bits of padding are to be ignored (or
this information must be available from somewhere else).
Using the single letter coding [aaaa] once, for the smallest number of remaining bits, allows the maximum
required number of padding bits to be reduced to 4 from 8. This means that only three bits need to be added to the
message to indicate how many bits of random padding are used.
Here, it will be easiest to find the three bits giving the amount of padding if they are the very last three bits
converted, with any padding being between them and the message.
Unfortunately, representing a number of padding bits from 0 to 4 by a three-bit number means that the first bit of
that number has a high probability of being 0. The probability is not a full 80%, as some of the possible lengths
require only from 3 to 0 bits of padding, but it is still a significant source of bias.
One way of solving the problem is to put the information about how much padding is used outside the message,
without encrypting it, since usually the length of the message need not be secret. The only disadvantage of this is
that it complicates the format of messages. In any case, this small quantity of added redundancy should not be a
problem if the alphabetic form of the message is now well-encrypted, and if that encryption includes a
transposition cipher, so that the location of the slight extra redundancy is itself secret.
Terminating 78-character Armor
Once we have finished encrypting the message while it is in alphabetic form, for more efficient transmission, an
armoring of the message was shown above where groups of four letters from the 26-letter alphabet were combined
to form three symbols from a set of 78.
Since no letter as the first letter of a four-letter group coded to 333, a simple way to handle three or fewer leftover
letters is simply by printing the leftover letters all in lowercase. This would permit no confusion to arise.
Note that if one or two letters are left, it is not necessary to print them both in lowercase to remove ambiguity.
They could be printed in any of the three possible encodings, chosen at random. However, that is only useful if
further encryption is performed, and the scheme of 78-character armor was designed to be simple. The absence of
the code 333 during the message introduces bias, and thus if the key for the last encryption step were connected to
the key previously used, a potential weakness is introduced.
Next
Chapter Start
Table of Contents
Home page
Decimal Armor
Since
2^93 = 9,903,520,314,283,042,199,192,993,792 and, of course,

10^28 = 10,000,000,000,000,000,000,000,000,000
twenty-eight digits can represent 93 bits with fairly good efficiency.
The method devised by IBM for representing three decimal digits in 10 binary bits which we
saw previously will serve as part of the basis for doing this.
Encoding 3 Digits in 10 Bits
Let ooo (or ppp, qqq) represent a digit from 0 to 7 represented by the following code:
000 0
001 1
010 2
011 3
100 4
101 5
110 6
111 7
and let d (or e, f) represent a digit from 8 to 9 in the following code:
0 8
1 9
then, any three decimal digits can be represented within 10 bits as follows:
0ooopppqqq (3 digits with 3 bits - 1 way)

100dpppqqq (2 digits with 3 bits, 1 digit with 1 bit - 3 ways)
101oooeqqq
110ooopppf
11100deqqq (1 digit with 3 bits, 2 digits with 1 bit - 3 ways)
11101dpppf
11110oooef
1111100def (3 digits with 1 bit - 1 way)
with 24 unused combinations remaining.

As, again, previously noted, the table illustrating the decimal to binary code is based on ooo,
ppp, and qqq representing the first, second, and third digits respectively (if they are from 0 to
7) and on d, e, and f representing the first, second, and third digits respectively if they are
instead either 8 or 9. This same notational convention will be used in outlining the method to
be explained on this page.
Since 2^10 is 1,024, slightly greater than a power of 10, this method cannot serve directly for
storing binary bits in decimal digits; it is instead useful for performing the reverse task of
storing decimal digits in binary bits.
The coding scheme I propose works as follows:
oAAABBBCCCDDDEEEFFFGGGHHHIII
Here, o represents a digit from 0 to 7, representing the first three bits of the 93 bits to be
represented. AAA through III each represent three digits, from 000 to 999, representing 10 bits
of the 93 bits to be represented, provided that each group of 10 bits belongs to one of the 1,000
codes out of 1,024 that can be so represented.
nnn0BBBCCCDDDEEEFFFGGGHHHIII
nnn1AAACCCDDDEEEFFFGGGHHHIII
nnn2AAABBBDDDEEEFFFGGGHHHIII
nnn3AAABBBCCCEEEFFFGGGHHHIII
nnn4AAABBBCCCDDDFFFGGGHHHIII
nnn5AAABBBCCCDDDEEEGGGHHHIII
nnn6AAABBBCCCDDDEEEFFFHHHIII
nnn7AAABBBCCCDDDEEEFFFGGGIII
nnn8AAABBBCCCDDDEEEFFFGGGHHH
Here, nnn is a series of three digits from 800 to 999. This involves 200 possible values, 192 of
which are used, to represent the 8 possible values of the first three bits of the 93 to be encoded,
times 24 possible values for one of the groups of 10 bits in the remaining 90 bits. The value
will be generated by the formula 800 + 24 * a + b, where a is the value of the first three bits
from 0 to 7, and b is a number from 0 to 23 representing each of the 10 bit codes, which did
not correspond to three digits in the coding of three digits to ten bits given above, in the
numerical order of these codes, as shown in the table below:
0 1111101000
7 1111101111
8 1111110000
15 1111110111
16 1111111000
23 1111111111
Thus, these codes cover the case where exactly one of those groups has one of the 24 values
which is not covered by the first encoding. Once we cover all possible cases where any
combination of those groups, even all of them, can have such a value, we will have our
complete encoding of 93-bit values into decimal digits. Note that the eight nnn values of 992
through 999 are not used so far.
nnn90ppCCCDDDEEEFFFGGGHHHIII (00) nnn95ppAAABBBCCCDDDEEEHHHIII

BBBDDDEEEFFFGGGHHHIII (25) BBBCCCDDDEEEFFFGGGIII
AAADDDEEEFFFGGGHHHIII (50) AAACCCDDDEEEFFFGGGIII
BBBCCCEEEFFFGGGHHHIII (75) AAABBBDDDEEEFFFGGGIII
nnn91ppAAACCCEEEFFFGGGHHHIII nnn96ppAAABBBCCCEEEFFFGGGIII
AAABBBEEEFFFGGGHHHIII AAABBBCCCDDDFFFGGGIII
BBBCCCDDDFFFGGGHHHIII AAABBBCCCDDDEEEGGGIII
AAACCCDDDFFFGGGHHHIII AAABBBCCCDDDEEEFFFIII
nnn92ppAAABBBDDDFFFGGGHHHIII nnn97ppBBBCCCDDDEEEFFFGGGHHH
AAABBBCCCFFFGGGHHHIII AAACCCDDDEEEFFFGGGHHH
BBBCCCDDDEEEGGGHHHIII AAABBBDDDEEEFFFGGGHHH
AAACCCDDDEEEGGGHHHIII AAABBBCCCEEEFFFGGGHHH
nnn93ppAAABBBDDDEEEGGGHHHIII nnn98ppAAABBBCCCDDDFFFGGGHHH
AAABBBCCCEEEGGGHHHIII AAABBBCCCDDDEEEGGGHHH
AAABBBCCCDDDGGGHHHIII AAABBBCCCDDDEEEFFFHHH
BBBCCCDDDEEEFFFHHHIII AAABBBCCCDDDEEEFFFGGG
nnn94ppAAACCCDDDEEEFFFHHHIII
AAABBBDDDEEEFFFHHHIII
AAABBBCCCEEEFFFHHHIII
AAABBBCCCDDDFFFHHHIII
Here, nnn represents the first 3 bits, and the additional combination from the set of 24 from the
first of the two groups of 10 bits that are of that form. pp, a series of two digits from 00 to 99,
has 100 possible values, 96 of which are used to represent the combination from the set of 24
from the second of the two groups of 10 bits, and which of the 4 arrangements of which groups
of 10 bits have these additional codes allocated to the current numeric code is present. The
numbers in parentheses after the first set of four arrangements show the displacements to be
added in the pp field to the number from 0 to 23 containing the information about the second
group with an auxilliary value.
nnn990ppqqDDDEEEFFFGGGHHHIII (00 00)

CCCEEEFFFGGGHHHIII (00 25)
BBBEEEFFFGGGHHHIII (00 50)
AAAEEEFFFGGGHHHIII (00 75)
CCCDDDFFFGGGHHHIII (25 00)
BBBDDDFFFGGGHHHIII (25 25)
AAADDDFFFGGGHHHIII (25 50)
BBBCCCFFFGGGHHHIII (25 75)
AAACCCFFFGGGHHHIII (50 00)
AAABBBFFFGGGHHHIII (50 25)
CCCDDDEEEGGGHHHIII (50 50)
BBBDDDEEEGGGHHHIII (50 75)
AAADDDEEEGGGHHHIII (75 00)
BBBCCCEEEGGGHHHIII (75 25)
AAACCCEEEGGGHHHIII (75 50)
AAABBBEEEGGGHHHIII (75 75)
nnn991ppqqBBBCCCDDDGGGHHHIII
AAACCCDDDGGGHHHIII
AAABBBDDDGGGHHHIII
AAABBBCCCGGGHHHIII
CCCDDDEEEFFFHHHIII
...
nnn995ppqqAAABBBCCCEEEFFFGGG
AAABBBCCCDDDFFFGGG
AAABBBCCCDDDEEEGGG
AAABBBCCCDDDEEEFFF
Now we are dealing with the case where three of the nine groups of ten bits have a
representation from the additional 24 combinations. Together, pp and qq mean that sixteen
different arrangements of these three groups can be indicated. The displacements added to pp
and qq are noted in the parentheses after the first group of 16 combinations. One additional
digit lets us cope with 160 possibilities, but in fact we only need to worry about 84 possibilities.
nnn9990ppqqrrEEEFFFGGGHHHIII (00 00 00)

DDDFFFGGGHHHIII (00 00 25)
CCCFFFGGGHHHIII (00 00 50)
BBBFFFGGGHHHIII (00 00 75)
AAAFFFGGGHHHIII (00 25 00)
DDDEEEGGGHHHIII (00 25 25)
CCCEEEGGGHHHIII (00 25 50)
CCCDDDGGGHHHIII (00 25 75)
...
BBBCCCEEEGGGIII (75 75 75)
nnn9991ppqqrrBBBCCCDDDGGGIII
CCCDDDEEEFFFIII
BBBDDDEEEFFFIII
BBBCCCEEEFFFIII
BBBCCCDDDFFFIII
BBBCCCDDDEEEIII
DDDEEEFFFGGGHHH
...
AAABBBCCCDDDEEE
Here, four of the nine groups of ten bits use one of the additional codes. This involves 126
possibilities. pp, qq, and rr together allow sixty-four combinations to be indicated, so the
additional digit need only be either 0 or 1.
nnn99990ppqqrrssFFFGGGHHHIII
nnn999990ppqqrrssttGGGHHHIII
nnn9999990ppqqrrssttuuHHHIII
nnn99999990ppqqrrssttuuvvIII
nnn999999990ppqqrrssttuuvvww
And there is no problem continuing the encoding, without needing to go back and use the eight
unused nnn values, since we are now dealing with 126, 84, 36, 9, and 1 combinations again,
which we have already seen comfortably fits in the space available, and we now have even
more space with more two-digit fields, each of which contributes a factor of four.
Next
Table of Contents
Home Page
Keystream Base Conversion

In the preceding sections, we have seen ways to convert a message consisting of binary
bits into either base-26 or base-10 for transmission. Since it is intended that the
message ultimately be read by its legitimate recipient, it is necessary that the
conversion be invertible.
People working with simulation problems on computers have developed techniques for
base conversion that are simplified because they do not need to take this constraint into
account.
One could have a standard pseudorandom number generation routine, and it might
produce numbers from 0 to 32,767 each time it is run. And for a particular problem,
one needs uniformly distributed integers from 0 to 922.
The simplest way of doing this is to note that 15 times 923 is 32,305. So, when you
generate a pseudorandom number, if it is from 0 to 32,304, take the remainder when it
is divided by 923 as your number from 0 to 922, otherwise, discard the result.
This isn't invertible, as more than one sequence of numbers from 0 to 32,768 will lead
to the same sequence of numbers from 0 to 922, but that is not a concern for such an
application. But because it throws away information, it is somewhat wasteful:
particularly worrying is the chance of a long run of pseudorandom numbers from
32,305 to 32,767, which could cause delays.
Essentially, when a number is generated, a random number from 0 to 34 is being

thrown away, and when one is not being generated, a number from 0 to 462 is being
thrown away. One can improve the efficiency of the conversion process by keeping
these numbers, and treating them the same way, in essence, as we treated the output of
our binary pseudorandom number generator.
To illustrate this technique with a more useful example:
Let's say you want to convert a stream of random bits into uniformly distributed
numbers from 0 to 999.
Then, you start by taking the bits 10 at a time to give you a number from 0 to 1023. If
that number is less than 1000, you've got a number. (Note that here one does not have a
multiple of 1000, so there is nothing to save when a number is generated. In general,
this will always be true if we start from a stream of bits which we can use in groups of
any size, since if we are using enough bits to give us a number twice as large as the
desired number, we are using one bit too many.)
Otherwise, subtract 1000 from the number, to give you a number from 0 to 23. Treat
that as a base-24 digit, and introduce it into another accumulator (acc = acc*24 +
new_digit) that holds numbers up to 24^3, or 13824.
When this has happened three times, if the number in the accumulator is from 0 to
12999, take the last three digits as your number.
If you want, you can now repeat the process by taking the first few digits, as a number
from 0 to 12, and therefore a base-13 digit, and save them in an accumulator; and, if
you get a result you can't use, a number from 13000 to 13824, you can subtract 13000
and save that result as a base-824 digit.
Since 1000 is a multiple of 8, however, we could simplify the process, at least by

requiring smaller accumulators for the calculations, and thus potentially avoiding
multiprecision multiplications, by modifying it as follows: take the stream of bits seven
bits at a time, and convert it into numbers from 0 to 124, that is, base-125 digits. When
the process has successfully produced such a number, then take three more bits from
the keystream to make it a number from 0 to 999.
The process for that case follows the same scheme as the direct process for producing
numbers from 0 to 999, but because the omitted powers of two change the size of the
numbers involved, an exact analogy between the digit sizes involved breaks down at
later steps.
Take seven bits from the keystream, giving a number from 0 to 127. If that number is
from 0 to 124, it is the result. Otherwise, subtract 125 from the number, giving a
number from 0 to 2. Introduce this base-3 digit into an accumulator that holds numbers
up to 3^5, or 243.
When that accumulator has 5 digits in it, it contains a random number from 0 to 242. If
it is from 0 to 124, accept it as the result. Otherwise, subtract 125, and put the resulting
number, from 0 to 117, in another accumulator, and so on.
Where you want to stop, and just throw away unusable results, depends on how
efficiently you want to convert the random bit stream to a random digit stream.
This can certainly be used in cryptography to allow a binary stream cipher to encipher
a plaintext composed of digits into a ciphertext also composed of digits.
If one is enciphering binary plaintext to binary ciphertext, one could use two keystream
generators, for example, one designed to produce pseudorandom base-7 digits from 0
to 6, and another designed to produce pseudorandom base-23 digits from 0 to 22,
independently converting the outputs of each to, say, base 256 using the technique
given above, and using the XOR of the two converted keystreams on the plaintext. The
use of two different bases to produce binary bits, which are then combined in the
binary world, would make many forms of analysis much more complicated. However,
this type of cryptography is vulnerable to timing attacks and related techniques such as
monitoring the power consumption of a chip, because sometimes extra steps are
required to produce the output in a new base.
Next
Table of Contents
Home Page
Message Blocking
Messages sent by rotor machines were often divided into segments of perhaps 300
letters, each segment being enciphered separately, with its own randomly chosen initial
rotor position.
If one is writing a simple encryption program in a language like BASIC, there is a clear
advantage to doing something like this as well; it allows one to keep an entire block of
the message in an array in memory, instead of doing multiple passes of encryption over
a disk file. It is also particularly useful when transposition ciphers are being used
among the steps in the process. Avoiding saving intermediate results on disk has speed
advantages, and there are security advantages as well, although a discussion of dealing
with swap files (in Microsoft Windows, IBM OS/2, and Linux) is beyond the scope of
this discussion.
With computer encryption, the possibility occurs of turning message blocking into an
additional factor contributing to the difficulty of cryptanalysis. The beginnings and
endings of blocks could be concealed.
Here is a concrete example:
● Let the division of the message into blocks be regulated by a pseudo-random

number generator which outputs 8-bit bytes.
● Let the blocks vary in length from 128 bytes in length (indicated by the value 0)
to 383 bytes in length (indicated by the value 255).
● When the number of bytes remaining in the message, as not yet having been
divided into blocks, is 511 or more, simply generate a pseudo-random byte, and
form a block from the number of characters that it indicates.
● If 383 or fewer bytes remain in the message, take those bytes as the last block.
● Where from 384 to 510 bytes remain in the message, split the message into two
blocks, where the first block is from 128 to 256 bytes in length, based on the
least significant 7 bits of a pseudorandom byte.
These rules are reproducible at the other end. The last rule, though, introduces some
bias into the length of the last two blocks that a more complicated rule could avoid (the
message should be divided into two parts, where the first part and the last part both
have a minimum possible length of 128). One could, if one has the length of the entire
message available initially, first calculate a division of the message into blocks, and
then transpose the block lengths.
A more complicated program could use a different division of the messages into blocks
for each phase of a multi-step encryption. One would simply need a pair of 383-byte
buffers between each stage of encryption. And one might only divide the message into
blocks for transposition phases, since such a division isn't needed for encrypting a
message with a block cipher like DES or with a stream cipher as urgently as it is for
transposition (and fractionation) stages.
Next
Table of Contents
Home Page
Optimized Morse Armor

In an earlier section, I showed how, by an elaborate method, one could convert sequences of
binary bits to sequences of the 26 letters of the alphabet, in batches of 47 bits and 10 letters.
Because 26 to the 10th power was only slightly larger than two to the 47th power, this
conversion added so little redundancy to the message that it seemed like one could perform
further encryption on the resulting stream of letters without too great a danger of
compromising the system. (Ideally, however, an independent key should still be used for
post-conversion encryption to be on the safe side.)
A reason for having messages armored as letters only would be to allow them to be
transmitted using Morse code. The characters of Morse code are different in length, and the
shorter symbols stand for the more common letters of the alphabet.
One could use a Huffman code for the English language to convert bits into letters; the
result then would have a frequency distribution that somewhat resembled English text. But
given that we know the bandwith cost of each Morse symbol, can we devise an optimal
coding into letters that minimizes transmission time of a message in Morse format?
Given that a dot takes one unit of time, a dash three units, and the spaces between dots and
dashes in letters take one unit, the time each letter takes can be calculated. However, since
one consideration in coding is how many letters are produced (if one wants to produce
fewer letters, one would use the ones with longer codes more often), one must also consider
overhead costs; the space between letters takes three units, and spaces between words take
five units. This last, if we are sending our message in five-letter groups, is convenient, since
it lets us avoid fractions, so 4 units of overhead are included in the bandwith cost of each
letter.
A 9 E 5 I 7 M 11 Q 17 U 11 Y 17
B 13 F 13 J 17 N 9 R 11 V 13 Z 15
C 15 G 13 K 13 O 15 S 9 W 13
D 11 H 11 L 13 P 15 T 7 X 15
One way to approach the problem of optimized coding into Morse is to ask this question:
for what set of probabilities p(letter) is Morse an optimal coding? Knowing these
probabilities, one can then construct a Huffman code for such a source of letters, and use
that in reverse to convert bits into letters, approximating, as closely as possible if we restrict
ourselves to such a simple technique instead of something better, such as arithmetic coding,
those probabilities in our stream of letters.
Huffman codes have different lengths; it is immediately obvious that a Huffman code is
optimal if the symbol with a 3-bit code has probability 1/8th, a symbol with a 5-bit code has
probability 1/32nd, and so on. But a variable length coding into digits would give symbols
with the same ratio of lengths probabilities of 1/1000 and 1/100000, which have a different
ratio to each other. Since working out a Huffman code involves adding probabilities, this
would make a difference. So we need to work out the "worth" of one unit of bandwidth cost
in Morse code to do this, for a reason that resembles our need to count the overhead in the
cost of each letter.
Thus, given that there is one symbol (E) with bandwidth cost 5, two symbols (I, T) with
bandwidth cost 7, and so on, we need to solve the equation:
-5 -7 -9 -11 -13 -15 -17

x +2x +3x +5x +7x +5x +3x = 1
in x. This equation is not linear (although, as a polynomial in 1/x, doubtless it can be solved
analytically with the aid of elliptic integrals), but it can be solved using a binary search
method to obtain an approximate value of x. The solution that can be obtained in this
fashion indicates that we should consider each bandwith unit to be a symbol with
1.35999638070642 possible values; in other words, each bandwidth unit contains about
0.4436028 bits of information. Note that this only applies when the transmitted message
consists only of letters, since it derives from that particular set of symbols; the value would
be higher if, for example, we allowed ourselves to send digits by Morse code as well.
Thus, we assign the following probabilities to each letter:
5 E 0.214937 2 bits
7 I T 0.116208 3 bits
9 A N S 0.062829 4 bits
11 D H M R U 0.033969 5 bits
13 B F G K L V W 0.018366 6 bits
15 C O P X Z 0.009930 Four 7-bit codes, one 8-bit code
17 J Q Y 0.005369 8 bits
and when we work out a Huffman code on this basis, it comes out very nicely, with only
one case where we must assign different-length codes to symbols with the same probability.
A possible coding with these symbol lengths would be:
00000 D 0010010 C 00101110 Q 0100 A 101 T

000010 F 0010011 O 00101111 Y 01010 H 11 E
000011 G 0010100 P 001100 K 01011 M
00010 R 0010101 X 001101 L 0110 N
00011 U 00101100 Z 001110 V 0111 S
001000 B 00101101 J 001111 W 100 I
which is the one that results from the tree used to determine the Huffman code; a more
direct one, based on the lengths in the table above, would of course be:
00 E 10110 D 110111 F 1111010 C 11111110 Q
010 I 10111 H 111000 G 1111011 O 11111111 Y
011 T 11000 M 111001 K 1111100 P
1000 A 11001 R 111010 L 1111101 X
1001 N 11010 U 111011 V 11111100 Z
1010 S 110110 B 111100 W 11111101 J
which just assigns symbols in order to the letters in the various length groups.
This particular coding sends an average of 968 bits in 2190 bandwidth units, for an average
of 0.4420091 bits per bandwidth unit, just under the theoretically possible maximum of
0.4436028 bits per bandwidth unit given above.
Next
Table of Contents
Home Page
Steganography
The preceding section described a way of preparing the output from encipherment for transmission. There, the
purpose was simply to allow the text to be transmitted properly.
Another form of ciphertext preparation, which can be considered an encipherment method in itself, is designed to
conceal another secret: that there even is an encrypted message being stored or transmitted.
Many forms of steganography were devised in the era of paper-and-pencil encryption.
● A message could be concealed in the second letter of every word in a cover message, or in the third letter
in the first word of each sentence. ("Accepted your overture. Next Friday, about eleven, come away
anywhere." = Cover blown.)
● One could use a jargon code, where words related to a sensitive topic are replaced by equivalent words
about an innocuous topic. ("Uncle Bill is leaving on Tuesday" = The Saratoga sets sail on Tuesday; "Joe is
in the hospital" = Joe is being held by the police.)
● A series of lists of alternative phrases from which a paragraph can be built can be used, where each choice
of a phrase from a list conceals one letter of a message. This method was published in 1518 in the
Polygraphiae by Johannes Trithemius, but was also still used during World War II, as noted in the recent
book From Silk to Cyanide.
The first method listed above can lead to a stilted cover message that obviously has something wrong with it.
Thus, improved forms of this method that involve concealing something subtler than a letter of the message in
each word of the cover message have been devised.
As we saw in the section on fractionation, one can encode the letters of the alphabet as follows:
A 111 D 121 G 131 J 211 M 221 P 231 S 311 V 321 Y 331

B 112 E 122 H 132 K 212 N 222 Q 232 T 312 W 322 Z 332
C 113 F 123 I 133 L 213 O 223 R 233 U 313 X 323
and so convert a message composed of letters into one composed only of the digits 1 through 3. Then, a word of 1
or 4 or 7 syllables could stand for 1, a word of 2 or 5 syllables for 2, a word of 3 or 6 syllables for 3. This system,
among others, is discussed in Helen Fouché Gaines' [Elementary] Cryptanalysis, which begins by discussing such
systems, continues with transposition ciphers, and only afterwards introduces substitution ciphers. This is, in a
way, a logical order for introducing the subject, since with each step the letters of the original message become
less accessible. (But on the other hand, the case of simple substitution, because it is so familiar, is one that is
attractive to discuss first.)
And, of course, a letter can also be converted into five digits which are all either 0 or 1. Long before Èmile
Baudot, using a and b as his two symbols, Sir Francis Bacon discussed such a representation of the alphabet
specifically for the purpose of steganography.
If we're discussing binary coding, we may as well address the computer era.
The fact that images can be usefully subjected to lossy compression methods has suggested that extra information
could be concealed in them.
One popular format for storing pictures on a computer involves first determining 256 colors, each one expressed
as three one-byte values for each of its Red, Green, and Blue components, which are optimal for rendering the
image with as little change as possible, and then providing first a table of the 256 colors used, and then the image
with one byte indicating the color from that table to be used for each pixel. The image in that form is compressed
using a form of lossless compression.
A popular steganography program conceals a bit in every pixel by ordering the 256 colors so that similar colors
are adjacent to each other in the table, and then modifying each pixel so that the least significant bit of the color
code for that pixel has the right value.
For other forms of image encoding, one might wish to place one's message more directly in the image itself. One
way of doing this might be as follows:
Compress the image using a lossy technique such as JPEG. Then, modify the original image so that the differences
between it and the compressed image, on a pixel-by-pixel basis, contain the message.
Since the idea will be to send only the modified image, it will be necessary to check that the modified image,
when compressed by the same technique, produces a compressed form which has the same differences from the
modified image as the compressed form of the original image did. This requires a coding which does not disturb
the compressed image excessively, and it requires a coding which is flexible, so that different ways of
representing the hidden message are possible.
An example of the kind of coding that might work is noted below. 0 represents an unchanged pixel, + one that is
made brighter, - one that is made less bright.
00000000 null 0000-00+ 00110 000-00+0 01110

0000+00- 01111 000+00-0 01111
000000-+ 00000 0000-0+0 01000 000-0+00 10000
000000+- 00001 0000+0-0 01001 000+0-00 10001
00000-0+ 00010 0000-+00 01010 000-+000 10010
00000+0- 00011 0000+-00 01011 000+-000 10011
00000-+0 00100 000-000+ 01100 00-0000+ 10100
00000+-0 00101 000+000- 01101 00+0000- 10101
0000--++ 00000000 000-0-++ 00000110

0000-+-+ 00000001 000-0+-+ 00000111
0000-++- 00000010 000-0++- 00001000
0000+--+ 00000011 000+0--+ 00001001
0000+-+- 00000100 000+0-+- 00001010
0000++-- 00000101 000+0+-- 00001100
The table is not complete. First, one can choose to leave all pixels undisturbed if necessary, and in that case one
skips that group of eight pixels without encoding any data. If one can alter two pixels, and only combinations
where the net alteration balances out are shown, then there are 56 possibilities, so five bits can be coded. If one
can alter four pixels without altering the compressed form of the image, then there are 420 possibilities, so eight
bits can be coded.
If JPEG compression does not work well to form a baseline image, one can simplify calculations by using a very
simple lossy compression algorithm: averaging adjacent pixels in pairs.
Of the RGB components of an image, the Green component contributes the most to the brightness, and the Blue
component the least, so using the blue part of the pixel to encode information makes sense.
Note that, due to the current interest in watermarking images, it is entirely likely that the technique described
above may be covered by someone's patent at this time.
Table of Contents
Home Page
One-way Hash Functions

For some purposes, including key generation, but especially for digital signatures,
something that is like a checksum of a block of text, but which is secure in the sense
that it is nearly impossible to generate text that will have a given hash function value
when that value is determined in advance, is required. This way, if someone signs a
document by using public-key methods to sign its hash value, an adversary is unable to
generate a document saying something different, and claim that it was this document,
having the same hash, that was signed instead.
Since some block ciphers, including DES, are very secure against someone
determining the key even when the plaintext as well as the ciphertext is known, using a
document somehow as the key to a block cipher like DES rather than as the plaintext
input might allow the ciphertext output to function as a secure hash.
This kind of approach, but used with specially constructed block algorithms which
operate on larger blocks, and with the text being hashed used as a source of subkeys
rather than keys from which keys for multiple rounds are derived, is the common
method of performing secure hash functions. Only one such method, the Secure Hash
Algorithm, an NSA design which is similar to, and based upon, MD4 from RSA
Laboratories (and also similar to MD5 from RSA Laboratories, also an MD4
descendant) will be described here.
In general terms, SHA-1 and MD5 look like a block cipher, operating on a fixed initial
value, with the message being hashed providing the subkeys for the block cipher's
operation. However, they do somewhat more than that, and they must do so, because it
is trivial with DES, for example, to produce any desired value for the final output by
varying the last two subkeys; thus, collisions could be produced essentially at will for a
hash function which operated in that way.
SHA-1, which we will examine in full detail in the next section, expands 16 32-bit
words of message text to 80 32-bit subkey words with a shift-register technique. And,
after 80 rounds of the hash function are applied to the 160-bit value, the original value
and the result value are combined together (using 32-bit addition with no carries
between words) to make the hash operation noninvertible.
Thus, SHA-1 heeds the lessons of work done on using DES or similar block ciphers to
hash messages. The following diagram illustrates the two basic methods of doing that
involving a single encryption for a message block which are believed to be secure, plus
a method using two encryptions per block:
The first method uses the same principle as found in SHA-1: the message block is used
as the key for encrypting the previous hash value, and then both the previous hash
value and the encrypted version are XORed together.
The second method, depicted as three different methods in Applied Cryptography,

involves using the previous hash value as the key to encrypt the message block. But the
previous hash value must also be XORed with the message block on input, or the
enciphered version of the message block on output, or both, for security.
Seeing these methods had inspired me to think of the third structure shown in the
diagram, where the results of encrypting the previous hash value with the message
block as the key and of encrypting the message block with the previous hash value as
the key are XORed together to produce the new hash value.
While that would be an unnecessary complication for a hash using actual block ciphers,
with their complicated key schedules and large number of rounds, this might well be a
useful structure on which to base the design of a new hash function.
But although this method has greater security in some ways, it has one flaw: one can
produce a zero hash result with a message block that equals the preceding hash value,
because it is symmetrical. There might be a way to exploit this to cause hash collisions.
● Description of SHA
Table of Contents
Main Page
Description of SHA-1 and SHA-256

For both SHA-1 and SHA-256, one begins by converting the message to a unique representation of the
message that is a multiple of 512 bits in length, without loss of information about its exact original length
in bits, as follows: append a 1 to the message. Then add as many zeroes as necessary to reach the target
length, which is the next possible length that is 64 bits less than a whole multiple of 512 bits. Finally, as a
64-bit binary number, append the original length of the message in bits.
Description of SHA-1
Expand each block of 512, when it becomes time to use it, into a source of 80 32-bit subkeys as follows:
the first 16 subkeys are the block itself. All remaining subkeys are generated as follows: subkey N is the
exclusive OR of subkeys N-3, N-8, N-14, and N-16, subjected to a circular left shift of one place. (This is
the mysterious circular left shift added after the original version of SHA was released.)
Starting from the 160-bit block value (in hexadecimal)
67452301 EFCDAB89 98BADCFE 10325476 C3D2E1F0
as input for the processing of the first 512-bit block of the modified message,
for each message block, do the following:
Encipher the starting value using the 80 subkeys for the current message block.
Add each of the 32-bit pieces of the ciphertext result to the starting value, modulo 2^32, of course, and
use that result as the starting value for handling the next message block.
The starting value created at the end of handling the last block is the hash value, which is 160 bits long.
The SHA "block cipher" component
The main calculation in SHA enciphers a 160-bit block using 80 32-bit subkeys in 80 rounds. This
calculation is somewhat similar to a series of Feistel rounds, except that instead of dividing the block into
two halves, it is divided into five pieces. An F-function is calculated from four of the five pieces,
although it is really the XOR of a function of three of the pieces and a circular left shift of a fourth, and
XORed with one piece, which is also modified by being XORed with the current round's subkey and a
constant. The same constant is used over each group of 20 rounds. One of the other blocks is also altered
by undergoing a circular left shift, and then the (160-bit) blocks are rotated.
The F-function, as well as the constant, is changed every 20 rounds.
Calling the five pieces of the 160-bit block being "encrypted" a, b, c, d, and e, the rounds of the SHA
"block cipher" component proceed as follows:
● Change a by adding the current constant to it. The constants are, in hexadecimal:
❍ For rounds 1 to 20: 5A827999
❍ For rounds 21 to 40: 6ED9EBA1
❍ For rounds 41 to 60: 8F1BBCDC
❍ For rounds 61 to 80: CA62C1D6
● Change a by adding the appropriate subkey for this round to it.

● Change a by adding e, circular left-shifted 5 places to it.
● Change a by adding the main f-function of b, c, and d to it, calculated as follows:
❍ For rounds 1 to 20, it is (b AND c) OR ((NOT b) AND d).
❍ For rounds 21 to 40, it is b XOR c XOR d.
❍ For rounds 41 to 60, it is (b AND c) OR (b AND d) OR (c AND d).
❍ For rounds 61 to 80, it is again b XOR c XOR d.
● Change d by giving it a circular right shift of 2 positions (or, for consistency, a circular left shift
of 30 places).
● Then swap pieces, by moving each piece to the next earlier one, except that the old a value is
moved to e.
illustrates the operation of the Secure Hash Algorithm.
SHA-256, SHA-384, and SHA-512
New algorithms were announced shortly after the selection of Rijndael as the Advanced Encryption
Standard, SHA-256, SHA-384, and SHA-512. The SHA-384 algorithm is essentially the same as the
SHA-512 algorithm, but with a different starting value, and with the final result truncated to 384 bits.
Although full specifications for the three new algorithms are available here, I thought I might explain
them here as well. (Although I have a description of RIPE-MD available, it was rather too complicated to
easily describe in full.)
The SHA-256 algorithm is very similar in structure to SHA-1, but not only does it use eight, rather than
five, 32-bit subblocks, but there are other ways in which it is not analogous.
For SHA-256, the message is padded, and divided into 512-bit blocks, in the same way as for SHA-1.
From each block, considered as 16 32-bit words, 64 (rather than 80) 32-bit words are produced, the first
16 being the block itself, and the remaining words being the sum, modulo 2^32, of the following
quantities:
● the word 16 words ago;

● the XOR of the following three quantities:
❍ the word 2 words ago rotated right 17 places
❍ that word rotated right 19 places
❍ that word shifted right 10 places;

❍ that word shifted right 3 places.
One round of the part of SHA-256 that looks like a round of a block cipher is performed for each of these
64 words. For the first block, the initial input values to SHA-256 are:
6A09E667 BB67AE85 3C6EF372 A54FF53A

510E527F 9B05688C 1F83D9AB 5BE0CD19
which are the beginnings, in hexadecimal, of the fractional parts of the square roots of 2, 3, 5, 7, 11, 13,
17, and 19.
The round function of SHA-256 is as follows:
An intermediate result is calculated, which is equal to the modulo 2^32 sum of
● The XOR of the following three quantities:

❍ the fifth word in the block rotated right 6 places
❍ that word rotated right 25 places;
● a word consisting of those bits in the sixth word of the block which correspond to bits of the fifth
word of the block that are ones, and those bits in the seventh word of the block that correspond to
bits of the fifth word of the block that are zeroes;
● the current one of the 64 words to which the 16 word block is expanded;
● the current one of 64 constants introduced into this phase.
The eighth word of the block is modified by having this intermediate result added to it modulo 2^32.
The resulting incompletely modified new value of the eighth word in the block is then added to the fourth
word in the block modulo 2^32.
Then, two additional quantities are added to the eighth word in the block modulo 2^32:
● A word whose bits are 1 if and only if two of the corresponding three bits taken from each of the
first, second, and third words in the block are 1;
❍ The first word in the block rotated right 2 bits,
❍ that word rotated right 13 bits,
❍ that word rotated right 22 bits.
Finally, each of the eight words of the block that will ultimately become the hash is moved to the position
of the next word in the block, with the first word in the block being replaced by the modified eighth word
in the block.
The 64 constant words, added to each word in the expanded block, are:
428A2F98 71374491 B5C0FBCF E9B5DBA5 3956C25B 59F111F1 923F82A4 AB1C5ED5

D807AA98 12835B01 243185BE 550C7DC3 72BE5D74 80DEB1FE 9BDC06A7 C19BF174
E49B69C1 EFBE4786 0FC19DC6 240CA1CC 2DE92C6F 4A7484AA 5CB0A9DC 76F988DA
983E5152 A831C66D B00327C8 BF597FC7 C6E00BF3 D5A79147 06CA6351 14292967
27B70A85 2E1B2138 4D2C6DFC 53380D13 650A7354 766A0ABB 81C2C92E 92722C85
A2BFE8A1 A81A664B C24B8B70 C76C51A3 D192E819 D6990624 F40E3585 106AA070
19A4C116 1E376C08 2748774C 34B0BCB5 391C0CB3 4ED8AA4A 5B9CCA4F 682E6FF3
748F82EE 78A5636F 84C87814 8CC70208 90BEFFFA A4506CEB BEF9A3F7 C67178F2
After this has been done 64 times, the final result is the sum, by individual words modulo 2^32, of the
result of this transformation and the original eight-word input.
Thus, one important difference between SHA-256 and SHA-1 is that the nonlinear functions do not
change during the hashing of a block, but instead of having only four constants, each of which is used for
20 words, there are now 64 constants, each used for only one word.
SHA-512 is very similar to SHA-256, but not in the way that SHA-256 is similar to SHA-1. SHA-256
and SHA-1 both operate on 32-bit words, although the former operates on a block of eight of them, and
the latter operates on a block of five of them. On the other hand, SHA-512 operates on eight 64-bit
words, but the procedure it applies to them closely resembles that of SHA-256.
From each block, considered as 16 64-bit words, 80 64-bit words are produced, the first 16 being the
block itself, and the remaining words being the sum, modulo 2^64, of the following quantities:

❍ that word shifted right 6 places;

❍ that word shifted right 7 places.
One round of the part of SHA-512 that looks like a round of a block cipher is performed for each of these
80 words. For the first block, the initial input values to SHA-512 are:
6A09E66713BCC908 BB67AE8584CAA73B
3C6EF372FE94F82B A54FF53A5F1D36F1
510E527FADE682D1 9B05688C2B3E6C1F
1F83D9ABFB41BD6B 5BE0CD19137E2179
which are the beginnings, in hexadecimal, of the fractional parts of the square roots of 2, 3, 5, 7, 11, 13,
17, and 19.
The round function of SHA-512 is as follows:
An intermediate result is calculated, which is equal to the modulo 2^32 sum of

❍ the fifth word in the block rotated right 14 places
❍ that word rotated right 41 places;
● a word consisting of those bits in the sixth word of the block which correspond to bits of the fifth
word of the block that are ones, and those bits in the seventh word of the block that correspond to
bits of the fifth word of the block that are zeroes;
● the current one of the 80 words to which the 16 word block is expanded;
● the current one of 80 constants introduced into this phase.
The eighth word of the block is modified by having this intermediate result added to it modulo 2^64.
The resulting incompletely modified new value of the eighth word in the block is then added to the fourth
word in the block modulo 2^64, and this is the permanent modification of that word for the round.
Then, two additional quantities are also added to the eighth word in the block modulo 2^64:
● A word whose bits are 1 if and only if two of the corresponding three bits taken from each of the
first, second, and third words in the block are 1;
❍ The first word in the block rotated right 28 bits,
❍ that word rotated right 34 bits,
❍ that word rotated right 39 bits.
Finally, each of the eight words of the block that will ultimately become the hash is moved to the position
of the next word in the block, with the first word in the block being replaced by the modified eighth word
in the block.
The 80 constant words used in SHA-512, derived from the fractional parts of the cube roots of the first
eighty primes, are:
428A2F98D728AE22 7137449123EF65CD B5C0FBCFEC4D3B2F E9B5DBA58189DBBC

3956C25BF348B538 59F111F1B605D019 923F82A4AF194F9B AB1C5ED5DA6D8118
D807AA98A3030242 12835B0145706FBE 243185BE4EE4B28C 550C7DC3D5FFB4E2
72BE5D74F27B896F 80DEB1FE3B1696B1 9BDC06A725C71235 C19BF174CF692694
E49B69C19EF14AD2 EFBE4786384F25E3 0FC19DC68B8CD5B5 240CA1CC77AC9C65
2DE92C6F592B0275 4A7484AA6EA6E483 5CB0A9DCBD41FBD4 76F988DA831153B5
983E5152EE66DFAB A831C66D2DB43210 B00327C898FB213F BF597FC7BEEF0EE4
C6E00BF33DA88FC2 D5A79147930AA725 06CA6351E003826F 142929670A0E6E70
27B70A8546D22FFC 2E1B21385C26C926 4D2C6DFC5AC42AED 53380D139D95B3DF
650A73548BAF63DE 766A0ABB3C77B2A8 81C2C92E47EDAEE6 92722C851482353B
A2BFE8A14CF10364 A81A664BBC423001 C24B8B70D0F89791 C76C51A30654BE30
D192E819D6EF5218 D69906245565A910 F40E35855771202A 106AA07032BBD1B8
19A4C116B8D2D0C8 1E376C085141AB53 2748774CDF8EEB99 34B0BCB5E19B48A8
391C0CB3C5C95A63 4ED8AA4AE3418ACB 5B9CCA4F7763E373 682E6FF3D6B2B8A3
748F82EE5DEFB2FC 78A5636F43172F60 84C87814A1F0AB72 8CC702081A6439EC
90BEFFFA23631E28 A4506CEBDE82BDE9 BEF9A3F7B2C67915 C67178F2E372532B
CA273ECEEA26619C D186B8C721C0C207 EADA7DD6CDE0EB1E F57D4F7FEE6ED178
06F067AA72176FBA 0A637DC5A2C898A6 113F9804BEF90DAE 1B710B35131C471B
28DB77F523047D84 32CAAB7B40C72493 3C9EBE0A15C9BEBC 431D67C49C100D4C
4CC5D4BECB3E42B6 597F299CFC657E2A 5FCB6FAB3AD6FAEC 6C44198C4A475817
After this has been done 80 times, the final result is the sum, by individual words modulo 2^64, of the
result of this transformation and the original eight-word input.
As noted above, SHA-384 is identical to SHA-512, except that only the first 384 bits of the hash value
are used, and the starting value to the portion that manipulates an eight-word block is different.
It is:
CBBB9D5DC1059ED8
629A292A367CD507
9159015A3070DD17
152FECD8F70E5939
67332667FFC00B31
8EB44A8768581511
DB0C2E0D64F98FA7
47B5481DBEFA4FA4
Next
Table of Contents
Main Page
Hardware Security
Originally, encryption was carried out using pencil and paper. Some cipher machines,
such as the Enigma and the desktop Hagelin lug and pin machines, had lockable
cabinets. This meant that the machines could be operated by someone who, not having
the key, could not directly access either the rotor wirings or the alphabet ring settings
of the Enigma, or the lug and pin settings of a Hagelin machine.
Today, with microprocessor-based devices being used for encryption, it is possible to

take measures of this type further.
Among the measures it is possible to take with dedicated cryptographic hardware are
the following:
● Opening the box can cut power to internal RAM, in which keys are stored.
● If keys are stored in non-volatile memory, these keys can be encrypted. The
decrypted versions would only be put in RAM, and the master key used to
decrypt them would not be placed in non-volatile memory, but would instead be
entered whenever the device is turned on, and then stored in RAM.
● The device must allow the input of keys, but need not allow their output.
● The device may allow output of keys in encrypted form only, for backup
external storage.
● And at the time of input, a key could be labeled as being for test purposes,
rather than for actual encryption. Such a test key, in addition to being allowed to
be output in plain form, would also allow the output of intermediate results in
the encryption process, for test and validation of the encryption device.
● The device can ask for passwords, allowing only authorized people to set keys
(so that an attacker could not set the device to use a key that he knew), or
perform diagnostic tests, or encipher or decipher with the device. Also, the
device could store several keys, with different users able to use only certain of
these keys, and perhaps for enciphering or deciphering but not both.
● Other measures, such as sealing the device with special labels, or covering
circuitry with a potting compound, can be used to protect the hardware against
tampering, such as attatching bugging devices, or altering the internal programs
to bypass some security features.
Another advantage of special-purpose hardware is that one element missing from the
desktop PC can be added; a hardware source of true random numbers.
Whether one is using a desktop PC or a specialized device, another problem inherent in

using electronics, particularly microprocessors, to encipher a message is that the high-
frequency pulses used to carry information from one part of a computer to another can
also travel through the air as radio signals. Surrounding a device with solid metal
shielding is one preventive measure, and some high-security devices may even use a
masking noise signal as well. Unless one is using battery power, there need to be some
insulating breaks in any metal shielding used. Their permissible size would be
determined by the highest frequency of the radiation that one is concerned about
having leak out. In this connection, it might be noted that square waves have quite a bit
of high odd-harmonic content.
Normally, when a home PC is used for encryption, the result of the encryption process
is a disk file, which is transmitted later, so any electronic leakage is in the form of
unwanted radiation from the computer at the time of encryption. If one is dealing with
special-purpose encryption hardware, however, the output may be an actual electrical
signal which is fed to a radio transmitter or a telephone line. In that case, it is necessary
to be concerned with electrical leakage within the device from wires carrying the signal
containing the plaintext to wires carrying the signal containing the ciphertext.
To prevent this, precautions are taken which are sometimes termed "red/black
separation". The portion of a device that handles the plaintext is termed red, and the
portion that contains only signals which may be sent to the outside world is termed
black. This is accomplished through separating functions on different circuit boards,
using shielding within the device to isolate its separate parts.
When a high level of security is required, since at least when the ciphertext is first
generated, it is generated inside a chip that gets plaintext as input, the possibly
contaminated ciphertext signal can be routed to a shielded area containing a circuit that
re-generates the plaintext waveform, with its own clean clock signal and so on.
Analogous techniques are used to separate the digital and analog areas of high-quality
CD players.
I have recently heard of an idea called "software TEMPEST". The paper by Markus
Kuhn and Ross Anderson deals with this topic in a sophisticated fashion, but I present
here a much more simplistic scheme that may also already be offered for use by
someone out there. While the simplistic scheme allows small characters and the use of
a limited number of colors, it is not something I take too seriously. While measures of
this sort cannot completely prevent electromagnetic eavesdropping, as they do weaken
the easiest method of exploiting such leakage, they might still be as effective as any
simple measure that ordinary computer users are likely to take.
Given that the typical PC uses a monitor with independent signals for Red, Green, and
Blue, rather than a monitor recieving a composite signal for CGA, it is difficult for an
eavesdropper to distinguish between the three colors. However, visually, green is much
brighter than blue, and red, although slightly brighter than blue, is also not as bright as
green.
This can be used to permit text to be displayed like this:
This diagram illustrates both what this scheme is supposed to achieve, and how it may
fall short: the Red, Green, and Blue signals are shown as waveforms, and their sum,
although it is a square wave varying between one signal and two, and even spikes due
to signals crossing with slight time discrepancies are avoided, would still betray the
text on the screen because of real-world variations between the three electron guns in a
CRT. This is shown in the diagram in a very simplified form; a stray inductance causes
ringing in the blue signal, while too much capacitance to ground smears the green
signal.
A truly determined eavesdropper has the options to listen to other signals from your
computer, as well as finding small differences in timing or level between the three
color signals, or even exploiting the fact that the three electron guns in a CRT are
physically displaced from one another.
To avoid leaking any useful information at all, subject to the assumption that the
eavesdropper cannot distinguish between the Red, Green, and Blue signals these rules
are followed in producing text like this:
● In background areas, odd pixels are always purple; even pixels may be red or
blue.
● In foreground areas, odd pixels may be blue-green or yellow; even pixels are
always green.
● A transition between background and foreground only takes place where the
foreground pixel is odd and the background pixel is even. In such a transition,
either the background pixel is red and the foreground pixel is yellow, or the
background pixel is blue, and the foreground pixel is blue-green.
This requires that the text characters always begin and end on an odd pixel; this can
even be done with a 5 by 7 font, provided one allows it to have a chunky, squarish
appearance.
The intent of these rules is to ensure that, between any two pixels, there is always
exactly one of the three additive primaries, Red, Green, or Blue, that changes between
on and off, and furthermore, that the change always alternates between on and off, two
being on for every odd pixel, and one being on for every even pixel.
Here is an illustration of the kind of alphabet required, as well as a sample of the

appearance of this kind of text when it is not enlarged, to show that it can actually be
sort of readable.
And, since web pages are viewed at higher resolutions than is consistent with the
normal use of a 5 by 7 font, here is the same illustration at double size:
which gives a more accurate illustration of how such text might appear in actual use, on
the type of low-resolution eight-color display to which it is suited.
The "software TEMPEST" technology and fonts of Kuhn and Anderson, for which
they hold a patent, involves fonts that are far less bizarre, perhaps looking somewhat
like this:
Their paper also notes that an early proposal for something similar took advantage of
the fact that early video displays needed to return to black after each pixel to prevent
blooming, and so I suppose that would have allowed one to get away with using a font
that looked .
Incidentally, my design for a strange font can be used to provide a fairly transparent
security against another form of interception with a small change: if one exchanges the
roles of the red and green components of the image, the text is no longer readable
normally, but becomes quite legible when viewed with a red filter:
and, of course, techniques for producing altered text with this property are quite old,
having been used in merchandising contests, children's games, and even for
programmed instruction.
It might also be noted while this variant would also provide the same limited protection
against RF interception from a CRT as my original variation, neither would be useful
for that purpose on a laptop, where the second version is most useful against casual
eavesdropping, since laptop displays go through the colors in sequence instead of
simultaneously. The principle of Kuhn and Anderson, on the other hand, can be used
with laptops, but the font needs to be designed for the particular ordering of red, green,
and blue stripes used in a given laptop. The principle required for a laptop, or other
LCD display, is illustrated below:
Of course, sometimes the problem of having electrical emissions or other information

about your enciphering being monitored cannot be solved. An illustration of a way to
deal with this difficult circumstance is provided, although it may not be a practical one.
● When Someone's Looking Over Your Shoulder

Next
Table of Contents
Home Page
When Someone's Looking Over Your

Shoulder
In addition to providing a secure cipher, and retaining any keys securely, a cipher
machine should not leak out, through electromagnetic radiation, information about the
key it is using or the plaintext message it is encoding or obtaining by decryption.
Can anything be done in the extreme case when this is absolutely not possible, and one
knows one's adversary can see everything you type, and everything that appears on
your computer screen?
This system, too complicated, I fear, for practical use, and not actually that highly
secure when an eavesdropper is present (the amount of time that one spends looking at
a particular screen is important side information) I at least think might be suited to the
purposes of a spy novelist who wants to write an exciting story involving a struggle to
decode a message.
Let us say that the individual trying to encode a message uses a computer program
which, using a key and a fancy algorithm, generates random numbers then used to
produce screens like these:
0 YEJTLUNSWRHPFKCQDAMOXBVGIZ
1 KGYQULXIAHZOCBJSTDNFWERVPM
2 ZGUXMLHQPOBYAIFDNJETRSCVKW
3 AVNUYLPSGXORIQFCBZKWTJDHEM
4 PJGAWRUCBLZQKYNSETIDMVXFOH
5 QRTNXSKLWUGBJHEZYOFMVCAPDI
6 ISJQBPAXGTYRWOLNHCMKUFZEDV
7 ZHJMRQCNKTWLXPYEOUBDAVGIFS
8 UNYQKLVAOPFTISRJMEXCHWGBDZ
9 LRCUOWIVGTEYASFPDXBJMQNZKH
7 428 32 901 2654

312 5 4033 171 22
and screens like these which alternate with them:
0123456789
----------
0 9498261073
1 5032717568
2 3187503914
3 4270134132
4 6915325341
5 1766098250
6 7301650687
7 8523972825
8 0649849409
9 2854486796
To make use of these screens, our spy or diplomat or whatever has memorized a secret
number: 563. Also, the acronym PCB, standing for Plaintext/Cipher/Both (instead of
polychlorinated biphenyl) is part of the system.
The first step in enciphering a message letter is to look for the leftmost 3, 5, or 6 (the
three digits of one's current secret number, of course) in a column within the two rows
of digits under the set of alphabets. If none is found, or if both digits in the first column
with one are from that set, the screen is skipped. Also, if a blank rather than a digit
shares the column with our first digit from the set, we skip the screen.
Here, we find a 3 with a 7 above it in the first column. The two digits after the 3 are 12.
(If the two digits after the number found were the same, we would again skip the
screen.)
Since 3 is the third digit of our secret number, "Both" applies: which of the three digits
of the secret number is the one found alone in the two rows of digits determines
whether a Caesar shift of 1 is applied mentally to the plaintext letter, the cipher letter,
or both letters.
Our plaintext letter is T. We bump it ahead in the alphabet (Both includes plaintext) to
U, and look for U in alphabet 1.
X is found before it - we alternate from left to right as we go through our message (as
part of the 'system' and not the 'key', this sort of thing would provide no security, but
other agents could use a different rule) - in alphabet 2. It's changed to Y, since "Both"
includes ciphertext.
Meanwhile, after the 7, the next three digits are 428. These are used to derive the three-
digit secret number used for enciphering the next letter in the message.
On the next screen, we put the digits 428 in at the side, and our secret number 563 is
the key, used at the top. So our new secret number is 239. We only look for a new
secret number if we had not skipped the immediately preceding screen with rows of
letters.
Next
Table of Contents
Home Page
Key Management
In the simplest case, when two individuals wish to communicate secretly, all that is
needed is that they prearrange a key which only they share. If each one generates a
public key, keeping secret the corresponding private key, then only authentication of
the public key, not secrecy, is required to allow the two to correspond securely.
Already, though, we have met one case where things become more complicated than
that. In the conclusions to Chapter 2, it was observed that if two correspondents, or a
larger pool of trusted correspondents, wish to exchange securely a large number of
messages, in a cipher with a limited resistance to cryptanalysis, it is necessary to
change the key that is used on a frequent basis.
The general practice for this has been to divide the key into three parts. One small part
is changed with each message, and may be sent in the clear or encrypted somewhat as
required. Another part is kept secret, and changed each day, from prepared lists issued
monthly. A third part involves secret elements of the cipher system, such as rotor
wirings, that are not practical to change rapidly, but which still can be altered from
time to time.
This illustrates how key management becomes more complicated in order to solve the
problem of limiting the amount of text transmitted with the same key.
We will be examining in this section key management measures intended to solve other
problems.
Looking at the IBM key management scheme outlined in their Journal of Systems and
Development shortly after the announcement of DES, we will see a system designed to
solve the problem of secure communications in a computer system where the operating
system is not fully trusted, and even legitimate users of the same computer system are
not trusted with each others' communications. Hardware with a very limited capacity to
store keys is used to provide the required security.
Kerberos is oriented towards a case where users, rather than terminals, have keys, and
deals with the problem of the initial identification and set-up of a user, in a system
where communication links can be tapped, but some computer systems are trusted to
some extent, and encryption may be performed in software.
The section on military key management discloses no secrets (I don't know anything
secret; if I did, I would not be writing so chatty a web page on so sensitive a topic as
cryptography) but it examines the problem of maintaining the security of
communications in a wide communications network, in the face of compromise of
some of its parts.
The section on "Red Thread" resistance discusses how computer (object) programs and
cryptographic hardware can be rigged, and ways to avoid that danger.
The section on Key Escrow deals with a subject that has aroused controversy; how to
provide supervisory access to encrypted communications without (otherwise)
compromising their security.
● The IBM Key Management Scheme for DES

● Kerberos
● Protocols and Privacy Amplification
● Passwords and Protocols
● Military Key Management
● Red Thread Resistance
● Key Escrow
● Pass Phrases and Randomness
● The Interlock Protocol

Table of Contents
Home Page
The IBM Key Management Scheme for

DES
In the late 1970s, after the Data Encryption Standard stimulated interest in commercial
applications of cryptography, IBM disclosed in a series of papers by its technical
personnel an architecture for a cryptographic facility that could use DES, and could be
incorporated into systems such as their 3278 terminals and their System/370
mainframes.
Encryption was to be performed via special-purpose hardware, attached to terminals

and hosts.
The Terminal Cryptographic Facility
The functions provided by the terminal cryptographic facility were simple enough, and
besides being easy to understand, will make apparent the general thrust of this system.
An authorized person can set up a terminal with a "terminal master key". This is called
the WMK (Write Master Key) operation.
Regular users will, in normal operation, be supplied with session keys by the host
system which will be encrypted with their terminal's master key. Loading such a key
into the terminal cryptographic facility means that it will decrypt that key, using the
terminal master key, and will then store the result as the current working key. This
operation is called DECK (Decipher Key).
No operation will be provided to perform encryption or decryption using the terminal

master key where the result is disclosed, or to reveal either the terminal master key or
the current working key. (Previous working keys will not be retained in the device.)
However, one additional operation can be allowed without compromising security:
LKD (Load Key Direct) allows one to load in an unencrypted working key, so that the
cryptographic system can also be used for DES encryption outside the regular
framework of this secure system.
Once a working key is loaded into the facility, it can be used to encipher and decipher
via the ENC (Encipher) and DEC (Decipher) operations.
One can use an LKD operation, or even a DECK operation, to load the device with an
invalid key to clear the key after one is finished.
The Host Cryptographic Facility
The cryptographic facility at the host is, like that at the terminal, assumed to have only
limited storage for keys. However, it has to communicate with a number of terminals
which is not to be strictly limited. Also, the host is assumed to be a time-shared
computer system. Therefore, the cryptographic facility only retains master keys within
itself, and must be supplied, each time it is used for decryption or encryption, with any
session or terminal key (which may itself be encrypted) to be used for that operation.
(It is noted, however, that an encrypt or decrypt operation may be extended to encrypt
or decrypt multiple blocks for one decryption of the key.)
Like the terminal facility, there is an operation which can only be performed by
authorized personnel, SMK (Set Master Key) which initializes the device by loading
it with its master key. Later, we will see that there are some operations which need, for
security, to be done with master keys differing from each other. However, the
descriptions of this design note that it is possible, without destroying security, to use
variants, obtained by a known method, of the secret master key for those purposes -
even as trivial as the master key XOR 0101010101... in one case, and the master key
XOR 110011001100... in another.
The normal data encrypting and decrypting operations are ECPH (Encipher Data) and
DCPH (Decipher Data). These use the master key to decrypt a submitted session key
in external form, and then use that key to either encrypt or decrypt, respectively, one's
data.
Also available is EMK (Encipher Under Master Key), which enciphers data under
the host master key. This instruction is used to prepare keys for later use with the
ECPH and DCPH instructions.
With the instructions we have seen so far, it is clear how secure communications could
be set up with multiple terminals. Initially, at some time when the computer is secured
from other uses, the terminal master keys of all the terminals are randomly generated.
These keys are then entered into the terminals, using their WMK instructions.
Meanwhile, the host system applies the EMK instruction to all the terminal master
keys, retaining only the encrypted versions.
Later, when communications are to be set up with a terminal, one can proceed as
follows:
The host system will generate randomly a session key. Using the encrypted version of
the terminal's master key in storage, the host system can, using an ECPH instruction,
encipher the session key under the terminal's master key. This encrypted session key
will be sent to the terminal. The terminal can then use a DECK operation to load in the
encrypted session key. Meanwhile, the host computer must also apply an EMK
instruction to the randomly-generated session key to produce a copy of the session key
encrypted with the host master key. Now, when the terminal executes ENC and DEC
instructions with the key it has loaded in, and the host executes ECPH and DCPH
instructions with the encrypted session key, both will be performing DES encryption
and decryption with the original session key, and thus the terminal and host can
communicate.
This does, however, require that the session key be created, and temporarily be stored,
on the host system in clear form. Initially, the terminal master keys were on the host
system in clear form, which is even worse, but this need only be done once, when no
other users are allowed on the system. Additional instructions are present in the host
facility to allow this danger to be avoided.
Also, the session key is sent to the terminal enciphered under the terminal master key.
This can't be changed, but in the present set-up, it's unacceptably dangerous, because
the clear session keys are enciphered under that key using an ECPH instruction. Having
the terminal keys on the host system, enciphered under its master key, means that
someone could intercept the session key in transmission, find the encrypted terminal
master key in storage, and use it to decrypt the session key.
So we wish to keep the terminal master keys on the host system in a safer form, that
can only be used to encrypt session keys, not decrypt them. And we want to avoid
having to have session keys existing in the clear outside the cryptographic facilities at
both ends.
This is achieved by adding an operation called RFMK (Re-encipher From Master

Key) to the system. Given a copy of the terminal master key - enciphered, not under
the regular host master key, but under an auxilliary key, which could even be a variant
of the host master key, as mentioned above - and a copy of the session key, encrypted
under the regular host master key, it produces a copy of the session key encrypted
under the terminal master key. The regular host master key is called KM0, and the
auxilliary key used here is called KM1. The action of RFMK is: given two keys as
inputs, it deciphers the first under KM1, and it deciphers the second under KM0. Then,
it uses the deciphered first key to encipher the deciphered second key to produce the
result.
Initially, to create the copies of the terminal master key enciphered under the auxilliary
key, one can use a copy of KM1 enciphered with itself as the first input to an RFMK
instruction; as the second input, a copy of the terminal master key, encrypted under
KM0 as produced by the EMK instruction is used. The copy of KM1 enciphered under
itself is not left available afterwards, so as to avoid giving users the ability to encrypt
arbitrary values under KM1 - with this ability, they could take any quantity enciphered
under the host master key, and translate it to be enciphered under any key of their
choosing, essentially inverting the EMK instruction, and therefore being able to read
any session keys stored for use on the host system.
The other problem, of generating session keys in the clear, is avoided simply: since we
can now start from a session key enciphered under the host master key, and proceed
directly from it to a session key enciphered under a terminal master key, instead of
using the EMK instruction, when we generate a key as a 64-bit random number, we
consider that to be the session key after encryption under the host master key. (Note
that this means that, when we decipher encrypted keys for use with DES, we have to
ignore the parity bits that are usually used to validate DES keys.)
If instead we were to consider it to be the session key after encryption under the
terminal master key, we could instead use an instruction that deciphers under a terminal
master key and subsequently enciphers under the host master key. Such an instruction
might seem less dangerous, since it doesn't threaten to invert the EMK instruction.
Such an instruction will be examined shortly, for use in maintaining encrypted files.
Since the RFMK instruction is already present, and having an inverse of it available
would be dangerous, a second auxilliary key, KM2, is used with this new instruction.
But using such an instruction for communications security would allow people to take
an intercepted session key (enciphered under the terminal master key, from a
transmission) and make it more useful, by converting it to a form enciphered under the
host master key, with which the DCPH instruction allows them to decode the
transmission.
However, when we examine this objection, we also note that the session key encrypted
with the host master key is retained in the host computer's memory in the former case
as well. If we assume that the operating system on the host computer is not secure, then
plaintext going in to or coming out of the host cryptographic facility can always be
intercepted. Some additional assumptions, regarding how some areas of computer
memory are more secure than others, or that long-term security cannot be guaranteed,
but short-term security is assumed, are required to provide genuine effectiveness.
Possibly the RFMK instruction should be replaced by a variant of the ECPH and
DCPH instructions that takes as input, besides the data to be encrypted or decrypted,
the terminal key encrypted under KM1 and the session key encrypted under the
terminal key, so that the session key encrypted under KM0 need never be visible.
The instruction RTMK (Re-encipher to Master Key) takes as its two inputs a key
(generally, a secondary file key) enciphered under KM2, and another key (generally, a
file key) enciphered under the secondary file key (in its original, unencrypted form),
and produces the file key enciphered under KM0 (in which form, it is available for use
with the ECPH and DCPH instructions).
This allows the enciphered file key to be stored with the file. The secondary file key
unlocks the file, so it appears that this key must be kept secret. Instead, since it does
need to be kept in the computer's memory for later use, the RTMK instruction is made
a privileged instruction. While the SMK instruction may require a physical key to
enable it, the RTMK instruction is privileged in the sense that only the operating
system may use it. The RFMK instruction, since its use is in key management, is
restricted in this way as well.
Other master key variants are later discussed in connection with this protocol: KM3,
for handling communications between hosts; KM4 for random number generation; and
KM5 for authentication. These, however, are not stored in the cryptographic facility,
but are protected by the use of the RTMK and RFMK instructions.
Next
Table of Contents
Home Page
Kerberos
The Kerberos protocol, developed at the Massachussets Institute of Technology as part
of Project Athena, is used to allow users to log in securely to computers which belong
to a network.
This protocol assumes a network of computers, with one trusted computer or several
verifying the identity of users to the computers to which they wish to log in, and
supplying session keys so that the communications between the user and that computer
can be encrypted.
Beginning a session with another computer under Kerberos requires the exchange of
five messages:
● First, a message is sent in the clear to the master security server (also called
Kerberos), consisting of the user's login ID and the identity of the security
server (called a ticket-granting server) from which the user is requesting
authentication to open a session with a computer on the network.
● Second, the security server generates a random session key and sends that to the
user, encrypted with the user's secret key. (The user's secret key is a hash of the
user's password.) It also sends the user, encrypted with its own permanent key, a
"ticket", which includes a timestamp, the user's identity, the random session key
divulged to the user previously within this message, and the service the user is
requesting (of the security server).
● Third, the user sends an authenticator to the security server, which consists of
the user's name and a timestamp, encrypted with the user's secret key. This
authenticator is then encrypted with the session key before sending. The ticket,
which identifies the user as authorized to request a ticket for a session with
another computer, is sent back as well, and it is intended that the security server
may safely rely on reading the ticket to find out what the session key is. Also,
the name of the other computer the user wants to communicate with is sent.
● Fourth, the security server responds with another random session key, this one
intended to be used with the requested computer, encrypted with the current
session key for use between itself and the user. And it sends the user another
"ticket"; this one includes a timestamp, the user's identity, the random session
key for use with the requested computer, and the service requested of the
requested computer. This ticket is enciphered with the permanent secret key of
the requested computer.
● Fifth, the user, now having a "ticket" for use with the requested computer,
generates another authenticator, consisting of the user's name and a timestamp,
encrypted with the session key for use with that computer, and also sends the
"ticket", from which the requested computer can verify the user's identity, and
discover what session key is to be used.
It should be noted that while the timestamp on a ticket is intended to prevent replay
attacks, it is valid for a somewhat extended period of time; the timestamp on an
authenticator is only valid for a very brief amount of time, as authenticators are
intended to be only used once.
In Kerberos version 4, when a ticket is sent to a user, it is also encrypted under the key
known to the user at that stage: by the user's secret key in the second message, and by
the session key for use with the security server in the fourth message. In version 5, this
encipherment, not being seen as necessary for security, is omitted to save computer
time. In version 4, the PCBC mode of DES is used for encryption; in version 5, CBC
mode is used, and there is provision for use of block ciphers other than DES.
Incidentally, PCBC mode was used without the transmission of an initialization vector:
instead, the DES key, known to both parties, served as the initialization vector without
being transmitted.
Also, in Version 5, the user's secret key is derived not only from the user's password,
but from "salt", consisting of the user's location on the system and a timestamp added
to the first message. This makes dictionary attacks on passwords somewhat more
difficult, but they are still possible. For this reason, and because there might be
applications where security is desired, but there is no secure initial contact for
communicating a password secretly to the user or the server, there are several proposals
to improve and extend Kerberos by adding steps involving the use of public-key
cryptography to it.
The following diagram may make it clearer what is happening in Kerberos:

In the first line, the user machine, colored red, sends a message in the clear identifying
itself (a red N) and the ticket-granting server it wants to talk to (its name being a blue
N) to the Kerberos server.
The Kerberos server knows the permanent secret keys of all the users, shown by a red
key beside it for the current user, and the permanent secret keys of all the ticket-
granting servers, shown by a blue key beside it for the ticket-granting server requested.
It responds by providing the user with a session key for communicating with the ticket-
granting server, shown as a purple key. This key was generated by the Kerberos server
at random, so it knows that key also, shown by a purple key popping out of thin air
beside the server. The purple key is in a red box, which means that it is encrypted with
the user's secret key. The user also recieves a ticket, which is shown as another purple
key, plus a red N, in a blue box: the red/blue session key, and the name of the user,
encrypted in the ticket-granting server's key.
The user then presents the ticket to the ticket-granting server, along with an
authenticator - a copy of its own name, and a timestamp, encrypted in the session key.
As well, it sends a green N to the ticket-granting server, to identify the computer for
which it wants a ticket. The ticket-granting server can unwrap the ticket, since the blue
key is its own secret key, and finding the session key it can verify the authenticator. As
well as knowing a secret key of its own, it knows the secret keys of the ordinary
computers it serves, shown by a green key, the secret key of the computer requested in
the example session.
The ticket-granting server then follows in the footsteps of the Kerberos server,
generating a session key (this time shown as brown) for communications between the
user and the computer the user had originally set out to use. This session key is given
to the user enciphered in the purple session key given to the ticket-granting server and
the user by the Kerberos server; it is also enclosed, with the user's name, in a ticket,
which this time is in a green box, that is, enciphered in the permanent secret key of the
computer the user wanted to use.
Finally, the user presents the ticket, and an authenticator, to the computational server,
thus providing it with the brown key which will protect their productive interactive
session.
Note that in the diagrams, the ticket is shown before the authenticator, since the
recieving server needs to unwrap the ticket before it can verify the authenticator. Also,
it might be noted that the use of a timestamp in the authenticator is what distinguishes
and simplifies Kerberos; a more traditional protocol might have the server generate a
random number, send it to the user, and the user then sends it back encrypted with the
session key inside the ticket for authentication. The server can be requested to
authenticate itself; in Kerberos, this is done by sending the timestamp plus one in the
session key.
Next
Table of Contents
Main Page
Protocols and Privacy Amplification

In the previous section, we have examined the Kerberos system, which provides
cryptographic protection to networked computers.
It had one important limitation: if a user chooses a poor password, that is, not one so
poor that it could be guessed in a few tries at a computer terminal for attempts to
directly log on to the actual system, but merely one poor enough that an attacker trying
thousands of passwords from a list on a computer of his own could find the password
on that list, that user's security can be compromised.
Note that the IBM system examined in the section before it did not have this weakness;
it, however, depended on tamper-proof hardware being present on the user terminals.
With this proviso, it is possible to do anything public-key methods can achieve, and
more. Kerberos, however, did not even use any public-key techniques.
This technique, a dictionary attack, had also been used against password files on
classic Unix systems: two countermeasures were employed to block this attack there:
one was salt, a random value which is hashed with the user's password (this prevents
the attacker from precomputing a dictionary of hashed common passwords, but a
dictionary attack remains possible, just somewhat slower, as the dictionary must be
hashed for each user under attack) and another was a shadow password file (in Unix,
unlike in most other timesharing operating systems, the file with user IDs and the
hashes of their passwords was actually readable by all normal users of the computer),
which meant that the attacker could not read the file with the hashes of user passwords.
Securing Kerberos Simply
How can Kerberos be modified so that it is immune to the dictionary attack?
Kerberos is vulnerable to a dictionary attack because there are components of some

messages that are encrypted with the user's permanent secret key (the one derived from
the user's current password) that can, in combination with components of other
messages, be seen to be correctly deciphered if a correct guess at the user's password is
applied to them.
Specifically, the second message, from the Kerberos server to the user, contains a copy
of the session key for the dialogue between the user and the ticket-granting server. This
session key is then used by the user to encipher an authenticator which is sent to the
ticket-granting server in the third message. That authenticator contains the current time
and the user's name, and since these two values are public information, a correct value
for the session key, which a correct guess at the password would yield, can be seen to
be correct when these two values emerge.
If the Kerberos server had a public key, and the first message from the user to the
Kerberos server were enciphered in that key, and included a random value which
would be combined with the user's permanent secret key to encrypt the first session
key, an eavesdropper would not have the information available to mount a dictionary
attack.
An attacker who impersonated the user would recieve a copy of the first session key,
encrypted by means of a known function of the user's permanent secret key. But since
the first session key is only a sequence of random bits, the encrypted first session key
would be of no use for a dictionary attack.
If the first message included an authenticator for the user's permanent secret key (the
user's name and the current time enciphered with it), that would further guarantee the
user was genuine, and encrypted it would not be available for a dictionary attack.
If, however, the user only sent the authenticator, encrypted with the server's public key,
and no random padding was used in the public-key encrypted block, then a brute-force
search would still be possible, by noting the time, and creating an authenticator, and
then encrypting it with the server's public key, for every password tried.
Privacy Amplification
Several related techniques have been developed for making use of a small shared secret
such as a password for achieving a high security of communications between two
parties. These techniques have been developed recently, and some of them are
protected by patents.
The simplest of these techniques to understand, and the one that most obviously
provides privacy amplification, is EKE, or Encrypted Key Exchange.
Instead of the parties having permanent public keys, they generate a new public/private
key pair for each session, but each party sends its "public" key to the other party
encrypted, using the small shared secret as the key.
In order for this to work, brute-force search on the small shared secret must be
impossible, hence the portion of the public key that is encrypted with it must have the
form of a string of random bits. Hence, this technique cannot be used by enciphering
the modulus for RSA.
Privacy amplification is obtained, because to read a message, if the encryption
techniques used are effective, one has to do a brute-force search on the conventional
encryption key, and then solve for the private key from a public key for each value
tried in the search.
Another technique, SPEKE, is based on the Diffie-Hellman method of key

establishment.
In Diffie-Hellman, a common modulus, P, and a common base, A, are agreed upon by

both parties. Each party generates a secret number, x for the first party, and y for the
second. The first party communicates A^x (modulo P) to the second party, and the
second party communicates A^y (modulo P) to the first. Both parties can compute A^
(xy) (modulo P), since that is both (A^x)^y and (A^y)^x, but an eavesdropper, knowing
only A^x and A^y, cannot.
In SPEKE, the common base, A, is derived from the shared secret. Also, x and y are
equal to twice random integers produced by each party.
Another technique is SNAKE. In this case, the modulus P is a function of the shared
secret. However, instead of just one modulus, a function is provided to create different
moduli based on other inputs in addition to the shared secret.
Thus, both users create a family of secret random numbers; the first one creates x1, x2,
x3 and so on, the second y1, y2, y3. Each user also creates a family of public random
numbers, the first a1, a2, a3... and the second b1, b2, b3 and so on.
P1 is a function of a1 and the shared secret; P2 is a function of a2 and the shared secret,
and so on. (The function is also varied each time, so that if a1=a2, it is not the case that
P1=P2.)
The first user calculates and discloses b1^x1 mod P1, b2^x2 mod P2, b3^x3 mod P3
and so on; the second user calculates and discloses b1^y2 mod P1, b2^y2 mod P2,
b3^y3 mod P3 and so on. So, as in Diffie-Hellman, both users can calculate b1^
(x1*y1) mod P1 and so on.
Finally, in SNAKE, the agreed-upon secret key depends on these secret values, but is a
hash of all the public information exchanged followed by the secret values obtained by
the Diffie-Hellman method.
Another of these techniques is SRP, which is also a variant of Diffie-Hellman. In this

technique, in addition to both participants generating a random number, one x and the
other y, a third number, z, is a function of the shared secret.
The user generates A^x, and passes it to the host. The host generates A^y, but sends
A^y+A^z to the user.
Both the user and the host know what z is, so subtracting off A^z is not a problem for
the user, but it would be for the eavesdropper.
Thus, the user knows x, A^y, and z, and the host knows A^x, y, and z. The Diffie-
Hellman method is now modified so that what the user and host both know is (A^y)^(x
+z) which equals (A^x*A^z)^y. The user in this method is proving twice to the host
that it knows z. A hash of this calculated quantity is used as the session key.
Other Protocols
One interesting thing that can be done using only a hash function, is bit-commitment or
coin-flipping.
Given a one-way hash function, two people can proceed as follows: each one generates
a random number, and then transmits the hash of that random number to the other
person.
After both have done this, they can then transmit the original random numbers to each
other, and both can be sure that neither party altered his random number based on
finding out what the other person's random number was. Hence, the XOR of those two
random numbers can be treated as if it was a genuine random number by the two
parties (but not necessarily by anyone else) for basically the same game-theoretic
reasons that make playing randomly the best strategy for scissors-paper-stone.
An interesting example of a smart-card protocol, UEPS, is described in Bruce

Schneier's Applied Cryptography.
It involves tamper-proof cards and machines into which the cards are inserted; both
customers and merchants have cards, but of two different types.
A customer card contains the customer's ID and two secret keys which are functions of
the customer's ID, and it is able to carry out two secret hash functions. A merchant card
is able to carry out the secret algorithm to produce a customer's two secret keys from
the customer's ID. Both cards can derive a 56-bit DES key from an encrypted message.
A transaction proceeds as follows:
● The merchant card transmits the merchant's ID to the customer in the clear.
● The customer card transmits the customer's ID in the clear, and encrypts using
both secret customer keys in turn and sends a message consisting of the
customer's ID, the merchant's ID, and random padding.
● The merchant card decrypts and verifies the message recieved from the
customer. It then uses the encrypted message from the customer, as encrypted
with only one of the customer's secret keys instead of with both, (the
intermediate result in the original encryption is used) to produce a session key.
The merchant card then encrypts using first the session key, and then the other
one of the customer's secret keys, a message consisting of the merchant's ID, the
customer's ID, and random padding.
● The customer's card also generates the session key, and uses that as well as the
appropriate one of its own secret keys to decrypt and verify the message
recieved from the merchant. The merchant's message, encrypted with only the
session key, is used to produce a second session key. The second session key is
used to encrypt the transaction, which consists of the IDs of both parties, the
amount and type of the transaction, and the two secret hash functions of that
information. One secret hash function is for the use of the bank, and the other is
for the use of the clearing center. (Since the customer cards can carry out those
hashes, presumably the merchant cards can also safely be allowed to do so, so
that they can be verified as well.)
Next
Table of Contents
Home Page
Passwords and Protocols

Many multiuser computer systems require someone wishing to use the computer to
supply a user ID and a password. The operating system then looks up the user ID in a
list, and determines if the password is correct, before allowing the user to proceed.
This simple procedure had some potential problems.
In the UNIX operating system, it was decided to put the list of user IDs and passwords
in a text file that was generally available to programs on the system to read, but not to
alter. This allowed programs on the system to make themselves available only to
certain users. To prevent revealing everyone's password, the list didn't contain actual
passwords, but instead a hash function of the password.
This was seen as such a good idea that other operating systems, which already made
the password file inaccessible (as UNIX and related operating systems later did with
"shadow password files") adopted it as well.
However, it still had its limitations. One could not calculate backwards from a hash to
obtain a password. But one could try a list of passwords, hashing each one, until one
matches the hash that is seen. This becomes easier for a computer to do when people
use passwords that are easy to remember; it is called a "dictionary attack", and is the
reason people are advised not to use a single word as a password, but to use special
characters and unconventional capitalization in passwords. Many systems limit
passwords to 8 characters in length, which increases the need to do this, and which
makes it considerably harder to construct a password which is both secure and easy to
remember.
One step that did not make this attack impossible, but which made it a bit less trivial,
was to include "salt" in password files. In this case, the list of passwords contained
hashes of the password plus a random value (which is what was called the "salt"), and
the hash and the random value both appeared in the list. This meant at least that an
attacker had to, based on the random value for a specific user, perform the hash of the
possible passwords in his dictionary once just to attack that user's password. Without
"salt", a dictionary containing precomputed hashes could be used directly against an
entire password file.
Another fundamental problem was harder to solve, since it required that the user's
terminal have local processing abilities: when the user types his password at a terminal,
an eavesdropper could discover the password.
Today, of course, people don't buy terminals, they use their PCs as terminals. So it is
possible for the link between a remote user and a computer to be encrypted.
We have seen in the preceding section that a short shared secret, such as a password,
can be very powerful in combination with public-key cryptography, using methods like
Encrypted Key Exchange.
A number of protocols have been proposed that address the problem of setting up a
highly secure connection between a user and a computer with the help of a password,
as well as addressing the question of security if an attacker can also read the password
file stored on the central computer.
Kerberos illustrates how two parts of this problem can be addressed.
To prevent an eavesdropper from finding information that can be used for a later
fraudulent logon, one can use a challenge-response protocol. In its simplest form, the
user provides his logon ID along with a hash of his password plus a random number
with which he was provided by the computer to which he seeks to log in.
Since a different random number will be provided on subsequent occasions, an

eavesdropper cannot use the hash intercepted to log in later.
To verify the hash, though, the computer needs a copy of the original password. Of
course, one could keep H(password) on the computer, and make H(H(password)
+random number) the response to the challenge-response protocol. But then H
(password) would be all the information needed to log in fraudulently.
This problem, though, was also addressed by Kerberos. While the password list needed
now to be kept secure, it was kept on a central computer used to maintain security.
Once a user's identity was verified, the user was given a coded credential to use to
prove his identity to the computer that he - and other users - were allowed to use. That
computer didn't have a copy of the password file, and so the fact that people could use
it for their own computations, and possibly compromise its security, didn't put user's
passwords at risk.
Now we will examine various proposals to address this problem which make use of
public-key cryptography as well to gain greater security.
SRP
SRP uses techniques based on Diffie-Hellman to improve the security of logging on to

a computer.
For each user, the central computer stores the following two items:
● a random salt value, and

● a Diffie-Hellman public key, the corresponding private key to which is a hash of
the user's password plus the random salt value. This is called the "verifier".
Note that a dictionary attack on the password (the Diffie-Hellman base and modulus
used have to be available to all users of the system) is possible if an attacker reads
these two items, although the need to perform a public-key computation for each trial
does slow it down somewhat.
The protocol proceeds as follows:
● The user sends his or her user ID to the host computer.

● The host computer replies with the user's salt value (s).
● The user generates a nonce Diffie-Hellman key pair (x, X=A^x), and sends the
public key from that pair (X) to the host computer.
● The host computer generates a nonce Diffie-Hellman key pair (y, Y=A^y). Then
it sends a random value to the user (r), along with the sum (V+Y) of the public
key from that nonce key pair (Y) and the verifier (V). This sum is also a Diffie-
Hellman public key, and the private key which corresponds to it is the hash of
the user's password and the user's random salt value, but the host computer does
not retain this value.
● Both parties can, however, derive a common session key at this point. The user's
computer, having been informed of the user's salt value, can calculate the hash
of the user's password and the user's salt value (v) that was used to produce the
verifier (V=A^v). Thus the user can compute the verifier by raising the base to
the power of this value, and subtract it off of the value transmitted by the host
computer to obtain the host computer's nonce public key. Thus, the user,
knowing v, r, V+Y, and x, calculates the common session key as V^(x+rv), and
the host computer, knowing X, y, V, and r calculates the common session key as
(X*(V^r))^y. Thus, Diffie-Hellman is performed, but both the random value and
the hash of the user's password participate in masking the exchange.
● Both parties then hash the resulting common value to get the actual session key,
and then they verify to each other that they posess it by sending each other
hashes of quantities including this actual session key.
PAK-R
PAK-R also proceeds by masking a Diffie-Hellman key exchange. The host computer
retains the user's actual password, or at least the same quantity as is used in the user's
computations, so if the password file is compromised, it is directly insecure, without
even the need for a dictionary attack.
Again, this is not a fatal objection, since one can expect that SRP and PAK might be
carried out on a security server similar to the one in Kerberos.
For PAK-R, Diffie-Hellman calculations are performed on a prime P of the form uv+1,
where u is not a multiple of v. This facilitates masking the Diffie-Hellman exchange.
The steps in PAK-R are as follows:
● The user generates a nonce Diffie-Hellman key pair (x, X=A^x), and calculates
a masked version of his or her public key by calculating a random value r, and
multiplying the public key by r^v and also by h, the hash of the user's password.
This value, X'=(A^x)*(r^v)*h, is transmitted to the host computer.
● The host computer generates a nonce Diffie-Hellman key pair (y, Y=A^y), and
transmits the public key portion of it to the user.
● The user calculates the session key in the normal Diffie-Hellman fashion, by
calculating Y^x, and the host computer determines X^y, also the session key, by
calculating (((X'/h)û)^y)Û where U is the multiplicative inverse of u, modulo
v.
Again, I omit further steps where this common session key is hashed, and further
hashes are used to verify its joint posession.
Augmented EKE
The presentation of Augmented EKE is quite general, and I am simplifying it here, by

describing only one specific case, to make it easier to understand. I believe that the
special case I present here is a valid example of augmented EKE.
Let a hash of the user's password (h) be used as the private key for a Diffie-Hellman
key pair, of which the public key is H=A^h.
Use H also as the conventional encryption key for EKE as described in the previous
section in the normal manner. The host computer has a copy of H, so, once again,
dictionary attacks are possible, but this isn't a problem if the host is a security computer
and not the ultimate computational host.
Then, using the session key established by EKE, the host computer generates a nonce
public/private key pair for Diffie-Hellman (y and Y=A^y), and the user's computer
proves that it knows h by successfully establishing communications using the normal
common session key Y^h=H^y additionally protected by the other session key.
Kaliski-Ford
The Kaliski-Ford protocol finally does address the question of dictionary attacks
directly. It does so by distributing the information needed for such an attack over a
network of computers which are peers, rather than having a hierachical system with a
security server. A scheme designed for such an environment is, of course, appropriate
for existing networks in many offices.
A given user has a certain set of servers with which he completes preliminary
authentication. Preliminary authentication produces a credential, or "hardened
password", for the user from each server as follows:
● The user's computer calculates a hash of the user's password. This hash is in the
appropriate range for being used as a private key for Diffie-Hellman with p=2q
+1 where q and 2q+1 are prime (hence, q is a Sophie Germain prime) as the
modulus. The public/private key pair is produced, h the hash and the private
key, and H=A^h the public key.
● The user's computer chooses a random blinding exponent k, and sends H^k to
the server from which a hardened password is desired.
● The server returns (H^k)ê, where e is a hardening exponent for the particular
user on that particular server.
● The user, knowing k, calculates 1/k modulo q, and by raising (H^k)ê which
equals H^(ke) to that power, obtains Hê, the hardened password.
After having obtained a complete set of hardened passwords from the required set of
computers, some sort of hash is taken of all these hardened passwords, and this result is
used as a Diffie-Hellman private key; the corresponding public key is kept on the
computer one wishes to use. So that the same set of hardened passwords can be used
for logging on to more than one computer, the target computer's ID is included in the
hash.
Conclusions
Before hearing of Kaliski-Ford, but because I noted that SRP and PAK were (in their
original versions as discussed here) susceptible to dictionary attacks, instead of simply
accepting that a security server could carry them out, I made the concept of a security
server explicit, and came up with a fairly complicated protocol. Originally, I was going
to use EKE to make the communications between the user and the security server as
secure as possible; but since the computational host can retain no long-term secrets, I
could not ultimately retain the increased security that would provide, so I was able,
without loss, to avoid the use of this patented algorithm.
The main thing that I attempted to add was allowing the actual computational host
computer, which could retain no secrets, to verify for itself that the user was authentic.
This could also have been done simply by having it retain a copy of the security
server's public key, to verify signed messages from it, but I went ahead and did things
the hard way.
The computational host computer is the resource access to which is being controlled.
Since it is a resource that users use directly, though, it cannot keep long-term secrets on
its hard drives, but it is assumed that it can keep short-term secrets in its memory.
Therefore, it is trusted, but not secure. The security server, on the other hand, only
performs the single task of verifying users, and can't be used directly. So the
information on its hard drives is secure. But because the host computer isn't secure, an
attacker might be able to mount an active attack on the connection between the host
computer and the security server, so while the security server itself is trusted, the host
computer does not trust messages recieved from it.
My protocol went like this:
1. The user types his ID (UID) and password (UPASS) on the keyboard of his
computer.
2. The user's computer generates a random number (UR1).
3. The user's computer transmits the following to the computational host
computer:
❍ The user's ID (UID), and
❍ encrypted using the public key of the security server (SPUB), a message
containing the following items:

■ A hash of the random value generated by the user's computer (H
(UR1)), and
■ A hash of this hash, encrypted conventionally with a hash of the
user's password as the key.

Thus, the message transmitted is: UID + EPK(H(UR1) + E(H(H(UR1)), H
(UPASS)), SPUB). Note that this does not depend on an externally-generated
random number; protection against replay attacks comes from a later step in the
protocol.
4. The computational host computer now generates a nonce public-private key pair
(HPUB, HPRV) and a random number (HR). This random number will, later in
the protocol, be communicated securely to the other two computers, and is used
as a session key for communications between them.
5. The host computer transmits the following to the security server:
❍ The user's ID (UID),
❍ The encrypted message from the user's computer intended for the
security server, EPK(H(UR1) + E(H(H(UR1)), H(UPASS)), SPUB), and


■ The random number generated by the host computer (HR), and
■ The host computer's nonce public key (HPUB).
Thus, the message transmitted is: UID + EPK(H(UR1) + E(H(H(UR1)), H

(UPASS)), SPUB) + EPK(HR + HPUB, SPUB)
6. The security computer generates a random value of its own (SR). As it knows
its own private key (SPRV) corresponding to SPUB, it can decode the message
transmitted to it. It also has a copy of H(UPASS) for each user, and therefore it
can verify that E(H(H(UR1)), H(UPASS)) and H(UR1) correspond. In addition,
it has a copy of USALT, a random salt value for the user as well. This salt
value, not stored on the user's computer or the computational host, is used to
calculate UVERIFY, a hash of which is stored on the computational host, and
thus prevents dictionary attacks on that computer's password file. Because the
security computer has a copy of H(UPASS), it knows at this stage that the user
is authentic, except for the possibility of a replay attack. (If the user is not valid,
the protocol is halted here.) Now, the task of the protocol is to convince the
computational host computer, which does not contain any secrets, of that fact,
and this will be done so as to eliminate the possibility of a replay attack.
7. Now the security computer sends a message to the host computer which gets
used again later, so we refer to it as message M. Encrypted first with H(UPASS)
and then with H(UR1) as the keys, it contains:
❍ The user's salt value, USALT,
❍ The host computer random value, HR,
❍ The security server random value, SR, and
❍ The host computer public key, HPUB.
8. The host computer retains a copy of this message for future reference.
9. The host computer passes it on to the user's computer.
10. The user's computer thought of the user's random value, UR1, and was given the
user's password, UPASS, and so it knows the hashes of both of them, and can
decrypt message M, obtaining USALT, HR, SR, and HPUB from it. It then
calculates UVERIFY, a hash of H(UPASS) encrypted with USALT as the key.
(That is, UVERIFY = H(E(H(UPASS),USALT)).)
11. The user's computer transmits a message to the host computer encrypted with
the host computer's public key HPUB, consisting of:
❍ The user's random value, UR1,
❍ A hash of a copy of message M, encrypted in turn with:
■ The user's random value UR1,
■ The host's random value HR, and
■ The value UVERIFY, which depends on the password the user
knows, and the salt value the security server knows.

12. The host computer has its own password file, which contains a copy of
UVERIFY for the user, but not USALT or H(UPASS); thus, since it also knows
HPRV and HR, it can decode the message, and verify that the hash is correct.
UVERIFY is almost incidental to the security of the protocol as it stands. Although

normally it can only be calculated with both H(UPASS) and USALT, since the
computational host has a copy of it, it is not secure. One could keep only H(UVERIFY)
on the computational host, and send a copy of UVERIFY to the host in the final
message to it from the user's computer. That would seem to increase security, but since
the host contains no secrets, UVERIFY could be obtained if an attacker were to control
the links to both the user's computer and the security server, and impersonate the
computational host.
Instead, it is HR that proves the identity of the user; HR was only transmitted originally
to the security server encrypted with its public key, so only the real security server
could have read it. And the real security server then sends HR to the user's computer
encrypted with H(UPASS) as a key; this value is kept secret by the security server, and
only the user's computer, with UPASS, can decode it.
The following is an extended version of the protocol that brings a modified version of
UVERIFY into the protocol more centrally, using the idea, from Augmented EKE
above, that one can prove knowledge of a quantity by using it as a Diffie-Hellman
private key to decrypt something sent to you by the posessor of the corresponding
Diffie-Hellman public key.
1. The user types his ID (UID) and password (UPASS) on the keyboard of his
computer.
2. The user's computer generates a random number (UR).
3. The user's computer transmits the following to the computational host
computer:
❍ The user's ID (UID), and

■ A hash of the random value generated by the user's computer (H
(UR)), and
■ A hash of this hash, encrypted conventionally with a hash of the
user's password as the key.

Thus, the message transmitted is: UID + EPK(H(UR) + E(H(H(UR)), H
(UPASS)), SPUB). Note that this does not depend on an externally-generated
random number; protection against replay attacks comes from a later step in the
protocol.
4. The computational host computer now generates a nonce public-private key pair
(HPUB, HPRV) and two random numbers (HR1, HR2). In its password table, it
finds the quantity UVERIFY for the user, which will be defined later, but which
is a Diffie-Hellman public key to which the corresponding private key is a
quantity depending on the user's password. The first of these random numbers
will, later in the protocol, be communicated securely to the other two
computers, and is used as a session key for communications between them.
5. The host computer transmits the following to the security server:
❍ The user's ID (UID),
❍ The encrypted message from the user's computer intended for the
security server, EPK(H(UR) + E(H(H(UR)), H(UPASS)), SPUB), and

■ The random number generated by the host computer (HR1), and
■ The host computer's nonce public key (HPUB);
that is, EPK( HR1 + HPUB, SPUB ).

❍ A copy of HR2, encrypted using the public key UVPUB; that is, EPK
( HR2, UVPUB ).
Thus, the message transmitted is: UID + EPK(H(UR1) + E(H(H(UR)), H
(UPASS)), SPUB) + EPK(HR1 + HPUB, SPUB) + EPK(HR2, UVPUB)
6. The security computer generates a random value of its own (SR). As it knows
its own private key (SPRV) corresponding to SPUB, it can decode the first two
parts of the message transmitted to it. It also has a copy of H(UPASS) for each
user, and therefore it can verify that E(H(H(UR)), H(UPASS)) and H(UR)
correspond. In addition, it has a copy of USALT, a random salt value for the
user as well. This salt value, not stored on the user's computer or the
computational host, is used to calculate the private key corresponding to
UVERIFY. Because the security computer has a copy of H(UPASS), it knows at
this stage that the user is authentic, except for the possibility of a replay attack.
(If the user is not valid, the protocol is halted here.) Now, the task of the
protocol is to convince the computational host computer, which does not
contain any secrets, of that fact, and this will be done so as to eliminate the
possibility of a replay attack. Since information prepared at this stage for
transmission to the user's computer will be encrypted using both H(UR) and H
(UPASS), a replay attacker would not be able to read it.
7. Now the security computer sends a message to the host computer. It consists of:
❍ A copy of the following, encrypted first with H(UPASS) and then with H
(UR) as the keys:

■ The user's salt value, USALT,
■ The host computer random value, HR1,
■ The security server random value, SR, and
■ The host computer public key, HPUB.
❍ Also, it contains EPK(HR2, UVPUB) as sent by the host computer.
8. The host computer passes it on to the user's computer.

9. The user's computer thought of the user's random value, UR, and was given the
user's password, UPASS, and so it knows the hashes of both of them, and can
decrypt message M, obtaining USALT, HR1, SR, and HPUB from it. It then
calculates UVPRV, a hash of UPASS encrypted with USALT as the key. Since
it depends on UPASS and not H(UPASS), even the security server could not
have calculated it. (That is, UVPRV = H(E(UPASS, USALT)).)
10. The user's computer uses UVPRV to decrypt EPK(HR2, UVPUB), where
UVPUB was the Diffie-Hellman private key corresponding to UVPRV as the
private key. (Of course, since EPK is a Diffie-Hellman step, an additional public
and private key pair in the other direction is involved; these keys can be
nonces.)
11. The user's computer transmits a message to the host computer encrypted with
the host computer's public key HPUB, consisting of:
❍ The user's random value, UR,
❍ A copy of HR1, encrypted in turn with:
■ The user's random value UR, and
■ The host's random value HR2.
12. The host computer has its own password file, which contains a copy of UVPUB
for the user, but not USALT or UPASS or even H(UPASS); since it also knows
HPRV and HR1, it can decode the message, and verify that the user correctly
decoded HR2, which nicely authenticates the user.
Using HR2 as an encryption key, and returning HR1 to the host computer, instead of
the other way around, as I mistakenly did originally in this modified protocol, prevents
an attacker impersonating the host computer from mounting attacks aimed at
discovering the value of UVPRV by transmitting chosen values not encrypted with
UVPUB in place of EPK( HR2, UVPUB ) to the user's computer. (Actually, this isn't
really a problem unless one were to use RSA encryption, instead of conventional
encryption with a key derived from Diffie-Hellman key agreement, but I think it's
appropriate to have a protocol that can be used in a flexible fashion.)
Next
Table of Contents
Home Page
Military Key Management

Two users of a program like RIPEM or PGP can communicate by exchanging public
keys, but they are vulnerable to the "man-in-the-middle" attack under some
circumstances. In a military environment, the opportunity to distribute secret keys to
the users of a cryptosystem exists, but keys can be lost or stolen.
Since security is the overriding concern in a military environment, it is possible that a

secure communications system for such users would attempt to combine the benefits of
different approaches to key distribution.
There are, basically, three ways to provide a member of a communications network

with the means to participate in secured communications.
That person may be provided with the public keys of other participants in the network,
and asked to generate a public and private key for his own node.
If public keys are distributed directly to other network members in the same manner
that secret keys are distributed, the problem of authentication is avoided. However,
there is the limitation that a mathematical breakthrough might make it possible
someday to derive secret keys from public keys, because of the restricted number of
public-key algorithms.
That person may be provided with one or more secret keys for conventional encryption.
In that case, these keys are open to compromise by the participants in the network.
That person may be provided with a tamper-resistant hardware module containing key
material which performs encryption functions internally.
Here, no person is provided with key material that can be betrayed; the module can use
symmetric-key algorithms of arbitrary complexity and yet function as a physical
"public key" since it can refuse to perform some possible functions with the key
material it guards within it. However, tamper-resistance is not perfect, and physical
objects can always end up being left behind on a field of battle.
For a military system, it is possible to use all three of these methods of key
distribution, in such a way that the system will remain secure unless all three methods
are compromised.
For each communications session, the session key could be formed from three
components, combined so that no two of them would provide a useful clue to the actual
key.
One component would be transmitted enciphered under the recipient's public key.
Since only the recipient has a copy of his own secret key, unless the recipient's own
terminal is captured, messages to it cannot be read.
Another component would be enciphered under a key manually entered on the device
by the users at both ends. (This key could be enciphered under a user ID, so that while
both users would in effect be entering the same key, they would not know what any
other user would have to enter.) The manually entered key would be retained only in
volatile storage, and would have to be re-entered each time the device was used again
after being unplugged. Unless the keys are compromised in distribution, a person
would have to reveal a key, since it would not be transmitted, nor would it be still
present in the hardware if it were taken for inspection. Another way to provide a
manual component to security would simply be for other data, internally stored in non-
volatile memory, to be encrypted by a user password.
And the third component would be enciphered under key material hidden within
tamper-proof hardware. This would not be transmitted, nor would it be known to any
individuals.
Each of the three components of the system would be adequate to allow session keys to
be communicated securely, unless they were compromised. Since these three
components are vulnerable to compromise through different attacks: either overcoming
the mathematical basis of the public-key system used, or compromising individuals
using the system, or capturing hardware and defeating its tamper-resistance, a setup
that requires all three to be compromised before it will fail has a greater likelihood of
defeating the best efforts of a determined adversary.
In practice, it appears that the U.S. military is able to obtain the benefits of the second
leg of this triad while avoiding its weaknesses, by physically loading encryption
devices with key material from a modified handheld computer (the DTD, or AN/CYZ-
10), probably similar to those gadgets with barcode readers you may see in
advertisements in the back pages of computer magazines. This also allows keeping an
audit trail of the distribution of key material.
Apparently, the job of generating a public/private key pair is not done by some
cryptographic devices that use public-key cryptography, but is instead handled on, of
all things, a desktop PC. At least they're running SCO Unix on the machines used for
this function, rather than DOS. This information comes from a publicly accessible web
site, operated by the U.S. Navy (at least access to their FTP server requires
authorization), a link to which I found on a site with a somewhat out-of-date link on it
to my page as well; the site also noted that at least as recently as 1992, eight years after
the arrests of Walker and Whitworth, the Navy was still using some systems with paper
keylists. This may not be as bad as it sounds, since it is not unreasonable for units to
require an ability to communicate securely even when the power fails. (Said U.S. Navy
site has a link to the "INFOSEC Tip of the Day" which uses a <BLINK> tag. However,
it isn't a header or in large type.)
While I originally thought that external generation of public keys was an unfortunate
concession to technical or cost limitations, I have since realized that my neat and tidy
model of a triad of security features does have one flaw. While there is no
mathematical flaw known in public-key encryption methods that would permit a
passive attack, if a terminal simply thought up its own key pairs for use with a public-
key system, then if the other components of the cryptographic system in use were
compromised, a man-in-the-middle attack could be performed. Thus, a key for a simple
public-key system is not able to make a real contribution to system security unless it is
certified. And it is precisely a connection to an external hierarchy that allows this.
However, the Key Exchange Algorithm illustrates how uncertified key pairs, generated
for each message, can still contribute to security when used in concert with key pairs
for the public component of which a certificate exists.
The ideal, though, would be for a secure communications device to generate its own
private and public key pairs, and submit only the public key to an external authority for
certification through a trusted channel.
As I have noted elsewhere, while a cryptographic program like PGP creates a new
session key for each message, and exchanges it using public-key techniques, one could
obtain greater efficiency by only using public-key techniques infrequently, to exchange
a conventional key used to encipher each message's session key. Such a key, as noted
in the section on the IBM key management system, is called a key-exchange key, or
KEK.
If we consider an encryption device which does not use public-key technology, the
following hierarchy of keys is possible:
● KEKEK: built into the hardware of the device, and not subject to change
● KEK: encrypted with the KEKEK, it is loaded into the device by direct physical
contact
● K: encrypted with the KEK, the key used to encrypt messages is transmitted
along with each message
Building a key into the hardware of a cipher machine, and not allowing it to be
changed, is a weakness. So why is the KEKEK treated this way?
Because one could omit the KEKEK entirely, and simply load the KEK into the device
directly. But this creates the problem that the KEK is carried around in unencrypted
form. If the KEKEK could be changed, with no key "above" it, then it would be the key
carried around unencrypted.
Thus, placing a permanent key on the top does provide some real benefit: the topmost
key loaded into the device is encrypted, even if the key used for that purpose might be
compromised. Continuing the hierarchy upwards, on the other hand, simply begs the
question of how keys are to be protected from compromise.
If public-key techniques are used, however, it becomes possible to usefully extend the
hierarchy upwards by one step:
● KEKEKEK: built into the hardware of the device

● KEKEK: loaded into the device by physical contact, encrypted by both the
KEKEKEK and by the public member of a key pair generated within the device
● KEK: conventionally encrypted with the KEKEK, it is loaded into the device
by direct physical contact
● K: encrypted with the KEK, the key used to encrypt messages is transmitted
along with each message
Since the public key of the device is only used to encrypt a key that is loaded into the
device by physical contact, the problem of key certification is simplified. (It may not be
entirely eliminated, if a key encrypted at one point is carried over a long distance,
along which it is vulnerable to compromise, causing a key to be enciphered using a
public key one has generated may be a useful attack.)
While extending the hierarchy upwards appears to be a useless exercise in infinite

regress, extending the hierarchy downwards may be useful in systems which involve
the exchange of large amounts of data at high speeds. In such a case, having a KEK or
even a KEKEK which is transmitted over the insecure data link at occasional intervals
in encrypted form is a useful way to limit the amount of data encrypted with a single
key. In that case, the key at the next level up in the hierarchy would be the lowest-level
one loaded by physical contact, and the rest of the hierarchy would move up
accordingly.
Next
Table of Contents
Home Page
Red Thread Resistance

Not everyone who uses encryption is a computer programmer. People using computer
programs (such as PGP) or cryptographic hardware to perform their encryption are, to a
certain extent, trusting their supplier. There are possibilities for malicious alteration of
an encryption system so that it seems to be functioning normally, but will reveal all
your messages to the attacker who provided you with a program or device that was
tampered with (while still keeping them secret from other parties).
As an example, let us take a program like PGP. How could a malicious programmer
use the available source to produce a modified version of the program that would
appear to operate normally in every way?
When performing conventional encryption, opportunities for mischief are few; but a
modified program could hide an encrypted version of the key used, and the name of the
file it was used on, somewhere on the user's hard disk.
When used for communications with both RSA and IDEA, however, there are many
opportunities for mischief. (Of course, the current version of PGP uses Diffie-Hellman
and Triple-DES instead, but I will avoid confusing complications.)
An encrypted E-mail message, being encrypted in CBC mode, includes an initialization

vector, chosen at random by the program. This IV could be chosen to include
information about the session key.
For example, the session key could be generated from the IV. Having only 2^64
possibilities for the 128-bit session key, out of 2^128, would be hard to detect.
Of course, that only lets the adversary read messages from the person who has the
modified program. What about the messages to him?
Well, it is possible to do even worse. A tampered-with version of PGP could generate

only 32 random bits, and combine them with 32 bits that contain both a part of one of
the user's private keys, and an indication of which part of which key it is; encipher that
for use as the IV, and then use the IV to generate the session key.
The method used to protect users of PGP against this is simple enough: the official
version of the PGP executable was itself signed using PGP.
As a Canadian, able to distribute source code under more favorable restrictions than U.
S. citizens, but still limited by U.S. law for executables I produce on compilers that
come from the U.S., I have considered the question of whether I could make a program
similar to PGP but which would have inherent resistance to tampering, by changing the
protocol used, so that people using such a program, despite my having no control over
the executables, would have some chance of safety.
I have recently learned that the technique which the following paragraphs describe may
be covered under one or more U.S. patents, including patent number 5,673,319, owned
by IBM, covering inventions by Mihir Bellare.
If one uses RSA as the public-key component of such a cipher (at the rate I'm going,
the patent [on RSA, that is. The Bellare patent dates from 1997.] will expire before I
write any code) one can save bandwith as well as improve security by the following
expedient: instead of padding the session key with "random" bits to create a block for
encipherment under RSA, encipher the following under RSA: the session key, the IV,
and as much of the message as will fit. Then, the remainder of the message is
enciphered using a conventional cipher system outside the RSA block.
A malicious programmer could still have the program choose several different values
for the IV and session key, encrypt each one under RSA, and choose to use the one that
had the desired value for a small number of bits to be leaked in the RSA block. This
would be very slow; but one could instead choose different values so as to leak
information in the conventionally-encrypted portion of the message, and the trials for
this would be much faster. Also, even if no information is leaked, if the number of
possible session keys were limited to some small value, say 2^40 or less, then (the
conventionally-encrypted portion of) messages could be read without any leaked
information.
So, I've taken this idea, which seems to help matters, and advanced another step with it.
I propose to allow a program which, like RIPEM or PGP, encrypts messages with a
combination of public and private key methods, to function without generating any
random numbers whatever.
Of course, random numbers are still used to set up an initial choice of RSA keys, and
so a modified program could be designed to choose primes from a set with only 2^40
members. So, 100% security is still not obtained.
What I would do is this: Given the message to be transmitted, I would divide it into
two parts: the first 160 bits, and all the rest. Then, I would obtain a 160-bit hash of the
rest of the message, using SHA. This hash would then be XORed to the first 160 bits of
the message. The result would be used as the session key and IV. (If 160 bits aren't
enough, I would simply take the remainder of the message, and repeat the process,
dividing it into a first 160 bits and all the rest.) Then, the rest of the message (whether
or not it will be later part of the RSA block; this will make chosen-plaintext attacke
more difficult) is encrypted conventionally. Finally, as much of the message as
possible, including of course the entire session key and IV, are encrypted in a block
using RSA.
The following diagram illustrates the process:
If the user needs to encrypt multiple copies of the same message, the user can manually
add some random text to the message to prevent the multiple copies from enciphering
identically.
If one is using hardware for encryption, other possibilities present themselves. A

simple DES chip can have its operation validated; the only bad thing it can do is
disclose keys when sent some secret combination of signals.
But one unusual possibility bears noting.
Suppose one is supplied with a chip (or a program) that merely carries out an unknown
encryption algorithm. Obviously, there is the hazard that this algorithm might be
poorly designed, and therefore weak. But there is a way to maliciously design an
algorithm that would appear and be strong, except against attacks by those who set it
up.
Let us suppose the following "super-duper algorithm" is provided: encryption using

DES under a constant key, XOR with the key provided by the customer, encryption
using DES under another constant key.
This algorithm would behave like a secure block cipher with a 64-bit key. However, to
those who designed it, knowing the constant keys used for the DES steps, it would fall
trivially to a known-plaintext attack.
Next
Table of Contents
Main Page
Key Escrow
The previous page examined illicit methods of transmitting key information to
someone who has tampered with an encryption program or device. This section looks
at methods where key information is overtly provided to supervisory personnel or
retained for future recovery use. The most well-known real-world proposal will be very
briefly examined here. There are more sophisticated approaches based on extending
public-key encrypton concepts as well.
Some of the systems examined here are intended to allow the government access to
keys for law-enforcement purposes. This is, of course, a highly controversial subject;
questions of the politics of cryptography will be examined in the next section.
Clipper
The notorious "Clipper chip" is said to operate as follows:
A secured voice conversation is set up with an 80-bit session key, possibly by the use
of public-key techniques. (If the Clipper chip can not execute any cryptographic
algorithm other than the Skipjack algorithm, which is, like DES, a block cipher acting
on 64-bit blocks, but with an 80-bit key, then the chip designers will necessarily have
at least the potential of eavesdropping on all Clipper-protected messages without use of
the LEAF.)
The Clipper chip encrypts only voice, not data. According to Applied Cryptography by
Bruce Schneier it does so by means of output-feedback (OFB) mode. This is noted as a
potential threat to the evidentiary value of wiretapped conversations, due to the
possibility of a bit-flipping attack. The Clipper Chip, however, performs the conversion
of speech to a bitstream internally; if the apparatus for carrying out authorized wiretaps
also does not provide the decrypted bitstream, but only the spoken conversation, this
criticism is mitigated.
Each Clipper-encrypted message is accompanied by a 128 bit Law Enforcement

Access Field (LEAF), which is the element which provides key escrow.
The precise makeup of that field is secret, but it is made up of the following: the 80-bit
session key, a 32-bit unit ID, and a 16-bit checksum. The 16-bit checksum and the 32-
bit unit ID are only encrypted using a "Family key" which all Clipper chips in a
particular network, thus capable of interoperation, share. Thus, the recieving Clipper
chip checks the checksum for validity to enforce the presence of the LEAF.
The 80-bit session key is additionally encrypted by a secret "Unit key". The 32-bit unit
ID indicates which unit key is used.
Two separate government agencies, such as the FBI and the Department of Justice, are
each issued lists of 80-bit quantities associated with each 32-bit unit ID. One list is a
one-time-pad, the other the keys encrypted by that one-time-pad, so that neither list
alone is enough to intercept communications.
When a request for an authorized wiretap is made and accepted, however, the unit key
for the telephone to be tapped is not given out directly, but only as part of an encrypted
authorization message which also includes information about the period of time for
which the wiretap is authorized. (Since a wiretap may involve incoming calls to a
telephone, note that the recieving telephone also must transmit a LEAF of its own
when a connection is made.) Then, special tamper-proof devices would use these
authorization messages on behalf of police departments. Presumably, the two lists of
unit key "halves" are also protected by additional encryption, despite the fact that each
one is composed solely of useless random numbers, to prevent a unit key from being
obtained by simple collusion.
If the validity of the LEAF is determined solely by the 16-bit checksum, then there is a
one chance in 2^64 probability of establishing a connection even with a scrambled
LEAF; this was verified experimentally by Matt Blaze. A simple cure would be
obtaining authorization to wiretap the other telephone, as scrambling both LEAFs
would square the difficulty of obtaining a connection. However, the Clipper design
could have included a precaution to avoid this danger: after the normal key-exchange
method leads to agreement on an 80-bit key, and that key is included in the LEAFs
from both units, the actual 80-bit key used to encrypt the telephone conversation could
have been the XOR of the following three quantities: the 80-bit agreed key, the 80-bit
agreed key enciphered using the unit key of the first telephone, and the 80-bit agreed
key enciphered using the unit key of the second telephone. This would ensure that both
LEAF fields would have to be intact, since a modified LEAF field with a valid 16-bit
checksum would still not have its correct 80-bit contribution to the actual session key.
The GCHQ proposal
In Diffie-Hellman, two communicating parties each generate random numbers, one

generating x, the other generating y. They keep those numbers secret, but make A^x
mod P and A^y mod P public, where A and P are public parameters.
In the GCHQ proposal, parties communicating by escrowed encryption use Diffie-

Hellman, but they recieve their secret numbers from their local escrow agent and key
certifying authority.
For local communications, and for transmitting to a party belonging to another escrow
agent, x is simply a function of the users ID known to the local escrow agent. (It could
be random, if the local escrow agent could store all the keys; making x fixed was noted
as a problem with this proposal.)
For recieving a message from a party belonging to an escrow agent, x is the current
date, encrypted by a key. This key is the recieving user's ID, encrypted by a key shared
between the two escrow agents involved.
The session key produced by Diffie-Hellman is only used by the parties to encrypt the
real session key; this way, messages can be broadcast to several parties while only
having their entire text encrypted once.
The escrow agents communicate these shared keys between themselves using the same
method, if they have an escrow agent above them. Thus, the number of escrow agents,
and the number of keys each one must handle, merely grows logarithmically as the
number of users increases. (This seems to answer another objection made to the
proposal.) This method allows international communications, since only escrow agents
directly above the two parties in a communication can decode it.
A third objection to this proposal was that, since the keys are known to the escrow
agents, why are public-key methods used; Kerberos was noted as an alternative.
However, an advantage is either gained or at least is hoped for from the existing
proposal: the escrow authorities do not have to be directly involved in every encrypted
communication, only a fraction of them.
Fair Cryptosystems
A proprietary technique, invented by Silvio Micali, uses Diffie-Hellman to allow any

number of escrow agents to share the information needed jointly to reconstruct a key.
It makes use of Diffie-Hellman. In Diffie-Hellman, a party generates a random number,

x, and keeps it secret, but makes A^x (modulo P, since discrete log is hard, but regular
log isn't) public.
If, instead, a party generates several separate random numbers, and uses the sum of
them as x, then for each random number r, he can disclose to an escrow agent both r
and A^r. The escrow agents keep r private unless an escrowed key is to be used, but
A^r is public from the beginning.
Each escrow agent can verify that the number r is correct, since they can calculate A^r
themselves. Every escrow agent can verify that the A^r values must be correct, since
their product must equal the public A^x.
Next
Table of Contents
Home Page
Pass Phrases and Random Numbers

The 56-bit key length of DES was claimed to be inadequate in the late 1970s, when
DES was originally proposed, and it is now considered to be inadequate because a
relatively inexpensive machine was built that can exhaustively search the DES
keyspace in weeks. The keyspace of a cipher with a 40-bit key is 65,536 times smaller.
But that keyspace still has over a trillion (a million million, or a British and Continental
billion) possibilities in it. Isaac Asimov once wrote a book with the title Only a
Trillion; that perhaps qualifies him as a prophet of cryptography.
The fact that 2^40 or 10^12 different keys is a hopelessly inadequate number in this
part computer age at first hardly seems troubling. There are many ciphers around with
128-bit keys, and it is fairly trivial to design one with an even longer key. Of course, it
isn't trivial to design a cipher well enough that there is no attack against it possible that
is more effective than a brute-force search over all those keys.
But there is another problem: how to come up with a random key of the required length.
For many paper-and-pencil ciphers, the key is a single word from the dictionary, like
"CONTINENTAL" or "INVIGORATING". There are thousands of words in the
dictionary, but not millions, and certainly not trillions.
Some computer operating systems only allow passwords that are 8 characters long.
Even if a password were composed of random letters, 26^8 is only 208,827,064,576 or
just over a fifth of a trillion.
A pass phrase is much better. But it is important that the pass phrase not be a well-
known phrase, a famous literary quotation, or the like, because that again limits the
possibilities severely.
Some people find it useful to compose a pronounceable pass phrase from nonsense
syllables chosen at random, or from random words in the dictionary, and there are tools
available to assist in this, such as Diceware.
One way to protect a key is to memorize it, and give it only to whoever you are
communicating with. However, public-key cryptography allows keys to be protected
without having to be carried from place to place. So your computer just thinks of a
random 128-bit key, enciphers it in RSA, and there is no problem?
Unfortunately, however, most computers today don't come equipped with special
hardware to generate random numbers. A typical method for obtaining a genuinely
random starting point for input to a pseudorandom number generator, so that, for
example, a game contains elements that vary each time it is played, is to use the current
date and time.
If one's computer provides the current time in thousandths of a second, and someone
trying to break your enciphered messages can guess when you've enciphered them to
within a week (often, messages are enciphered only minutes before they are sent, so
this is an optimistic assumption), then, given that there are 86,400 seconds in a day, we
are dealing with only 604.8 million possible keys; less than a billion.
In addition to the time, there are a few other sources of randomness in a computer, such
as the position of the hard disk in its spin, and some register contents, but they are quite
limited.
Counterpane Systems, the company of Bruce Schneier, author of the justly famed book
Applied Cryptography, has made available the program Yarrow, which is a well-
designed program for the purpose of obtaining randomness from a personal computer,
to address these difficulties. (The name of the program is, no doubt, a reference to the
traditional method of consulting the I Ching, or Book of Changes.)
At this point, it should not be hard to see why the earlier versions of PGP required the
user, prior to the generation of keys for RSA encryption, to type characters on the
keyboard for a time. The timing of those characters, not which characters were typed,
were used as a source of randomness. A program for creating encrypted virtual disk
drives obtains randomness by asking the user to move the mouse at random for a time.
The digits of pi look random, and for some purposes they are. But there is only one pi,
and it is well known, and it is an easy thing to guess. Good cryptographic algorithms
produce output that looks random. But a cipher is only as good as its key; a genuinely
unpredictable and unguessable starting point, big enough to be a good key, is required
for secure encryption. And obtaining such a key is harder than it may seem at first, and
it is something that is often and easily forgotten.
Next
Table of Contents
Home Page
The Interlock Protocol

Public-key cryptography allows two parties to communicate securely without having
had to have previously met to exchange a secret key. It is enough to know the other
party's public key to send messages that only the other party, with his private key, can
read.
But if one does not have any direct contact with the other party, there is the possibility
of the man-in-the-middle attack. An active eavesdropper could arrange for you to see
his public key in place of the public key of the party you actually want to send a
message to, then take your message when you send it, decode it and read it, then
encipher it again, this time in the other party's real public key, and send it on.
One method of dealing with this is through the use of key certificates. A trusted central
authority, having had direct contact with the intended recipient of your message, uses
public key methods to digitally sign a message that states what the public key of your
intended recipient actually is.
Another type of method has also been proposed to combat the man-in-the-middle
attack. These methods, by themselves, don't prove the identity of the party with whom
you are communicating: but they do prevent a man-in-the-middle from passing on
messages in both directions between two other parties at the same time. Thus, if these
methods are coupled with some other form of identity check, they can be useful.
The original interlock protocol, as devised by Ron Rivest and Adi Shamir, worked like
this: after both parties exchanged public keys, then each sent, in turn, the first half of an
encrypted message, and then each sent, in turn, the second half of his or her own
message.
This required that the messages were encrypted in such a way that only a whole
message, not half of one, could be decrypted with the key. This protocol works well
with RSA, since it enciphers data in large blocks, numbers modulo M, the product of
two large primes, and nothing can be done with half of the digits of a block.
With a public-key system like Diffie-Hellman, a similar result can be obtained by first
sending messages enciphered in a symmetric key system, and then afterwards sending
that symmetric key as a message enciphered using the normal Diffie-Hellman session
key.
But an interlock protocol only allows a man-in-the-middle attack to be detected after

the fact, if the attacker can at least temporarily pretend to be one of the two parties to
the communication. However, there is a case where that would be enough to prevent
any successful eavesdropping.
Since an interlock protocol is only usable when two parties are communicating in real
time, it can't be used for E-mail. Could it be useful with a secure telephone?
A secure telephone can be protected against a man-in-the-middle attack by displaying a

checksum of the session key in a display at both ends, which one party could then read
off to the other. This (provided, of course, that both parties recognize each other's
voices) would prevent a man-in-the-middle attack quite effectively, and it would do so
without any need to use an interlock protocol for the previous exchange of keys.
Next
Table of Contents
Home Page
Quantum Mechanics and Cryptography

Quantum Mechanics is the part of physics based on the discovery that things tend to
get fuzzy as they get small. I doubt that I should try to explain the Schrödinger
Equation here (it is a differential equation, which explains how the wave-function of a
particle is affected by the potential energy distribution it faces; the frequency of the
wave determines the particle's momentum, and its amplitude the probability the particle
is at any point; it corresponds to the classical equations which show how a particle will
move in response to forces).
Quantum Mechanics so far has been found to relate to cryptography in two different
ways.
A quantum computer might be able to operate like the ultimate parallel computer: it
might be able to solve a problem for every possible set of initial conditions at once!
However, it could only give us one of the solutions when it finishes.
Quantum cryptography is the public-key cryptography answer to invisible ink; one can
send two particles out from a central location to two communicating parties, allowing
both parties to co-operate in generating a random one-time pad common to both of
them that no one else could have intercepted.
● Quantum Computing
● Quantum Cryptography

Table of Contents
Home Page
Quantum Computing
The site http://www.openqubit.org/ is co-ordinating a project to develop an open source
computer program to simulate a quantum computer, to help increase familiarity with
this new frontier in computation. The site also contains some papers describing how a
quantum computer may work.
The type of quantum computer discussed there incorporates another new computer
idea: reversible computation. I was very skeptical when I first heard of this idea: that
computations which do not destroy information can be made to run without using
energy. But while that would be difficult to do on a conventional scale, that it could be
achieved in a quantum system makes more sense. If a quantum computer is to perform
an extensive computation, since it must be isolated from the environment during the
entire calculation, avoiding any heat dissipation is essential.
However, a quantum computer's memory is zeroed before starting a computation, and

when the right result is found, it stops; these operations do consume energy, but their
number is limited, and they do not occur during computations.
This may be oversimplified, but here is a set of possible instructions for a quantum
computer:
● Swap two bits in memory.

● Invert a bit in memory.
● Perform either of the invertible operations above if another bit, which must not
be affected by the operation to be performed, is 1.
Incidentally, these operations have some resemblance to the operations allowed when
one is inverting a matrix by pivoting. And they can be generalized to allow more
elaborate invertible operations, thus making programs easier to write:
● Rearrange any group of bits in memory in any order, as long as no bit is

duplicated and every bit is preserved.
● Perform an exclusive OR operation, provided that the source bits and the target
bits to be inverted if the corresponding source bit is 1 have no bits in common.
The program counter can operate invertibly if it is set up as a ring counter, but that may
not be needed; incrementing a counter normally is also invertible.
The main distinguishing feature of this kind of computer is that some common
operations will use up memory space initialized to zero. Sometimes, after copying the
result to some blank memory, a computation can be run in reverse to clean up the mess
made by intermediate results.
Another important fact about a quantum computer is that since it is started, and
maintained externally in a superposition of equally probable states, the one "right"
state, where the computation has started out trying the right possible key, and found it
to be correct, even if it executes an instruction that tells it to signal the outside world
and thereby break up the computer's isolation, that doesn't guarantee that anything will
happen.
Thus, the program used has to be changed, so that if the wrong key is tried, the
program continues by trying the next key.
The good news is that since a quantum system does behave as if it is in all of its
superposed states, it doesn't just choose one of them and stay in that state. So the
"right" state has more than one opportunity to be randomly selected. As the other states
gradually find the right key, and decide in turn to do something noticeable, we have
that the number of states that have the right answer grows proportionally to the time,
and the number of chances each state has to be noticed if it is right also grows
proportionally to the time.
The probability of us recieving the answer is a fraction of the total number of states,
which equals the total number of possible keys. Hence, instead of giving us the answer
in the time taken to try one key, as would have been hoped for from the initial
oversimplified picture of a quantum computer, or in the time taken to try all (or half, on
average) the keys, like a conventional computer, the time required (which can vary
randomly) is actually proportional to the square root of the number of keys. A recent
paper has been published with a proof a quantum computer cannot do better than this
on problems of searching.
Next
Table of Contents
Home Page
Quantum Cryptography
What is commonly called "Quantum Cryptography" is a method that exploits the EPR
(Einstein-Podolsky-Rosen) paradox to distribute a one-time-pad to two locations. It is
secure against undetectable eavesdropping, but although an active attack could be
detected, it could still lead to the attacker reading a message.
In quantum mechanics, a particle, instead of actually being a point object that can be in
only one place at a time, is really a wave function that is spread over a larger or smaller
area. The act of observing where a particle is consists of changing the shape of its wave
function to one with a sharp spike at one location.
If a particle's wave function spans a large area, and quick measurements of position are
made at the same time at two widely separated points in that area, the wave function,
whose amplitude determines the particle's probability of being located at each point,
controls two independent chances of the particle being where it is looked for, because
nothing can travel faster than light. So you have a chance of looking to see where a
particle is, and finding two of them. This led to the theoretical prediction of the
existence of antimatter; in this way, an extra particle can be created, and there is no
problem, because to make two position measurements so precisely and so quickly
actually takes enough energy to create an extra particle, and its antiparticle as well
(required to conserve various physical quantities).
But for some physical properties, one of which is angular momentum, this doesn't
happen. It's possible to measure angular momentum without contributing any angular
momentum to the system being measured. And it is possible for two particles to be
created under conditions that cause them to be heading off in two opposite directions,
with equal and opposite angular momentum.
When this happens, since the measurement can't contribute the missing angular
momentum to account for a discrepancy, it seemed, from the formulas for quantum
mechanics, that conservation of angular momentum and quantum mechanics would
have to take precedence over relativity: that, when measured at a large distance, two
such particles would have to always measure as having exactly equal and opposite
spins.
This was first noted in a paper by Einstein, Podolsky, and Rosen. It was advanced by
them as a paradox; a result indicated by quantum mechanics that could not possibly be
true, which therefore indicated that something was wrong with quantum mechanics.
If each of the two particles carried with it a set of instructions for what to do under
every possible condition of measurement, then angular momentum could be conserved
without apparent faster-than-light communications (or "nonlocality"; the faster-than-
light communications are internal to Nature, and not directly exploitable, so there are
those who object to the use of terms implying we know something to exist that we
cannot directly touch). This is known as a "hidden variables theory". Bell's Inequality
notes that if that were the case, but the spin on both sides was measured not for being
up and down relative to the same direction, but relative to a slightly tilted axis on one
side, the chance of the spins being opposite would be proportional to the angle of tilt.
But given the way a particle with a spin normally responds to measurement, the chance
of the spins being opposite should be much smaller, and proportional to the square of
the angle.
In any event, the experiment was finally actually performed, and J. B. S. Haldane
recieved partial vindication: the Universe was proved to be strange enough to cause us
trouble in imagining it. A pair of particles having opposing angular momenta, as a
result of the method of their creation, whose angular momenta were in no way
observed on the way to the separated detectors, thus leaving them in a pristine quantum
state of entanglement, really did behave as quantum mechanics predicted: always
having the same angular momentum when checked for angular momentum in the same
direction, and with the chance of a difference being proportional to the square of the
angle of tilt between the two detectors otherwise.
This can be used for forming a one time pad made up of ones and zeroes as follows:
A suitable radioactive source is set up halfway between two correspondents.
Each chooses, randomly, to begin measuring vertical or horizontal angular momentum.
After a particle is detected by one party, that party then randomly chooses again which
type of angular momentum to measure.
Then, the two parties can communicate, over an open channel, the times at which they
detected particles, and what kind of angular momentum they were measuring for at the
time of the event detected.
Finally, ignoring all events except those detected at the same time by both parties, and
additionally only counting those where both parties were measuring for the same type
of spin polarization, a one-time-pad can be generated by taking Up to be 1 and Down
to be 0, and Left to be 0 and Right to be 1, for example.
If an attacker sends particles with a known spin out, then if it happens both sides are
measuring for horizontal polarization when he sent the particles out with a fixed
vertical polarization, for example, the two parties may have mismatched digits in their
one-time-pads, thus encountering a garble and therefore detecting tampering. An
attempt to find the polarization of one of the particles, and replace it with one of the
same polarization, will also fail if the wrong direction is chosen in the same way.
Next
Table of Contents
Home Page
Cryptanalysis
In previous sections of this work, I have briefly touched upon methods of
cryptanalyzing a few of the specific cipher systems presented.
Here, I attempt to make a few general comments about cryptanalysis itself.
● The Limits of Cryptanalysis

● The Nature of Cryptanalysis
Next
Table of Contents
Main Page
The Limits of Cryptanalysis

Under what conditions can one say that a cipher is unbreakable, or even that it is
adequately secure?
Kinds of Attack
This is an interesting question, even if, in practice, any answer is likely to be deceptive.
An attacker seeking to eavesdrop on someone else's communications is not limited to
gentlemanly rules or to expected attacks. As we have seen in the section on block
ciphers, resistance to a ciphertext-only attack is not considered enough: a block cipher
is held to be weak even if it is only possible to deduce the key by enciphering vast
quantities of chosen plaintext on the equipment of the person whose communications
are to be read. From the viewpoint of the original military applications of
cryptography, it would seem that, if one has such access, why not just plant a bug?
But if a cipher is secure against such attacks, then it can be used for other applications:
for example, encryption can be provided as a kind of public utility, protecting terminal
to computer communications in a time-sharing environment. Also, using a block cipher
as a component in a hash function may be safer.
Even more important, the boundaries between a ciphertext-only attack, a known

plaintext attack, and a chosen-plaintext attack are not necessarily rigid in practice. One
of the techniques used to mount a ciphertext-only attack on a message is the probable
word method, where a guess about possible plaintext is tried as a hypothesis. This, in
effect, at the cost of some wrong guesses and additional trials, turns the ciphertext-only
case into the known plaintext case. Similarly, if a sufficient amount of known plaintext
is available, that quantity will include plaintexts with different properties, including
some that are desirable to the cryptanalyst; hence, at least in extreme cases, the known
plaintext case blurs into the chosen-plaintext case.
The One-Time Pad
The one-time pad is an example of a cipher system that can be seen to be unbreakable.
This is because a key, having the same length as the message, is used only once, on that
message, in such a way that, because the key is random, any other message having the
same length as the message seen is entirely possible as far as someone not knowing the
key can possibly determine.
The requirements for this are:
● The key must be truly random. It cannot be generated by any algorithm that
takes as input a shorter key. And it must be without bias: the probabilities of all
symbols must be equal.
● The key must be the same length as the message. Not only must the key and the
message have the same number of characters, but the characters must come
from alphabets of equal size. A key consisting of 100 digits applied to a
message of 100 letters is actually shorter than the message, by a factor of log
(10)/log(26), representing the amount of bits (or digits, letters, or other symbols)
required to encode the key and the message respectively.
● The key must be applied to the message in such a way that, given that the key is
random and unbiased, for a given plaintext symbol, all ciphertext symbols are
equally probable, and conversely, for a given ciphertext symbol, all plaintext
symbols are equally likely.
● Except for its use in enciphering one message, the key is never used for any
other purpose, or otherwise exposed to interception in whole or in part,
permitting (for example) two uses of the same key to be worked against each
other to obtain information about the key.
The Information-Theoretic Converse of the One-Time Pad, and

Some Implications Thereof
If it were possible to subject messages, before encipherment, to perfect compression, so

that any string of letters would be a valid, sensible, message, then any conventional
encipherment scheme would be partly unbreakable. If there were a million possible
keys, then there would be a million possible messages, all equally reasonable.
When the message is longer than the key, some information about the message is still
gained, because the possibilities will be narrowed.
In practice, with normal text messages, that kind of compression is not possible. The
messages decoded by trying wrong keys might come close to making sense, but they
could not all be perfectly reasonable, and in fact it's highly unlikely that any doubt
about the correct message could really exist. But if the message consisted only of
random numbers to begin with, for example, a session key transmitted under a key-
exchange key, this does point out a case in which a conventional cipher becomes
resistant to attack.
The "Aryabharata" Cipher
The fact that a message consisting only of random numbers, enciphered by a

conventional cryptosystem, can be broken, since there is no way to choose between the
plaintexts that different keys produce in that case has led to a type of cipher system
being proposed that, while it has some interesting properties, is not completely
unbreakable. However, because it is based on individual messages, each of which (in
isolation) is completely unbreakable, people have occasionally become confused by the
fallacy that the system as a whole is unbreakable as well.
The simplest case is the following:
Let us encipher a message by applying a sequence of random data to it after the manner
of a one-time-pad. The result of this is cipher message A, which, without knowing the
random data, is unbreakable.
Let us then also transmit cipher message B, consisting of the text of the one-time-pad,
enciphered in some fashion.
This system was once proposed in the pages of the journal Cryptologia, in an article
that claimed it was a simplified or modernized version of the Aryabharata cipher of
ancient India.
Neither message A nor message B can, in isolation, be broken by a cryptanalyst. But

since both messages are being transmitted, both messages can be intercepted. Thus,
working on the two messages together, a cryptanalyst may be able to make some
progress.
If message B were enciphered using only monalphabetic substitution, admittedly an

extremely simple case, the method of attack on such a system can be given. All the
letters in message A that correspond to any one letter of the alphabet as it repeats in
message B were enciphered by a single (but unknown) letter in the one-time-pad, and a
frequency count is sufficient to solve a Caesar cipher.
Sending both a message enciphered by a random OTP and the random OTP itself is,
essentially, a way of splitting a message into two parts, each of which are random in
themselves. The next step above the relatively weak system just discussed would be to
encipher message A by some system as well. While no theoretical immunity to
cryptanalysis is gained, it may well be true that cryptanalysis by establishing
correlations between two messages, each enciphered in a different way, is more
difficult than solving a message that has simply been enciphered twice, by the use of
each system in turn.
For example, if the two methods used are the Playfair cipher and simple columnar
transposition, if transposition is used first, the Playfair cipher can still be attacked,
because it takes each input letter to a limited number of substitutes; if the Playfair
cipher is used first, multiple anagramming, although now much more difficult, is still
possible because a text enciphered by Playfair still has digraph frequencies marked
well enough to allow a correct match to be detected.
But if what we have is a random OTP, enciphered by simple columnar transposition,

and the message, first with the OTP (before transposition) applied, and then enciphered
by Playfair, then it is not at all clear how we can apply techniques analogous to those
used against these two ciphers in the double encryption case.
Since the enciphered OTP, being transmitted, is known, one might, however, consider
the following arrangement, which involves sending only one message, to be equivalent:
take a fixed random sequence of letters (perhaps derived from the digits of pi; since
we're using Playfair, we need a 25-letter alphabet anyways), then encipher (or, to be
strictly equivalent, decipher) it using the current key by simple columnar transposition,
apply the result by Vigenere to the plaintext, then encipher the result with Playfair.
The main difference between that and double encryption is the presence of a fixed
random sequence. Thus, it would seem that message splitting only provides additional
strength by hiding statistical properties of the plaintext, whch is only of benefit against
weak or poorly designed ciphers.
Even so, a still more elaborate form of message splitting suggests itself. A base station
could send, to a remote station, a thousand pads of random data, each one accompanied
by an identification number, protected by one form of encryption.
Then, the remote station could, to send a message back to the base station, select two of
those pads to use (and then discard), sending a message, also encrypted by a different
key and cipher method, consisting of the numbers of the two pads chosen, the starting
points within them, and then the message with the two pads applied.
The messages sent in both directions are enciphered random data, impossible to break
individually, but now it is also not possible for the cryptanalyst to determine which
three messages to attempt to correlate with one another, or at what starting points. This
still isn't unbreakable in theory, but it certainly does seem like it would make things
considerably more difficult for an attacker. Although such a method, as it increases the
amount of bandwidth required for sending a message by a factor of three, as well as
requiring a lengthy amount of transmission in advance, would seem to be impractical,
it may be noted that some military communications systems transmit encrypted data
continuously, even though the actual message traffic being sent is much smaller, in
order to prevent an eavesdropper from gaining information on how much is being
communicated and to whom. Attempts to gain this kind of information, falling short of
actual message contents, through eavesdropping, are known as traffic analysis. In such
a case, instead of leaving the extra capacity of the channel entirely unused, it could be
used to send random superencipherment pads during the time when no messages are
being sent. Such a channel might work as shown in the diagram below:
While the idea of sending superencipherment pads during otherwise idle time may not
have been used, it is likely that encrypted channels resembling what is shown in the
diagram in part may have been used in practice.
To allow the reciever to keep track of where packets begin and end, a counter field is
shown. A special synchronization signal, not corresponding to any binary data value,
might also be used, as it may not be necessary to label each packet uniquely. In any
case, as the counter contains no information, but is a fixed sequence, it is shown as not
encrypted.
Encryption layer 1 is some method of encryption shared by the entire communications

network. This is used to conceal everything about the packets being sent, and thus it
blocks traffic analysis.
Beneath that layer, only the addressee is not otherwise encrypted. Different groups of
addressees may use even different encryption algorithms in addition to using different
keys.
Encryption layer 2 is unique to each addressee; each one has a unique key, and
different addressees may even use different algorithms in some cases. Some addressee
codes, however, may correspond to messages intended for more than one recipient, in
which case all those recipients would share the necessary key.
At this point, the information which identifies a block as either an encrypted message
or a pad of random data is in the clear.
Encryption layer 3 consists of the two different algorithms used by each recipient, one
for the superencipherment pads, and a completely unrelated one for messages. Using
unrelated algorithms is an important step in allowing the random data to be used to
make cryptanalysis more difficult.
Finally, the actual pads, labelled with their identifying numbers, are visible in
unencrypted form. The plaintext messages are still encrypted, but only by addition of
two pads, the identification numbers of which, and the starting points used in which,
appear at this stage in the clear without further encryption accompanying the plaintext
message.
However, the scheme as illustrated above is not quite practical. Three layers of
encryption are not really necessary, and sending each of possibly 65,536 addressees
their very own set of 4,096 superencipherment pads is rather excessive. A modified
version of this scheme more suitable to actual implementation is illustrated below:
Here, removing the first layer of encryption, common to the whole network,
immediately reveals whether a block is a keypad or a message. The identification
number of each keypad and the addressee of each message is also revealed; note that
keypads do not have addressees.
The second layer of encryption is unique to each addressee, at least in that each
addressee has a unique key. Different classes of addressee may also use different
algorithms. Also, once again, each addressee uses one algorithm to decrypt keypads,
and a completely different one to decrypt messages.
In this fashion, the hub of the network only requires one set of 4,096 keypads, but the
keypads are "decrypted" in a different way by each addressee (and by the hub for
communicating with that addressee).
Note that the displacement and pad number within a message must be random, and so
keypads must be exactly 256 elements long in the format shown. If an element were a
hexadecimal digit, or nybble, instead of a byte, we could say from the diagrams that in
the first format the message text field would be 249 nybbles long, and in the second it
would be 245 nybbles long. In an actual format, however, keypads would probably fill
more than one block, and the number of blocks in a message would be variable. If there
were fifteen allowed message lengths in blocks, this would work out nicely in using a
single hexadecimal digit to indicate the start of either a keypad or a message, and in the
case of a message, also its length.
It should be noted, though, that, if it is assumed that the first layer of encryption, since
it is shared among all the nodes in the network, can be compromised, then the fact that
the keypad numbers are not further concealed does weaken this system: for each value
tried in a brute-force search of the key for a message block, the related keypad is
immediately identifiable. One still doesn't know which one is the right one, but one of
the points of uncertainty is lost.
If the whole keypad, including the keypad number, was encrypted by most reasonably
secure methods, then there would be no assurance that a complete set of keypads was
recieved by any node. One way of solving this would be to give each node its own
codebook with 4,096 entries for interpreting the keypad numbers in its own way.
One could also do this: usually just send out random bits for keypads, which will be
treated by each recieving node as an encrypted keypad including an identification
number which is also covered by the encryption, but also decrypt these keypads that
are sent out for storage (as would be required anyways) using the keys of each node.
Then, monitor if for any node, any of the keypad numbers is excessively stale: if so,
using that keypad number, followed by random bits, create a keypad block by
enciphering it using the key for that particular node which needs a fresh keypad of that
number.
Continuous Key Changes
Another idea, which I feel is related to the form of message splitting examined above,
has recently been suggested by Douglas A. Gwyn in the sci.crypt newsgroup.
In many cryptosystems, a higher-security cipher with a longer key is used for the
occasional exchange of new keys used for the cipher system that is used for the actual
protection of plaintext.
What was suggested was that keys be exchanged much more frequently; instead of
taking into account how difficult the cipher being used is to break, use new keys so
frequently that if the keys were safe from attack, no unambiguous decryption of the
text encrypted under only one key would be possible. If the plaintext was well
compressed, this could be achieved while transmitting somewhat less key material than
plaintext.
A later extension of this proposal involved adding message splitting to the system by
sending a random mask as the first plaintext block, and then performing an XOR
between it and the plaintext of each succeeding block as the first step in that plaintext's
encipherment.
This, like message splitting, does force the cryptanalyst to work on two separately
keyed blocks at once, and thus it has some value, but I am not sure of exactly how
much value. Unlike message splitting, though, this does not double bandwidth
consumption, and unlike double encryption, it does not require twice as much work to
encrypt a message.
I found it sufficiently interesting to propose the following elaboration of it, which does
require as much time to encrypt a message as does double encryption, though:
Use the key that comes with each message block, and encrypt it with three different
keys to obtain three keys used for different purposes.
A changing key encryption key, followed by a second encryption with one of the three
fixed keys, obtains the key for encrypting the next block.
The second fixed key obtains the key encryption key for the next block.
The third fixed key obtains the key used to encrypt the mask, as used with the previous
block, to use with this block.
In this way, the keys for encrypting blocks aren't sent encrypted in exactly the same
way as the plaintext, but are protected by an extra layer of encryption. In addition,
having the mask constantly changing increases its effectiveness.
In detail, this scheme works as follows:
Initial keys:
● KA1 : initial block encrypting key

● Ka : new key to block encryption key transformation key
● KB1 : initial key encrypting key
● Kb : new key to key encryption key transformation key
● Kc : new key to mask encryption key transformation key
First block:
E(P1, KA1), where the first plaintext message P1 is composed of R, random data 896
bits long, and K2, a 128-bit random vector.
Set:
● M1 = R
● KA2 = D( D( K2, KB1), Ka )
● KB2 = D( K2, Kb )
Second block - and subsequent blocks follow the same pattern:
E(P2, KA2), where P2 is composed of 896 bits of plaintext sent in this block, XOR
M2, and K3, a 128-bit random vector.
Set:
● KC2 = E(K3, Kc)

● M2 = E(M1, KC2)
● KA3 = D( D( K3, KB2), Ka )
● KB3 = D( K3, Kb )
Thus: each block consists of 896 bits of plaintext and a 128-bit random vector which is
used as a source of keys.
First, the block is deciphered by the current regular key (KA2).
This obtains the plaintext XORed with the current mask (M2), and it obtains the key
source value.
The key source value (K3) is used to generate three keys.
● The regular key for the next block (KA3) is obtained by decrypting the key
source value (K3) first with the current key decrypting key (KB2), then with the
permanent key to block encryption key transformation key (Ka).
● The key decrypting key for the next block (KB3) is obtained by decrypting the
key source value (K3) with the permanent key to key encryption key
transformation key (Kb).
● Then, a key used to encrypt the mask value for use with the next block (KC2) is
obtained by decrypting the key source value (K3) with the permanent key to
mask encryption key transformation key (Kc).
Some additional discussion of ideas suggested by the "Aryabharata" cipher is on this

page.
Public-key Cryptography
However, the limitation to cryptanalysis discussed above, that if a plaintext has no non-
random distinguishing characteristics, there is no way to determine if a decryption key
being tried is really correct, does not apply to public key systems. There is no
conventional secret key in a system like RSA. There is a private key, which is very
difficult to deduce from the public key: but it is still a fact that, if one had enough
computer power available, the public key strictly determines what the private key must
be. Thus, knowing the public key means that there is only one way to decode a
message sent with it.
From the information-theoretic perspective, therefore, which does not attempt to

estimate the limits of an adversary's computational and analytic ability, only the one-
time pad is truly secure, and public-key cryptography is completely worthless!
However, that perspective is not the whole story. The other half of cryptographic
security, called the "work factor", by Claude Shannon, refers to the difficulty of either
trying all possible keys, or of doing something better, to read a message. But in this
area, it is no longer possible to set definite limits to cryptanalysis, since no one knows,
for example, what new methods of factoring large numbers might be discovered
tomorrow.
Relying on the "work factor", rather than on the information-theoretic absolute limits,
lets one have the convenience of a short key that one can change at leisure (with
conventional encryption), or the additional convenience offered by public-key systems.
But it has a price: one no longer has a way of proving how truly secure one's messages
are.
Next
Table of Contents
Main Page
The Nature of Cryptanalysis

In the conclusions section of the first chapter, I classify five attributes of cipher
systems that contribute to their strength, by adding convolution, alternation, and
indirection to Shannon's confusion and diffusion.
In the conclusions section of this chapter, I attempt to classify the cipher systems
themselves, based on the different constructions they use.
Can cryptanalytic techniques also be usefully categorized?
One basic technique involves trying every possible key until one has found the right
one. Sometimes, this technique is usable, for example, in cracking DES, or in
attempting to crack a route transposition.
Sometimes, straight logical deduction can be used when deciphering a message.

Factoring the modulus to crack RSA is an example of this, and so is the technique of
symmetry of position, which can be used against sliding-alphabet Vigenère.
Collecting information about messages can sometimes be a cryptanalytic technique in

itself; in breaking a simple substitution, collecting letter and contact frequencies directs
one to the appropriate possibilities to try.
The kappa test allows one to align parts of messages enciphered with the same part of a
keystream, which allows them to be read without any knowledge of the actual key
which may have been used to generate the keystream. This combines collecting
information, and switching from trying possibilities for the key itself to looking at the
key in a transformed form or at consequences of the key.
But to my mind the most common and fundamental cryptanalytic technique is to find
ways to replace a brute-force search on the key as a whole with brute-force searches on
parts of the key.
Thus, in breaking a monalphabetic substitution cipher, one can test the possibility that a
certain letter stands for E separately from all the possibilities of what the other letters
may stand for. The Bombe tested different rotor positions, and all the rotor orders also
had to be tried, but it was designed so that the plugboard settings could be found
separately. Differential cryptanalysis, when applied to DES, tests for the consequences
of individual bits of the key; when applied to a cipher with a fancier key schedule, it
tests for portions of the subkeys.
Next
Table of Contents
Home Page
Security Without Proof

This section expresses my own view of some matters which are of a highly
controversial and contentious nature. Much of the debate, however, is not about
whether or not the various things I advocate here are beneficial, but about the relative
merits of different measures. This doesn't prevent the debate from being vigorous, as
each point of view sees the measures it percieves as less beneficial, or beneficial only
in theory, as very much less beneficial than those it emphasizes, and likely to lead to
the neglect of those measures which it views as being of real benefit.
As noted in the previous section, the cipher system known as the one time pad, if
employed correctly, makes reading your messages as difficult as guessing next week's
winning lottery numbers.
The one-time pad system is not totally impractical. It requires a bit of advance effort
before communications can begin. But even a floppy disk contains over a megabyte of
data, which corresponds in size to the contents of an entire book. And the price of CD-
R recorders has been coming down recently.
However, many people choose to employ other types of cipher systems to protect their
correspondence, for reasons of convenience which are outlined below:
● The one-time pad requires the previous exchange of an amount of key that
corresponds exactly to the quantity of messages to be transmitted.
● A conventional, or symmetric-key, cipher can protect a large volume of
messages with one small key, without a clear boundary beyond which further
messages become insecure.
● Public-key techniques can allow two parties to communicate securely without
any previous contact for the exchange of key material.
But each increase in convenience involves a cost in security.
The one-time pad comes with a mathematical proof of security, and no other cipher
system has that. In fact, there is a good reason for believing that no other cipher system
can have a mathematical proof of its security.
Proving whether or not an unsolved mathematical problem has a solution is like

proving that a given Turing machine will halt or not without following its execution to
a halt or to a simple infinite loop. There exist mathematical problems richer in
complexity than any finite pre-set threshold, so such proofs are not possible.
If we intend to use a cipher system other than the one-time pad, how can we cope with
the absence of a proof of security?
One way is to look for corroborating evidence of security, however incomplete it may
be. For example:
● Was an algorithm designed by someone generally recognized as competent?

● Have there been independent analyses of the algorithm by other respected
researchers, and have these failed to turn up weaknesses?
Another way is to take as many precautions as one can in the use of any algorithm:
● If the algorithm is kept secret, an attacker faces an open-ended set of

possibilities, and does not know where to start an attack.
● If one uses several different algorithms, one after the other, in enciphering a
message, an attacker needs to break all of the ciphers used, not just any one.
● If one uses an algorithm that is less commonly used, an attacker may not have
the time to analyze it just to read your messages.
● If one uses several algorithms which are fundamentally different in their basic
principles to encipher a message, but which are currently believed to be secure,
more than one new discovery would be required to render them all insecure.
(I am particularly indebted to Terry Ritter for the third of these precautions, which I
have stated here in considerably shortened and simplified form.)
Some of these precautions directly conflict with being able to obtain corroborating
evidence of security. If you design your own algorithm and keep it secret, then unlike
DES it won't have recieved the cryptanalytic attention of the noted researchers in the
field.
But using multiple algorithms allows one to have the best of both worlds: one can use a
well-respected algorithm and then also use an unknown algorithm.
In order to ensure, however, that multiple algorithms do indeed provide added strength,
they have to be used properly. One algorithm can't be implemented in a way that adds
redundancy to the text to be enciphered by the next algorithm. The keys used by the
different algorithms have to be effectively independent, so that breaking a weak
algorithm won't provide a clue to the key used by a stronger algorithm, enabling the
stronger algorithm to be reversed without having to break it.
One way to make multiple keys effectively independent is to use a good one-way hash
function applied to an input key to generate the key for each algorithm; the input key
would be slightly modified each time it is to be hashed. However, unlike having truly
independent keys, this does mean that the security of the hash function limits the
security of the whole cipher system.
It is possible to use multiple public-key algorithms to each convey a piece of a session

key. But one cannot cascade public-key algorithms to obtain a result of arbitrarily high
complexity, the way one can with conventional symmetric-key algorithms.
Next
Table of Contents
Home Page
The Ideal Cipher

In 1883, the most famous work by Auguste Kerckhoffs, after whom the cryptanalytic
technique of superimposing multiple messages enciphered with the same running key
is named, was published: La Cryptographie Militare (Military Cryptography). This
book set forth six desiderata for systems of encryption.
1. A cipher should be unbreakable. If it cannot be theoretically proven to be

unbreakable, it should at least be unbreakable in practice.
2. If the method of encipherment becomes known to one's adversary, this should
not prevent one from continuing to use the cipher.
3. It should be possible to memorize the key without having to write it down, and
it should be easy to change to a different key.
4. Messages, after being enciphered, should be in a form that can be sent by
telegraph.
5. If a cipher machine or code book or the like is involved, any such items required
should be portable, and usable by one person without assistance.
6. Enciphering or deciphering messages in the system should not cause mental
strain, and should not require following a long and complicated procedure.
These six desiderata, as they are phrased, are directly applicable to pencil-and-paper
ciphers. Some of the concerns they raise do not seem as important today, when the
ubiquitous personal computer stands ready to assist the cryptographer.
It may be noted that I have rather heavily paraphrased Kerckhoffs in my listing of his
six dicta above. The second dictum originally stated that "compromise of the system
should not inconvenience the participants". While my paraphrase makes explicit the
usual way in which this dictum is understood, there is at least one other way in which
the users of a cryptosystem could be inconvenienced by compromise of the algorithm
used.
During the Second World War, the highly-secure American cipher machine SIGABA
was handled with extreme physical security. One of the reasons for this was that it was
so secure that if an enemy had discovered how it worked, although that probably would
not allow that adversary to begin cryptanalyzing messages encrypted on the SIGABA,
it would enable the adversary to copy the principle, and thus deprive the Allies of the
intelligence they had been able to obtain from solving even the highest-level German
and Japanese cipher systems.
Hence, satisfying the first dictum too well caused it to fail the second dictum in a less
usual manner.
In any case, as amended for the computer era, Kerckhoff's desiderata might look like
this:
1. That a cipher should be unbreakable, in practice if not in theory, needs no

modification as a statement of what is desired. However, only the one-time-pad,
or a cipher essentially equivalent to the one-time-pad, is known to be secure in
theory at present, and there are good reasons to believe that such ciphers will
remain the only ciphers that can be proven to be unbreakable. There are a
number of other ciphers can be proven to be as hard to break as certain classes
of difficult problems in mathematics are to solve. But what can't be proven at
present (and what may possibly even remain forever unprovable) is that those
"difficult problems", such as factoring the product of two large primes, will
indefinitely continue to require enough time to inconvenience the cryptanalyst
as new discoveries are made in mathematics.
2. That the security of a cipher system should depend on the key and not the
algorithm has become a truism in the computer era, and this one is the best-
remembered of Kerckhoff's dicta. The original reason for this requirement,
however, is not due to some magical distinction between "key" and "algorithm".
Rather, it follows from the later conditions imposed on the key: it must be short,
and easy to abandon for a new key. A cryptographic algorithm can meet neither
of those conditions. Hence, it should not be part of the key, because then the key
would be bulky and hard to change. However, there is also a fundamental
distinction between key and algorithm which, even if Kerchoff considered it
when he wrote this desideratum, was not likely to have been one of the major
considerations behind it, although it relates to the first desideratum, and which
is generally used today as the main rationale for this requirement. Unlike a key,
an algorithm can be studied and analyzed by experts to determine if it is likely
to be secure. An algorithm that you have invented yourself and kept secret has
not had the opportunity for such review.
3. With today's computer technology, that allows a cipher with a key 56 bits in
length, as used with DES, to be easily broken by brute force (by merely trying
every possible key) it would appear that a dictum advocating that keys should
be short is entirely obsolete. But if we rephrase the requirement to indicate the
reasons behind it, we find that the concern is still valid. The secret key, on
which the security of one's messages depends, should not be of a size (or form)
that prevents it from being handled, stored, and exchanged in ways that
effectively protect it from compromise. And it may also be noted that public-
key cryptography, which allows the two participants to avoid having to
exchange their private keys, and which allows them to use a fresh session key
for each message, contributes to the ease of meeting this requirement. And on
the other hand, the one-time-pad may require the exchange of keys at an
inconvenient time, once the available key is exhausted.
4. Enciphered messages should be in a form suitable to transmission by means of
whatever communications medium is intended to be used, or convenient to use.
This may mean the Internet or a fiber-optic link instead of the telegraph, but the
principle remains sound.
5. In order for a cipher to satisfy the first rule, it seems impossible to avoid having
to use a piece of apparatus for encipherment, the digital computer. Computers
certainly do exist that are portable and which are easily used by one person
today. As apparatus can also cause problems by arousing suspicion, it would be
an advantage in this area if one's cipher could be carried out with the aid of a
computer program in BASIC that one could type in from memory.
6. Again, it seems that for a cipher to remain unbreakable by today's standards, the
algorithm used would have to be intricate and complicated. However, it is also
true that we now have computers to do all the hard work. One of the reasons
that a cipher should not be too complicated is to avoid problems caused by error
in the encipherment of messages. Hence, this dictum could be considered to
recommend that ciphers with unfavorable error-propagation characteristics
should be avoided, since transmission errors can also make it necessary to
retransmit a message. And this relates more directly to the cipher itself than to
simply note that any encryption program, like any other computer program,
should have a good user interface.
Thus, I claim that all six of Kerckhoffs' desiderata, not just those whose relevance is
most often acknowledged at the present time, still retain at least some degree of
importance, when correctly understood. But it is true that the ones regarded as obsolete
have retained less of their importance as stated, although the reasons behind them
remain valid in a different form.
Next
Table of Contents
Home Page
Cryptography and Content Protection

One common application of cryptography is to prevent copies, or at least digital copies,
being made of computer programs, music, pictures, or movies.
Since these things can't be used while in an encrypted form, however, works protected
in this fashion still need to be accompanied, either as they are distributed, or in the
device on which they will be legitimately played or used, by all the information needed
to decrypt them. Thus, it appears that someone attempting to overcome such protection
will always have an alternative to cryptanalysis as a means of attack: prying the key out
of wherever it is hidden.
However, if a key is hidden inside the circuitry of a microchip, prying it out of there
requires specialized equipment; that, in itself, would be more reassuring if many
hackers weren't college students, but the military also uses various techniques to make
that more difficult, such as painting chips with chemicals that will catch fire if exposed
to the air. Because this limitation does mean that no content protection method can be
technically perfect, it is not surprising, whether or not one approves of it, that industries
relying on copyright have asked for (and have recieved in many cases, such as the
Digital Millenium Copyright Act in the United States) specific legal protection of
content protection schemes, to make it illegal to attempt to defeat them, and to reveal
the hidden keys to others once they are found.
To allow a protected movie or song, for example, to be played on a computer, without

it being necessary to allow the protected content in decrypted form to move along the
computer's buses, one of the ideas that has been advanced, and which does seem
necessary, is to put the decryption inside each display device, such as inside video
cards, sound cards, and printers (so that you can print a copy of a book without being
able to access its text in machine readable form).
Software, if protected by encryption, could be protected in two different ways. It could

be distributed with a dongle that decrypts an important part of the software, totally
preventing copying. Or, the encryption could use a key which is jointly derived from
the user's serial number or name and a corresponding secret value: the two together
would produce the constant key in which the software is encrypted on a CD-ROM, but
it would be made difficult to find and use this key directly, so that unauthorized copies
would normally identify their source.
I remember that, some years ago, there was a news story about a new microprocessor
that had, built into it, the capability of running programs that were encrypted. Actually,
two chips had this feature; they were the NEC V25 Software Guard and the NEC V35
Software Guard. These chips were 8086-compatible chips; the V35 (which also existed
in a plain form without this feature), in addition, had features that allowed it to address
16 Megabytes of RAM with a 24-bit address, but in a simpler fashion than that which
later became the standard with Intel's 80286 chip.
The encryption provided was, however, somewhat limited. Customers could specify a
256-byte translation table, and when the chip was executing encrypted software, this
table was used to decrypt the first opcode byte of instructions.
Since the address portion of an instruction usually appears in the clear on the address
bus in a later cycle, it made sense not to encrypt that, and thereby provide a window
into the translation table for anyone who could monitor the computer's bus.
One could imagine slightly enhancing this kind of encryption, while keeping its time
requirements comparable to those involved in address calculation:
Here, bytes being fetched by the CPU go through two translation tables or S-boxes, and
in between are XORed with a quantity calculated from the least significant two bytes of
the address from which they were fetched.
Four different S-boxes are present in each position. Another table, not shown in the
diagram, would determine which S-box is to be used for various types of memory
access, and it might look something like this:
00000 First opcode byte 00 00 00 00
00001 Other opcode bytes 01 01 01 01
00010 8-bit displacement X
00011 Address field X
00100 (not used) X
00101 one-byte data 10 10 10 10
00110 16-bit data, first byte 11 11 11 11
00111 16-bit data, second byte 00 01 10 11
01000 32-bit integer, first byte 01 10 11 00
01001 32-bit integer, second byte 10 11 00 01
01010 32-bit integer, third byte 11 00 01 10
01011 32-bit integer, fourth byte 11 10 01 00
01100 32-bit floating, first byte 10 01 00 11
01101 32-bit floating, second byte 01 00 11 10
01110 32-bit floating, third byte 00 11 10 01
01111 32-bit floating, fourth byte 00 11 00 11
11000 64-bit floating, first byte 01 10 01 10

11001 64-bit floating, second byte 10 01 10 01
...
so there would be nine bits for each entry, one turning off encryption, the other eight
specifying the four S-boxes to use. One could add another two bits, so that the two
XOR steps shown in the diagram could individually be switched to addition.
To allow a standard part to be used, the chip could contain the ability to do public-key
cryptography, so that it could load in the contents for all these tables from the outside.
But even with the additional complications shown, it seems like quite a mismatch to
start off by using something as powerful as public-key cryptography, and then protect
software with such an elementary type of cryptography.
So, instead of (or in addition to) using the chipmaker's public key to encrypt S-boxes
for use in this elementary fashion, it ought to be used to allow decryption of executable
code, which, in decrypted form, would be kept in memory on the chip itself, and not
allowed to leave there.
The program so decrypted could be a small program, including a key, which would
serve to conventionally decrypt by any algorithm additional program code to also be
placed in this internal memory. This would reduce the amount of dedicated encryption
hardware needed on the chip, but might create problems in connection with what I
propose below.
Decrypting a program by a secure algorithm, and only storing the result inside the
microprocessor chip for use, would be quite secure.
But this raises another issue.
Do we allow every software maker to protect its own software in this fashion? Or will
making use of the mechanism be restricted to large, respected companies, that the
chipmaker will trust to abide by a non-disclosure agreement?
Using public-key cryptography would mean that the chipmaker could disclose the
public key corresponding to the private key built into every chip without compromising
the security. But what happens when writers of viruses and trojan-horse programs use it
to protect their efforts? Of course, the chipmaker would use its knowledge of its private
key to assist efforts to combat viruses, but this would still allow such code to be far
more damaging, and harder to detect.
In a USENET post, I proposed a scheme that would allow a facility of this nature to be
made openly available and yet have additional protection against misuse.
● Using the BIOS setup program of a computer, the purchaser of a computer

would set up a personal secret key in nonvolatile memory inside the
microprocessor.
● Programs that have an encrypted part would use a system of standardized
headers to indicate which part is encrypted.
● The microprocessor would not decrypt and use things encrypted with the
chipmaker's private key directly. Instead, the only decryption operation
provided would do the following: first, decrypt using the personal secret key set
up on the chip using a conventional algorithm, then, decrypt the result using the
chipmaker's public key, placing this final result in the protected memory within
the chip for later use.
Hence, the only way that a program containing encrypted parts could successfully
execute on a user's computer would be if that user activated the program by using a
utility to superencrypt that program's encrypted parts with his own personal key.
This would be a fair approach to content protection, as it would provide a level playing
field for software writers, and it would also provide the user with control over his
computer, by being able to decide what programs he will trust to execute in encrypted
form on that computer.
Note that this proposal requires on-chip symmetric encryption capability, to handle the
user's key. Programs to be loaded into protected memory using this encryption might
also be required to be superencrypted with the user's key, in addition to requiring this
for the block encrypted with public-key techniques.
(There is no need to require this for programs which aren't decrypted once, and loaded
into chip-internal memory, but executed in regular memory using the simple scheme
illustrated in the diagram above, where the block containing the S-boxes for the
program has been activated. Although much less secure, it might be thought useful to
include this kind of ability on a chip that runs secured software, so as to allow all the
program to be protected somewhat, providing an additional nuisance to hackers, in
addition to protecting the small pieces of the program loaded into the internal memory
of the chip with more advanced encryption. Possibly also useful would be a secondary
user key, used to activate programs which are only allowed to use the multiple S-box
method of external protection, but which are not loaded in part into the chip's internal
memory.)
But even this would not be a foolproof way of preventing a protected program from
accepting other programs as protected in a fashion that bypasses the requirement of
explicit user activation, since a program could always be loaded in the form of P-code
into an on-chip data area, as a program which is to be hidden needs the ability to work
with data in private as well. This is particularly likely to be a problem if the computer's
operating system makes use of this protection, but if the operating system were
activated with the type of secondary user key proposed above, so that it was only
protected using the simple scheme in the illustration, it would have no direct access to
the internal memory. But that wouldn't stop it from accepting programs written in
encrypted P-code for execution, of course.
Also note that a protected program, using either type of protection, would have to be
treated like an interrupt service routine by the computer, so that it could only be called
at the entry points explicitly specified when it was loaded. However, that does not
mean that such programs should be privileged; limiting those externally protected to
being user-mode programs, and further limiting those executing on-chip to access to a
fixed area of memory, so that they can only serve as computational subroutines, is
another way to combat misuse of the security feature, although, again, it is not
foolproof.
Next
Table of Contents
Main Page
Fallacies of Cryptography and

Compression
Every so often, someone notes that there are 254 possible sequences of seven or fewer
bits, and concludes from this that nearly every file can be compressed, by a method
resembling the following:
0000 0000
0001 0001
0010 0
0011 1
0100 00
0101 01
0110 10
0111 11
1000 000
1001 001
1010 010
1011 011
1100 100
1101 101
1110 110
1111 111
The table in this example is ordered to show what is going on. The 0 and 1
combinations are not compressed; all other combinations are replaced by the bits
following the first 1 bit.
If one were to compress each byte of a file in this fashion, the effect would be that of
converting a file from 5-level code to Morse code; and no actual compression would
take place, because recording the length of each symbol, or the breaks between
symbols, would lengthen the file enough to cancel out any gains. At least if the file
were composed of random bits: using real Morse code on a real text file, since the most
common letters have the shortest symbols, would provide real compression, but no
more compression than could be achieved by a Huffman code.
Some people have even had the bright idea of applying this method of compression
repeatedly:
0000 0000 000 000 00 00
0001 0001 001 001 01 01
0010 0 010 0 10 0
0011 1 011 1 11 1
0100 00 100 00
0101 01 101 01
0110 10 110 10
0111 11 111 11
1000 000
1001 001
1010 010
1011 011
1100 100
1101 101
1110 110
1111 111
Thus, 1110 compresses to 110, which compresses to 10, which compresses to 0.
Unfortunately, 0 decompresses to 10, 010, or 0010, 10 decompresses to 110 or 0110,

010 decompresses to 1010...
If one records the particular path that compression took, then one has recorded enough
information to cause this scheme to no longer involve any compression.
Here is an illustration of a more pervasive fallacy:
Let us use the following square:
0123456789
0 A IOSW
1 T IT A S
2 EEGT TS M
3 MEE HS BW
4 TR ETSO
5 IS HS
6 T E TAI T
7 IO S H
8 WFO E T T
9 WA H W I
to decode the following cipher message:
3.14 15 92 65 35 89 79 32 38 46
I T W A S T H E B E
26 43 38 32 79 50 28 84 19 71
S T B E H I M E S I
o f t
69 39 93 75 10 58 20 97 49 44
T W A S T H E W O R
59 23 07 81 64 06 28 62 08 99
S T O F T I M E S I
86 28 03 48 25 34 21 17 06 79
T M A S T H E A I H
w g e
82 14 80 86 51 32 82 30 66 47
O I W T S E O M I T
f i d
09 38 44 60 95 50 58 22 31 72
W B R T H I H G E O
a s e a
Hmm, those errors just keep accumulating. Perhaps pi isn't really A Tale of Two Cities
in code after all.
What if we try a different cipher square? How about...
3.14 15 92 65 35 89 79 32 38 46
I N T H E S E C O N
26 43 38 32 79 50 28 84 19 71
D C O C E U R Y O F
e n t
69 39 93 75 10 58 20 97 49 44
T H E C H R I S T I
59 23 07 81 64 06 28 62 08 99
A N E R A T H E E M
86 28 03 48 25 34 21 17 06 79
P H R E O F R O T E
i m
No, I guess it isn't Gibbons' Decline and Fall of the Roman Empire either.
Of course, I've only scratched the surface of the possibilities. Perhaps I need to apply a
fancier encryption technique to the digits of pi before trying a homophonic substitution.
If I used three digits, rather than two, at a time, I would get better results (simply
because it would take longer before a sequence of three digits would repeat). Perhaps I
need to start somewhere else in the decimal expansion of pi, rather than at the
beginning.
This can be considered a compression fallacy as well as an encryption fallacy. Since pi

contains so many existing examples of random strings of digits, could we take a
random string of digits, and compress it by turning it into a set of pointers to where its
component sequences occur in pi?
The answer is no, since if we take a random sequence of five digits, on average one
would have to go through the first 50,000 digits of pi to find a match for it.
Thus, the description of where something is hidden in pi is, almost always, as long as
the thing itself.
Next
Table of Contents
Home Page
The Politics of Cryptography

Subjecting a text to a transformation is a lot like doing arithmetic. Thus, I view as
highly intrusive any attempt to make the private use of encryption illegal, even if
certain forms of hardware encryption with government access features are excepted.
On the other hand, the use of any form of encryption over mobile radio links, such as
Amateur Radio or Citizens Band radio, has long been banned; and this does not seem
unreasonable, both because the use of the airwaves is regulated in many ways, and the
use of radios to co-ordinate a bank robbery or outside assistance to a prison escape is
an obvious possibility. Thus, while the idea of putting a Clipper chip on every
telephone in the U.S. (this assuming every home in the U.S. had an ISDN line to hook
up a digital telephone to) naturally raised many eyebrows, using that same technology
in the limited province of cellular telephones doesn't seem unreasonable. This would
even have been a good place to start for a government with an agenda to put that chip
in other places; a claim the chip was for mandatory use in one specific area, highly
subject to regulation in any case, would be believable. A claim that it was for voluntary
use (what good is it to be able to tap the phones only of people who don't mind) was
simply not credible, and steered the whole thing into a sufficiently deep quagmire of
public objections that I must confess to being unsure that the U.S. government was ever
really serious about Clipper.
Since even an old 8-bit computer, such as a VIC-20, can be used to encrypt text
securely, using algorithms considerably more complex than those used by the cipher
machines of World War II, and since basic knowledge about cryptography is widely
available (unlike programs that implement DES, even the export control regime of the
U.S., which goes beyond the Wassenar agreements in several respects, does not restrict
the export of descriptions of DES or similar algorithms), and since how to program a
computer is a basic skill that is also very common, it is difficult to see how a
compelling national security need is met by placing restrictions on the export of
encryption software, particularly in source code form.
However, encryption hardware, not only offering additional security features, but also
being ruggedized for use under adverse battlefield conditions, is obviously military in
nature, and requires advanced technology to produce.
Even in the nineteen-twenties, financial institutions used cryptography to protect funds

transfers. However, codes and ciphers have traditionally been primarily the province of
rulers, diplomats, spies, and especially the military. Today, the basic insecurity of the
Internet has stimulated public interest in cryptography for much the same reason as the
telegraph did in its early years.
The development of public-key cryptographic techniques is also responsible for the

increased current popularity of cryptography, as it has made setting up secure
communications much more convenient, and hence practical in situations where it
would previously have been awkward.
Is cryptography a weapon? Its relation to military operations seems to be rather that of

a support function. Jeeps that don't break down, radios that work under harsh
conditions, food that won't spoil, clothing suitable to the weather that will last: an army
needs all of these things, just as it needs a way to report observations, and recieve
orders, that cannot be overheard by its adversaries.
I cannot, therefore, deny that it is militarily useful, even if it is in the category of a dual-
use technology. Export controls impose costs, by on the one hand denying sales to the
commercial software industry, and on the other hand restricting the availability of
freeware and shareware software to consumers containing encryption, since this kind of
software is distributed in ways which make preventing export difficult to do.
Next
Table of Contents
Home Page
[Up] [Previous] [Index]
Conclusions
This chapter deals with ancilliary functions, rather than encryption itself.
However, the idea of converting text from binary form to letters of the alphabet does
suggest a way to complicate any attempt to analyze a cipher system. Since such a
conversion unavoidably adds a small degree of redundancy to the message being
encrypted, as a safety precaution the key used for encryption before conversion and the
key used for encryption after conversion should be unrelated.
The various forms of encryption we have seen here can be organized into groups based
on common properties: I once essayed to classify the ciphers of the first four chapters,
ciphers other than public-key systems, by the following scheme, based on the kind of
operations performed on the plaintext:
● Transposition: pure transposition ciphers, such as double columnar

● Substitution
❍ Single-character ciphers
■ Displacement: the Caesar cipher
■ Substitution: monalphabetic substitution
❍ Polygraphic ciphers
■ Convolution and Substitution
■ (includes transposition - exchange of column coordinates,
or displacement - two characters in same row or column):

Playfair
■ (variation of displacement and trivial convolution - the
XOR with the f-function output, with embedded variation

of substitution within the f-function itself): DES in ECB
mode
■ Convolution and Transposition and Substitution
■ Fractionation
❍ Stream ciphers: plain
■ Variation of Displacement: Vigenere, Porta, Beaufort, DES in
OFB mode, Hagelin lug and pin machines

■ (with trivial convolution): Vernam two-tape system,
Lorenz Schlusselzusatz, additive superenciphered code

❍ Stream ciphers: fancy
■ Substitution and Variation of Displacement: most rotor
machines, DES in CBC or PCBC mode

■ (with trivial convolution): Hagelin B-21, B-211
■ Variation of Substitution: Cypher SA, PURPLE, HC-9
■ (with embedded transposition): Dynamic Substitution
■ (by means of transposition, trivial convolution, and
variation of displacement): Siemens and Halske T52

■ Variation of Substitution and Variation of Displacement:
Bazeries Cylinder
This form of classification only, however, addresses one dimension in which ciphers
vary. Another classification has been mentioned in a previous section in the current
chapter, which does include public-key systems:
● The one-time pad requires the previous exchange of an amount of key that
corresponds exactly to the quantity of messages to be transmitted.
● A conventional, or symmetric-key, cipher can protect a large volume of
messages with one small key, without a clear boundary beyond which further
messages become insecure.
● A public-key cipher can allow two parties to communicate securely without
any previous contact for the exchange of key material.
Also, the first classification is based on what happens to the plaintext. But when stream
ciphers are classified, while the classification takes into account what changes as
successive letters or bits or blocks are enciphered, how the changes are determined was
ignored. A classification of stream ciphers based on this dimension might look like this:
● Repeating key: Vigenere

● Multiple repeating keys: Vernam two-tape system, Hagelin lug and pin
machines
● Chained repeating keys: most rotor machines, PURPLE
❍ (with other elements): SIGABA, Converter M-228
● Cyclically encrypted key: DES in OFB mode

● Reservoir system: Alleged RC4, MacLaren-Marsaglia PRNG, Dynamic
Substitution
● Autokey: Vigenere autokey, Cypher SA
● Random key: Bazeries cylinder, one-time-pad
however, this classification is little more than a listing of methods commonly in use.
Another way of looking at the deficiency in the first classification that this one attempts
to remedy is that the first classification is based on the operation performed directly on
the plaintext to produce ciphertext.
But that operation may not be the principal difficulty in cracking a cipher.
For example, let us compare these two ciphers:

● A standard rotor machine cipher
● A Vigenère autokey, in which each letter is enciphered by means of the
Vigenère tableau with the key letter being the encipherment of the previous
letter of the message...by the exact same rotor machine as used to encipher the
message itself in the previous example cipher.
Thus, all the workings of a cipher need to be considered in classifying it.
I originally composed the classification of ciphers which appears first on this page to
illustrate my own view of how cipher systems should be categorized, as a response to
the classification entitled "A Cipher Taxonomy", by Terry Ritter. That illustrates
another approach to the classification of different types of cipher.
[Up] [Previous] [Index]
Table of Contents
Home Page
Left: [2] [3] [5] [6] [7] [11] [12] [13] [14] [15] [17] [18] [19] [21] [22] [23] [24] [26] [28] [29] [31] [33] [34] [35] [37] [38] [39]
Right: [2] [3] [5] [6] [7] [11] [12] [13] [14] [15] [17] [18] [19] [21] [22] [23] [24] [26] [28] [29] [31] [33] [34] [35] [37] [38] [39]
Back to Fractionation page Back to Armor page Back to Armor-Related Fractionation page
These tables show the powers of all the prime numbers less than forty, but also many composite numbers. The criterion for excluding a composite number from
this table is that numbers which were a power of another number were excluded, since those numbers could be seen in an earlier part of the table, and all multiples
of ten were excluded.
Powers of two
2 4
3 8
4 16 Powers of twenty-six
5 32 2
6 64 676
7 128 3
8 256 17576
9 512 4
10 1024 456976
11 2048 5
12 4096 11881376
13 8192 6
14 16384 308915776
15 32768 7
16 65536 8031810176
17 131072 8 20
18 262144 8827064576
19 524288 9 542
20 1048576 9503678976
21 2097152 10 14116
22 4194304 7095653376
23 8388608 11 367034
24 16777216
25 33554432
26 67108864
27 134217728
28 268435456
29 536870912 4486987776
30 1073741824 12 9542895
31 2147483648 6661682176
32 4294967296 13 248115287
33 8589934592 3203736576
34 1 7179869184 14 6450997470
35 3 4359738368 3297150976
36 6 8719476736 15 16 7725934228
37 13 7438953472 5725925376
38 27 4877906944 16 436 0874289942
39 54 9755813888 8874059776
40 109 9511627776 17 11338 2731538515
41 219 9023255552 0725554176
42 439 8046511104 18 294795 1020001391
43 879 6093022208 8864408576
44 1759 2186044416 19 7664672 6520036189
45 3518 4372088832 0474622976
46 7036 8744177664 20 199281488 9520940915
47 14073 7488355328 2340197376
48 28147 4976710656 21 5181318712 7544463796
49 56294 9953421312 0845131776
50 112589 9906842624 22 13 4714286531 6156058698
51 225179 9813685248 1973426176
52 450359 9627370496 23 350 2571449822 0057526153
53 900719 9254740992 1309080576
54 1801439 8509481984 24 9106 6857695372 1495679981
55 3602879 7018963968 4036094976
56 7205759 4037927936 25 236773 8300079675 8887679516
57 14411518 8075855872 4938469376
58 28823037 6151711744 26 6156119 5802071573 1079667428
59 57646075 2303423488 8400203776
60 115292150 4606846976 27 160059109 0853860900 8071353149
61 230584300 9213693952 8405298176
62 461168601 8427387904
63 922337203 6854775808
64 1844674407 3709551616
65 3689348814 7419103232
66 7378697629 4838206464
67 1 4757395258 9676412928 28 4161536836 2200383420 9855181895
68 2 9514790517 9352825856 8537752576
69 5 9029581035 8705651712
70 11 8059162071 7411303424
71 23 6118324143 4822606848
72 47 2236648286 9645213696
73 94 4473296573 9290427392
74 188 8946593147 8580854784
75 377 7893186295 7161709568
76 755 5786372591 4323419136
77 1511 1572745182 8646838272
78 3022 3145490365 7293676544
79 6044 6290980731 4587353088
80 12089 2581961462 9174706176
81 24178 5163922925 8349412352
82 48357 0327845851 6698824704
83 96714 0655691703 3397649408
84 193428 1311383406 6795298816
85 386856 2622766813 3590597632
86 773712 5245533626 7181195264
87 1547425 0491067253 4362390528
88 3094850 0982134506 8724781056
89 6189700 1964269013 7449562112
90 12379400 3928538027 4899124224
91 24758800 7857076054 9798248448
92 49517601 5714152109 9596496896
93 99035203 1428304219 9192993792
94 198070406 2856608439 8385987584
95 396140812 5713216879 6771975168
96 792281625 1426433759 3543950336
97 1584563250 2852867518 7087900672
98 3169126500 5705735037 4175801344
99 6338253001 1411470074 8351602688
100 1 2676506002 2822940149 6703205376
101 2 5353012004 5645880299 3406410752
102 5 0706024009 1291760598 6812821504
103 10 1412048018 2583521197 3625643008
104 20 2824096036 5167042394 7251286016
105 40 5648192073 0334084789 4502572032
106 81 1296384146 0668169578 9005144064
107 162 2592768292 1336339157 8010288128
108 324 5185536584 2672678315 6020576256
109 649 0371073168 5345356631 2041152512
110 1298 0742146337 0690713262 4082305024
111 2596 1484292674 1381426524 8164610048
112 5192 2968585348 2762853049 6329220096
113 10384 5937170696 5525706099 2658440192
114 20769 1874341393 1051412198 5316880384
115 41538 3748682786 2102824397 0633760768
116 83076 7497365572 4205648794 1267521536
117 166153 4994731144 8411297588 2535043072
118 332306 9989462289 6822595176 5070086144
119 664613 9978924579 3645190353 0140172288
120 1329227 9957849158 7290380706 0280344576
121 2658455 9915698317 4580761412 0560689152
122 5316911 9831396634 9161522824 1121378304
123 10633823 9662793269 8323045648 2242756608
124 21267647 9325586539 6646091296 4485513216
125 42535295 8651173079 3292182592 8971026432
126 85070591 7302346158 6584365185 7942052864
127 170141183 4604692317 3168730371 5884105728
128 340282366 9209384634 6337460743 1768211456
129 680564733 8418769269 2674921486 3536422912
130 1361129467 6837538538 5349842972 7072845824
131 2722258935 3675077077 0699685945 4145691648
132 5444517870 7350154154 1399371890 8291383296
REM Copyright (C) 2000 John J. G. Savard
REM Redistribution is only permitted if no charge is made

REM and all copyright notices, and the licensing
REM conditions which follow, including this licensing condition,
REM are retained.
REM Use, including commercial use, is permitted.
REM It is specifically permitted to modify this program

REM for purposes of use, but not of redistribution
REM by changing the statement "FOR bx% = 1 to 11"
REM to "FOR bx% = 1 to" a higher number, and by replacing
REM the DATA statements with either more digits of Euler's constant
REM or the digits of another quantity;
REM excepting that redistribution after such a modification is
REM permitted providing that the constant whose value is in the
REM DATA statements is accurately identified, and its value is
REM correct.
REM No copyright is claimed to program output, and users of this

REM program agree that, if it is applied to a string of digits as
REM input that are themselves not subject to copyright, that the
REM output is a trivial transformation of the input, and is also
REM not subject to copyright, and therefore they also agree not to
REM apply for or enforce any such rights relative to program output
REM in such a case.
REM The above condition in no way prejudices the ability of someone

REM who owns a copyrighted work to express that work as a string of
REM digits, and apply this program to those digits, and retain and
REM enforce copyright on the output from this program when applied
REM to those digits.
DIM a%(3000), s%(255)
LINE INPUT "Output file? "; fi$

OPEN fi$ FOR OUTPUT AS #2
REM Fill working array with Euler's constant

FOR i% = 1 TO 3000
READ a%(i%)
NEXT i%
REM Generate S-boxes

FOR bx% = 1 TO 11
REM Initialize array for S-box

FOR i% = 0 TO 255
s%(i%) = i%
NEXT i%
REM Shuffle S-box contents

FOR ch% = 256 TO 2 STEP -1
REM Multiply Euler's constant by number of choices,

REM take integer part
ca% = 0
FOR i% = 3000 TO 1 STEP -1
REM force long integer arithmetic

w& = a%(i%)
w& = w& * ch%
w& = w& + ca%
ca% = w& \ 10000

cy& = ca%
a%(i%) = w& - 10000 * cy&
NEXT i%
REM Use result, from 0 to ch%-1, to pick an element

REM from the array
IF ca% = 0 THEN 90
pt% = 256 - ch%
ta% = pt% + ca%
t% = s%(pt%)
s%(pt%) = s%(ta%)
s%(ta%) = t%
90 REM
NEXT ch%
REM Print out the S-box that has been calculated

PRINT #2,
FOR i% = 0 TO 248 STEP 8
FOR j% = 0 TO 7
PRINT #2, USING " ###"; s%(i% + j%);
NEXT j%
PRINT #2,
NEXT i%
PRINT #2,
NEXT bx%
DATA 5772, 1566, 4901, 5328, 6060, 6512, 900, 8240, 2431, 421
DATA 5933, 5939, 9235, 9880, 5767, 2348, 8486, 7726, 7776, 6467
DATA 936, 9470, 6329, 1746, 7495, 1463, 1447, 2498, 708, 2480
DATA 9605, 401, 4486, 5428, 3622, 4173, 9976, 4492, 3536, 2535
DATA 33, 3742, 9373, 3773, 7673, 9427, 9259, 5258, 2470, 9491
DATA 6008, 7352, 394, 8165, 6708, 5323, 3151, 7766, 1152, 8621
DATA 1995, 150, 7984, 7937, 4508, 5705, 7400, 2992, 1354, 7861
DATA 4669, 4029, 6043, 2542, 1519, 587, 7553, 5267, 3313, 9925
DATA 4012, 9674, 2051, 3754, 1395, 4911, 1685, 1028, 798, 4234
DATA 8775, 8720, 5038, 4310, 9399, 7361, 3725, 5306, 889, 3312
DATA 6760, 172, 4795, 3783, 6759, 2713, 5157, 7226, 1027, 3492
DATA 9139, 4079, 8430, 1034, 1777, 1778, 881, 5495, 7066, 1075
DATA 101, 6191, 6633, 4015, 2278, 9358, 6796, 5497, 2520, 3621
DATA 2879, 2265, 5595, 3669, 6281, 7638, 8792, 7268, 132, 4310
DATA 1047, 6505, 9637, 394, 7394, 9576, 3890, 6572, 9679, 2960
DATA 1009, 151, 2519, 5950, 9222, 4350, 1409, 3498, 7122, 8247
DATA 9497, 4719, 5646, 9763, 1850, 6676, 1290, 6381, 1051, 8241
DATA 9744, 4867, 8363, 8086, 1749, 4551, 6989, 2792, 3018, 7739
DATA 1072, 9457, 8155, 4316, 50, 218, 2844, 960, 5377, 2434
DATA 2032, 8547, 8367, 151, 7739, 4398, 7003, 237, 339, 5183
DATA 2869, 1, 5581, 9398, 8042, 7074, 1154, 2227, 8197, 1652
DATA 3011, 735, 6583, 3967, 3487, 1765, 491, 9418, 1230, 40
DATA 6546, 9314, 2999, 2977, 7956, 9303, 1005, 308, 6303, 4185
DATA 6980, 3231, 836, 9164, 25, 8929, 7089, 985, 4868, 2577
DATA 7364, 2882, 5395, 4925, 8736, 2959, 6133, 2985, 7473, 9302
DATA 3734, 3884, 7070, 3702, 8441, 2920, 1664, 1785, 248, 7333
DATA 7908, 562, 7549, 9843, 4590, 7616, 4316, 7103, 1467, 1072
DATA 2370, 218, 1074, 5044, 4186, 6475, 9134, 8036, 6902, 5532
DATA 4586, 2544, 2225, 3451, 8138, 7912, 4345, 7350, 1361, 2977
DATA 8227, 8288, 1489, 4590, 9863, 8460, 629, 3169, 4718, 8714
DATA 9587, 5254, 9236, 6493, 5204, 7324, 3641, 972, 6827, 6160
DATA 8775, 9508, 8095, 1262, 840, 4544, 4779, 9229, 9157, 2482
DATA 9251, 6251, 2784, 2765, 9657, 832, 1461, 298, 2146, 1795
DATA 1957, 9590, 9592, 2704, 2089, 8962, 7971, 2553, 6321, 7948
DATA 8737, 6421, 660, 6070, 6598, 2561, 9901, 288, 756, 1251
DATA 9913, 7511, 6782, 1764, 3619, 570, 5844, 783, 5735, 158
DATA 56, 774, 5793, 4213, 1449, 8850, 786, 4151, 7161, 5194
DATA 5657, 617, 432, 4507, 5008, 1687, 523, 789, 937, 461
DATA 4306, 6848, 1791, 6496, 8425, 4915, 496, 7243, 1218, 3783
DATA 8753, 5648, 9495, 868, 4541, 234, 601, 6225, 851, 5583
DATA 8672, 3494, 4187, 8804, 4094, 770, 1068, 8379, 5111, 3078
DATA 7202, 3426, 3952, 2692, 971, 6088, 5690, 8382, 5113, 7871
DATA 2836, 8204, 9117, 8925, 9447, 8486, 1991, 1852, 9391, 293
DATA 990, 5925, 5266, 9172, 7446, 8920, 4438, 6971, 1147, 1745
DATA 7157, 4573, 2039, 3520, 9122, 3160, 8508, 6827, 5588, 9010
DATA 9451, 6811, 8101, 6874, 9754, 7096, 9366, 6712, 1020, 6304
DATA 8271, 6589, 5049, 3273, 1486, 874, 9402, 700, 6742, 5909
DATA 1824, 8759, 6213, 7384, 2311, 4426, 5313, 5029, 2303, 1751
DATA 7225, 7221, 6283, 2488, 3811, 2458, 9574, 3862, 3987, 375
DATA 7662, 8551, 3033, 1439, 2999, 5401, 8531, 3414, 1586, 2127
DATA 8864, 8076, 1100, 3015, 2119, 6578, 68, 1177, 7376, 3501
DATA 6818, 3897, 3389, 6639, 8689, 5793, 2991, 4563, 8864, 4310
DATA 3706, 807, 8174, 4899, 5795, 8324, 5794, 1896, 2026, 498
DATA 4104, 3922, 5078, 6046, 362, 5277, 2602, 2919, 6829, 9586
DATA 988, 3390, 1378, 7171, 4226, 9178, 8381, 9529, 8445, 6079
DATA 1605, 1972, 7973, 6047, 5910, 2510, 9957, 7913, 3515, 7917
DATA 7225, 1502, 5492, 9324, 6325, 287, 4767, 7948, 4215, 8405
DATA 759, 9290, 4018, 5576, 4599, 186, 2692, 6776, 4372, 6605
DATA 7117, 6813, 3655, 9088, 1554, 8107, 4700, 62, 3363, 7252
DATA 8894, 9554, 6369, 7143, 3012, 79, 1308, 5552, 6395, 9549
DATA 7823, 231, 4403, 9149, 7404, 9474, 6825, 9473, 2084, 6185
DATA 2460, 5877, 6694, 8828, 7953, 104, 634, 9172, 2921, 8580
DATA 870, 6770, 6904, 2792, 6743, 2844, 4696, 8514, 9718, 2567
DATA 8095, 8416, 5449, 1851, 4575, 3319, 6406, 3311, 9937, 3821
DATA 5734, 5087, 4988, 3255, 6088, 8873, 5280, 1901, 9155, 896
DATA 8855, 4682, 5924, 5444, 5277, 2817, 3057, 3010, 8060, 6177
DATA 113, 6377, 3182, 4629, 2466, 81, 2771, 6210, 1867, 7446
DATA 8495, 9514, 2817, 9014, 5111, 9489, 3422, 8834, 4825, 3075
DATA 3118, 7018, 6097, 6122, 4623, 1767, 4977, 5564, 1246, 1983
DATA 8564, 148, 4123, 5871, 7724, 9554, 2248, 2016, 1517, 6579
DATA 9408, 629, 6834, 2428, 9057, 2594, 7392, 6963, 8633, 8387
DATA 4380, 5471, 3196, 7642, 9268, 3724, 9076, 875, 737, 8528
DATA 3702, 3046, 8650, 3490, 5120, 3422, 7217, 4366, 8979, 2848
DATA 6297, 2908, 8926, 7897, 7703, 2624, 6239, 1226, 1888, 7653
DATA 57, 7862, 7436, 609, 4443, 6039, 2809, 7708, 1338, 3693
DATA 4235, 5085, 8394, 1126, 7092, 1873, 4414, 5121, 8780, 3276
DATA 1505, 947, 8055, 4663, 58, 6845, 5631, 5245, 4605, 3151
DATA 1325, 2818, 8910, 7923, 1491, 3110, 3234, 4302, 4509, 3345
DATA 3, 765, 5864, 8742, 2297, 1770, 331, 7845, 3915, 566
DATA 9401, 5998, 8492, 9160, 9114, 29, 4869, 208, 8485, 3816
DATA 9700, 9551, 5663, 4705, 5445, 2217, 6403, 5862, 9398, 2865
DATA 8131, 2387, 132, 5358, 8006, 2568, 6626, 9269, 9776, 7737
DATA 7306, 8322, 6900, 9160, 8510, 4515, 22, 6107, 1802, 5546
DATA 5928, 4938, 9492, 7759, 5897, 5407, 6155, 9933, 7826, 4824
DATA 1979, 5064, 1868, 1437, 8817, 1850, 8854, 803, 6799, 6314
DATA 2395, 4009, 1964, 3887, 5007, 8900, 6, 2799, 7942, 8098
DATA 8637, 2992, 5919, 7776, 5040, 4099, 2203, 7940, 4276, 1681
DATA 7837, 1566, 8653, 669, 3983, 916, 5243, 2270, 5955, 3041
DATA 7667, 3664, 116, 7929, 5901, 2930, 5374, 4971, 8308, 42
DATA 7584, 8635, 838, 804, 2466, 7350, 9355, 9832, 3241, 1696
DATA 9214, 8606, 4989, 2763, 6244, 3295, 8854, 8737, 8970, 1489
DATA 7133, 4353, 8448, 28, 9046, 6650, 9028, 4537, 6896, 2239
DATA 8304, 8814, 627, 3054, 879, 5911, 8967, 574, 9385, 4432
DATA 4786, 9148, 853, 3770, 2640, 6775, 8081, 2754, 5873, 1117
DATA 6364, 7878, 7430, 7392, 664, 2011, 2513, 5272, 7499, 6175
DATA 4505, 3085, 5823, 5668, 3068, 3229, 1767, 6677, 410, 3523
DATA 1535, 325, 1012, 4656, 3861, 5670, 6449, 8471, 3269, 5969
DATA 3301, 6786, 6138, 3333, 3344, 1657, 9006, 586, 7497, 1036
DATA 4689, 5174, 5695, 9718, 1553, 7640, 7837, 7650, 1842, 7834
DATA 5991, 8420, 1599, 5431, 4490, 4772, 5552, 3061, 4767, 165
DATA 9934, 1639, 660, 9120, 5400, 5322, 1589, 209, 1340, 8027
DATA 8225, 1533, 8528, 9951, 1665, 4522, 4586, 9185, 9936, 7122
DATA 132, 1501, 4480, 1424, 2309, 8625, 4604, 4886, 7256, 9343
DATA 1488, 7049, 1593, 446, 4018, 9164, 5020, 2240, 5495, 3862
DATA 9184, 7586, 2930, 7788, 9350, 6437, 7159, 6606, 9096, 468
DATA 1243, 7023, 546, 5703, 1606, 7999, 2587, 1666, 7524, 7219
DATA 4097, 7798, 186, 3626, 2563, 3582, 5262, 7942, 2393, 2548
DATA 6013, 2693, 5307, 138, 8937, 4369, 2384, 2878, 9385, 1276
DATA 4740, 8565, 4865, 281, 5630, 6774, 442, 2030, 6440, 3756
DATA 8263, 910, 2917, 5145, 7223, 4441, 503, 6931, 7711, 4521
DATA 7088, 8907, 4464, 1604, 8688, 7010, 8386, 2311, 4261, 2844
DATA 1425, 9609, 5637, 400, 6192, 57, 9335, 341, 5524, 2624
DATA 262, 646, 5693, 5430, 6125, 8526, 5834, 5219, 2121, 4977
DATA 7187, 8069, 5866, 851, 6334, 9221, 483, 6737, 9945, 9259
DATA 4340, 3795, 6000, 2192, 7854, 1837, 9417, 7602, 336, 5594
DATA 6730, 7887, 9838, 848, 1631, 4678, 2414, 9235, 4649, 1488
DATA 7668, 3368, 4074, 9289, 3865, 2818, 6304, 8589, 8203, 5481
DATA 8624, 3838, 4817, 5997, 6358, 4907, 5180, 7914, 8063, 4943
DATA 9162, 8470, 5482, 2007, 5494, 5348, 9861, 3382, 7235, 7309
DATA 2219, 30, 7400, 9680, 337, 6668, 4493, 2505, 5676, 5493
DATA 7530, 3181, 1251, 6410, 5524, 9238, 4077, 6451, 4984, 2395
DATA 7620, 1278, 1552, 3229, 4492, 8854, 5578, 5382, 248, 9189
DATA 4244, 1857, 959, 1955, 8208, 1000, 7157, 8384, 396, 2747
DATA 9985, 8178, 8088, 8865, 7168, 3069, 9436, 607, 3599, 421
DATA 685, 1142, 7913, 1696, 9959, 6792, 3008, 2898, 8156, 975
DATA 3833, 8059, 1093, 6034, 1252, 9986, 5679, 389, 5687, 9567
DATA 3455, 833, 6290, 7823, 8626, 3856, 3490, 7473, 1927, 5278
DATA 7401, 6655, 7531, 1901, 1154, 3470, 181, 8625, 6971, 2611
DATA 2012, 6852, 9231, 2993, 7161, 4039, 696, 5112, 2248, 1661
DATA 5082, 3536, 4398, 2396, 6205, 3263, 3322, 2485, 519, 1593
DATA 6826, 9071, 5004, 3155, 8987, 1802, 7833, 5384, 5448, 3091
DATA 724, 9498, 578, 8096, 1717, 9963, 3716, 7036, 5541, 8004
DATA 1464, 6675, 3871, 9586, 9484, 8333, 1543, 5833, 3064, 1935
DATA 9294, 8742, 951, 4788, 3234, 7748, 4814, 1814, 9776, 8716
DATA 9441, 3640, 566, 4515, 6936, 1165, 2416, 1555, 7341, 4193
DATA 5424, 7213, 7306, 7468, 3338, 4905, 4426, 6260, 3837, 2788
DATA 2175, 5270, 9930, 9581, 4102, 6136, 9795, 78, 6465, 8767
DATA 7160, 8630, 8044, 6074, 9802, 8015, 7696, 2675, 9138, 9779
DATA 4772, 2143, 3751, 5470, 8293, 4587, 9123, 8984, 3305, 5067
DATA 2234, 7496, 9984, 9424, 8670, 6721, 5025, 6927, 3529, 5850
DATA 6586, 9588, 9974, 8653, 5562, 1869, 5804, 3997, 1251, 6897
DATA 6654, 1698, 6265, 3862, 8919, 7754, 2187, 7219, 3960, 5817
DATA 11, 423, 6414, 1587, 8081, 386, 1721, 155, 7551, 9237
DATA 1116, 49, 8806, 8229, 1618, 977, 3242, 1958, 3289, 7486
DATA 9227, 1839, 7919, 467, 7165, 4266, 8138, 8933, 7929, 6036
DATA 8154, 5793, 9611, 3396, 2192, 2245, 4301, 5158, 631, 7437
DATA 840, 5608, 5364, 1603, 1384, 9829, 6951, 8566, 9526, 1282
DATA 2123, 7169, 3936, 8130, 3212, 9656, 1939, 7187, 1020, 7098
DATA 79, 4883, 3910, 1975, 3510, 4307, 4418, 2344, 8833, 3317
DATA 9697, 8277, 3320, 9114, 3324, 5143, 508, 6573, 4575, 68
DATA 7391, 4754, 7077, 7577, 5599, 1846, 7118, 3085, 8366, 159
DATA 4371, 9371, 8449, 390, 6177, 232, 5365, 6797, 7596, 7444
DATA 7574, 7511, 5841, 9574, 6700, 9973, 4500, 2454, 4284, 658
DATA 5024, 5085, 8564, 6392, 7912, 4611, 9879, 936, 9307, 2019
DATA 8040, 2930, 3603, 7388, 3843, 742, 1628, 2120, 1635, 3864
DATA 6622, 6097, 1989, 5843, 6799, 4305, 7203, 149, 6380, 5083
DATA 2232, 3658, 2555, 7724, 5342, 3718, 7737, 4398, 1833, 3306
DATA 4546, 6290, 6993, 3111, 2597, 3721, 9502, 7464, 6899, 654
DATA 5715, 5440, 3039, 1783, 5419, 7564, 3431, 5739, 348, 8386
DATA 6750, 5427, 4216, 1831, 500, 6055, 464, 2235, 4570, 8427
DATA 3935, 4935, 9051, 7627, 1747, 9299, 4723, 9890, 8632, 9701
DATA 190, 5610, 1077, 4269, 926, 4752, 3574, 304, 6301, 5924
DATA 3442, 4649, 83, 4188, 6308, 5932, 685, 5225, 779, 910
DATA 1958, 5889, 5314, 3287, 9981, 7570, 9819, 1682, 9315, 9404
DATA 5300, 5632, 5433, 1448, 8517, 3573, 269, 8256, 9372, 5346
DATA 9964, 134, 4087, 1580, 1081, 4528, 7865, 7904, 866, 3637
DATA 9450, 7110, 8505, 1042, 4179, 7691, 9112, 9261, 5132, 103
DATA 1636, 3498, 866, 694, 8624, 4078, 66, 8400, 6716, 9622
DATA 1463, 7181, 1477, 7268, 3418, 4664, 6364, 2427, 3405, 3003
DATA 1380, 7734, 9611, 9981, 4686, 1768, 5854, 6312, 816, 3164
DATA 7989, 3796, 4263, 7383, 5661, 8938, 3137, 1098, 3289, 5649
DATA 521, 1488, 1340, 2974, 2388, 8686, 3154, 3132, 9787, 6579
DATA 9125, 4542, 4333, 8563, 4720, 268, 1290, 4899, 4955, 426
DATA 9808, 8213, 267, 2635, 8153, 2480, 6753, 8790, 3230, 5742
DATA 1040, 3301, 4978, 8786, 7523, 7786, 705, 4688, 6147, 2100
DATA 9926, 3294, 2510, 8878, 197, 284, 1179, 2240, 2591, 914
DATA 6658, 4809, 2578, 5719, 2786, 2821, 4766, 7074, 878, 6351
DATA 9714, 2562, 9242, 7867, 284, 770, 3241, 4375, 6993, 1883
DATA 2433, 3155, 9002, 4333, 476, 9111, 92, 4797, 9118, 62
DATA 8620, 2213, 7078, 62, 1725, 7329, 473, 5994, 3988, 8313
DATA 9279, 9279, 6939, 7063, 5676, 2811, 6694, 541, 2885, 9081
DATA 9820, 2383, 8277, 354, 8349, 6879, 7340, 4888, 8293, 167
DATA 3677, 941, 5846, 5440, 954, 8624, 6514, 6101, 3539, 1349
DATA 6855, 9120, 4023, 6361, 8721, 5099, 2980, 6519, 586, 1682
DATA 8153, 287, 5042, 7545, 2586, 533, 1963, 4325, 9577, 7478
DATA 8134, 3723, 9394, 9912, 4380, 6143, 7544, 9859, 686, 751
DATA 8563, 1427, 2552, 5564, 2593, 9670, 1498, 414, 2598, 1823
DATA 7852, 5768, 2943, 6395, 9656, 2438, 8520, 6565, 4807, 1038
DATA 8454, 6394, 4537, 7019, 1784, 5718, 7410, 1186, 2232, 2780
DATA 2525, 1943, 6265, 7438, 2422, 5609, 3567, 6925, 8238, 7749
DATA 1160, 7377, 5945, 1401, 4470, 3190, 2241, 5355, 9112, 5061
DATA 3817, 8297, 4212, 6498, 2641, 6187, 2460, 6313, 3408, 9192
DATA 6702, 3597, 9580, 2365, 8416, 3175, 5679, 2335, 6621, 123
DATA 1335, 8454, 9459, 590, 699, 8420, 672, 2602, 5116, 7743
DATA 8473, 6482, 4385, 7154, 714, 6265, 9456, 4239, 1127, 1707
DATA 8030, 6371, 4169, 2638, 6440, 1005, 7131, 958, 9606, 3264
DATA 9637, 5529, 5676, 9364, 6894, 1051, 7952, 6, 1645, 2021
DATA 8843, 5340, 4730, 1824, 3930, 5148, 8198, 4593, 762, 9640
DATA 4445, 6877, 6241, 6528, 7162, 727, 6731, 8606, 3254, 801
DATA 4288, 7457, 1198, 6573, 747, 1701, 8866, 368, 7970, 3647
DATA 7085, 4852, 8716, 7000, 3622, 9285, 2883, 7468, 2466, 588
DATA 1411, 7540, 4744, 6061, 6763, 5430, 3739, 9237, 5659, 6593
DATA 6967, 879, 2316, 7744, 6856, 9310, 8382, 1078, 3048, 3159
DATA 1964, 3002, 1441, 2597, 228, 9063, 2031, 7410, 1149, 3664
DATA 8095, 2903, 117, 1633, 4531, 9179, 2293, 9242, 4287, 7283
DATA 7872, 3495, 6992, 9232, 1360, 9223, 4947, 2264, 5824, 3755
DATA 945, 1533, 5520, 1176, 1289, 7517, 3395, 1371, 7829, 3328
DATA 7158, 6094, 3866, 2701, 1791, 8415, 5458, 7264, 8982, 5139
DATA 2555, 9437, 9519, 7317, 8674, 4876, 9925, 3261, 7942, 3381
DATA 2999, 4127, 9398, 6026, 4424, 5196, 60, 5436, 8186, 6467
DATA 986, 5944, 3659, 3015, 4376, 2914, 8697, 9597, 6949, 9653
DATA 3527, 2100, 2002, 967, 9104, 3948, 2547, 2441, 1334, 2244
DATA 8700, 5463, 7656, 8408, 6676, 2153, 3736, 2746, 1591, 2054
DATA 7008, 6290, 5716, 9825, 7353, 7052, 3976, 1231, 2384, 1256
DATA 4349, 4117, 8949, 8615, 8285, 9702, 971, 970, 3919, 6352
DATA 1681, 2258, 2247, 5627, 1951, 9382, 7282, 8520, 9147, 1823
DATA 7534, 3655, 2540, 2074, 6203, 667, 3047, 6952, 4700, 9441
DATA 3814, 5617, 8282, 6663, 1961, 3967, 3593, 6725, 7264, 6033
DATA 8849, 4642, 4894, 7244, 8978, 4815, 9671, 5306, 1538, 4671
DATA 2236, 9871, 2823, 1978, 4769, 3110, 5716, 6236, 3732, 6207
DATA 5959, 7118, 401, 5143, 8962, 3170, 6019, 5857, 982, 3813
DATA 9246, 6613, 5279, 1369, 5637, 6559, 486, 1676, 2051, 2974
DATA 998, 3149, 6559, 7860, 2534, 1012, 9454, 3998, 6728, 8300
DATA 6244, 844, 186, 1815, 1175, 687, 887, 6467, 1609, 7992
DATA 9201, 7769, 6249, 6330, 1575, 8292, 5961, 8849, 4858, 7200
DATA 2292, 2480, 6062, 8812, 1778, 7338, 3145, 8825, 5129, 3953
DATA 6510, 8819, 1865, 1200, 4492, 3154, 9839, 4773, 1473, 5786
DATA 8897, 3142, 473, 1094, 5381, 4648, 2263, 2102, 3310, 7943
DATA 9597, 4628, 5235, 4129, 5751, 9106, 3558, 7923, 19, 5618
DATA 1312, 9461, 2030, 1575, 7634, 159, 7856, 8175, 1749, 8423
DATA 7788, 2447, 3753, 9824, 7457, 5996, 8677, 740, 8545, 5743
DATA 2942, 4026, 7819, 3848, 2203, 5409, 6210, 6060, 7219, 2499
DATA 825, 1048, 5400, 3184, 9631, 9986, 3221, 5690, 8909, 7614
DATA 531, 716, 5113, 1293, 2685, 3498, 5244, 286, 4482, 9347
DATA 591, 6085, 8699, 5981, 9889, 395, 9955, 9181, 1076, 4134
DATA 4665, 8814, 5254, 2565, 8815, 3545, 288, 8473, 9975, 3243
DATA 2780, 9021, 5225, 6952, 1844, 1452, 9865, 835, 5129, 8398
DATA 226, 2382, 6497, 4881, 8115, 8152, 5034, 5997, 4991, 5966
DATA 4009, 8320, 1452, 70, 4803, 5556, 8589, 9730, 9981, 5031
DATA 419, 2238, 5089, 7453, 7327, 6129, 4717, 1268, 1653, 886
DATA 7005, 4728, 8657, 7922, 4670, 1782, 6594, 8272, 6097, 2290
DATA 3471, 5741, 4031, 6697, 3107, 505, 782, 9610, 8260, 7287
DATA 429, 1260, 8231, 1974, 1510, 1473, 5784, 7810, 1072, 7971
DATA 1242, 7976, 284, 8141, 1516, 3388, 6896, 9078, 6717, 5772
DATA 5938, 1524, 7961, 2378, 9999, 366, 6175, 6035, 8821, 8132
DATA 5467, 5634, 4830, 9148, 7296, 2669, 3721, 9885, 270, 188
DATA 2981, 7301, 7024, 9442, 1406, 3172, 6519, 7139, 5062, 2108
DATA 2764, 5071, 8166, 3910, 4366, 8329, 5663, 8073, 719, 4543
DATA 2112, 5505, 3620, 8967, 8323, 310, 8517, 1481, 1492, 8588
DATA 9936, 2870, 6488, 7558, 4389, 1300, 4718, 6846, 7985, 8165
DATA 5521, 5901, 3925, 6032, 613, 7642, 7156, 2801, 1897, 1096
DATA 1140, 239, 1303, 9340, 6061, 7784, 8211, 221, 7165, 9926
DATA 5959, 6829, 5889, 544, 9896, 4857, 4041, 2204, 7497, 3542
DATA 5646, 7184, 236, 5046, 7905, 8274, 8590, 6950, 4735, 5535
DATA 3118, 3835, 8089, 6528, 8615, 8894, 1744, 1621, 9886, 8042
DATA 3034, 9243, 8958, 1497, 3672, 2274, 9518, 1127, 1453, 4386
DATA 9749, 9243, 2421, 3868, 4148, 4837, 5770, 3310, 8761, 7671
DATA 3319, 9442, 6349, 8806, 7216, 6702, 9837, 1723, 571, 3049
DATA 7256, 3819, 8844, 3653, 9981, 9479, 7022, 3275, 4329, 1144
DATA 4433, 4632, 5211, 4793, 1884, 6497, 3594, 6944, 8480, 9517
DATA 3477, 940, 7261, 914, 9351, 518, 5504, 3188, 8516, 3801
DATA 8002, 4268, 1763, 1726, 4589, 5778, 8146, 5894, 7316, 2199
DATA 1354, 2179, 7069, 6392, 9591, 2560, 3838, 485, 8583, 1567
DATA 2725, 4184, 6146, 9966, 351, 9007, 6701, 1178, 2305, 2799
DATA 9831, 3186, 9807, 2478, 2168, 1733, 8984, 6912, 4905, 5791
DATA 867, 654, 3025, 6293, 8081, 948, 2360, 9111, 8296, 668
DATA 9497, 3819, 7631, 5105, 1538, 4935, 1755, 2397, 1928, 5356
DATA 7163, 9294, 2133, 6526, 9580, 4910, 3950, 3518, 4024, 2187
DATA 1935, 4618, 1447, 7959, 7003, 349, 8159, 5797, 2043, 677
DATA 7594, 9449, 172, 3142, 3798, 5974, 7626, 7707, 8008, 9801
DATA 1891, 8522, 2292, 9262, 3297, 2928, 631, 4764, 8100, 1191
DATA 7099, 9353, 1769, 7308, 9422, 6374, 201, 70, 9335, 666
DATA 2278, 5533, 7722, 1764, 9569, 4295, 1334, 2217, 561, 681
DATA 8127, 5696, 1404, 4749, 5829, 392, 8608, 5745, 7388, 2919
DATA 3650, 8052, 2428, 6122, 2127, 5463, 6351, 513, 6722, 1258
DATA 2245, 5750, 7710, 9355, 4824, 1864, 4081, 8218, 6806, 5780
DATA 8079, 9719, 5177, 947, 4197, 6777, 3212, 4823, 7146, 2384
DATA 3954, 8793, 7267, 5599, 9117, 281, 9706, 756, 3576, 6641
DATA 128, 1350, 990, 870, 5335, 6200, 5233, 6929, 6054, 2950
DATA 9254, 5419, 7352, 3808, 7726, 1644, 7265, 3722, 3075, 6826
DATA 5054, 8450, 9679, 7718, 9920, 854, 8913, 4740, 7396, 4160
DATA 4941, 2403, 5553, 2681, 5724, 6269, 238, 3938, 5187, 1880
DATA 2550, 6849, 2576, 6238, 7484, 587, 6020, 8515, 6822, 6963
DATA 7595, 9505, 1924, 7241, 5113, 3516, 3399, 7915, 7222, 4009
DATA 6108, 7839, 2752, 2588, 2213, 913, 7090, 3982, 5360, 2681
DATA 267, 1419, 2457, 6566, 1757, 7459, 7781, 4068, 7748, 392
DATA 7288, 1158, 3817, 5631, 1947, 7376, 5607, 6600, 5726, 4678
DATA 9529, 7998, 4580, 9862, 3666, 3728, 8604, 2022, 1081, 5746
DATA 2248, 753, 4447, 1068, 2668, 2453, 1314, 6783, 139, 7955
DATA 6546, 9446, 5699, 2479, 8847, 7387, 2509, 6467, 6238, 9036
DATA 7941, 5569, 2945, 8900, 7614, 5200, 7886, 8536, 3678, 5881
DATA 2639, 9189, 5915, 7620, 432, 1719, 9636, 7902, 6988, 2911
DATA 2413, 5380, 382, 6280, 3150, 4030, 397, 4901, 4353, 6007
DATA 2497, 1492, 2144, 7964, 3758, 8216, 4985, 2142, 9139, 1538
DATA 4273, 4092, 6605, 6541, 1078, 5900, 9804, 7548, 5015, 6339
DATA 6294, 1100, 6873, 2270, 8858, 389, 2093, 8666, 266, 9800
DATA 647, 3728, 2478, 2041, 2411, 9241, 7329, 6188, 7633, 8055
DATA 6482, 7656, 3436, 2806, 224, 3482, 6427, 5294, 4486, 6804
DATA 7095, 5821, 4825, 8986, 4430, 1688, 1299, 3853, 8646, 3056
DATA 323, 6099, 7731, 2396, 870, 2975, 4227, 948, 3861, 8748
REM Copyright (C) 2000 John J. G. Savard
REM Redistribution is only permitted if no charge is made
REM Use, including commercial use, is permitted
LINE INPUT "Input file name?"; fi$

LINE INPUT "Output file name?"; fj$
OPEN fi$ FOR INPUT AS #1
OPEN fj$ FOR OUTPUT AS #2
cc = 0
nc = 0
lc = 0
ac = 0
os$ = "data "
100 LINE INPUT #1, a$

n = LEN(a$)
FOR i = 1 TO n
x = ASC(MID$(a$, i, 1))
IF x < 48 THEN 190
IF x > 57 THEN 190
ac = ac * 10 + x - 48
cc = cc + 1
IF cc < 4 THEN 190
cc = 0
os$ = os$ + STR$(ac)
ac = 0
nc = nc + 1
IF nc < 10 THEN os$ = os$ + ", ": GOTO 190
nc = 0
PRINT #2, os$
os$ = "data "
lc = lc + 1
IF lc < 300 THEN 190
GOTO 900
190 REM
NEXT i
GOTO 100
900 END
Powers of two
2 4
3 8
4 16
5 32
6 64
7 128
8 256
9 512
10 1024
11 2048
12 4096
13 8192
14 16384
15 32768
16 65536
17 131072
18 262144
19 524288
20 1048576
21 2097152
22 4194304
23 8388608
24 16777216
25 33554432
26 67108864
27 134217728
28 268435456
29 536870912
30 1073741824
31 2147483648
32 4294967296
33 8589934592
34 1 7179869184
35 3 4359738368
36 6 8719476736
37 13 7438953472
38 27 4877906944
39 54 9755813888
40 109 9511627776
41 219 9023255552
42 439 8046511104
43 879 6093022208
44 1759 2186044416
45 3518 4372088832
46 7036 8744177664
47 14073 7488355328
48 28147 4976710656
49 56294 9953421312
50 112589 9906842624
51 225179 9813685248
52 450359 9627370496
53 900719 9254740992
54 1801439 8509481984
55 3602879 7018963968
56 7205759 4037927936
57 14411518 8075855872
58 28823037 6151711744
59 57646075 2303423488
60 115292150 4606846976
61 230584300 9213693952
62 461168601 8427387904
63 922337203 6854775808
64 1844674407 3709551616
65 3689348814 7419103232
66 7378697629 4838206464
67 1 4757395258 9676412928
68 2 9514790517 9352825856
69 5 9029581035 8705651712
70 11 8059162071 7411303424
71 23 6118324143 4822606848
72 47 2236648286 9645213696
73 94 4473296573 9290427392
74 188 8946593147 8580854784
75 377 7893186295 7161709568
76 755 5786372591 4323419136
77 1511 1572745182 8646838272
78 3022 3145490365 7293676544
79 6044 6290980731 4587353088
80 12089 2581961462 9174706176
81 24178 5163922925 8349412352
82 48357 0327845851 6698824704
83 96714 0655691703 3397649408
84 193428 1311383406 6795298816
85 386856 2622766813 3590597632
86 773712 5245533626 7181195264
87 1547425 0491067253 4362390528
88 3094850 0982134506 8724781056
89 6189700 1964269013 7449562112
90 12379400 3928538027 4899124224
91 24758800 7857076054 9798248448
92 49517601 5714152109 9596496896
93 99035203 1428304219 9192993792
94 198070406 2856608439 8385987584
95 396140812 5713216879 6771975168
96 792281625 1426433759 3543950336
97 1584563250 2852867518 7087900672
98 3169126500 5705735037 4175801344
99 6338253001 1411470074 8351602688
100 1 2676506002 2822940149 6703205376
101 2 5353012004 5645880299 3406410752
102 5 0706024009 1291760598 6812821504
103 10 1412048018 2583521197 3625643008
104 20 2824096036 5167042394 7251286016
105 40 5648192073 0334084789 4502572032
106 81 1296384146 0668169578 9005144064
107 162 2592768292 1336339157 8010288128
108 324 5185536584 2672678315 6020576256
109 649 0371073168 5345356631 2041152512
110 1298 0742146337 0690713262 4082305024
111 2596 1484292674 1381426524 8164610048
112 5192 2968585348 2762853049 6329220096
113 10384 5937170696 5525706099 2658440192
114 20769 1874341393 1051412198 5316880384
115 41538 3748682786 2102824397 0633760768
116 83076 7497365572 4205648794 1267521536
117 166153 4994731144 8411297588 2535043072
118 332306 9989462289 6822595176 5070086144
119 664613 9978924579 3645190353 0140172288
120 1329227 9957849158 7290380706 0280344576
121 2658455 9915698317 4580761412 0560689152
122 5316911 9831396634 9161522824 1121378304
123 10633823 9662793269 8323045648 2242756608
124 21267647 9325586539 6646091296 4485513216
125 42535295 8651173079 3292182592 8971026432
126 85070591 7302346158 6584365185 7942052864
127 170141183 4604692317 3168730371 5884105728
128 340282366 9209384634 6337460743 1768211456
129 680564733 8418769269 2674921486 3536422912
130 1361129467 6837538538 5349842972 7072845824
131 2722258935 3675077077 0699685945 4145691648
132 5444517870 7350154154 1399371890 8291383296
Powers of three
2 9
3 27
4 81
5 243
6 729
7 2187
8 6561
9 19683
10 59049
11 177147
12 531441
13 1594323
14 4782969
15 14348907
16 43046721
17 129140163
18 387420489
19 1162261467
20 3486784401
21 1 0460353203
22 3 1381059609
23 9 4143178827
24 28 2429536481
25 84 7288609443
26 254 1865828329
27 762 5597484987
28 2287 6792454961
29 6863 0377364883
30 20589 1132094649
31 61767 3396283947
32 185302 0188851841
33 555906 0566555523
34 1667718 1699666569
35 5003154 5098999707
36 15009463 5296999121
37 45028390 5890997363
38 135085171 7672992089
39 405255515 3018976267
40 1215766545 9056928801
41 3647299637 7170786403
42 1 0941898913 1512359209
43 3 2825696739 4537077627
44 9 8477090218 3611232881
45 29 5431270655 0833698643
46 88 6293811965 2501095929
47 265 8881435895 7503287787
48 797 6644307687 2509863361
49 2392 9932923061 7529590083
50 7178 9798769185 2588770249
51 21536 9396307555 7766310747
52 64610 8188922667 3298932241
53 193832 4566768001 9896796723
54 581497 3700304005 9690390169
55 1744492 1100912017 9071170507
56 5233476 3302736053 7213511521
57 15700428 9908208161 1640534563
58 47101286 9724624483 4921603689
59 141303860 9173873450 4764811067
60 423911582 7521620351 4294433201
61 1271734748 2564861054 2883299603
62 3815204244 7694583162 8649898809
63 1 1445612734 3083749488 5949696427
64 3 4336838202 9251248465 7849089281
65 10 3010514608 7753745397 3547267843
66 30 9031543826 3261236192 0641803529
67 92 7094631478 9783708576 1925410587
68 278 1283894436 9351125728 5776231761
69 834 3851683310 8053377185 7328695283
70 2503 1555049932 4160131557 1986085849
71 7509 4665149797 2480394671 5958257547
72 22528 3995449391 7441184014 7874772641
73 67585 1986348175 2323552044 3624317923
74 202755 5959044525 6970656133 0872953769
75 608266 7877133577 0911968399 2618861307
76 1824800 3631400731 2735905197 7856583921
77 5474401 0894202193 8207715593 3569751763
78 16423203 2682606581 4623146780 0709255289
79 49269609 8047819744 3869440340 2127765867
80 147808829 4143459233 1608321020 6383297601
81 443426488 2430377699 4824963061 9149892803
82 1330279464 7291133098 4474889185 7449678409
83 3990838394 1873399295 3424667557 2349035227
Powers of five
2 25
3 125
4 625
5 3125
6 15625
7 78125
8 390625
9 1953125
10 9765625
11 48828125
12 244140625
13 1220703125
14 6103515625
15 3 0517578125
16 15 2587890625
17 76 2939453125
18 381 4697265625
19 1907 3486328125
20 9536 7431640625
21 47683 7158203125
22 238418 5791015625
23 1192092 8955078125
24 5960464 4775390625
25 29802322 3876953125
26 149011611 9384765625
27 745058059 6923828125
28 3725290298 4619140625
29 1 8626451492 3095703125
30 9 3132257461 5478515625
31 46 5661287307 7392578125
32 232 8306436538 6962890625
33 1164 1532182693 4814453125
34 5820 7660913467 4072265625
35 29103 8304567337 0361328125
36 145519 1522836685 1806640625
37 727595 7614183425 9033203125
38 3637978 8070917129 5166015625
39 18189894 0354585647 5830078125
40 90949470 1772928237 9150390625
41 454747350 8864641189 5751953125
42 2273736754 4323205947 8759765625
43 1 1368683772 1616029739 3798828125
44 5 6843418860 8080148696 8994140625
45 28 4217094304 0400743484 4970703125
46 142 1085471520 2003717422 4853515625
47 710 5427357601 0018587112 4267578125
48 3552 7136788005 0092935562 1337890625
49 17763 5683940025 0464677810 6689453125
50 88817 8419700125 2323389053 3447265625
51 444089 2098500626 1616945266 7236328125
52 2220446 0492503130 8084726333 6181640625
53 11102230 2462515654 0423631668 0908203125
54 55511151 2312578270 2118158340 4541015625
55 277555756 1562891351 0590791702 2705078125
56 1387778780 7814456755 2953958511 3525390625
57 6938893903 9072283776 4769792556 7626953125
Powers of six
2 36
3 216
4 1296
5 7776
6 46656
7 279936
8 1679616
9 10077696
10 60466176
11 362797056
12 2176782336
13 1 3060694016
14 7 8364164096
15 47 0184984576
16 282 1109907456
17 1692 6659444736
18 10155 9956668416
19 60935 9740010496
20 365615 8440062976
21 2193695 0640377856
22 13162170 3842267136
23 78973022 3053602816
24 473838133 8321616896
25 2843028802 9929701376
26 1 7058172817 9578208256
27 10 2349036907 7469249536
28 61 4094221446 4815497216
29 368 4565328678 8892983296
30 2210 7391972073 3357899776
31 13264 4351832440 0147398656
32 79586 6110994640 0884391936
33 477519 6665967840 5306351616
34 2865117 9995807043 1838109696
35 17190707 9974842259 1028658176
36 103144247 9849053554 6171949056
37 618865487 9094321327 7031694336
38 3713192927 4565927966 2190166016
39 2 2279157564 7395567797 3140996096
40 13 3674945388 4373406783 8845976576
41 80 2049672330 6240440703 3075859456
42 481 2298033983 7442644219 8455156736
43 2887 3788203902 4655865319 0730940416
44 17324 2729223414 7935191914 4385642496
45 103945 6375340488 7611151486 6313854976
46 623673 8252042932 5666908919 7883129856
47 3742042 9512257595 4001453518 7298779136
48 22452257 7073545572 4008721112 3792674816
49 134713546 2441273434 4052326674 2756048896
50 808281277 4647640606 4313960045 6536293376
51 4849687664 7885843638 5883760273 9217760256
Powers of seven
2 49
3 343
4 2401
5 16807
6 117649
7 823543
8 5764801
9 40353607
10 282475249
11 1977326743
12 1 3841287201
13 9 6889010407
14 67 8223072849
15 474 7561509943
16 3323 2930569601
17 23263 0513987207
18 162841 3597910449
19 1139889 5185373143
20 7979226 6297612001
21 55854586 4083284007
22 390982104 8582988049
23 2736874734 0080916343
24 1 9158123138 0566414401
25 13 4106861966 3964900807
26 93 8748033764 7754305649
27 657 1236236353 4280139543
28 4599 8653654473 9960976801
29 32199 0575581317 9726837607
30 225393 4029069225 8087863249
31 1577753 8203484580 6615042743
32 11044276 7424392064 6305299201
33 77309937 1970744452 4137094407
34 541169560 3795211166 8959660849
35 3788186922 6566478168 2717625943
36 2 6517308458 5965347177 9023381601
37 18 5621159210 1757430245 3163671207
38 129 9348114471 2302011717 2145698449
39 909 5436801298 6114082020 5019889143
40 6366 8057609090 2798574143 5139224001
41 44567 6403263631 9590019004 5974568007
42 311973 4822845423 7130133032 1821976049
43 2183814 3759917965 9910931225 2753832343
44 15286700 6319425761 9376518576 9276826401
45 107006904 4235980333 5635630038 4937784807
46 749048330 9651862334 9449410269 4564493649
47 5243338316 7563036344 6145871886 1951455543
Powers of eleven
2 121
3 1331
4 14641
5 161051
6 1771561
7 19487171
8 214358881
9 2357947691
10 2 5937424601
11 28 5311670611
12 313 8428376721
13 3452 2712143931
14 37974 9833583241
15 417724 8169415651
16 4594972 9863572161
17 50544702 8499293771
18 555991731 3492231481
19 6115909044 8414546291
20 6 7274999493 2560009201
21 74 0024994425 8160101211
22 814 0274938683 9761113321
23 8954 3024325523 7372246531
24 98497 3267580761 1094711841
25 1083470 5943388372 2041830251
26 11918176 5377272094 2460132761
27 131099941 9149993036 7061460371
28 1442099361 0649923403 7676064081
29 1 5863092971 7149157441 4436704891
30 17 4494022688 8640731855 8803753801
31 191 9434249577 5048050414 6841291811
32 2111 3776745352 5528554561 5254209921
33 23225 1544198878 0814100176 7796309131
34 255476 6986187658 8955101944 5759400441
35 2810243 6848064247 8506121390 3353404851
36 30912680 5328706726 3567335293 6887453361
37 340039485 8615773989 9240688230 5761986971
38 3740434344 4773513889 1647570536 3381856681
Powers of twelve
2 144
3 1728
4 20736
5 248832
6 2985984
7 35831808
8 429981696
9 5159780352
10 6 1917364224
11 74 3008370688
12 891 6100448256
13 10699 3205379072
14 128391 8464548864
15 1540702 1574586368
16 18488425 8895036416
17 221861110 6740436992
18 2662333328 0885243904
19 3 1947999937 0622926848
20 38 3375999244 7475122176
21 460 0511990936 9701466112
22 5520 6143891243 6417593344
23 66247 3726694923 7011120128
24 794968 4720339084 4133441536
25 9539621 6644069012 9601298432
26 114475459 9728828155 5215581184
27 1373705519 6745937866 2586974208
28 1 6484466236 0951254395 1043690496
29 19 7813594833 1415052741 2524285952
30 237 3763137997 6980632895 0291431424
31 2848 5157655972 3767594740 3497177088
32 34182 1891871668 5211136884 1966125056
33 410186 2702460022 2533642610 3593500672
34 4922235 2429520267 0403711324 3122008064
35 59066822 9154243204 4844535891 7464096768
36 708801874 9850918453 8134430700 9569161216
37 8505622499 8211021445 7613168411 4829934592
Powers of thirteen
2 169
3 2197
4 28561
5 371293
6 4826809
7 62748517
8 815730721
9 1 0604499373
10 13 7858491849
11 179 2160394037
12 2329 8085122481
13 30287 5106592253
14 393737 6385699289
15 5118589 3014090757
16 66541660 9183179841
17 865041591 9381337933
18 1 1245540695 1957393129
19 14 6192029037 5446110677
20 190 0496377488 0799438801
21 2470 6452907345 0392704413
22 32118 3887795485 5105157369
23 417539 0541341311 6367045797
24 5428007 7037437051 2771595361
25 70564100 1486681666 6030739693
26 917333301 9326861665 8399616009
27 1 1925332925 1249201655 9195008117
28 15 5029328026 6239621526 9535105521
29 201 5381264346 1115079850 3956371773
30 2619 9956436499 4496038055 1432833049
31 34059 9433674492 8448494716 8626829637
32 442779 2637768406 9830431319 2148785281
33 5756130 4290989290 7795607149 7934208653
34 74829695 5782860780 1342892947 3144712489
35 972786042 5177190141 7457608315 0881262357
Powers of fourteen
2 196
3 2744
4 38416
5 537824
6 7529536
7 105413504
8 1475789056
9 2 0661046784
10 28 9254654976
11 404 9565169664
12 5669 3912375296
13 79371 4773254144
14 1111200 6825558016
15 15556809 5557812224
16 217795333 7809371136
17 3049134672 9331195904
18 4 2687885421 0636742656
19 59 7630395894 8914397184
20 836 6825542528 4801560576
21 11713 5557595398 7221848064
22 163989 7806335582 1105872896
23 2295856 9288698149 5482220544
24 32141997 0041774093 6751087616
25 449987958 0584837311 4515226624
26 6299831412 8187722360 3213172736
27 8 8197639779 4628113044 4984418304
28 123 4766956912 4793582622 9781856256
29 1728 6737396774 7110156721 6945987584
30 24201 4323554845 9542194103 7243826176
31 338820 0529767843 3590717452 1413566464
32 4743480 7416749807 0270044329 9789930496
33 66408730 3834497298 3780620619 7059026944
34 929722225 3682962177 2928688675 8826377216
Powers of fifteen
2 225
3 3375
4 50625
5 759375
6 11390625
7 170859375
8 2562890625
9 3 8443359375
10 57 6650390625
11 864 9755859375
12 12974 6337890625
13 194619 5068359375
14 2919292 6025390625
15 43789389 0380859375
16 656840835 5712890625
17 9852612533 5693359375
18 14 7789188003 5400390625
19 221 6837820053 1005859375
20 3325 2567300796 5087890625
21 49878 8509511947 6318359375
22 748182 7642679214 4775390625
23 11222741 4640188217 1630859375
24 168341121 9602823257 4462890625
25 2525116829 4042348861 6943359375
26 3 7876752441 0635232925 4150390625
27 56 8151286615 9528493881 2255859375
28 852 2269299239 2927408218 3837890625
29 12783 4039488589 3911123275 7568359375
30 191751 0592328840 8666849136 3525390625
31 2876265 8884932613 0002737045 2880859375
32 43143988 3273989195 0041055679 3212890625
33 647159824 9109837925 0615835189 8193359375
34 9707397373 6647568875 9237527847 2900390625
Powers of seventeen
2 289
3 4913
4 83521
5 1419857
6 24137569
7 410338673
8 6975757441
9 11 8587876497
10 201 5993900449
11 3427 1896307633
12 58262 2237229761
13 990457 8032905937
14 16837782 6559400929
15 286242305 1509815793
16 4866119187 5666868481
17 8 2724026188 6336764177
18 140 6308445206 7724991009
19 2390 7243568515 1324847153
20 40642 3140664757 2522401601
21 690919 3391300873 2880827217
22 11745628 7652114845 8974062689
23 199675689 0085952380 2559065713
24 3394486713 1461190464 3504117121
25 5 7706274123 4840237893 9569991057
26 98 1006660099 2284044197 2689847969
27 1667 7113221686 8828751353 5727415473
28 28351 0924768677 0088773010 7366063041
29 481968 5721067509 1509141182 5223071697
30 8193465 7258147655 5655400102 8792218849
31 139288917 3388510144 6141801748 9467720433
32 2367911594 7604672458 4410629732 0951247361
Powers of eighteen
2 324
3 5832
4 104976
5 1889568
6 34012224
7 612220032
8 1 1019960576
9 19 8359290368
10 357 0467226624
11 6426 8410079232
12 115683 1381426176
13 2082296 4865671168
14 37481336 7582081024
15 674664061 6477458432
16 1 2143953109 6594251776
17 21 8591155973 8696531968
18 393 4640807529 6537575424
19 7082 3534535533 7676357632
20 127482 3621639607 8174437376
21 2294682 5189512940 7139872768
22 41304285 3411232932 8517709824
23 743477136 1402192791 3318776832
24 1 3382588450 5239470243 9737982976
25 24 0886592109 4310464391 5283693568
26 433 5958657969 7588359047 5106484224
27 7804 7255843455 6590462855 1916716032
28 140485 0605182201 8628331393 4500888576
29 2528731 0893279633 5309965082 1015994368
30 45517159 6079033403 5579371477 8287898624
31 819308872 9422601264 0428686600 9182175232
Powers of nineteen
2 361
3 6859
4 130321
5 2476099
6 47045881
7 893871739
8 1 6983563041
9 32 2687697779
10 613 1066257801
11 11649 0258898219
12 221331 4919066161
13 4205298 3462257059
14 79900668 5782884121
15 1518112702 9874798299
16 2 8844141356 7621167681
17 54 8038685778 4802185939
18 1041 2735029791 1241532841
19 19784 1965566031 3589123979
20 375899 7345754595 8193355601
21 7142094 9569337320 5673756419
22 135699804 1817409090 7801371961
23 2578296279 4530772724 8226067259
24 4 8987629309 6084681771 6295277921
25 93 0764956882 5608953660 9610280499
26 1768 4534180768 6570119558 2595329481
27 33600 6149434604 4832271606 9311260139
28 638411 6839257485 1813160531 6913942641
29 12129821 9945892218 4450050102 1364910179
30 230466617 8971952150 4550951940 5933293401
31 4378865740 0467090858 6468086871 2732574619
Powers of twenty-one
2 441
3 9261
4 194481
5 4084101
6 85766121
7 1801088541
8 3 7822859361
9 79 4280046581
10 1667 9880978201
11 35027 7500542221
12 735582 7511386641
13 15447237 7739119461
14 324391993 2521508681
15 6812231858 2951682301
16 14 3056869024 1985328321
17 300 4194249508 1691894741
18 6308 8079239671 5529789561
19 132484 9664033102 6125580781
20 2782184 2944695154 8637196401
21 58425870 1838598252 1381124421
22 1226943273 8610563294 9003612841
23 2 5765808751 0821829192 9075869661
24 54 1081983772 7258413051 0593262881
25 1136 2721659227 2426674072 2458520501
26 23861 7154843772 0960155517 1628930521
27 501096 0251719214 0163265860 4207540941
28 10523016 5286103494 3428583068 8358359761
29 220983347 1008173381 2000244445 5525554981
30 4640650289 1171641005 2005133356 6036654601
Powers of twenty-two
2 484
3 10648
4 234256
5 5153632
6 113379904
7 2494357888
8 5 4875873536
9 120 7269217792
10 2655 9922791424
11 58431 8301411328
12 1285500 2631049216
13 28281005 7883082752
14 622182127 3427820544
15 1 3688006801 5412051968
16 30 1136149633 9065143296
17 662 4995291945 9433152512
18 14574 9896422810 7529355264
19 320649 7721301836 5645815808
20 7054294 9868640404 4207947776
21 155194489 7110088897 2574851072
22 3414278773 6421955739 6646723584
23 7 5114133020 1283026272 6227918848
24 165 2510926442 8226577997 7014214656
25 3635 5240381742 0984715949 4312722432
26 79981 5288398326 1663750887 4879893504
27 1759593 6344763175 6602519524 7357657088
28 38711059 9584789864 5255429544 1868455936
29 851643319 0865377019 5619449972 1106030592
Powers of twenty-three
2 529
3 12167
4 279841
5 6436343
6 148035889
7 3404825447
8 7 8310985281
9 180 1152661463
10 4142 6511213649
11 95280 9757913927
12 2191462 4432020321
13 50403636 1936467383
14 1159283632 4538749809
15 2 6663523546 4391245607
16 61 3261041568 0998648961
17 1410 5003956066 2968926103
18 32441 5090989524 8285300369
19 746154 7092759071 0561908487
20 17161558 3133458634 2923895201
21 394715841 2069548588 7249589623
22 9078464347 7599617540 6740561329
23 20 8804679998 4791203435 5032910567
24 480 2507639965 0197679016 5756943041
25 11045 7675719195 4546617381 2409689943
26 254052 6541541495 4572199768 5422868689
27 5843211 0455454395 5160594676 4725979847
28 134393854 0475451096 8693677558 8697536481
29 3091058643 0935375227 9954583854 0043339063
Powers of twenty-four
2 576
3 13824
4 331776
5 7962624
6 191102976
7 4586471424
8 11 0075314176
9 264 1807540224
10 6340 3380965376
11 152168 1143169024
12 3652034 7436056576
13 87648833 8465357824
14 2103572012 3168587776
15 5 0485728295 6046106624
16 121 1657479094 5106558976
17 2907 9779498268 2557415424
18 69791 4707958438 1377970176
19 1674995 2991002515 3071284224
20 40199887 1784060367 3710821376
21 964797292 2817448816 9059713024
22 2 3155135014 7618771605 7433112576
23 55 5723240354 2850518537 8394701824
24 1333 7357768502 8412444908 1472843776
25 32009 6586444068 1898677795 5348250624
26 768231 8074657636 5568267092 8358014976
27 18437563 3791783277 3638410228 0592359424
28 442501521 1002798656 7321845473 4216626176
Powers of twenty-six
2 676
3 17576
4 456976
5 11881376
6 308915776
7 8031810176
8 20 8827064576
9 542 9503678976
10 14116 7095653376
11 367034 4486987776
12 9542895 6661682176
13 248115287 3203736576
14 6450997470 3297150976
15 16 7725934228 5725925376
16 436 0874289942 8874059776
17 11338 2731538515 0725554176
18 294795 1020001391 8864408576
19 7664672 6520036189 0474622976
20 199281488 9520940915 2340197376
21 5181318712 7544463796 0845131776
22 13 4714286531 6156058698 1973426176
23 350 2571449822 0057526153 1309080576
24 9106 6857695372 1495679981 4036094976
25 236773 8300079675 8887679516 4938469376
26 6156119 5802071573 1079667428 8400203776
27 160059109 0853860900 8071353149 8405298176
28 4161536836 2200383420 9855181895 8537752576
Powers of twenty-eight
2 784
3 21952
4 614656
5 17210368
6 481890304
7 1 3492928512
8 37 7801998336
9 1057 8455953408
10 29619 6766695424
11 829350 9467471872
12 23221826 5089212416
13 650211142 2497947648
14 1 8205911982 9942534144
15 50 9765535523 8390956032
16 1427 3434994667 4946768896
17 39965 6179850689 8509529088
18 1119037 3035819315 8266814464
19 31333044 5002940843 1470804992
20 877325246 0082343608 1182539776
21 2 4565106888 2305621027 3111113728
22 68 7822992870 4557388764 7111184384
23 1925 9043800372 7606885411 9113162752
24 53925 3226410437 2992791533 5168557056
25 1509909 0339492244 3798162938 4719597568
26 42277452 9505782842 6348562277 2148731904
27 1183768682 6161919593 7759743762 0164493312
Powers of twenty-nine
2 841
3 24389
4 707281
5 20511149
6 594823321
7 1 7249876309
8 50 0246412961
9 1450 7145975869
10 42070 7233300201
11 1220050 9765705829
12 35381478 3205469041
13 1026062871 2958602189
14 2 9755823267 5799463481
15 86 2918874759 8184440949
16 2502 4647368034 7348787521
17 72571 4773673007 3114838109
18 2104572 8436517212 0330305161
19 61032612 4658999148 9578849669
20 1769945761 5110975319 7786640401
21 5 1328427083 8218284273 5812571629
22 148 8524385430 8330243933 8564577241
23 4316 7207177494 1577074081 8372739989
24 125184 9008147330 5735148373 2809459681
25 3630362 1236272586 6319302825 1474330749
26 105280501 5851905012 3259781929 2755591721
27 3053134545 9705245357 4533675948 9912159909
Powers of thirty-one
2 961
3 29791
4 923521
5 28629151
6 887503681
7 2 7512614111
8 85 2891037441
9 2643 9622160671
10 81962 8286980801
11 2540847 6896404831
12 78766278 3788549761
13 2441754629 7445042591
14 7 5694393522 0796320321
15 234 6526199184 4685929951
16 7274 2312174718 5263828481
17 225501 1677416274 3178682911
18 6990536 1999904503 8539170241
19 216706622 1997039619 4714277471
20 6717905288 1908228203 6142601601
21 20 8255063933 9155074312 0420649631
22 645 5906981951 3807303673 3040138561
23 20013 3116440492 8026413872 4244295391
24 620412 6609655276 8818830045 1573157121
25 19232792 4899313583 3383731399 8767870751
26 596216567 1878721083 4895673396 1803993281
Powers of thirty-three
2 1089
3 35937
4 1185921
5 39135393
6 1291467969
7 4 2618442977
8 140 6408618241
9 4641 1484401953
10 153157 8985264449
11 5054210 6513726817
12 166788951 4952984961
13 5504035399 3448503713
14 18 1633168178 3800622529
15 599 3894549886 5420543457
16 19779 8520146255 8877934081
17 652735 1164826444 2971824673
18 21540258 8439272661 8070214209
19 710828541 8495997839 6317068897
20 2 3457341881 0367928707 8463273601
21 77 4092282074 2141647358 9288028833
22 2554 5045308449 0674362844 6504951489
23 84298 6495178819 2253973873 4663399137
24 2781855 4340901034 4381137824 3892171521
25 91801229 3249734136 4577548204 8441660193
26 3029440567 7241226503 1059090759 8574786369
Powers of thirty-four
2 1156
3 39304
4 1336336
5 45435424
6 1544804416
7 5 2523350144
8 178 5793904896
9 6071 6992766464
10 206437 7754059776
11 7018884 3638032384
12 238642068 3693101056
13 8113830324 5565435904
14 27 5870231034 9224820736
15 937 9587855187 3643905024
16 31890 5987076370 3892770816
17 1084280 3560596593 2354207744
18 36865532 1060284170 0043063296
19 1253428091 6049661780 1464152064
20 4 2616555114 5688500524 9781170176
21 144 8962873895 3409017849 2559785984
22 4926 4737712441 5906606874 7032723456
23 167500 1082223014 0824633739 9112597504
24 5695003 6795582478 8037547156 9828315136
25 193630125 1049804279 3276603337 4162714624
26 6583424253 5693345497 1404513472 1532297216
Powers of thirty-five
2 1225
3 42875
4 1500625
5 52521875
6 1838265625
7 6 4339296875
8 225 1875390625
9 7881 5638671875
10 275854 7353515625
11 9654915 7373046875
12 337922050 8056640625
13 1 1827271778 1982421875
14 41 3954512236 9384765625
15 1448 8407928292 8466796875
16 50709 4277490249 6337890625
17 1774829 9712158737 1826171875
18 62119048 9925555801 3916015625
19 2174166714 7394453048 7060546875
20 7 6095835015 8805856704 7119140625
21 266 3354225555 8204984664 9169921875
22 9321 7397894453 7174463272 0947265625
23 326260 8926305880 1106214523 3154296875
24 11419131 2420705803 8717508316 0400390625
25 399669593 4724703135 5112791061 4013671875
Powers of thirty-seven
2 1369
3 50653
4 1874161
5 69343957
6 2565726409
7 9 4931877133
8 351 2479453921
9 12996 1739795077
10 480858 4372417849
11 17791762 1779460413
12 658295200 5840035281
13 2 4356922421 6081305397
14 90 1206129599 5008299689
15 3334 4626795181 5307088493
16 123375 1191421716 6362274241
17 4564879 4082603515 5404146917
18 168900538 1056330074 9953435929
19 6249319909 9084212774 8277129373
20 23 1224836666 6115872668 6253786801
21 855 5318956664 6287288739 1390111637
22 31654 6801396591 2629683348 1434130569
23 1171223 1651673876 7298283881 3062831053
24 43335257 1111933439 0036503608 3324748961
25 1603404513 1141537243 1350633508 3015711557
Powers of thirty-eight
2 1444
3 54872
4 2085136
5 79235168
6 3010936384
7 11 4415582592
8 434 7792138496
9 16521 6101262848
10 627821 1847988224
11 23857205 0223552512
12 906573790 8494995456
13 3 4449804052 2809827328
14 130 9092553986 6773438464
15 4974 5517051493 7390661632
16 189032 9647956762 0845142016
17 7183252 6622356959 2115396608
18 272963601 1649564450 0385071104
19 1 0372616844 2683449101 4632701952
20 39 4159440082 1971065855 6042674176
21 1497 8058723123 4900502512 9621618688
22 56916 6231478692 6219095492 5621510144
23 2162831 6796190319 6325628717 3617385472
24 82187603 8255232146 0373891259 7460647936
25 3123128945 3698821549 4207867870 3504621568
Powers of thirty-nine
2 1521
3 59319
4 2313441
5 90224199
6 3518743761
7 13 7231006679
8 535 2009260481
9 20872 8361158759
10 814040 6085191601
11 31747583 7322472439
12 1238155765 5576425121
13 4 8288074856 7480579719
14 188 3234919413 1742609041
15 7344 6161857113 7961752599
16 286440 0312427438 0508351361
17 11171161 2184670083 9825703079
18 435675287 5202133275 3202420081
19 1 6991336213 2883197737 4894383159
20 66 2662112318 2444711762 0880943201
21 2584 3822380411 5343758721 4356784839
22 100790 9072836049 8406590135 9914608721
23 3930845 3840605943 7857015303 6669740119
24 153302969 9783631807 6423596843 0119864641
25 5978815829 1561640498 0520276877 4674720999

A Cryptographic Compendium

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

A Cryptographic Compendium

Uploaded by

Copyright:

Available Formats

[Next]

Its chapters are:

You can also go directly to a complete table of contents.

● a page introducing beginners to methods of solving different kinds

Occasionally, some methods of cryptanalysis are briefly touched upon

It covers forms of cryptography ranging from the simple paper-and-pencil

One word of warning, however: I have indulged my own ego rather

Return to Home Page

Copyright (c) 1998, 1999, 2000, John J. G. Savard

Even then, it took a conceptual breakthrough to realize that letters can be

Obviously, if a message contains nothing that is confidential, there is no

But equally, if a message is not urgent, then even if it is secret, it can be

Suggestions for Reading

Elementary Cryptanalysis, Helen Fouché Gaines, Dover. Published under

And I will also mention two other books here:

Machine Cryptography and Modern Cryptanalysis, Cipher A. Deavours

Return to Home Page

Copyright (c) 1998, 1999, 2000 John J. G. Savard

Pencil and Paper Systems

ABCDE FGH IJKL MNO PQRST UVW XYZ

9:@$*@ *@8Q !@ *J!@ !J8@;

For example, the diagram to the right

In transposition, instead of replacing letters with something else, the letters of a

● Cryptanalyzing the Simple Substitution Cipher

❍ Polygraphic Ciphers and Fractionation

■ Playfair and its Relatives

■ The Bifid, the Trifid, and the Straddling Checkerboard

■ Fractionated Morse, and Other Oddities

■ The VIC Cipher

■ Two Trigraphic Ciphers, and a Heptagraphic One

Skip to Next Section

Electrical and Mechanical Cipher

● Early Machine Ciphers

❍ The Kryha Cryptograph

❍ The Hill Cipher

❍ The RED Machine

❍ The A-22 Cryptograph

● The Hagelin lug and pin machines

● Rotor Machines - and their PURPLE cousins

❍ The Interval Method

❍ The Method of Isomorphs

❍ PURPLE, CORAL, and JADE

● The Enigma: a unique rotor machine

❍ The Uhr Box

❍ The Enigma A and Enigma B

❍ Relatives of the Enigma

❍ Cryptanalysis of the Enigma

■ Cliques on the Rods

● An American Achievement: the ultimate rotor machine

● Conclusions for Chapter II

❍ Irregular Rotor Movement

[Next] [Previous] [Up/Index]

Skip to Next Chapter

International Telegraph Alphabet No. 5 is the international version of ASCII;

Characters ITA 2 ITA 4 ITA 3 CCIR 476 AUTOSPEC

Character 32 00000 100000 0000111 1101010 0000000000

Q 1 11101 011101 0001101 0101110 1110111101 Q 1 q !

A - 11000 011000 0011010 1000111 1100011000 A - a _

This is a bit confusing, so I will illustrate it:

Thus, this example proceeds as follows:

One begins by having only figures and upper-case letters available.

[LTRS] ghi [FIGS] 1234 [LTRS] jkl

[LTRS] MNOPQ [FIGS] 1234 [LTRS] rst

9:@$@ @8Q !@ *J!@ !J8@;